From 9d7244c4c60d9f85f58b3770065a394c71fdce3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Apr 2011 11:50:32 +0200 Subject: [PATCH 0001/1119] Typo Signed-off-by: Michael Niedermayer --- libavformat/asfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index ce5d662046..f433141545 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -1114,6 +1114,7 @@ static void asf_reset_header(AVFormatContext *s) static int asf_read_close(AVFormatContext *s) { + int i; asf_reset_header(s); for(i=0;inb_streams;i++) { From ea189b77eb89134a9d3928631c579ca0a28e1a3a Mon Sep 17 00:00:00 2001 From: multiple authors Date: Wed, 27 Apr 2011 00:00:50 +0200 Subject: [PATCH 0002/1119] Revert removial of 3 files, this sliped through the last merge into oldabi because the files where locally available during testing just not in git. Signed-off-by: Michael Niedermayer --- libavcodec/opt.c | 89 ++++++++++++++++++++ libavformat/metadata_compat.c | 148 ++++++++++++++++++++++++++++++++++ libavutil/sha1.h | 57 +++++++++++++ 3 files changed, 294 insertions(+) create mode 100644 libavcodec/opt.c create mode 100644 libavformat/metadata_compat.c create mode 100644 libavutil/sha1.h diff --git a/libavcodec/opt.c b/libavcodec/opt.c new file mode 100644 index 0000000000..f41fae0ba1 --- /dev/null +++ b/libavcodec/opt.c @@ -0,0 +1,89 @@ +/* + * AVOptions ABI compatibility wrapper + * Copyright (c) 2010 Michael Niedermayer + * + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "avcodec.h" +#include "opt.h" + +#if LIBAVCODEC_VERSION_MAJOR < 53 && CONFIG_SHARED && HAVE_SYMVER + +FF_SYMVER(const AVOption *, av_find_opt, (void *obj, const char *name, const char *unit, int mask, int flags), "LIBAVCODEC_52"){ + return av_find_opt(obj, name, unit, mask, flags); +} +FF_SYMVER(int, av_set_string3, (void *obj, const char *name, const char *val, int alloc, const AVOption **o_out), "LIBAVCODEC_52"){ + return av_set_string3(obj, name, val, alloc, o_out); +} +FF_SYMVER(const AVOption *, av_set_double, (void *obj, const char *name, double n), "LIBAVCODEC_52"){ + return av_set_double(obj, name, n); +} +FF_SYMVER(const AVOption *, av_set_q, (void *obj, const char *name, AVRational n), "LIBAVCODEC_52"){ + return av_set_q(obj, name, n); +} +FF_SYMVER(const AVOption *, av_set_int, (void *obj, const char *name, int64_t n), "LIBAVCODEC_52"){ + return av_set_int(obj, name, n); +} +FF_SYMVER(double, av_get_double, (void *obj, const char *name, const AVOption **o_out), "LIBAVCODEC_52"){ + return av_get_double(obj, name, o_out); +} +FF_SYMVER(AVRational, av_get_q, (void *obj, const char *name, const AVOption **o_out), "LIBAVCODEC_52"){ + return av_get_q(obj, name, o_out); +} +FF_SYMVER(int64_t, av_get_int, (void *obj, const char *name, const AVOption **o_out), "LIBAVCODEC_52"){ + return av_get_int(obj, name, o_out); +} +FF_SYMVER(const char *, av_get_string, (void *obj, const char *name, const AVOption **o_out, char *buf, int buf_len), "LIBAVCODEC_52"){ + return av_get_string(obj, name, o_out, buf, buf_len); +} +FF_SYMVER(const AVOption *, av_next_option, (void *obj, const AVOption *last), "LIBAVCODEC_52"){ + return av_next_option(obj, last); +} +FF_SYMVER(int, av_opt_show2, (void *obj, void *av_log_obj, int req_flags, int rej_flags), "LIBAVCODEC_52"){ + return av_opt_show2(obj, av_log_obj, req_flags, rej_flags); +} +FF_SYMVER(void, av_opt_set_defaults, (void *s), "LIBAVCODEC_52"){ + return av_opt_set_defaults(s); +} +FF_SYMVER(void, av_opt_set_defaults2, (void *s, int mask, int flags), "LIBAVCODEC_52"){ + return av_opt_set_defaults2(s, mask, flags); +} +#endif + +#if FF_API_SET_STRING_OLD +const AVOption *av_set_string2(void *obj, const char *name, const char *val, int alloc){ + const AVOption *o; + if (av_set_string3(obj, name, val, alloc, &o) < 0) + return NULL; + return o; +} + +const AVOption *av_set_string(void *obj, const char *name, const char *val){ + const AVOption *o; + if (av_set_string3(obj, name, val, 0, &o) < 0) + return NULL; + return o; +} +#endif + +#if FF_API_OPT_SHOW +int av_opt_show(void *obj, void *av_log_obj){ + return av_opt_show2(obj, av_log_obj, + AV_OPT_FLAG_ENCODING_PARAM|AV_OPT_FLAG_DECODING_PARAM, 0); +} +#endif diff --git a/libavformat/metadata_compat.c b/libavformat/metadata_compat.c new file mode 100644 index 0000000000..19b8f59df1 --- /dev/null +++ b/libavformat/metadata_compat.c @@ -0,0 +1,148 @@ +/* + * Copyright (c) 2009 Aurelien Jacobs + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include +#include "avformat.h" +#include "metadata.h" +#include "libavutil/avstring.h" + +#if FF_API_OLD_METADATA + +#define SIZE_OFFSET(x) sizeof(((AVFormatContext*)0)->x),offsetof(AVFormatContext,x) + +static const struct { + const char name[16]; + int size; + int offset; +} compat_tab[] = { + { "title", SIZE_OFFSET(title) }, + { "author", SIZE_OFFSET(author) }, + { "copyright", SIZE_OFFSET(copyright) }, + { "comment", SIZE_OFFSET(comment) }, + { "album", SIZE_OFFSET(album) }, + { "year", SIZE_OFFSET(year) }, + { "track", SIZE_OFFSET(track) }, + { "genre", SIZE_OFFSET(genre) }, + + { "artist", SIZE_OFFSET(author) }, + { "creator", SIZE_OFFSET(author) }, + { "written_by", SIZE_OFFSET(author) }, + { "lead_performer", SIZE_OFFSET(author) }, + { "composer", SIZE_OFFSET(author) }, + { "performer", SIZE_OFFSET(author) }, + { "description", SIZE_OFFSET(comment) }, + { "albumtitle", SIZE_OFFSET(album) }, + { "date", SIZE_OFFSET(year) }, + { "date_written", SIZE_OFFSET(year) }, + { "date_released", SIZE_OFFSET(year) }, + { "tracknumber", SIZE_OFFSET(track) }, + { "part_number", SIZE_OFFSET(track) }, +}; + +void ff_metadata_demux_compat(AVFormatContext *ctx) +{ + AVMetadata *m; + int i, j; + + if ((m = ctx->metadata)) + for (j=0; jcount; j++) + for (i=0; ielems[j].key, compat_tab[i].name)) { + int *ptr = (int *)((char *)ctx+compat_tab[i].offset); + if (*ptr) continue; + if (compat_tab[i].size > sizeof(int)) + av_strlcpy((char *)ptr, m->elems[j].value, compat_tab[i].size); + else + *ptr = atoi(m->elems[j].value); + } + + for (i=0; inb_chapters; i++) + if ((m = ctx->chapters[i]->metadata)) + for (j=0; jcount; j++) + if (!strcasecmp(m->elems[j].key, "title")) { + av_free(ctx->chapters[i]->title); + ctx->chapters[i]->title = av_strdup(m->elems[j].value); + } + + for (i=0; inb_programs; i++) + if ((m = ctx->programs[i]->metadata)) + for (j=0; jcount; j++) { + if (!strcasecmp(m->elems[j].key, "name")) { + av_free(ctx->programs[i]->name); + ctx->programs[i]->name = av_strdup(m->elems[j].value); + } + if (!strcasecmp(m->elems[j].key, "provider_name")) { + av_free(ctx->programs[i]->provider_name); + ctx->programs[i]->provider_name = av_strdup(m->elems[j].value); + } + } + + for (i=0; inb_streams; i++) + if ((m = ctx->streams[i]->metadata)) + for (j=0; jcount; j++) { + if (!strcasecmp(m->elems[j].key, "language")) + av_strlcpy(ctx->streams[i]->language, m->elems[j].value, 4); + if (!strcasecmp(m->elems[j].key, "filename")) { + av_free(ctx->streams[i]->filename); + ctx->streams[i]->filename= av_strdup(m->elems[j].value); + } + } +} + + +#define FILL_METADATA(s, key, value) { \ + if (!av_metadata_get(s->metadata, #key, NULL, 0)) \ + av_metadata_set2(&s->metadata, #key, value, 0); \ + } +#define FILL_METADATA_STR(s, key) { \ + if (s->key && *s->key) FILL_METADATA(s, key, s->key); } +#define FILL_METADATA_INT(s, key) { \ + char number[10]; \ + snprintf(number, sizeof(number), "%d", s->key); \ + if(s->key) FILL_METADATA(s, key, number) } + +void ff_metadata_mux_compat(AVFormatContext *ctx) +{ + int i; + + if (ctx->metadata && ctx->metadata->count > 0) + return; + + FILL_METADATA_STR(ctx, title); + FILL_METADATA_STR(ctx, author); + FILL_METADATA_STR(ctx, copyright); + FILL_METADATA_STR(ctx, comment); + FILL_METADATA_STR(ctx, album); + FILL_METADATA_INT(ctx, year); + FILL_METADATA_INT(ctx, track); + FILL_METADATA_STR(ctx, genre); + for (i=0; inb_chapters; i++) + FILL_METADATA_STR(ctx->chapters[i], title); + for (i=0; inb_programs; i++) { + FILL_METADATA_STR(ctx->programs[i], name); + FILL_METADATA_STR(ctx->programs[i], provider_name); + } + for (i=0; inb_streams; i++) { + FILL_METADATA_STR(ctx->streams[i], language); + FILL_METADATA_STR(ctx->streams[i], filename); + } +} + +#endif /* FF_API_OLD_METADATA */ diff --git a/libavutil/sha1.h b/libavutil/sha1.h new file mode 100644 index 0000000000..3ff58043ea --- /dev/null +++ b/libavutil/sha1.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2007 Michael Niedermayer + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef AVUTIL_SHA1_H +#define AVUTIL_SHA1_H + +#include + +extern const int av_sha1_size; + +struct AVSHA1; + +/** + * Initialize SHA-1 hashing. + * + * @param context pointer to the function context (of size av_sha_size) + * @deprecated use av_sha_init() instead + */ +void av_sha1_init(struct AVSHA1* context); + +/** + * Update hash value. + * + * @param context hash function context + * @param data input data to update hash with + * @param len input data length + * @deprecated use av_sha_update() instead + */ +void av_sha1_update(struct AVSHA1* context, const uint8_t* data, unsigned int len); + +/** + * Finish hashing and output digest value. + * + * @param context hash function context + * @param digest buffer where output digest value is stored + * @deprecated use av_sha_final() instead + */ +void av_sha1_final(struct AVSHA1* context, uint8_t digest[20]); + +#endif /* AVUTIL_SHA1_H */ From 0b3a88fe1585f9d5d64da89417c0f8cc6788526a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2011 04:10:44 +0200 Subject: [PATCH 0003/1119] Revert "lavc: remove FF_API_MB_Q cruft" This reverts commit 6deae83e555982d86ef8cc68b804495092216fc4. --- libavcodec/avcodec.h | 16 ++++++++++++++++ libavcodec/options.c | 4 ++++ libavcodec/version.h | 3 +++ 3 files changed, 23 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index bc61007137..86560f5cd7 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1816,6 +1816,22 @@ typedef struct AVCodecContext { */ uint64_t error[4]; +#if FF_API_MB_Q + /** + * minimum MB quantizer + * - encoding: unused + * - decoding: unused + */ + attribute_deprecated int mb_qmin; + + /** + * maximum MB quantizer + * - encoding: unused + * - decoding: unused + */ + attribute_deprecated int mb_qmax; +#endif + /** * motion estimation comparison function * - encoding: Set by user. diff --git a/libavcodec/options.c b/libavcodec/options.c index 1d8b7dc567..c8220e43b3 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -253,6 +253,10 @@ static const AVOption options[]={ {"pf", "forward predicted MVs of P-frames", 0, FF_OPT_TYPE_CONST, FF_DEBUG_VIS_MV_P_FOR, INT_MIN, INT_MAX, V|D, "debug_mv"}, {"bf", "forward predicted MVs of B-frames", 0, FF_OPT_TYPE_CONST, FF_DEBUG_VIS_MV_B_FOR, INT_MIN, INT_MAX, V|D, "debug_mv"}, {"bb", "backward predicted MVs of B-frames", 0, FF_OPT_TYPE_CONST, FF_DEBUG_VIS_MV_B_BACK, INT_MIN, INT_MAX, V|D, "debug_mv"}, +#if FF_API_MB_Q +{"mb_qmin", "obsolete, use qmin", OFFSET(mb_qmin), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E}, +{"mb_qmax", "obsolete, use qmax", OFFSET(mb_qmax), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E}, +#endif {"cmp", "full pel me compare function", OFFSET(me_cmp), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E, "cmp_func"}, {"subcmp", "sub pel me compare function", OFFSET(me_sub_cmp), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E, "cmp_func"}, {"mbcmp", "macroblock compare function", OFFSET(mb_cmp), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E, "cmp_func"}, diff --git a/libavcodec/version.h b/libavcodec/version.h index 522c6d6886..b13c953028 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -71,6 +71,9 @@ #ifndef FF_API_OLD_AUDIOCONVERT #define FF_API_OLD_AUDIOCONVERT (LIBAVCODEC_VERSION_MAJOR < 54) #endif +#ifndef FF_API_MB_Q +#define FF_API_MB_Q (LIBAVCODEC_VERSION_MAJOR < 53) +#endif #ifndef FF_API_ANTIALIAS_ALGO #define FF_API_ANTIALIAS_ALGO (LIBAVCODEC_VERSION_MAJOR < 54) #endif From 329559ae502a8d63bb04c0c3852caa48ac405ccc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2011 04:10:51 +0200 Subject: [PATCH 0004/1119] Revert "lavc: remove FF_API_RATE_EMU cruft" This reverts commit 694c142434f1b775c93cb2586eebf7ddd5ef6aa8. --- libavcodec/avcodec.h | 10 ++++++++++ libavcodec/options.c | 3 +++ libavcodec/version.h | 3 +++ 3 files changed, 16 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 86560f5cd7..35037979b5 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1226,6 +1226,16 @@ typedef struct AVCodecContext { */ enum PixelFormat pix_fmt; +#if FF_API_RATE_EMU + /** + * Frame rate emulation. If not zero, the lower layer (i.e. format handler) + * has to read frames at native frame rate. + * - encoding: Set by user. + * - decoding: unused + */ + attribute_deprecated int rate_emu; +#endif + /** * If non NULL, 'draw_horiz_band' is called by the libavcodec * decoder to draw a horizontal band. It improves cache usage. Not diff --git a/libavcodec/options.c b/libavcodec/options.c index c8220e43b3..3117bbe1b5 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -105,6 +105,9 @@ static const AVOption options[]={ {"extradata_size", NULL, OFFSET(extradata_size), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), FF_OPT_TYPE_RATIONAL, DEFAULT, INT_MIN, INT_MAX}, {"g", "set the group of picture size", OFFSET(gop_size), FF_OPT_TYPE_INT, 12, INT_MIN, INT_MAX, V|E}, +#if FF_API_RATE_EMU +{"rate_emu", "frame rate emulation", OFFSET(rate_emu), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX}, +#endif {"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX}, {"ac", "set number of audio channels", OFFSET(channels), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX}, {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, A|E}, diff --git a/libavcodec/version.h b/libavcodec/version.h index b13c953028..56c7a95b0c 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -71,6 +71,9 @@ #ifndef FF_API_OLD_AUDIOCONVERT #define FF_API_OLD_AUDIOCONVERT (LIBAVCODEC_VERSION_MAJOR < 54) #endif +#ifndef FF_API_RATE_EMU +#define FF_API_RATE_EMU (LIBAVCODEC_VERSION_MAJOR < 53) +#endif #ifndef FF_API_MB_Q #define FF_API_MB_Q (LIBAVCODEC_VERSION_MAJOR < 53) #endif From 8d8962ca3e95b1ce86ab505498e7cd3ec89fa996 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2011 04:10:59 +0200 Subject: [PATCH 0005/1119] Revert "lavc: remove FF_API_HURRY_UP cruft" This reverts commit e7021c0ed5d1265d5b4f0f01a01f840196a70415. --- libavcodec/avcodec.h | 10 ++++++++++ libavcodec/h261dec.c | 4 ++++ libavcodec/h263dec.c | 8 ++++++++ libavcodec/h264.c | 18 ++++++++++++++++-- libavcodec/mpeg12.c | 8 ++++++++ libavcodec/mpegvideo.c | 6 ++++++ libavcodec/mpegvideo.h | 5 +++++ libavcodec/options.c | 3 +++ libavcodec/pthread.c | 3 +++ libavcodec/rv34.c | 9 +++++++++ libavcodec/svq1dec.c | 3 +++ libavcodec/svq3.c | 8 ++++++++ libavcodec/vc1dec.c | 10 ++++++++++ libavcodec/version.h | 3 +++ 14 files changed, 96 insertions(+), 2 deletions(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 35037979b5..78715e4f0f 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1340,6 +1340,16 @@ typedef struct AVCodecContext { int b_frame_strategy; +#if FF_API_HURRY_UP + /** + * hurry up amount + * - encoding: unused + * - decoding: Set by user. 1-> Skip B-frames, 2-> Skip IDCT/dequant too, 5-> Skip everything except header + * @deprecated Deprecated in favor of skip_idct and skip_frame. + */ + attribute_deprecated int hurry_up; +#endif + struct AVCodec *codec; void *priv_data; diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index d732123d3e..060aef6173 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -599,6 +599,10 @@ retry: s->current_picture.pict_type= s->pict_type; s->current_picture.key_frame= s->pict_type == FF_I_TYPE; +#if FF_API_HURRY_UP + /* skip everything if we are in a hurry>=5 */ + if(avctx->hurry_up>=5) return get_consumed_bytes(s, buf_size); +#endif if( (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type==FF_B_TYPE) ||(avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 72622e693f..4151f4b012 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -612,10 +612,18 @@ retry: /* skip B-frames if we don't have reference frames */ if(s->last_picture_ptr==NULL && (s->pict_type==FF_B_TYPE || s->dropable)) return get_consumed_bytes(s, buf_size); +#if FF_API_HURRY_UP + /* skip b frames if we are in a hurry */ + if(avctx->hurry_up && s->pict_type==FF_B_TYPE) return get_consumed_bytes(s, buf_size); +#endif if( (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type==FF_B_TYPE) || (avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) return get_consumed_bytes(s, buf_size); +#if FF_API_HURRY_UP + /* skip everything if we are in a hurry>=5 */ + if(avctx->hurry_up>=5) return get_consumed_bytes(s, buf_size); +#endif if(s->next_p_frame_damaged){ if(s->pict_type==FF_B_TYPE) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 285dbeadd6..22a57866d4 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2966,7 +2966,11 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ buf_index += consumed; //FIXME do not discard SEI id - if(avctx->skip_frame >= AVDISCARD_NONREF && h->nal_ref_idc == 0) + if( +#if FF_API_HURRY_UP + (s->hurry_up == 1 && h->nal_ref_idc == 0) || +#endif + (avctx->skip_frame >= AVDISCARD_NONREF && h->nal_ref_idc == 0)) continue; again: @@ -3003,6 +3007,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ } if(hx->redundant_pic_count==0 +#if FF_API_HURRY_UP + && hx->s.hurry_up < 5 +#endif && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=FF_B_TYPE) && (avctx->skip_frame < AVDISCARD_NONKEY || hx->slice_type_nos==FF_I_TYPE) @@ -3040,6 +3047,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning && s->context_initialized +#if FF_API_HURRY_UP + && s->hurry_up < 5 +#endif && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=FF_B_TYPE) && (avctx->skip_frame < AVDISCARD_NONKEY || hx->slice_type_nos==FF_I_TYPE) @@ -3176,7 +3186,11 @@ static int decode_frame(AVCodecContext *avctx, } if(!(s->flags2 & CODEC_FLAG2_CHUNKS) && !s->current_picture_ptr){ - if (avctx->skip_frame >= AVDISCARD_NONREF) + if (avctx->skip_frame >= AVDISCARD_NONREF +#if FF_API_HURRY_UP + || s->hurry_up +#endif + ) return 0; av_log(avctx, AV_LOG_ERROR, "no frame!\n"); return -1; diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 510a2b0809..192ecdd478 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -2476,10 +2476,18 @@ static int decode_chunks(AVCodecContext *avctx, /* Skip P-frames if we do not have a reference frame or we have an invalid header. */ if(s2->pict_type==FF_P_TYPE && !s->sync) break; } +#if FF_API_HURRY_UP + /* Skip B-frames if we are in a hurry. */ + if(avctx->hurry_up && s2->pict_type==FF_B_TYPE) break; +#endif if( (avctx->skip_frame >= AVDISCARD_NONREF && s2->pict_type==FF_B_TYPE) ||(avctx->skip_frame >= AVDISCARD_NONKEY && s2->pict_type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) break; +#if FF_API_HURRY_UP + /* Skip everything if we are in a hurry>=5. */ + if(avctx->hurry_up>=5) break; +#endif if (!s->mpeg_enc_ctx_allocated) break; diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 73305d1324..819f58dc95 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1131,6 +1131,9 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) } } +#if FF_API_HURRY_UP + s->hurry_up= s->avctx->hurry_up; +#endif s->error_recognition= avctx->error_recognition; /* set dequantizer, we can't do it during init as it might change for mpeg4 @@ -2122,6 +2125,9 @@ void MPV_decode_mb_internal(MpegEncContext *s, DCTELEM block[12][64], } /* skip dequant / idct if we are really late ;) */ +#if FF_API_HURRY_UP + if(s->hurry_up>1) goto skip_idct; +#endif if(s->avctx->skip_idct){ if( (s->avctx->skip_idct >= AVDISCARD_NONREF && s->pict_type == FF_B_TYPE) ||(s->avctx->skip_idct >= AVDISCARD_NONKEY && s->pict_type != FF_I_TYPE) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index c90912f853..3836a6ef38 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -391,6 +391,11 @@ typedef struct MpegEncContext { int no_rounding; /**< apply no rounding to motion compensation (MPEG4, msmpeg4, ...) for b-frames rounding mode is always 0 */ +#if FF_API_HURRY_UP + int hurry_up; /**< when set to 1 during decoding, b frames will be skipped + when set to 2 idct/dequant will be skipped too */ +#endif + /* macroblock layer */ int mb_x, mb_y; int mb_skip_run; diff --git a/libavcodec/options.c b/libavcodec/options.c index 3117bbe1b5..fae1164c9b 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -127,6 +127,9 @@ static const AVOption options[]={ {"rc_strategy", "ratecontrol method", OFFSET(rc_strategy), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E}, {"b_strategy", "strategy to choose between I/P/B-frames", OFFSET(b_frame_strategy), FF_OPT_TYPE_INT, 0, INT_MIN, INT_MAX, V|E}, {"wpredp", "weighted prediction analysis method", OFFSET(weighted_p_pred), FF_OPT_TYPE_INT, 0, INT_MIN, INT_MAX, V|E}, +#if FF_API_HURRY_UP +{"hurry_up", "deprecated, use skip_idct/skip_frame instead", OFFSET(hurry_up), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|D}, +#endif {"ps", "rtp payload size in bytes", OFFSET(rtp_payload_size), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX, V|E}, {"mv_bits", NULL, OFFSET(mv_bits), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX}, {"header_bits", NULL, OFFSET(header_bits), FF_OPT_TYPE_INT, DEFAULT, INT_MIN, INT_MAX}, diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 6d4ee549cb..e0eea4b1f1 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -380,6 +380,9 @@ static void update_context_from_user(AVCodecContext *dst, AVCodecContext *src) dst->release_buffer = src->release_buffer; dst->opaque = src->opaque; +#if FF_API_HURRY_UP + dst->hurry_up = src->hurry_up; +#endif dst->dsp_mask = src->dsp_mask; dst->debug = src->debug; dst->debug_mv = src->debug_mv; diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index b11e84ea0b..32d8198eeb 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1454,10 +1454,19 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, } if((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) && si.type == FF_B_TYPE) return -1; +#if FF_API_HURRY_UP + /* skip b frames if we are in a hurry */ + if(avctx->hurry_up && si.type==FF_B_TYPE) return buf_size; +#endif if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==FF_B_TYPE) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) return buf_size; +#if FF_API_HURRY_UP + /* skip everything if we are in a hurry>=5 */ + if(avctx->hurry_up>=5) + return buf_size; +#endif for(i=0; ipict_type==FF_B_TYPE && s->last_picture_ptr==NULL) return buf_size; +#if FF_API_HURRY_UP + if(avctx->hurry_up && s->pict_type==FF_B_TYPE) return buf_size; +#endif if( (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type==FF_B_TYPE) ||(avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index ece514dc2e..c7119b975b 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -952,6 +952,14 @@ static int svq3_decode_frame(AVCodecContext *avctx, /* Skip B-frames if we do not have reference frames. */ if (s->last_picture_ptr == NULL && s->pict_type == FF_B_TYPE) return 0; +#if FF_API_HURRY_UP + /* Skip B-frames if we are in a hurry. */ + if (avctx->hurry_up && s->pict_type == FF_B_TYPE) + return 0; + /* Skip everything if we are in a hurry >= 5. */ + if (avctx->hurry_up >= 5) + return 0; +#endif if ( (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type == FF_B_TYPE) ||(avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type != FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index ddd59700fa..27695f184a 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3519,11 +3519,21 @@ static int vc1_decode_frame(AVCodecContext *avctx, if(s->last_picture_ptr==NULL && (s->pict_type==FF_B_TYPE || s->dropable)){ goto err; } +#if FF_API_HURRY_UP + /* skip b frames if we are in a hurry */ + if(avctx->hurry_up && s->pict_type==FF_B_TYPE) return -1;//buf_size; +#endif if( (avctx->skip_frame >= AVDISCARD_NONREF && s->pict_type==FF_B_TYPE) || (avctx->skip_frame >= AVDISCARD_NONKEY && s->pict_type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) { goto end; } +#if FF_API_HURRY_UP + /* skip everything if we are in a hurry>=5 */ + if(avctx->hurry_up>=5) { + goto err; + } +#endif if(s->next_p_frame_damaged){ if(s->pict_type==FF_B_TYPE) diff --git a/libavcodec/version.h b/libavcodec/version.h index 56c7a95b0c..9046632b94 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -71,6 +71,9 @@ #ifndef FF_API_OLD_AUDIOCONVERT #define FF_API_OLD_AUDIOCONVERT (LIBAVCODEC_VERSION_MAJOR < 54) #endif +#ifndef FF_API_HURRY_UP +#define FF_API_HURRY_UP (LIBAVCODEC_VERSION_MAJOR < 53) +#endif #ifndef FF_API_RATE_EMU #define FF_API_RATE_EMU (LIBAVCODEC_VERSION_MAJOR < 53) #endif From 66b1f210c024a08ba00e4a730e64940d248b8717 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2011 04:25:42 +0200 Subject: [PATCH 0006/1119] Revert "avio: Fix the deprecated fallback URL-prefixed open flags" This reverts commit 5b81e295931bad4dac0af29333b4e2a203b3f4d4. --- libavformat/avio.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/avio.h b/libavformat/avio.h index 23e099d3fb..9d805822d4 100644 --- a/libavformat/avio.h +++ b/libavformat/avio.h @@ -152,9 +152,9 @@ attribute_deprecated int url_poll(URLPollEntry *poll_table, int n, int timeout); * constants, optionally ORed with other flags. * @{ */ -#define URL_RDONLY 1 /**< read-only */ -#define URL_WRONLY 2 /**< write-only */ -#define URL_RDWR (URL_RDONLY|URL_WRONLY) /**< read-write */ +#define URL_RDONLY 0 /**< read-only */ +#define URL_WRONLY 1 /**< write-only */ +#define URL_RDWR 2 /**< read-write */ /** * @} */ From 33651e3edffcf404e7dce33395b31b1113e5d4b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 May 2011 19:38:46 +0200 Subject: [PATCH 0007/1119] Revert "lavc: remove the FF_API_VIDEO_OLD cruft." This reverts commit e89e5afdd04a0f081ecc38b528c1147f204027d7. Conflicts: libavcodec/utils.c libavcodec/version.h Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0c03c5224d..b169c9b9d1 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -736,6 +736,22 @@ static int64_t guess_correct_pts(AVCodecContext *ctx, return pts; } +#if FF_API_VIDEO_OLD +int attribute_align_arg avcodec_decode_video(AVCodecContext *avctx, AVFrame *picture, + int *got_picture_ptr, + const uint8_t *buf, int buf_size) +{ + AVPacket avpkt; + av_init_packet(&avpkt); + avpkt.data = buf; + avpkt.size = buf_size; + // HACK for CorePNG to decode as normal PNG by default + avpkt.flags = AV_PKT_FLAG_KEY; + + return avcodec_decode_video2(avctx, picture, got_picture_ptr, &avpkt); +} +#endif + int attribute_align_arg avcodec_decode_video2(AVCodecContext *avctx, AVFrame *picture, int *got_picture_ptr, AVPacket *avpkt) From 788c313b5091d47aa801fc64f62e971c5b38e140 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jun 2011 05:47:44 +0200 Subject: [PATCH 0008/1119] swscale: revert ABI breaking long->int chnage that touch public ABI Signed-off-by: Michael Niedermayer --- libswscale/swscale.h | 4 ++-- libswscale/swscale_unscaled.c | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/swscale.h b/libswscale/swscale.h index 4bb2dfcf28..2252e513b4 100644 --- a/libswscale/swscale.h +++ b/libswscale/swscale.h @@ -354,7 +354,7 @@ struct SwsContext *sws_getCachedContext(struct SwsContext *context, * @param num_pixels number of pixels to convert * @param palette array with [256] entries, which must match color arrangement (RGB or BGR) of src */ -void sws_convertPalette8ToPacked32(const uint8_t *src, uint8_t *dst, int num_pixels, const uint8_t *palette); +void sws_convertPalette8ToPacked32(const uint8_t *src, uint8_t *dst, long num_pixels, const uint8_t *palette); /** * Converts an 8bit paletted frame into a frame with a color depth of 24 bits. @@ -366,7 +366,7 @@ void sws_convertPalette8ToPacked32(const uint8_t *src, uint8_t *dst, int num_pix * @param num_pixels number of pixels to convert * @param palette array with [256] entries, which must match color arrangement (RGB or BGR) of src */ -void sws_convertPalette8ToPacked24(const uint8_t *src, uint8_t *dst, int num_pixels, const uint8_t *palette); +void sws_convertPalette8ToPacked24(const uint8_t *src, uint8_t *dst, long num_pixels, const uint8_t *palette); #endif /* SWSCALE_SWSCALE_H */ diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index e0c4b25846..e17de2b206 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -182,14 +182,14 @@ static int uyvyToYuv422Wrapper(SwsContext *c, const uint8_t* src[], int srcStrid return srcSliceH; } -static void gray8aToPacked32(const uint8_t *src, uint8_t *dst, int num_pixels, const uint8_t *palette) +static void gray8aToPacked32(const uint8_t *src, uint8_t *dst, long num_pixels, const uint8_t *palette) { int i; for (i=0; isrcFormat; const enum PixelFormat dstFormat= c->dstFormat; - void (*conv)(const uint8_t *src, uint8_t *dst, int num_pixels, + void (*conv)(const uint8_t *src, uint8_t *dst, long num_pixels, const uint8_t *palette)=NULL; int i; uint8_t *dstPtr= dst[0] + dstStride[0]*srcSliceY; @@ -826,7 +826,7 @@ int sws_scale_ordered(SwsContext *c, const uint8_t* const src[], int srcStride[] #endif /* Convert the palette to the same packed 32-bit format as the palette */ -void sws_convertPalette8ToPacked32(const uint8_t *src, uint8_t *dst, int num_pixels, const uint8_t *palette) +void sws_convertPalette8ToPacked32(const uint8_t *src, uint8_t *dst, long num_pixels, const uint8_t *palette) { int i; @@ -835,7 +835,7 @@ void sws_convertPalette8ToPacked32(const uint8_t *src, uint8_t *dst, int num_pix } /* Palette format: ABCD -> dst format: ABC */ -void sws_convertPalette8ToPacked24(const uint8_t *src, uint8_t *dst, int num_pixels, const uint8_t *palette) +void sws_convertPalette8ToPacked24(const uint8_t *src, uint8_t *dst, long num_pixels, const uint8_t *palette) { int i; From 082b4f8348c6d8fc110969692c2a2ccf81f4e20c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jun 2011 06:26:38 +0200 Subject: [PATCH 0009/1119] swscale: undo version upgrade that git merged in and that i missed Signed-off-by: Michael Niedermayer --- libswscale/swscale.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/swscale.h b/libswscale/swscale.h index 2252e513b4..006118a5a1 100644 --- a/libswscale/swscale.h +++ b/libswscale/swscale.h @@ -29,9 +29,9 @@ #include "libavutil/avutil.h" -#define LIBSWSCALE_VERSION_MAJOR 2 -#define LIBSWSCALE_VERSION_MINOR 0 -#define LIBSWSCALE_VERSION_MICRO 0 +#define LIBSWSCALE_VERSION_MAJOR 0 +#define LIBSWSCALE_VERSION_MINOR 14 +#define LIBSWSCALE_VERSION_MICRO 1 #define LIBSWSCALE_VERSION_INT AV_VERSION_INT(LIBSWSCALE_VERSION_MAJOR, \ LIBSWSCALE_VERSION_MINOR, \ From 44e83d0c976dd098455173877fc22b57ed212bed Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 9 Jun 2011 10:58:23 +0200 Subject: [PATCH 0010/1119] ffplay: use new avformat_open_* API. --- ffplay.c | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/ffplay.c b/ffplay.c index 96a8517b98..8788771491 100644 --- a/ffplay.c +++ b/ffplay.c @@ -27,6 +27,7 @@ #include "libavutil/colorspace.h" #include "libavutil/pixdesc.h" #include "libavutil/imgutils.h" +#include "libavutil/dict.h" #include "libavutil/parseutils.h" #include "libavutil/samplefmt.h" #include "libavutil/avassert.h" @@ -2295,15 +2296,13 @@ static int decode_interrupt_cb(void) static int read_thread(void *arg) { VideoState *is = arg; - AVFormatContext *ic; + AVFormatContext *ic = NULL; int err, i, ret; int st_index[AVMEDIA_TYPE_NB]; AVPacket pkt1, *pkt = &pkt1; - AVFormatParameters params, *ap = ¶ms; int eof=0; int pkt_in_play_range = 0; - - ic = avformat_alloc_context(); + AVDictionaryEntry *t; memset(st_index, -1, sizeof(st_index)); is->video_stream = -1; @@ -2313,30 +2312,17 @@ static int read_thread(void *arg) global_video_state = is; avio_set_interrupt_cb(decode_interrupt_cb); - memset(ap, 0, sizeof(*ap)); - - ap->prealloced_context = 1; - ap->width = frame_width; - ap->height= frame_height; - ap->time_base= (AVRational){1, 25}; - ap->pix_fmt = frame_pix_fmt; - ic->flags |= AVFMT_FLAG_PRIV_OPT; - - - err = av_open_input_file(&ic, is->filename, is->iformat, 0, ap); - if (err >= 0) { - set_context_opts(ic, avformat_opts, AV_OPT_FLAG_DECODING_PARAM, NULL); - err = av_demuxer_open(ic, ap); - if(err < 0){ - avformat_free_context(ic); - ic= NULL; - } - } + err = avformat_open_input(&ic, is->filename, is->iformat, &format_opts); if (err < 0) { print_error(is->filename, err); ret = -1; goto fail; } + if ((t = av_dict_get(format_opts, "", NULL, AV_DICT_IGNORE_SUFFIX))) { + av_log(NULL, AV_LOG_ERROR, "Option %s not found.\n", t->key); + ret = AVERROR_OPTION_NOT_FOUND; + goto fail; + } is->ic = ic; if(genpts) From 680e47364386038c5039345ef2d9fe6947191a12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Wed, 22 Jun 2011 10:33:01 +0200 Subject: [PATCH 0011/1119] vf_mp: do not add duplicated pixel formats. This avoid a crash with in avfilter_merge_formats() in case one of the filter formats list has multiple time the same entry. Thanks to Mina Nagy Zaki for helping figuring out the issue. --- libavfilter/vf_mp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mp.c b/libavfilter/vf_mp.c index 36616b9c94..9e413b4776 100644 --- a/libavfilter/vf_mp.c +++ b/libavfilter/vf_mp.c @@ -41,6 +41,7 @@ //FIXME maybe link the orig in +//XXX: identical pix_fmt must be following with each others static const struct { int fmt; enum PixelFormat pix_fmt; @@ -785,13 +786,17 @@ static int query_formats(AVFilterContext *ctx) { AVFilterFormats *avfmts=NULL; MPContext *m = ctx->priv; + enum PixelFormat lastpixfmt = PIX_FMT_NONE; int i; for(i=0; conversion_map[i].fmt; i++){ av_log(ctx, AV_LOG_DEBUG, "query: %X\n", conversion_map[i].fmt); if(m->vf.query_format(&m->vf, conversion_map[i].fmt)){ av_log(ctx, AV_LOG_DEBUG, "supported,adding\n"); - avfilter_add_format(&avfmts, conversion_map[i].pix_fmt); + if (conversion_map[i].pix_fmt != lastpixfmt) { + avfilter_add_format(&avfmts, conversion_map[i].pix_fmt); + lastpixfmt = conversion_map[i].pix_fmt; + } } } From 0b5c2612126773c5c8eb0c0defb77d5310cc93c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jun 2011 20:24:02 +0200 Subject: [PATCH 0012/1119] set for next release of 0.8 Signed-off-by: Michael Niedermayer --- VERSION | 1 + 1 file changed, 1 insertion(+) create mode 100644 VERSION diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000..6f4eebdf6f --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.8.1 From 3fedb3e65c6595c4fd78b03ed9b0d83cf257062c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 22 Jun 2011 18:25:49 +0200 Subject: [PATCH 0013/1119] Revert needless API change in 05e84c95. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When providing a custom AVIOContex for a AVFMT_NOFILE format only print a warning instead of erroring out. This allows the code to work with older MPlayer versions that just always set pb out of laziness. Signed-off-by: Reimar Döffinger --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index aebf8f68c0..b610276844 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -661,7 +661,8 @@ static int init_input(AVFormatContext *s, const char *filename) if (!s->iformat) return av_probe_input_buffer(s->pb, &s->iformat, filename, s, 0, 0); else if (s->iformat->flags & AVFMT_NOFILE) - return AVERROR(EINVAL); + av_log(s, AV_LOG_WARNING, "Custom AVIOContext makes no sense and " + "will be ignored with AVFMT_NOFILE format.\n"); return 0; } From e845455225110f679127f6a6aa0cac1862789197 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 9 Jun 2011 10:58:23 +0200 Subject: [PATCH 0014/1119] ffplay: use new avformat_open_* API. (cherry picked from commit 44e83d0c976dd098455173877fc22b57ed212bed) --- ffplay.c | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/ffplay.c b/ffplay.c index 164757cfea..c41709674f 100644 --- a/ffplay.c +++ b/ffplay.c @@ -27,6 +27,7 @@ #include "libavutil/colorspace.h" #include "libavutil/pixdesc.h" #include "libavutil/imgutils.h" +#include "libavutil/dict.h" #include "libavutil/parseutils.h" #include "libavutil/samplefmt.h" #include "libavutil/avassert.h" @@ -2295,15 +2296,13 @@ static int decode_interrupt_cb(void) static int read_thread(void *arg) { VideoState *is = arg; - AVFormatContext *ic; + AVFormatContext *ic = NULL; int err, i, ret; int st_index[AVMEDIA_TYPE_NB]; AVPacket pkt1, *pkt = &pkt1; - AVFormatParameters params, *ap = ¶ms; int eof=0; int pkt_in_play_range = 0; - - ic = avformat_alloc_context(); + AVDictionaryEntry *t; memset(st_index, -1, sizeof(st_index)); is->video_stream = -1; @@ -2313,30 +2312,17 @@ static int read_thread(void *arg) global_video_state = is; avio_set_interrupt_cb(decode_interrupt_cb); - memset(ap, 0, sizeof(*ap)); - - ap->prealloced_context = 1; - ap->width = frame_width; - ap->height= frame_height; - ap->time_base= (AVRational){1, 25}; - ap->pix_fmt = frame_pix_fmt; - ic->flags |= AVFMT_FLAG_PRIV_OPT; - - - err = av_open_input_file(&ic, is->filename, is->iformat, 0, ap); - if (err >= 0) { - set_context_opts(ic, avformat_opts, AV_OPT_FLAG_DECODING_PARAM, NULL); - err = av_demuxer_open(ic, ap); - if(err < 0){ - avformat_free_context(ic); - ic= NULL; - } - } + err = avformat_open_input(&ic, is->filename, is->iformat, &format_opts); if (err < 0) { print_error(is->filename, err); ret = -1; goto fail; } + if ((t = av_dict_get(format_opts, "", NULL, AV_DICT_IGNORE_SUFFIX))) { + av_log(NULL, AV_LOG_ERROR, "Option %s not found.\n", t->key); + ret = AVERROR_OPTION_NOT_FOUND; + goto fail; + } is->ic = ic; if(genpts) From 07f5da61289cd1bfb552ea276368b4cc7a2f010a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Wed, 22 Jun 2011 10:33:01 +0200 Subject: [PATCH 0015/1119] vf_mp: do not add duplicated pixel formats. This avoid a crash with in avfilter_merge_formats() in case one of the filter formats list has multiple time the same entry. Thanks to Mina Nagy Zaki for helping figuring out the issue. (cherry picked from commit 680e47364386038c5039345ef2d9fe6947191a12) --- libavfilter/vf_mp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mp.c b/libavfilter/vf_mp.c index 36616b9c94..9e413b4776 100644 --- a/libavfilter/vf_mp.c +++ b/libavfilter/vf_mp.c @@ -41,6 +41,7 @@ //FIXME maybe link the orig in +//XXX: identical pix_fmt must be following with each others static const struct { int fmt; enum PixelFormat pix_fmt; @@ -785,13 +786,17 @@ static int query_formats(AVFilterContext *ctx) { AVFilterFormats *avfmts=NULL; MPContext *m = ctx->priv; + enum PixelFormat lastpixfmt = PIX_FMT_NONE; int i; for(i=0; conversion_map[i].fmt; i++){ av_log(ctx, AV_LOG_DEBUG, "query: %X\n", conversion_map[i].fmt); if(m->vf.query_format(&m->vf, conversion_map[i].fmt)){ av_log(ctx, AV_LOG_DEBUG, "supported,adding\n"); - avfilter_add_format(&avfmts, conversion_map[i].pix_fmt); + if (conversion_map[i].pix_fmt != lastpixfmt) { + avfilter_add_format(&avfmts, conversion_map[i].pix_fmt); + lastpixfmt = conversion_map[i].pix_fmt; + } } } From e82ddde05aaab76984fb8795848afc9125a0fc01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jun 2011 23:19:34 +0200 Subject: [PATCH 0016/1119] set VERSION for 0.7.1 Signed-off-by: Michael Niedermayer --- VERSION | 1 + 1 file changed, 1 insertion(+) create mode 100644 VERSION diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000..39e898a4f9 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.7.1 From 82b2dd5ee483c46c7ab26c0ead33b89594c9f6c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jun 2011 23:21:19 +0200 Subject: [PATCH 0017/1119] release_notes: update for 0.7.1 Signed-off-by: Michael Niedermayer --- doc/RELEASE_NOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/RELEASE_NOTES b/doc/RELEASE_NOTES index 7861bfd4bc..536ef39f08 100644 --- a/doc/RELEASE_NOTES +++ b/doc/RELEASE_NOTES @@ -2,7 +2,7 @@ Release Notes ============= * 0.8 "Love" June, 2011 -* 0.7 "Peace" June, 2011 (identical to 0.8 but using 0.6 ABI/API) +* 0.7.1 "Peace" June, 2011 (identical to 0.8 but using 0.6 ABI/API) General notes From 26f732e21df7f79dbff040737b6030fd9a5ada11 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 21 Jun 2011 01:10:37 -0700 Subject: [PATCH 0018/1119] H.264: reference the correct SPS in decode_scaling_matrices (cherry picked from commit 85a88f9c0c0fcc2fc48121db1beb5ada68d24bdc) --- libavcodec/h264_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index ddfe1d2c64..75a0af7fff 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -281,12 +281,12 @@ static void decode_scaling_matrices(H264Context *h, SPS *sps, PPS *pps, int is_s decode_scaling_list(h,scaling_matrix4[5],16,default_scaling4[1],scaling_matrix4[4]); // Inter, Cb if(is_sps || pps->transform_8x8_mode){ decode_scaling_list(h,scaling_matrix8[0],64,default_scaling8[0],fallback[2]); // Intra, Y - if(h->sps.chroma_format_idc == 3){ + if(sps->chroma_format_idc == 3){ decode_scaling_list(h,scaling_matrix8[1],64,default_scaling8[0],scaling_matrix8[0]); // Intra, Cr decode_scaling_list(h,scaling_matrix8[2],64,default_scaling8[0],scaling_matrix8[1]); // Intra, Cb } decode_scaling_list(h,scaling_matrix8[3],64,default_scaling8[1],fallback[3]); // Inter, Y - if(h->sps.chroma_format_idc == 3){ + if(sps->chroma_format_idc == 3){ decode_scaling_list(h,scaling_matrix8[4],64,default_scaling8[1],scaling_matrix8[3]); // Inter, Cr decode_scaling_list(h,scaling_matrix8[5],64,default_scaling8[1],scaling_matrix8[4]); // Inter, Cb } From f84c349b3b765f8d5c7a79a69ef9f8bb23cbfd83 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 21 Jun 2011 04:16:33 -0700 Subject: [PATCH 0019/1119] H.264: fix 4:4:4 cropping warning (cherry picked from commit 932db250243812380640112fd27a59bc0642bc8a) --- libavcodec/h264_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 75a0af7fff..61fb12ce0c 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -396,6 +396,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ #endif sps->crop= get_bits1(&s->gb); if(sps->crop){ + int crop_limit = sps->chroma_format_idc == 3 ? 16 : 8; sps->crop_left = get_ue_golomb(&s->gb); sps->crop_right = get_ue_golomb(&s->gb); sps->crop_top = get_ue_golomb(&s->gb); @@ -403,7 +404,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->crop_left || sps->crop_top){ av_log(h->s.avctx, AV_LOG_ERROR, "insane cropping not completely supported, this could look slightly wrong ...\n"); } - if(sps->crop_right >= (8<crop_bottom >= (8<crop_right >= crop_limit || sps->crop_bottom >= crop_limit){ av_log(h->s.avctx, AV_LOG_ERROR, "brainfart cropping not supported, this could look slightly wrong ...\n"); } }else{ From 7a6e47b99dfa669fa108058868ba06263e78f801 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Wed, 22 Jun 2011 02:05:14 -0700 Subject: [PATCH 0020/1119] H.264: fix 4:4:4 + deblocking + MBAFF (cherry picked from commit 7c9079ab4cf0bcf34103fc9c5e49ec1fd7dd390c) --- libavcodec/h264.c | 4 ++-- libavcodec/h264_loopfilter.c | 30 ++++++++++++++++++++++-------- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 419f7c5b84..3b7ed58933 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3303,8 +3303,8 @@ static void loop_filter(H264Context *h, int start_x, int end_x){ uvlinesize = h->mb_uvlinesize = s->uvlinesize * 2; if(mb_y&1){ //FIXME move out of this function? dest_y -= s->linesize*15; - dest_cb-= s->uvlinesize*7; - dest_cr-= s->uvlinesize*7; + dest_cb-= s->uvlinesize*((8 << CHROMA444)-1); + dest_cr-= s->uvlinesize*((8 << CHROMA444)-1); } } else { linesize = h->mb_linesize = s->linesize; diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index fd1fb5f662..7a4c621c69 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -663,19 +663,33 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint filter_mb_mbaff_edgev ( h, img_y , linesize, bS , 1, qp [0] ); filter_mb_mbaff_edgev ( h, img_y + 8* linesize, linesize, bS+4, 1, qp [1] ); if (chroma){ - filter_mb_mbaff_edgecv( h, img_cb, uvlinesize, bS , 1, bqp[0] ); - filter_mb_mbaff_edgecv( h, img_cb + 4*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); - filter_mb_mbaff_edgecv( h, img_cr, uvlinesize, bS , 1, rqp[0] ); - filter_mb_mbaff_edgecv( h, img_cr + 4*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + if (CHROMA444) { + filter_mb_mbaff_edgev ( h, img_cb, uvlinesize, bS , 1, bqp[0] ); + filter_mb_mbaff_edgev ( h, img_cb + 8*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); + filter_mb_mbaff_edgev ( h, img_cr, uvlinesize, bS , 1, rqp[0] ); + filter_mb_mbaff_edgev ( h, img_cr + 8*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + }else{ + filter_mb_mbaff_edgecv( h, img_cb, uvlinesize, bS , 1, bqp[0] ); + filter_mb_mbaff_edgecv( h, img_cb + 4*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); + filter_mb_mbaff_edgecv( h, img_cr, uvlinesize, bS , 1, rqp[0] ); + filter_mb_mbaff_edgecv( h, img_cr + 4*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + } } }else{ filter_mb_mbaff_edgev ( h, img_y , 2* linesize, bS , 2, qp [0] ); filter_mb_mbaff_edgev ( h, img_y + linesize, 2* linesize, bS+1, 2, qp [1] ); if (chroma){ - filter_mb_mbaff_edgecv( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); - filter_mb_mbaff_edgecv( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); - filter_mb_mbaff_edgecv( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); - filter_mb_mbaff_edgecv( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + if (CHROMA444) { + filter_mb_mbaff_edgev ( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); + filter_mb_mbaff_edgev ( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); + filter_mb_mbaff_edgev ( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); + filter_mb_mbaff_edgev ( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + }else{ + filter_mb_mbaff_edgecv( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); + filter_mb_mbaff_edgecv( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); + filter_mb_mbaff_edgecv( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); + filter_mb_mbaff_edgecv( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + } } } } From b7b61ff6a31d4ffa1fb9a0ebeb1579d84c01c0b7 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Wed, 22 Jun 2011 02:34:02 -0700 Subject: [PATCH 0021/1119] H.264: fix 4:4:4 + deblocking + 8x8dct + cavlc + MBAFF (cherry picked from commit 2702a6f114f996ddfb334f1d8ddfae50e2c7eef7) --- libavcodec/h264_loopfilter.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index 7a4c621c69..46abc54c49 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -393,10 +393,10 @@ static av_always_inline void filter_mb_dir(H264Context *h, int mb_x, int mb_y, u AV_WN64A(bS, 0x0003000300030003ULL); } else { if(!CABAC && IS_8x8DCT(s->current_picture.mb_type[mbn_xy])){ - bS[0]= 1+((h->cbp_table[mbn_xy] & 4)||h->non_zero_count_cache[scan8[0]+0]); - bS[1]= 1+((h->cbp_table[mbn_xy] & 4)||h->non_zero_count_cache[scan8[0]+1]); - bS[2]= 1+((h->cbp_table[mbn_xy] & 8)||h->non_zero_count_cache[scan8[0]+2]); - bS[3]= 1+((h->cbp_table[mbn_xy] & 8)||h->non_zero_count_cache[scan8[0]+3]); + bS[0]= 1+((h->cbp_table[mbn_xy] & 0x4000)||h->non_zero_count_cache[scan8[0]+0]); + bS[1]= 1+((h->cbp_table[mbn_xy] & 0x4000)||h->non_zero_count_cache[scan8[0]+1]); + bS[2]= 1+((h->cbp_table[mbn_xy] & 0x8000)||h->non_zero_count_cache[scan8[0]+2]); + bS[3]= 1+((h->cbp_table[mbn_xy] & 0x8000)||h->non_zero_count_cache[scan8[0]+3]); }else{ const uint8_t *mbn_nnz = h->non_zero_count[mbn_xy] + 3*4; int i; @@ -635,7 +635,7 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint else{ bS[i] = 1 + !!(h->non_zero_count_cache[12+8*(i>>1)] | ((!h->pps.cabac && IS_8x8DCT(mbn_type)) ? - (h->cbp_table[mbn_xy] & ((MB_FIELD ? (i&2) : (mb_y&1)) ? 8 : 2)) + (h->cbp_table[mbn_xy] & (((MB_FIELD ? (i&2) : (mb_y&1)) ? 8 : 2) << 12)) : h->non_zero_count[mbn_xy][ off[i] ])); } From 4db2b966be1274983f1af189cce84cabfdab0f49 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 21 Jun 2011 01:10:37 -0700 Subject: [PATCH 0022/1119] H.264: reference the correct SPS in decode_scaling_matrices (cherry picked from commit 85a88f9c0c0fcc2fc48121db1beb5ada68d24bdc) --- libavcodec/h264_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index ddfe1d2c64..75a0af7fff 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -281,12 +281,12 @@ static void decode_scaling_matrices(H264Context *h, SPS *sps, PPS *pps, int is_s decode_scaling_list(h,scaling_matrix4[5],16,default_scaling4[1],scaling_matrix4[4]); // Inter, Cb if(is_sps || pps->transform_8x8_mode){ decode_scaling_list(h,scaling_matrix8[0],64,default_scaling8[0],fallback[2]); // Intra, Y - if(h->sps.chroma_format_idc == 3){ + if(sps->chroma_format_idc == 3){ decode_scaling_list(h,scaling_matrix8[1],64,default_scaling8[0],scaling_matrix8[0]); // Intra, Cr decode_scaling_list(h,scaling_matrix8[2],64,default_scaling8[0],scaling_matrix8[1]); // Intra, Cb } decode_scaling_list(h,scaling_matrix8[3],64,default_scaling8[1],fallback[3]); // Inter, Y - if(h->sps.chroma_format_idc == 3){ + if(sps->chroma_format_idc == 3){ decode_scaling_list(h,scaling_matrix8[4],64,default_scaling8[1],scaling_matrix8[3]); // Inter, Cr decode_scaling_list(h,scaling_matrix8[5],64,default_scaling8[1],scaling_matrix8[4]); // Inter, Cb } From 0820593e645aa0e4527752c17c9404e44042e809 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 21 Jun 2011 04:16:33 -0700 Subject: [PATCH 0023/1119] H.264: fix 4:4:4 cropping warning (cherry picked from commit 932db250243812380640112fd27a59bc0642bc8a) --- libavcodec/h264_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 75a0af7fff..61fb12ce0c 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -396,6 +396,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ #endif sps->crop= get_bits1(&s->gb); if(sps->crop){ + int crop_limit = sps->chroma_format_idc == 3 ? 16 : 8; sps->crop_left = get_ue_golomb(&s->gb); sps->crop_right = get_ue_golomb(&s->gb); sps->crop_top = get_ue_golomb(&s->gb); @@ -403,7 +404,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->crop_left || sps->crop_top){ av_log(h->s.avctx, AV_LOG_ERROR, "insane cropping not completely supported, this could look slightly wrong ...\n"); } - if(sps->crop_right >= (8<crop_bottom >= (8<crop_right >= crop_limit || sps->crop_bottom >= crop_limit){ av_log(h->s.avctx, AV_LOG_ERROR, "brainfart cropping not supported, this could look slightly wrong ...\n"); } }else{ From a3589cce81340989247c4c3bf5baa5a8388b6fce Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Wed, 22 Jun 2011 02:05:14 -0700 Subject: [PATCH 0024/1119] H.264: fix 4:4:4 + deblocking + MBAFF (cherry picked from commit 7c9079ab4cf0bcf34103fc9c5e49ec1fd7dd390c) --- libavcodec/h264.c | 4 ++-- libavcodec/h264_loopfilter.c | 30 ++++++++++++++++++++++-------- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 5170a559b0..87120693d4 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3303,8 +3303,8 @@ static void loop_filter(H264Context *h, int start_x, int end_x){ uvlinesize = h->mb_uvlinesize = s->uvlinesize * 2; if(mb_y&1){ //FIXME move out of this function? dest_y -= s->linesize*15; - dest_cb-= s->uvlinesize*7; - dest_cr-= s->uvlinesize*7; + dest_cb-= s->uvlinesize*((8 << CHROMA444)-1); + dest_cr-= s->uvlinesize*((8 << CHROMA444)-1); } } else { linesize = h->mb_linesize = s->linesize; diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index fd1fb5f662..7a4c621c69 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -663,19 +663,33 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint filter_mb_mbaff_edgev ( h, img_y , linesize, bS , 1, qp [0] ); filter_mb_mbaff_edgev ( h, img_y + 8* linesize, linesize, bS+4, 1, qp [1] ); if (chroma){ - filter_mb_mbaff_edgecv( h, img_cb, uvlinesize, bS , 1, bqp[0] ); - filter_mb_mbaff_edgecv( h, img_cb + 4*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); - filter_mb_mbaff_edgecv( h, img_cr, uvlinesize, bS , 1, rqp[0] ); - filter_mb_mbaff_edgecv( h, img_cr + 4*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + if (CHROMA444) { + filter_mb_mbaff_edgev ( h, img_cb, uvlinesize, bS , 1, bqp[0] ); + filter_mb_mbaff_edgev ( h, img_cb + 8*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); + filter_mb_mbaff_edgev ( h, img_cr, uvlinesize, bS , 1, rqp[0] ); + filter_mb_mbaff_edgev ( h, img_cr + 8*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + }else{ + filter_mb_mbaff_edgecv( h, img_cb, uvlinesize, bS , 1, bqp[0] ); + filter_mb_mbaff_edgecv( h, img_cb + 4*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); + filter_mb_mbaff_edgecv( h, img_cr, uvlinesize, bS , 1, rqp[0] ); + filter_mb_mbaff_edgecv( h, img_cr + 4*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + } } }else{ filter_mb_mbaff_edgev ( h, img_y , 2* linesize, bS , 2, qp [0] ); filter_mb_mbaff_edgev ( h, img_y + linesize, 2* linesize, bS+1, 2, qp [1] ); if (chroma){ - filter_mb_mbaff_edgecv( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); - filter_mb_mbaff_edgecv( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); - filter_mb_mbaff_edgecv( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); - filter_mb_mbaff_edgecv( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + if (CHROMA444) { + filter_mb_mbaff_edgev ( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); + filter_mb_mbaff_edgev ( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); + filter_mb_mbaff_edgev ( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); + filter_mb_mbaff_edgev ( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + }else{ + filter_mb_mbaff_edgecv( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); + filter_mb_mbaff_edgecv( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); + filter_mb_mbaff_edgecv( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); + filter_mb_mbaff_edgecv( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + } } } } From 523b57b331432cce81986ee1fd8370e78655c4f2 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Wed, 22 Jun 2011 02:34:02 -0700 Subject: [PATCH 0025/1119] H.264: fix 4:4:4 + deblocking + 8x8dct + cavlc + MBAFF (cherry picked from commit 2702a6f114f996ddfb334f1d8ddfae50e2c7eef7) --- libavcodec/h264_loopfilter.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index 7a4c621c69..46abc54c49 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -393,10 +393,10 @@ static av_always_inline void filter_mb_dir(H264Context *h, int mb_x, int mb_y, u AV_WN64A(bS, 0x0003000300030003ULL); } else { if(!CABAC && IS_8x8DCT(s->current_picture.mb_type[mbn_xy])){ - bS[0]= 1+((h->cbp_table[mbn_xy] & 4)||h->non_zero_count_cache[scan8[0]+0]); - bS[1]= 1+((h->cbp_table[mbn_xy] & 4)||h->non_zero_count_cache[scan8[0]+1]); - bS[2]= 1+((h->cbp_table[mbn_xy] & 8)||h->non_zero_count_cache[scan8[0]+2]); - bS[3]= 1+((h->cbp_table[mbn_xy] & 8)||h->non_zero_count_cache[scan8[0]+3]); + bS[0]= 1+((h->cbp_table[mbn_xy] & 0x4000)||h->non_zero_count_cache[scan8[0]+0]); + bS[1]= 1+((h->cbp_table[mbn_xy] & 0x4000)||h->non_zero_count_cache[scan8[0]+1]); + bS[2]= 1+((h->cbp_table[mbn_xy] & 0x8000)||h->non_zero_count_cache[scan8[0]+2]); + bS[3]= 1+((h->cbp_table[mbn_xy] & 0x8000)||h->non_zero_count_cache[scan8[0]+3]); }else{ const uint8_t *mbn_nnz = h->non_zero_count[mbn_xy] + 3*4; int i; @@ -635,7 +635,7 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint else{ bS[i] = 1 + !!(h->non_zero_count_cache[12+8*(i>>1)] | ((!h->pps.cabac && IS_8x8DCT(mbn_type)) ? - (h->cbp_table[mbn_xy] & ((MB_FIELD ? (i&2) : (mb_y&1)) ? 8 : 2)) + (h->cbp_table[mbn_xy] & (((MB_FIELD ? (i&2) : (mb_y&1)) ? 8 : 2) << 12)) : h->non_zero_count[mbn_xy][ off[i] ])); } From 403eee165c7763c56ba8b51ad91b4b6cf0811b40 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 21 Jun 2011 01:11:28 +0200 Subject: [PATCH 0026/1119] h264: Fix assert that failed to compile with -DDEBUG. The assert referenced a variable that no longer exists since 4:4:4 support. (cherry picked from commit 6371ce4b0f0535a7f576b8f109d35345e3d11d7d) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index dc4acb8379..13a63809a0 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1682,7 +1682,7 @@ static av_always_inline void hl_decode_mb_predict_luma(H264Context *h, int mb_ty uint64_t tr_high; if(dir == DIAG_DOWN_LEFT_PRED || dir == VERT_LEFT_PRED){ const int topright_avail= (h->topright_samples_available<mb_y || linesize <= block_offset[i]); if(!topright_avail){ if (pixel_shift) { tr_high= ((uint16_t*)ptr)[3 - linesize/2]*0x0001000100010001ULL; From 6cef3ddbdc354799bc30711766a98ff9082332c6 Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Mon, 25 Apr 2011 00:20:27 +0200 Subject: [PATCH 0027/1119] rawvideo: Support auv2 fourcc. (cherry picked from commit d352df093169f39631f1ec0017a3f186ef85f83c) Signed-off-by: Reinhard Tartler --- libavcodec/raw.c | 1 + libavformat/riff.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libavcodec/raw.c b/libavcodec/raw.c index 7d92aba4a7..bc7c1561e7 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c @@ -61,6 +61,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { PIX_FMT_UYVY422, MKTAG('A', 'V', '1', 'x') }, /* Avid 1:1x */ { PIX_FMT_UYVY422, MKTAG('A', 'V', 'u', 'p') }, { PIX_FMT_UYVY422, MKTAG('V', 'D', 'T', 'Z') }, /* SoftLab-NSK VideoTizer */ + { PIX_FMT_UYVY422, MKTAG('a', 'u', 'v', '2') }, { PIX_FMT_UYYVYY411, MKTAG('Y', '4', '1', '1') }, { PIX_FMT_GRAY8, MKTAG('G', 'R', 'E', 'Y') }, { PIX_FMT_NV12, MKTAG('N', 'V', '1', '2') }, diff --git a/libavformat/riff.c b/libavformat/riff.c index fe6cc55055..756fc57f01 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -180,6 +180,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_RAWVIDEO, MKTAG('Y', '4', '2', 'B') }, { CODEC_ID_RAWVIDEO, MKTAG('Y', 'U', 'V', '9') }, { CODEC_ID_RAWVIDEO, MKTAG('Y', 'V', 'U', '9') }, + { CODEC_ID_RAWVIDEO, MKTAG('a', 'u', 'v', '2') }, { CODEC_ID_FRWU, MKTAG('F', 'R', 'W', 'U') }, { CODEC_ID_R10K, MKTAG('R', '1', '0', 'k') }, { CODEC_ID_R210, MKTAG('r', '2', '1', '0') }, From 137838945fc355207234a0cc846e23d4996bfcc1 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 25 Apr 2011 00:27:03 +0200 Subject: [PATCH 0028/1119] riff: Add M263, XVIX, MMJP, CDV5 fourccs. (cherry picked from commit 682a20114e9ee0272be764c68dc1cf251ff083da) Signed-off-by: Reinhard Tartler --- libavformat/riff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 756fc57f01..95e08b28a8 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -40,6 +40,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_H263, MKTAG('L', '2', '6', '3') }, { CODEC_ID_H263, MKTAG('V', 'X', '1', 'K') }, { CODEC_ID_H263, MKTAG('Z', 'y', 'G', 'o') }, + { CODEC_ID_H263, MKTAG('M', '2', '6', '3') }, { CODEC_ID_H263P, MKTAG('H', '2', '6', '3') }, { CODEC_ID_H263I, MKTAG('I', '2', '6', '3') }, /* intel h263 */ { CODEC_ID_H261, MKTAG('H', '2', '6', '1') }, @@ -83,6 +84,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_MPEG4, MKTAG('U', 'L', 'D', 'X') }, { CODEC_ID_MPEG4, MKTAG('G', 'E', 'O', 'V') }, { CODEC_ID_MPEG4, MKTAG('S', 'I', 'P', 'P') }, /* Samsung SHR-6040 */ + { CODEC_ID_MPEG4, MKTAG('X', 'V', 'I', 'X') }, { CODEC_ID_MSMPEG4V3, MKTAG('M', 'P', '4', '3') }, { CODEC_ID_MSMPEG4V3, MKTAG('D', 'I', 'V', '3') }, { CODEC_ID_MSMPEG4V3, MKTAG('M', 'P', 'G', '3') }, @@ -107,6 +109,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_DVVIDEO, MKTAG('d', 'v', '5', '0') }, { CODEC_ID_DVVIDEO, MKTAG('c', 'd', 'v', 'c') }, /* Canopus DV */ { CODEC_ID_DVVIDEO, MKTAG('C', 'D', 'V', 'H') }, /* Canopus DV */ + { CODEC_ID_DVVIDEO, MKTAG('C', 'D', 'V', '5') }, /* Canopus DV */ { CODEC_ID_DVVIDEO, MKTAG('d', 'v', 'c', ' ') }, { CODEC_ID_DVVIDEO, MKTAG('d', 'v', 'c', 's') }, { CODEC_ID_DVVIDEO, MKTAG('d', 'v', 'h', '1') }, @@ -148,6 +151,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_MJPEG, MKTAG('A', 'V', 'I', '2') }, { CODEC_ID_MJPEG, MKTAG('M', 'T', 'S', 'J') }, { CODEC_ID_MJPEG, MKTAG('Z', 'J', 'P', 'G') }, /* Paradigm Matrix M-JPEG Codec */ + { CODEC_ID_MJPEG, MKTAG('M', 'M', 'J', 'P') }, { CODEC_ID_HUFFYUV, MKTAG('H', 'F', 'Y', 'U') }, { CODEC_ID_FFVHUFF, MKTAG('F', 'F', 'V', 'H') }, { CODEC_ID_CYUV, MKTAG('C', 'Y', 'U', 'V') }, From 5254285636a2d58805152be0f9700f773624879c Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Wed, 11 May 2011 22:18:15 +0200 Subject: [PATCH 0029/1119] riff: Add DAVC fourcc. This fourcc is used by the "mpegable AVC" codec and files encoded with this codec decode correctly with our H.264 decoder. (cherry picked from commit 2ea1ca1714f655a463b941b115e45a1a2f031f7b) Signed-off-by: Reinhard Tartler --- libavformat/riff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 95e08b28a8..b2e8414b5d 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -33,6 +33,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_H264, MKTAG('X', '2', '6', '4') }, { CODEC_ID_H264, MKTAG('x', '2', '6', '4') }, { CODEC_ID_H264, MKTAG('a', 'v', 'c', '1') }, + { CODEC_ID_H264, MKTAG('D', 'A', 'V', 'C') }, { CODEC_ID_H264, MKTAG('V', 'S', 'S', 'H') }, { CODEC_ID_H263, MKTAG('H', '2', '6', '3') }, { CODEC_ID_H263, MKTAG('X', '2', '6', '3') }, From 9ac3e32b29ae9e4af30ed671e736d1d83b0c7255 Mon Sep 17 00:00:00 2001 From: Kamil Nowosad Date: Mon, 23 May 2011 23:13:34 +0200 Subject: [PATCH 0030/1119] riff/img2: Add JPEG 2000 codec IDs. (cherry picked from commit a304a833621a793bbf49b796fe1fd11ea1cd54c8) Signed-off-by: Reinhard Tartler --- libavformat/img2.c | 1 + libavformat/riff.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libavformat/img2.c b/libavformat/img2.c index ec37a38845..4eef62371d 100644 --- a/libavformat/img2.c +++ b/libavformat/img2.c @@ -82,6 +82,7 @@ static const IdStrMap img_tags[] = { { CODEC_ID_SUNRAST , "im24"}, { CODEC_ID_SUNRAST , "sunras"}, { CODEC_ID_JPEG2000 , "jp2"}, + { CODEC_ID_JPEG2000 , "jpc"}, { CODEC_ID_DPX , "dpx"}, { CODEC_ID_PICTOR , "pic"}, { CODEC_ID_NONE , NULL} diff --git a/libavformat/riff.c b/libavformat/riff.c index b2e8414b5d..817349cb82 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -250,6 +250,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_ZMBV, MKTAG('Z', 'M', 'B', 'V') }, { CODEC_ID_KMVC, MKTAG('K', 'M', 'V', 'C') }, { CODEC_ID_CAVS, MKTAG('C', 'A', 'V', 'S') }, + { CODEC_ID_JPEG2000, MKTAG('m', 'j', 'p', '2') }, { CODEC_ID_JPEG2000, MKTAG('M', 'J', '2', 'C') }, { CODEC_ID_VMNC, MKTAG('V', 'M', 'n', 'c') }, { CODEC_ID_TARGA, MKTAG('t', 'g', 'a', ' ') }, From 1aef8de6d730df7f0a0841939954d12cd604b2d7 Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Fri, 13 May 2011 00:49:29 +0200 Subject: [PATCH 0031/1119] mov: Support R10g codec identifier. (cherry picked from commit 7ac639654f21aa78e0afa14f6c049ffa2c9078bd) Signed-off-by: Reinhard Tartler --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index c65f9317e7..dd4008b69b 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -83,6 +83,7 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_RAWVIDEO, MKTAG('b', '4', '8', 'r') }, { CODEC_ID_R10K, MKTAG('R', '1', '0', 'k') }, /* UNCOMPRESSED 10BIT RGB */ + { CODEC_ID_R10K, MKTAG('R', '1', '0', 'g') }, /* UNCOMPRESSED 10BIT RGB */ { CODEC_ID_R210, MKTAG('r', '2', '1', '0') }, /* UNCOMPRESSED 10BIT RGB */ { CODEC_ID_V210, MKTAG('v', '2', '1', '0') }, /* UNCOMPRESSED 10BIT 4:2:2 */ From 26f48752fbaa49161eb3454eda68dc043d733567 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 13 May 2011 01:08:01 +0200 Subject: [PATCH 0032/1119] mov: Support Digital Voodoo SD 8 Bit and DTS codec identifiers. (cherry picked from commit 53d5cd2c8225e251826c77f8f69a30250038fbd0) Signed-off-by: Reinhard Tartler --- libavcodec/raw.c | 1 + libavformat/isom.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/libavcodec/raw.c b/libavcodec/raw.c index bc7c1561e7..4bc07b869a 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c @@ -122,6 +122,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { PIX_FMT_UYVY422, MKTAG('A', 'V', 'U', 'I') }, /* FIXME merge both fields */ { PIX_FMT_YUYV422, MKTAG('y', 'u', 'v', '2') }, { PIX_FMT_YUYV422, MKTAG('y', 'u', 'v', 's') }, + { PIX_FMT_YUYV422, MKTAG('D', 'V', 'O', 'O') }, /* Digital Voodoo SD 8 Bit */ { PIX_FMT_PAL8, MKTAG('W', 'R', 'A', 'W') }, { PIX_FMT_RGB555LE,MKTAG('L', '5', '5', '5') }, { PIX_FMT_RGB565LE,MKTAG('L', '5', '6', '5') }, diff --git a/libavformat/isom.c b/libavformat/isom.c index dd4008b69b..eb17e25474 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -57,6 +57,7 @@ const AVCodecTag ff_mp4_obj_type[] = { { CODEC_ID_VC1 , 0xA3 }, { CODEC_ID_DIRAC , 0xA4 }, { CODEC_ID_AC3 , 0xA5 }, + { CODEC_ID_DTS , 0xA9 }, /* mp4ra.org */ { CODEC_ID_VORBIS , 0xDD }, /* non standard, gpac uses it */ { CODEC_ID_DVD_SUBTITLE, 0xE0 }, /* non standard, see unsupported-embedded-subs-2.mp4 */ { CODEC_ID_QCELP , 0xE1 }, @@ -81,6 +82,7 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_RAWVIDEO, MKTAG('A', 'B', 'G', 'R') }, { CODEC_ID_RAWVIDEO, MKTAG('b', '1', '6', 'g') }, { CODEC_ID_RAWVIDEO, MKTAG('b', '4', '8', 'r') }, + { CODEC_ID_RAWVIDEO, MKTAG('D', 'V', 'O', 'O') }, /* Digital Voodoo SD 8 Bit */ { CODEC_ID_R10K, MKTAG('R', '1', '0', 'k') }, /* UNCOMPRESSED 10BIT RGB */ { CODEC_ID_R10K, MKTAG('R', '1', '0', 'g') }, /* UNCOMPRESSED 10BIT RGB */ @@ -243,6 +245,8 @@ const AVCodecTag codec_movaudio_tags[] = { { CODEC_ID_AAC, MKTAG('m', 'p', '4', 'a') }, /* MPEG-4 AAC */ { CODEC_ID_AC3, MKTAG('a', 'c', '-', '3') }, /* ETSI TS 102 366 Annex F */ { CODEC_ID_AC3, MKTAG('s', 'a', 'c', '3') }, /* Nero Recode */ + { CODEC_ID_DTS, MKTAG('d', 't', 's', 'c') }, /* mp4ra.org */ + { CODEC_ID_DTS, MKTAG('D', 'T', 'S', ' ') }, /* non-standard */ { CODEC_ID_AMR_NB, MKTAG('s', 'a', 'm', 'r') }, /* AMR-NB 3gp */ { CODEC_ID_AMR_WB, MKTAG('s', 'a', 'w', 'b') }, /* AMR-WB 3gp */ From 6a34f5d4478bf79b452ab90eb47df75b62202d9c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 19 Jun 2011 18:41:14 +0100 Subject: [PATCH 0033/1119] configure: report optimization for size separately This removes an unsightly override of the 'optimizations' setting only to make the configure report print 'small' when --enable-small is used. Signed-off-by: Mans Rullgard (cherry picked from commit f082a0fb420f0367bdd00219fd0fe8fe3caf7bc7) Signed-off-by: Reinhard Tartler --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 31e82fc6db..b26394ec29 100755 --- a/configure +++ b/configure @@ -3006,7 +3006,6 @@ fi if enabled small; then add_cflags $size_cflags - optimizations="small" elif enabled optimizations; then add_cflags $speed_cflags else @@ -3140,6 +3139,7 @@ if enabled sparc; then echo "VIS enabled ${vis-no}" fi echo "debug symbols ${debug-no}" +echo "optimize for size ${small-no}" echo "optimizations ${optimizations-no}" echo "static ${static-no}" echo "shared ${shared-no}" From fcd26ebc8f371612e56e9f591b578d519e04c4c2 Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Tue, 24 May 2011 23:38:01 +0200 Subject: [PATCH 0034/1119] rawdec: Fix decoding of QT WRAW files. From some tests it results that: 1. All of the AVI/MOV WRAW files need to be flipped. 2. MOV WRAW files need to use AVI color modes. 3. Assigning PAL8 mode by default to WRAW codec is not correct. (cherry picked from commit 67e7dc54049d9b51a0c2168c8265145a9aef7780) Signed-off-by: Reinhard Tartler --- libavcodec/raw.c | 1 - libavcodec/rawdec.c | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/raw.c b/libavcodec/raw.c index 4bc07b869a..aa1ea308b0 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c @@ -123,7 +123,6 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { PIX_FMT_YUYV422, MKTAG('y', 'u', 'v', '2') }, { PIX_FMT_YUYV422, MKTAG('y', 'u', 'v', 's') }, { PIX_FMT_YUYV422, MKTAG('D', 'V', 'O', 'O') }, /* Digital Voodoo SD 8 Bit */ - { PIX_FMT_PAL8, MKTAG('W', 'R', 'A', 'W') }, { PIX_FMT_RGB555LE,MKTAG('L', '5', '5', '5') }, { PIX_FMT_RGB565LE,MKTAG('L', '5', '6', '5') }, { PIX_FMT_RGB565BE,MKTAG('B', '5', '6', '5') }, diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 6b3387f636..5e8e6c4c43 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -78,6 +78,8 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx) if (avctx->codec_tag == MKTAG('r','a','w',' ')) avctx->pix_fmt = find_pix_fmt(pix_fmt_bps_mov, avctx->bits_per_coded_sample); + else if (avctx->codec_tag == MKTAG('W','R','A','W')) + avctx->pix_fmt = find_pix_fmt(pix_fmt_bps_avi, avctx->bits_per_coded_sample); else if (avctx->codec_tag) avctx->pix_fmt = find_pix_fmt(ff_raw_pix_fmt_tags, avctx->codec_tag); else if (avctx->pix_fmt == PIX_FMT_NONE && avctx->bits_per_coded_sample) @@ -98,7 +100,7 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx) avctx->coded_frame= &context->pic; if((avctx->extradata_size >= 9 && !memcmp(avctx->extradata + avctx->extradata_size - 9, "BottomUp", 9)) || - avctx->codec_tag == MKTAG( 3 , 0 , 0 , 0 )) + avctx->codec_tag == MKTAG(3, 0, 0, 0) || avctx->codec_tag == MKTAG('W','R','A','W')) context->flip=1; return 0; From bf5ed476ba6315daeff83930787cdf02aa3268e0 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 13 Jun 2011 21:16:30 +0200 Subject: [PATCH 0035/1119] alsa: add support for more formats. Specifically, f32, f64, s32, s24, a-law and mu-law. Signed-off-by: Anton Khirnov (cherry picked from commit 921715edffbba5db8deb26b7ad3cb583ba963d03) Signed-off-by: Reinhard Tartler --- libavdevice/alsa-audio-common.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index ff6c9f875d..4279790ddc 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -36,9 +36,19 @@ static av_cold snd_pcm_format_t codec_id_to_pcm_format(int codec_id) { switch(codec_id) { + case CODEC_ID_PCM_F64LE: return SND_PCM_FORMAT_FLOAT64_LE; + case CODEC_ID_PCM_F64BE: return SND_PCM_FORMAT_FLOAT64_BE; + case CODEC_ID_PCM_F32LE: return SND_PCM_FORMAT_FLOAT_LE; + case CODEC_ID_PCM_F32BE: return SND_PCM_FORMAT_FLOAT_BE; + case CODEC_ID_PCM_S32LE: return SND_PCM_FORMAT_S32_LE; + case CODEC_ID_PCM_S32BE: return SND_PCM_FORMAT_S32_BE; + case CODEC_ID_PCM_S24LE: return SND_PCM_FORMAT_S24_3LE; + case CODEC_ID_PCM_S24BE: return SND_PCM_FORMAT_S24_3BE; case CODEC_ID_PCM_S16LE: return SND_PCM_FORMAT_S16_LE; case CODEC_ID_PCM_S16BE: return SND_PCM_FORMAT_S16_BE; case CODEC_ID_PCM_S8: return SND_PCM_FORMAT_S8; + case CODEC_ID_PCM_MULAW: return SND_PCM_FORMAT_MU_LAW; + case CODEC_ID_PCM_ALAW: return SND_PCM_FORMAT_A_LAW; default: return SND_PCM_FORMAT_UNKNOWN; } } From e4071fa04c213ab3ddf4f89953daf4e3788a9d0f Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Mon, 20 Jun 2011 15:56:35 -0700 Subject: [PATCH 0036/1119] H.264: fix bug in lossless 4:4:4 decoding Coefficient test for i16x16 add_pixels4 assumed luma plane. (cherry picked from commit 3b79f2e2e928eb346dbea85cc89393dcdf010ca9) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 13a63809a0..124f9a88cd 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1744,7 +1744,7 @@ static av_always_inline void hl_decode_mb_idct_luma(H264Context *h, int mb_type, h->hpc.pred16x16_add[h->intra16x16_pred_mode](dest_y, block_offset, h->mb + (p*256 << pixel_shift), linesize); }else{ for(i=0; i<16; i++){ - if(h->non_zero_count_cache[ scan8[i+p*16] ] || dctcoef_get(h->mb, pixel_shift, i*16)) + if(h->non_zero_count_cache[ scan8[i+p*16] ] || dctcoef_get(h->mb, pixel_shift, i*16+p*256)) s->dsp.add_pixels4(dest_y + block_offset[i], h->mb + (i*16+p*256 << pixel_shift), linesize); } } From 4c8b14c37ff292ca9d4a412984e5132a27a83858 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 21 Jun 2011 01:10:37 -0700 Subject: [PATCH 0037/1119] H.264: reference the correct SPS in decode_scaling_matrices (cherry picked from commit 85a88f9c0c0fcc2fc48121db1beb5ada68d24bdc) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 9c41e4ca73..5ca2361a6d 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -281,12 +281,12 @@ static void decode_scaling_matrices(H264Context *h, SPS *sps, PPS *pps, int is_s decode_scaling_list(h,scaling_matrix4[5],16,default_scaling4[1],scaling_matrix4[4]); // Inter, Cb if(is_sps || pps->transform_8x8_mode){ decode_scaling_list(h,scaling_matrix8[0],64,default_scaling8[0],fallback[2]); // Intra, Y - if(h->sps.chroma_format_idc == 3){ + if(sps->chroma_format_idc == 3){ decode_scaling_list(h,scaling_matrix8[1],64,default_scaling8[0],scaling_matrix8[0]); // Intra, Cr decode_scaling_list(h,scaling_matrix8[2],64,default_scaling8[0],scaling_matrix8[1]); // Intra, Cb } decode_scaling_list(h,scaling_matrix8[3],64,default_scaling8[1],fallback[3]); // Inter, Y - if(h->sps.chroma_format_idc == 3){ + if(sps->chroma_format_idc == 3){ decode_scaling_list(h,scaling_matrix8[4],64,default_scaling8[1],scaling_matrix8[3]); // Inter, Cr decode_scaling_list(h,scaling_matrix8[5],64,default_scaling8[1],scaling_matrix8[4]); // Inter, Cb } From 18052f1df9d5a21ff354c4f70ae35993959d9686 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 21 Jun 2011 04:16:33 -0700 Subject: [PATCH 0038/1119] H.264: fix 4:4:4 cropping warning (cherry picked from commit 932db250243812380640112fd27a59bc0642bc8a) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 5ca2361a6d..7491807460 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -396,6 +396,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ #endif sps->crop= get_bits1(&s->gb); if(sps->crop){ + int crop_limit = sps->chroma_format_idc == 3 ? 16 : 8; sps->crop_left = get_ue_golomb(&s->gb); sps->crop_right = get_ue_golomb(&s->gb); sps->crop_top = get_ue_golomb(&s->gb); @@ -403,7 +404,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->crop_left || sps->crop_top){ av_log(h->s.avctx, AV_LOG_ERROR, "insane cropping not completely supported, this could look slightly wrong ...\n"); } - if(sps->crop_right >= (8<crop_bottom >= (8<crop_right >= crop_limit || sps->crop_bottom >= crop_limit){ av_log(h->s.avctx, AV_LOG_ERROR, "brainfart cropping not supported, this could look slightly wrong ...\n"); } }else{ From 13c943ffb1d0faa6de0de292d196551990e93512 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Wed, 22 Jun 2011 02:05:14 -0700 Subject: [PATCH 0039/1119] H.264: fix 4:4:4 + deblocking + MBAFF (cherry picked from commit 7c9079ab4cf0bcf34103fc9c5e49ec1fd7dd390c) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 4 ++-- libavcodec/h264_loopfilter.c | 30 ++++++++++++++++++++++-------- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 124f9a88cd..6bee7c39b0 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3300,8 +3300,8 @@ static void loop_filter(H264Context *h, int start_x, int end_x){ uvlinesize = h->mb_uvlinesize = s->uvlinesize * 2; if(mb_y&1){ //FIXME move out of this function? dest_y -= s->linesize*15; - dest_cb-= s->uvlinesize*7; - dest_cr-= s->uvlinesize*7; + dest_cb-= s->uvlinesize*((8 << CHROMA444)-1); + dest_cr-= s->uvlinesize*((8 << CHROMA444)-1); } } else { linesize = h->mb_linesize = s->linesize; diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index 1ae534ec96..b88c338804 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -663,19 +663,33 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint filter_mb_mbaff_edgev ( h, img_y , linesize, bS , 1, qp [0] ); filter_mb_mbaff_edgev ( h, img_y + 8* linesize, linesize, bS+4, 1, qp [1] ); if (chroma){ - filter_mb_mbaff_edgecv( h, img_cb, uvlinesize, bS , 1, bqp[0] ); - filter_mb_mbaff_edgecv( h, img_cb + 4*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); - filter_mb_mbaff_edgecv( h, img_cr, uvlinesize, bS , 1, rqp[0] ); - filter_mb_mbaff_edgecv( h, img_cr + 4*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + if (CHROMA444) { + filter_mb_mbaff_edgev ( h, img_cb, uvlinesize, bS , 1, bqp[0] ); + filter_mb_mbaff_edgev ( h, img_cb + 8*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); + filter_mb_mbaff_edgev ( h, img_cr, uvlinesize, bS , 1, rqp[0] ); + filter_mb_mbaff_edgev ( h, img_cr + 8*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + }else{ + filter_mb_mbaff_edgecv( h, img_cb, uvlinesize, bS , 1, bqp[0] ); + filter_mb_mbaff_edgecv( h, img_cb + 4*uvlinesize, uvlinesize, bS+4, 1, bqp[1] ); + filter_mb_mbaff_edgecv( h, img_cr, uvlinesize, bS , 1, rqp[0] ); + filter_mb_mbaff_edgecv( h, img_cr + 4*uvlinesize, uvlinesize, bS+4, 1, rqp[1] ); + } } }else{ filter_mb_mbaff_edgev ( h, img_y , 2* linesize, bS , 2, qp [0] ); filter_mb_mbaff_edgev ( h, img_y + linesize, 2* linesize, bS+1, 2, qp [1] ); if (chroma){ - filter_mb_mbaff_edgecv( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); - filter_mb_mbaff_edgecv( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); - filter_mb_mbaff_edgecv( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); - filter_mb_mbaff_edgecv( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + if (CHROMA444) { + filter_mb_mbaff_edgev ( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); + filter_mb_mbaff_edgev ( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); + filter_mb_mbaff_edgev ( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); + filter_mb_mbaff_edgev ( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + }else{ + filter_mb_mbaff_edgecv( h, img_cb, 2*uvlinesize, bS , 2, bqp[0] ); + filter_mb_mbaff_edgecv( h, img_cb + uvlinesize, 2*uvlinesize, bS+1, 2, bqp[1] ); + filter_mb_mbaff_edgecv( h, img_cr, 2*uvlinesize, bS , 2, rqp[0] ); + filter_mb_mbaff_edgecv( h, img_cr + uvlinesize, 2*uvlinesize, bS+1, 2, rqp[1] ); + } } } } From 180faac637c9b8cd63fc8007a126e55175d415aa Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Wed, 22 Jun 2011 02:34:02 -0700 Subject: [PATCH 0040/1119] H.264: fix 4:4:4 + deblocking + 8x8dct + cavlc + MBAFF (cherry picked from commit 2702a6f114f996ddfb334f1d8ddfae50e2c7eef7) Signed-off-by: Reinhard Tartler --- libavcodec/h264_loopfilter.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index b88c338804..86ecb2737f 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -393,10 +393,10 @@ static av_always_inline void filter_mb_dir(H264Context *h, int mb_x, int mb_y, u AV_WN64A(bS, 0x0003000300030003ULL); } else { if(!CABAC && IS_8x8DCT(s->current_picture.mb_type[mbn_xy])){ - bS[0]= 1+((h->cbp_table[mbn_xy] & 4)||h->non_zero_count_cache[scan8[0]+0]); - bS[1]= 1+((h->cbp_table[mbn_xy] & 4)||h->non_zero_count_cache[scan8[0]+1]); - bS[2]= 1+((h->cbp_table[mbn_xy] & 8)||h->non_zero_count_cache[scan8[0]+2]); - bS[3]= 1+((h->cbp_table[mbn_xy] & 8)||h->non_zero_count_cache[scan8[0]+3]); + bS[0]= 1+((h->cbp_table[mbn_xy] & 0x4000)||h->non_zero_count_cache[scan8[0]+0]); + bS[1]= 1+((h->cbp_table[mbn_xy] & 0x4000)||h->non_zero_count_cache[scan8[0]+1]); + bS[2]= 1+((h->cbp_table[mbn_xy] & 0x8000)||h->non_zero_count_cache[scan8[0]+2]); + bS[3]= 1+((h->cbp_table[mbn_xy] & 0x8000)||h->non_zero_count_cache[scan8[0]+3]); }else{ const uint8_t *mbn_nnz = h->non_zero_count[mbn_xy] + 3*4; int i; @@ -635,7 +635,7 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint else{ bS[i] = 1 + !!(h->non_zero_count_cache[12+8*(i>>1)] | ((!h->pps.cabac && IS_8x8DCT(mbn_type)) ? - (h->cbp_table[mbn_xy] & ((MB_FIELD ? (i&2) : (mb_y&1)) ? 8 : 2)) + (h->cbp_table[mbn_xy] & (((MB_FIELD ? (i&2) : (mb_y&1)) ? 8 : 2) << 12)) : h->non_zero_count[mbn_xy][ off[i] ])); } From acb62e998f4d72bd53cd6837cdcb2ba6f59ab3f1 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 14 Apr 2011 01:04:18 +0200 Subject: [PATCH 0041/1119] alsa: support unsigned variants of already supported signed formats. (cherry picked from commit 2359aeb52d2325ed6c28d4f7579e0999963bcec1) Signed-off-by: Reinhard Tartler --- libavdevice/alsa-audio-common.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index 4279790ddc..baa6ac79ca 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -42,11 +42,18 @@ static av_cold snd_pcm_format_t codec_id_to_pcm_format(int codec_id) case CODEC_ID_PCM_F32BE: return SND_PCM_FORMAT_FLOAT_BE; case CODEC_ID_PCM_S32LE: return SND_PCM_FORMAT_S32_LE; case CODEC_ID_PCM_S32BE: return SND_PCM_FORMAT_S32_BE; + case CODEC_ID_PCM_U32LE: return SND_PCM_FORMAT_U32_LE; + case CODEC_ID_PCM_U32BE: return SND_PCM_FORMAT_U32_BE; case CODEC_ID_PCM_S24LE: return SND_PCM_FORMAT_S24_3LE; case CODEC_ID_PCM_S24BE: return SND_PCM_FORMAT_S24_3BE; + case CODEC_ID_PCM_U24LE: return SND_PCM_FORMAT_U24_3LE; + case CODEC_ID_PCM_U24BE: return SND_PCM_FORMAT_U24_3BE; case CODEC_ID_PCM_S16LE: return SND_PCM_FORMAT_S16_LE; case CODEC_ID_PCM_S16BE: return SND_PCM_FORMAT_S16_BE; + case CODEC_ID_PCM_U16LE: return SND_PCM_FORMAT_U16_LE; + case CODEC_ID_PCM_U16BE: return SND_PCM_FORMAT_U16_BE; case CODEC_ID_PCM_S8: return SND_PCM_FORMAT_S8; + case CODEC_ID_PCM_U8: return SND_PCM_FORMAT_U8; case CODEC_ID_PCM_MULAW: return SND_PCM_FORMAT_MU_LAW; case CODEC_ID_PCM_ALAW: return SND_PCM_FORMAT_A_LAW; default: return SND_PCM_FORMAT_UNKNOWN; From 4ad56612f94f5e4312ba24155b5c446e151e6ca1 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 23 Jun 2011 12:38:03 +0200 Subject: [PATCH 0042/1119] build: Remove dependency and editor backup files also in the doc/ subdirectory. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 084e175b90..d6bae7680b 100644 --- a/Makefile +++ b/Makefile @@ -172,7 +172,7 @@ testclean: clean:: testclean $(RM) $(ALLPROGS) $(RM) $(CLEANSUFFIXES) - $(RM) doc/*.html doc/*.pod doc/*.1 + $(RM) doc/*.html doc/*.pod doc/*.1 doc/*.d doc/*~ $(RM) $(TOOLS) $(RM) $(CLEANSUFFIXES:%=tools/%) From 9c709f053474dd74890f32662b7d7010e5cc0b0d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 23 Jun 2011 09:50:43 +0200 Subject: [PATCH 0043/1119] add changelog entries for added fourcc codecs and H.264 fixes --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog b/Changelog index b785197083..276812bd66 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.1: + +- added various additional FOURCC codec identifiers +- H.264 4:4:4 fixes +- build system fixes + + version 0.7: - E-AC-3 audio encoder From c0b90d40888147b314ca788bba406882c3d25d1a Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 24 Jun 2011 23:45:15 +0200 Subject: [PATCH 0044/1119] configure: select buffersink_filter when ffmpeg is enabled buffersink_filter is a strong requirement for compiling ffmpeg. Fixes ffmpeg compilation with --disable-everything. (cherry picked from commit e65d6e22e300e286bcc27443df8449aaf9d062dd) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c9eedaf974..62b5002342 100755 --- a/configure +++ b/configure @@ -1512,7 +1512,7 @@ postproc_deps="gpl" # programs ffmpeg_deps="avcodec avformat swscale" -ffmpeg_select="buffer_filter" +ffmpeg_select="buffer_filter buffersink_filter" ffplay_deps="avcodec avformat swscale sdl" ffplay_select="rdft" ffprobe_deps="avcodec avformat" From 1bf80a9a144852460d3c10c9461df214292ff82f Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 24 Jun 2011 23:45:15 +0200 Subject: [PATCH 0045/1119] configure: select buffersink_filter when ffmpeg is enabled buffersink_filter is a strong requirement for compiling ffmpeg. Fixes ffmpeg compilation with --disable-everything. (cherry picked from commit e65d6e22e300e286bcc27443df8449aaf9d062dd) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c9eedaf974..62b5002342 100755 --- a/configure +++ b/configure @@ -1512,7 +1512,7 @@ postproc_deps="gpl" # programs ffmpeg_deps="avcodec avformat swscale" -ffmpeg_select="buffer_filter" +ffmpeg_select="buffer_filter buffersink_filter" ffplay_deps="avcodec avformat swscale sdl" ffplay_select="rdft" ffprobe_deps="avcodec avformat" From 9b69efc02b6f34fbe50512d4d108ec5559ebb9ec Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 25 Jun 2011 18:51:00 +0100 Subject: [PATCH 0046/1119] ARM: silence some annoying armcc warnings This silences warnings about pointer target sign mismatches as already done for gcc with -Wno-pointer-sign. Signed-off-by: Mans Rullgard (cherry picked from commit d0ce090ec553c88eb8e9c303156017417d4599cc) Signed-off-by: Reinhard Tartler --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index b26394ec29..b3c20350df 100755 --- a/configure +++ b/configure @@ -3059,6 +3059,8 @@ elif enabled armcc; then add_cflags -W${armcc_opt},--diag_suppress=1207 add_cflags -W${armcc_opt},--diag_suppress=1293 # assignment in condition add_cflags -W${armcc_opt},--diag_suppress=3343 # hardfp compat + add_cflags -W${armcc_opt},--diag_suppress=167 # pointer sign + add_cflags -W${armcc_opt},--diag_suppress=513 # pointer sign elif enabled tms470; then add_cflags -pds=824 -pds=837 elif enabled pathscale; then From e54fd33848355202c03edb3ebfcdb53b1d71c2ce Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Sun, 26 Jun 2011 00:21:54 -0700 Subject: [PATCH 0047/1119] H.264: disable 2tap qpel with CODEC_FLAG2_FAST and >8-bit 2tap qpel isn't implemented yet for high bit depth, so it just breaks decoding. (cherry picked from commit 9a0dda8b3ab07fa7be60335715a6c350c907a7b8) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 6bee7c39b0..2c000a3420 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2485,7 +2485,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->dropable= h->nal_ref_idc == 0; - if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc){ + /* FIXME: 2tap qpel isn't implemented for high bit depth. */ + if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc && !h->pixel_shift){ s->me.qpel_put= s->dsp.put_2tap_qpel_pixels_tab; s->me.qpel_avg= s->dsp.avg_2tap_qpel_pixels_tab; }else{ From ce993ce791cd01916d79e315d1558b016d2770df Mon Sep 17 00:00:00 2001 From: Martin Matuska Date: Tue, 28 Jun 2011 13:26:56 +0200 Subject: [PATCH 0048/1119] pict_type: add a value for unknown/none. In commit bebe72f4a05d338e04ae9ca1e9c6b72749b488aa, the enum AV_PICTURE_TYPE_* was introduced. There are still places in the code where pict_type is used as an integer and there is a case where "pict_type = 0" with the explanation "let ffmpeg decide what to do". The new enum does not know a value of 0 and C++ will fail if compiling such programs anyway as it is refered as an int (and you cannot patch them properly). (cherry picked from commit 512933671409f9f88cc9fdfc8f29525d32240bab) --- libavutil/avutil.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/avutil.h b/libavutil/avutil.h index 05b45ce8bf..59b59db29e 100644 --- a/libavutil/avutil.h +++ b/libavutil/avutil.h @@ -112,7 +112,8 @@ enum AVMediaType { #define FF_API_OLD_IMAGE_NAMES (LIBAVUTIL_VERSION_MAJOR < 51) #endif enum AVPictureType { - AV_PICTURE_TYPE_I = 1, ///< Intra + AV_PICTURE_TYPE_NONE = 0, ///< Undefined + AV_PICTURE_TYPE_I, ///< Intra AV_PICTURE_TYPE_P, ///< Predicted AV_PICTURE_TYPE_B, ///< Bi-dir predicted AV_PICTURE_TYPE_S, ///< S(GMC)-VOP MPEG4 From d052370c1eb5c50ad2dd2cac1b967699f42c62b0 Mon Sep 17 00:00:00 2001 From: Martin Matuska Date: Tue, 28 Jun 2011 13:26:56 +0200 Subject: [PATCH 0049/1119] pict_type: add a value for unknown/none. In commit bebe72f4a05d338e04ae9ca1e9c6b72749b488aa, the enum AV_PICTURE_TYPE_* was introduced. There are still places in the code where pict_type is used as an integer and there is a case where "pict_type = 0" with the explanation "let ffmpeg decide what to do". The new enum does not know a value of 0 and C++ will fail if compiling such programs anyway as it is refered as an int (and you cannot patch them properly). (cherry picked from commit 512933671409f9f88cc9fdfc8f29525d32240bab) --- libavutil/avutil.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/avutil.h b/libavutil/avutil.h index 4d6ef66003..8affad6717 100644 --- a/libavutil/avutil.h +++ b/libavutil/avutil.h @@ -104,7 +104,8 @@ enum AVMediaType { #define AV_TIME_BASE_Q (AVRational){1, AV_TIME_BASE} enum AVPictureType { - AV_PICTURE_TYPE_I = 1, ///< Intra + AV_PICTURE_TYPE_NONE = 0, ///< Undefined + AV_PICTURE_TYPE_I, ///< Intra AV_PICTURE_TYPE_P, ///< Predicted AV_PICTURE_TYPE_B, ///< Bi-dir predicted AV_PICTURE_TYPE_S, ///< S(GMC)-VOP MPEG4 From 06107e9605cbdb8a9a06cd9fd30108c483d7a5dc Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 27 Jun 2011 09:26:48 +0200 Subject: [PATCH 0050/1119] Fix VDPAU decoding for some H264 samples. (cherry picked from commit e747b091cbc6b41f3531cfdf9d1bdd34606b1df3) --- libavcodec/vdpau.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vdpau.c b/libavcodec/vdpau.c index 19bd96bc15..9dc2745922 100644 --- a/libavcodec/vdpau.c +++ b/libavcodec/vdpau.c @@ -183,7 +183,8 @@ void ff_vdpau_h264_picture_complete(MpegEncContext *s) render->info.h264.deblocking_filter_control_present_flag = h->pps.deblocking_filter_parameters_present; render->info.h264.redundant_pic_cnt_present_flag = h->pps.redundant_pic_cnt_present; memcpy(render->info.h264.scaling_lists_4x4, h->pps.scaling_matrix4, sizeof(render->info.h264.scaling_lists_4x4)); - memcpy(render->info.h264.scaling_lists_8x8, h->pps.scaling_matrix8, sizeof(render->info.h264.scaling_lists_8x8)); + memcpy(render->info.h264.scaling_lists_8x8[0], h->pps.scaling_matrix8[0], sizeof(render->info.h264.scaling_lists_8x8[0])); + memcpy(render->info.h264.scaling_lists_8x8[1], h->pps.scaling_matrix8[3], sizeof(render->info.h264.scaling_lists_8x8[0])); ff_draw_horiz_band(s, 0, s->avctx->height); render->bitstream_buffers_used = 0; From f239b91596cc469560227ae2900891d7610f018c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 27 Jun 2011 09:26:48 +0200 Subject: [PATCH 0051/1119] Fix VDPAU decoding for some H264 samples. (cherry picked from commit e747b091cbc6b41f3531cfdf9d1bdd34606b1df3) --- libavcodec/vdpau.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vdpau.c b/libavcodec/vdpau.c index 19bd96bc15..9dc2745922 100644 --- a/libavcodec/vdpau.c +++ b/libavcodec/vdpau.c @@ -183,7 +183,8 @@ void ff_vdpau_h264_picture_complete(MpegEncContext *s) render->info.h264.deblocking_filter_control_present_flag = h->pps.deblocking_filter_parameters_present; render->info.h264.redundant_pic_cnt_present_flag = h->pps.redundant_pic_cnt_present; memcpy(render->info.h264.scaling_lists_4x4, h->pps.scaling_matrix4, sizeof(render->info.h264.scaling_lists_4x4)); - memcpy(render->info.h264.scaling_lists_8x8, h->pps.scaling_matrix8, sizeof(render->info.h264.scaling_lists_8x8)); + memcpy(render->info.h264.scaling_lists_8x8[0], h->pps.scaling_matrix8[0], sizeof(render->info.h264.scaling_lists_8x8[0])); + memcpy(render->info.h264.scaling_lists_8x8[1], h->pps.scaling_matrix8[3], sizeof(render->info.h264.scaling_lists_8x8[0])); ff_draw_horiz_band(s, 0, s->avctx->height); render->bitstream_buffers_used = 0; From 87eedf69433d95a40830a98bb2d656a04dfd4609 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Tue, 28 Jun 2011 18:22:23 -0700 Subject: [PATCH 0052/1119] Add new yuv444 pixfmts to avcodec_align_dimensions2 Fixes draw_edges crashes with high-bit-depth 4:4:4 decoding. (cherry picked from commit da55ee6ccc05efdd9006bb8c31db9012a3326857) Signed-off-by: Reinhard Tartler --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1e5886473d..c32fda26ec 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -142,6 +142,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l case PIX_FMT_YUV420P10BE: case PIX_FMT_YUV422P10LE: case PIX_FMT_YUV422P10BE: + case PIX_FMT_YUV444P9LE: + case PIX_FMT_YUV444P9BE: + case PIX_FMT_YUV444P10LE: + case PIX_FMT_YUV444P10BE: w_align= 16; //FIXME check for non mpeg style codecs and use less alignment h_align= 16; if(s->codec_id == CODEC_ID_MPEG2VIDEO || s->codec_id == CODEC_ID_MJPEG || s->codec_id == CODEC_ID_AMV || s->codec_id == CODEC_ID_THP || s->codec_id == CODEC_ID_H264) From 9482dd0d17435c9b5b46d44cdf8af21b1f09235c Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Tue, 28 Jun 2011 11:49:32 +0200 Subject: [PATCH 0053/1119] wavpack: skip blocks with no samples These blocks don't report audio stream parameters and they are not needed for decoding. Signed-off-by: Mans Rullgard (cherry picked from commit cb7b55b0962f5503f601d6b557f8945444b73395) Signed-off-by: Reinhard Tartler --- libavformat/wv.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavformat/wv.c b/libavformat/wv.c index 8f9d0fdb1b..d6d7099ba7 100644 --- a/libavformat/wv.c +++ b/libavformat/wv.c @@ -110,6 +110,9 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb, int appen size = wc->blksize; } wc->flags = AV_RL32(wc->extra + 4); + // blocks with zero samples don't contain actual audio information and should be ignored + if (!AV_RN32(wc->extra)) + return 0; //parse flags bpp = ((wc->flags & 3) + 1) << 3; chan = 1 + !(wc->flags & WV_MONO); @@ -207,8 +210,14 @@ static int wv_read_header(AVFormatContext *s, AVStream *st; wc->block_parsed = 0; - if(wv_read_block_header(s, pb, 0) < 0) - return -1; + for(;;){ + if(wv_read_block_header(s, pb, 0) < 0) + return -1; + if(!AV_RN32(wc->extra)) + avio_skip(pb, wc->blksize - 24); + else + break; + } /* now we are ready: build format streams */ st = av_new_stream(s, 0); From cb66b552700c4fe54f3387eb12207049ff63dfe3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Jun 2011 22:24:21 -0700 Subject: [PATCH 0054/1119] ogg: fix double free when finding length of small chained oggs. ogg_save() copies streams[], but doesn't keep track of free()'ed struct members. Thus, if in between a call to ogg_save() and ogg_restore(), streams[].private was free()'ed, this would result in a double free -> crash, which happened when e.g. playing small chained ogg fragments. (cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index f1ad630c5e..998a33b43c 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -238,7 +238,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) for (n = 0; n < ogg->nstreams; n++) { av_freep(&ogg->streams[n].buf); - av_freep(&ogg->streams[n].private); + if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private) + av_freep(&ogg->streams[n].private); } ogg->curidx = -1; ogg->nstreams = 0; From 00498a7e59727cfe51703d84ac55e055b47c8872 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 1 Jul 2011 02:38:28 +0200 Subject: [PATCH 0055/1119] Fix possible double free when encoding using xvid. (cherry picked from commit 315f0e3fd8dcbd1362276b7407dad2e97cccc4b7) --- libavcodec/libxvidff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libxvidff.c b/libavcodec/libxvidff.c index 9b5c17c59d..effd2db158 100644 --- a/libavcodec/libxvidff.c +++ b/libavcodec/libxvidff.c @@ -528,6 +528,7 @@ static av_cold int xvid_encode_close(AVCodecContext *avctx) { if( x->twopassbuffer != NULL ) { av_free(x->twopassbuffer); av_free(x->old_twopassbuffer); + avctx->stats_out = NULL; } av_free(x->twopassfile); av_free(x->intra_matrix); From b62c0c0bce5c3a203a6e01a4f07d991718c5fac5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Jun 2011 22:24:21 -0700 Subject: [PATCH 0056/1119] ogg: fix double free when finding length of small chained oggs. ogg_save() copies streams[], but doesn't keep track of free()'ed struct members. Thus, if in between a call to ogg_save() and ogg_restore(), streams[].private was free()'ed, this would result in a double free -> crash, which happened when e.g. playing small chained ogg fragments. (cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533) --- libavformat/oggdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 655da35dd4..dc9f7b62fd 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -240,7 +240,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) for (n = 0; n < ogg->nstreams; n++) { av_freep(&ogg->streams[n].buf); - av_freep(&ogg->streams[n].private); + if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private) + av_freep(&ogg->streams[n].private); } ogg->curidx = -1; ogg->nstreams = 0; From 376dfd07abf8a5f493146d818bfb04807dc8bd5a Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 1 Jul 2011 02:38:28 +0200 Subject: [PATCH 0057/1119] Fix possible double free when encoding using xvid. (cherry picked from commit 315f0e3fd8dcbd1362276b7407dad2e97cccc4b7) --- libavcodec/libxvidff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libxvidff.c b/libavcodec/libxvidff.c index 9b5c17c59d..effd2db158 100644 --- a/libavcodec/libxvidff.c +++ b/libavcodec/libxvidff.c @@ -528,6 +528,7 @@ static av_cold int xvid_encode_close(AVCodecContext *avctx) { if( x->twopassbuffer != NULL ) { av_free(x->twopassbuffer); av_free(x->old_twopassbuffer); + avctx->stats_out = NULL; } av_free(x->twopassfile); av_free(x->intra_matrix); From 8f7f3f0453dfe3a14b70bae28301a2ee661fc3f4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Jun 2011 22:24:21 -0700 Subject: [PATCH 0058/1119] ogg: fix double free when finding length of small chained oggs. ogg_save() copies streams[], but doesn't keep track of free()'ed struct members. Thus, if in between a call to ogg_save() and ogg_restore(), streams[].private was free()'ed, this would result in a double free -> crash, which happened when e.g. playing small chained ogg fragments. (cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533) --- libavformat/oggdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 655da35dd4..dc9f7b62fd 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -240,7 +240,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) for (n = 0; n < ogg->nstreams; n++) { av_freep(&ogg->streams[n].buf); - av_freep(&ogg->streams[n].private); + if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private) + av_freep(&ogg->streams[n].private); } ogg->curidx = -1; ogg->nstreams = 0; From 72ac64544f9c0529759c0a1dc16d328dd3342b9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 26 Jun 2011 13:29:17 +0200 Subject: [PATCH 0059/1119] Add operand size to add instructions. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In these cases it can't be guessed from the operands (at least not necessarily), and it seems some clang versions refuse to compile it. Fixes ticket #303. Signed-off-by: Reimar Döffinger (cherry picked from commit 5c13b5bb398c12361732b7b47c71954484f5af1d) --- libavcodec/x86/snowdsp_mmx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/snowdsp_mmx.c b/libavcodec/x86/snowdsp_mmx.c index 9c1fa429a8..f107d55e87 100644 --- a/libavcodec/x86/snowdsp_mmx.c +++ b/libavcodec/x86/snowdsp_mmx.c @@ -675,14 +675,14 @@ static void ff_snow_vertical_compose97i_mmx(IDWTELEM *b0, IDWTELEM *b1, IDWTELEM #define snow_inner_add_yblock_sse2_end_8\ "sal $1, %%"REG_c" \n\t"\ - "add $"PTR_SIZE"*2, %1 \n\t"\ + "add"OPSIZE" $"PTR_SIZE"*2, %1 \n\t"\ snow_inner_add_yblock_sse2_end_common1\ "sar $1, %%"REG_c" \n\t"\ "sub $2, %2 \n\t"\ snow_inner_add_yblock_sse2_end_common2 #define snow_inner_add_yblock_sse2_end_16\ - "add $"PTR_SIZE"*1, %1 \n\t"\ + "add"OPSIZE" $"PTR_SIZE"*1, %1 \n\t"\ snow_inner_add_yblock_sse2_end_common1\ "dec %2 \n\t"\ snow_inner_add_yblock_sse2_end_common2 From b6fe44b9db4f204ff0794401e495b73688b50c3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 26 Jun 2011 13:29:17 +0200 Subject: [PATCH 0060/1119] Add operand size to add instructions. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In these cases it can't be guessed from the operands (at least not necessarily), and it seems some clang versions refuse to compile it. Fixes ticket #303. Signed-off-by: Reimar Döffinger (cherry picked from commit 5c13b5bb398c12361732b7b47c71954484f5af1d) --- libavcodec/x86/snowdsp_mmx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/snowdsp_mmx.c b/libavcodec/x86/snowdsp_mmx.c index 9c1fa429a8..f107d55e87 100644 --- a/libavcodec/x86/snowdsp_mmx.c +++ b/libavcodec/x86/snowdsp_mmx.c @@ -675,14 +675,14 @@ static void ff_snow_vertical_compose97i_mmx(IDWTELEM *b0, IDWTELEM *b1, IDWTELEM #define snow_inner_add_yblock_sse2_end_8\ "sal $1, %%"REG_c" \n\t"\ - "add $"PTR_SIZE"*2, %1 \n\t"\ + "add"OPSIZE" $"PTR_SIZE"*2, %1 \n\t"\ snow_inner_add_yblock_sse2_end_common1\ "sar $1, %%"REG_c" \n\t"\ "sub $2, %2 \n\t"\ snow_inner_add_yblock_sse2_end_common2 #define snow_inner_add_yblock_sse2_end_16\ - "add $"PTR_SIZE"*1, %1 \n\t"\ + "add"OPSIZE" $"PTR_SIZE"*1, %1 \n\t"\ snow_inner_add_yblock_sse2_end_common1\ "dec %2 \n\t"\ snow_inner_add_yblock_sse2_end_common2 From 9da3063e1cadf0bb4b910e4d9bcd9f859f2bbec6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 1 Jul 2011 21:24:17 +0200 Subject: [PATCH 0061/1119] lavf: use the correct pointer in av_open_input_stream(). (cherry picked from commit 5001d6ef4a2b70fe903b1d2e3e64c6ad7cc1cfa6) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 7370c60bdf..29390b818d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -461,8 +461,9 @@ int av_open_input_stream(AVFormatContext **ic_ptr, } ic->pb = pb; - err = avformat_open_input(ic_ptr, filename, fmt, &opts); + err = avformat_open_input(&ic, filename, fmt, &opts); + *ic_ptr = ic; fail: av_dict_free(&opts); return err; From b263e94f774fa612c8329ddd95b35fdf5dac86d5 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 24 Jun 2011 07:58:16 +0200 Subject: [PATCH 0062/1119] lavf: restore old behavior for custom AVIOContex with an AVFMT_NOFILE format. av_open_input_stream used to allow this, even though it makes no sense. Make it just print a warning instead of failing, thus restoring compatibility. Note that avformat_open_input() will still reject this combination. Signed-off-by: Anton Khirnov (cherry picked from commit 4f731c4429e1fe66a5c92ff15feb63253a36d8fb) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 29390b818d..0e6b00195b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -459,9 +459,14 @@ int av_open_input_stream(AVFormatContext **ic_ptr, err = AVERROR(ENOMEM); goto fail; } - ic->pb = pb; + if (pb && fmt && fmt->flags & AVFMT_NOFILE) + av_log(ic, AV_LOG_WARNING, "Custom AVIOContext makes no sense and " + "will be ignored with AVFMT_NOFILE format.\n"); + else + ic->pb = pb; err = avformat_open_input(&ic, filename, fmt, &opts); + ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above *ic_ptr = ic; fail: From f1d1ef810ab4b1d5449b229c4be81321de5dff9c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 1 Jul 2011 20:49:14 +0200 Subject: [PATCH 0063/1119] avformat: doxify the Metadata API convert the comment that documents the metadata API to use the doxygen markup (cherry picked from commit 1a53a438dc04e74628b39f29d3ff81ae4aa086a0) Signed-off-by: Reinhard Tartler --- libavformat/avformat.h | 73 ++++++++++++++++++++++-------------------- 1 file changed, 39 insertions(+), 34 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 9abc9c51a4..05e80f1922 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -48,63 +48,68 @@ const char *avformat_license(void); struct AVFormatContext; -/* - * Public Metadata API. +/** + * @defgroup metadata_api Public Metadata API + * @{ * The metadata API allows libavformat to export metadata tags to a client * application using a sequence of key/value pairs. Like all strings in Libav, * metadata must be stored as UTF-8 encoded Unicode. Note that metadata * exported by demuxers isn't checked to be valid UTF-8 in most cases. * Important concepts to keep in mind: - * 1. Keys are unique; there can never be 2 tags with the same key. This is + * - Keys are unique; there can never be 2 tags with the same key. This is * also meant semantically, i.e., a demuxer should not knowingly produce * several keys that are literally different but semantically identical. * E.g., key=Author5, key=Author6. In this example, all authors must be * placed in the same tag. - * 2. Metadata is flat, not hierarchical; there are no subtags. If you + * - Metadata is flat, not hierarchical; there are no subtags. If you * want to store, e.g., the email address of the child of producer Alice * and actor Bob, that could have key=alice_and_bobs_childs_email_address. - * 3. Several modifiers can be applied to the tag name. This is done by + * - Several modifiers can be applied to the tag name. This is done by * appending a dash character ('-') and the modifier name in the order * they appear in the list below -- e.g. foo-eng-sort, not foo-sort-eng. - * a) language -- a tag whose value is localized for a particular language + * - language -- a tag whose value is localized for a particular language * is appended with the ISO 639-2/B 3-letter language code. * For example: Author-ger=Michael, Author-eng=Mike * The original/default language is in the unqualified "Author" tag. * A demuxer should set a default if it sets any translated tag. - * b) sorting -- a modified version of a tag that should be used for + * - sorting -- a modified version of a tag that should be used for * sorting will have '-sort' appended. E.g. artist="The Beatles", * artist-sort="Beatles, The". * - * 4. Demuxers attempt to export metadata in a generic format, however tags + * - Demuxers attempt to export metadata in a generic format, however tags * with no generic equivalents are left as they are stored in the container. * Follows a list of generic tag names: * - * album -- name of the set this work belongs to - * album_artist -- main creator of the set/album, if different from artist. - * e.g. "Various Artists" for compilation albums. - * artist -- main creator of the work - * comment -- any additional description of the file. - * composer -- who composed the work, if different from artist. - * copyright -- name of copyright holder. - * creation_time-- date when the file was created, preferably in ISO 8601. - * date -- date when the work was created, preferably in ISO 8601. - * disc -- number of a subset, e.g. disc in a multi-disc collection. - * encoder -- name/settings of the software/hardware that produced the file. - * encoded_by -- person/group who created the file. - * filename -- original name of the file. - * genre -- . - * language -- main language in which the work is performed, preferably - * in ISO 639-2 format. Multiple languages can be specified by - * separating them with commas. - * performer -- artist who performed the work, if different from artist. - * E.g for "Also sprach Zarathustra", artist would be "Richard - * Strauss" and performer "London Philharmonic Orchestra". - * publisher -- name of the label/publisher. - * service_name -- name of the service in broadcasting (channel name). - * service_provider -- name of the service provider in broadcasting. - * title -- name of the work. - * track -- number of this work in the set, can be in form current/total. - * variant_bitrate -- the total bitrate of the bitrate variant that the current stream is part of + @verbatim + album -- name of the set this work belongs to + album_artist -- main creator of the set/album, if different from artist. + e.g. "Various Artists" for compilation albums. + artist -- main creator of the work + comment -- any additional description of the file. + composer -- who composed the work, if different from artist. + copyright -- name of copyright holder. + creation_time-- date when the file was created, preferably in ISO 8601. + date -- date when the work was created, preferably in ISO 8601. + disc -- number of a subset, e.g. disc in a multi-disc collection. + encoder -- name/settings of the software/hardware that produced the file. + encoded_by -- person/group who created the file. + filename -- original name of the file. + genre -- . + language -- main language in which the work is performed, preferably + in ISO 639-2 format. Multiple languages can be specified by + separating them with commas. + performer -- artist who performed the work, if different from artist. + E.g for "Also sprach Zarathustra", artist would be "Richard + Strauss" and performer "London Philharmonic Orchestra". + publisher -- name of the label/publisher. + service_name -- name of the service in broadcasting (channel name). + service_provider -- name of the service provider in broadcasting. + title -- name of the work. + track -- number of this work in the set, can be in form current/total. + variant_bitrate -- the total bitrate of the bitrate variant that the current stream is part of + @endverbatim + * + * @} */ #if FF_API_OLD_METADATA2 From b91ebb60d898510bc131d7ff9157fcbb0302d532 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 1 Jul 2011 20:53:09 +0200 Subject: [PATCH 0064/1119] doxygen: be more permissive when searching for API examples (cherry picked from commit 7655cfb1b8d8a70e8cc4b1ca811bfc3f293768d8) --- Doxyfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doxyfile b/Doxyfile index 5d80a2b6f5..b75d2d6e10 100644 --- a/Doxyfile +++ b/Doxyfile @@ -591,14 +591,14 @@ EXCLUDE_SYMBOLS = # directories that contain example code fragments that are included (see # the \include command). -EXAMPLE_PATH = +EXAMPLE_PATH = libavcodec/ libavformat/ # If the value of the EXAMPLE_PATH tag contains directories, you can use the # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp # and *.h) to filter out the source-files in the directories. If left # blank all files are included. -EXAMPLE_PATTERNS = +EXAMPLE_PATTERNS = *-example.c # If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be # searched for input files to be used with the \include or \dontinclude From 2fe47b21c825460f01d3cb5546b29b686b909e4d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jul 2011 18:55:01 +0200 Subject: [PATCH 0065/1119] doxygen: Prefer member groups over grouping into modules Before this, almost all module groups have been used for grouping functions and fields in structures semantically. This causes them to not appear properly in the file documentation and needlessly clutters up the "Modules" index. Additionally, this commit streamlines some spelling and appearances. (cherry picked from commit 21a19b7912fe0622f3d1748ff102fcc7bc7a974a) --- libavcodec/aac.h | 9 +-- libavcodec/ac3.h | 4 +- libavcodec/ac3dec.h | 30 ++++---- libavcodec/amrnbdec.c | 16 ++--- libavcodec/apedec.c | 2 +- libavcodec/ass.h | 3 +- libavcodec/avcodec.h | 4 +- libavcodec/h264.h | 2 +- libavcodec/qcelpdata.h | 4 +- libavcodec/rv34.c | 155 ++++++++++++++++++++-------------------- libavcodec/rv40data.h | 2 +- libavcodec/sbr.h | 8 +-- libavcodec/tableprint.h | 3 +- libavcodec/vc1.c | 2 +- libavcodec/vc1dec.c | 6 +- libavcodec/wmavoice.c | 22 +++--- libavformat/avio.h | 12 ++-- libavformat/rtmppkt.h | 2 +- libavutil/lzo.h | 2 +- 19 files changed, 143 insertions(+), 145 deletions(-) diff --git a/libavcodec/aac.h b/libavcodec/aac.h index 76b6a7821b..4861ec0320 100644 --- a/libavcodec/aac.h +++ b/libavcodec/aac.h @@ -258,7 +258,7 @@ typedef struct { DynamicRangeControl che_drc; /** - * @defgroup elements Channel element related data. + * @name Channel element related data * @{ */ enum ChannelPosition che_pos[4][MAX_ELEM_ID]; /**< channel element channel mapping with the @@ -270,14 +270,15 @@ typedef struct { /** @} */ /** - * @defgroup temporary aligned temporary buffers (We do not want to have these on the stack.) + * @name temporary aligned temporary buffers + * (We do not want to have these on the stack.) * @{ */ DECLARE_ALIGNED(32, float, buf_mdct)[1024]; /** @} */ /** - * @defgroup tables Computed / set up during initialization. + * @name Computed / set up during initialization * @{ */ FFTContext mdct; @@ -289,7 +290,7 @@ typedef struct { /** @} */ /** - * @defgroup output Members used for output interleaving. + * @name Members used for output interleaving * @{ */ float *output_data[MAX_CHANNELS]; ///< Points to each element's 'ret' buffer (PCM output). diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index c06f3d542d..9adad93db8 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -92,7 +92,7 @@ typedef struct AC3BitAllocParameters { * Coded AC-3 header values up to the lfeon element, plus derived values. */ typedef struct { - /** @defgroup coded Coded elements + /** @name Coded elements * @{ */ uint16_t sync_word; @@ -110,7 +110,7 @@ typedef struct { int num_blocks; ///< number of audio blocks /** @} */ - /** @defgroup derived Derived values + /** @name Derived values * @{ */ uint8_t sr_shift; diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index 590bee6b6d..aed87432f5 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -67,7 +67,7 @@ typedef struct { GetBitContext gbc; ///< bitstream reader uint8_t *input_buffer; ///< temp buffer to prevent overread -///@defgroup bsi bit stream information +///@name Bit stream information ///@{ int frame_type; ///< frame type (strmtyp) int substreamid; ///< substream identification @@ -85,7 +85,7 @@ typedef struct { int eac3; ///< indicates if current frame is E-AC-3 ///@} -///@defgroup audfrm frame syntax parameters +///@name Frame syntax parameters int snr_offset_strategy; ///< SNR offset strategy (snroffststr) int block_switch_syntax; ///< block switch syntax enabled (blkswe) int dither_flag_syntax; ///< dither flag syntax enabled (dithflage) @@ -95,7 +95,7 @@ typedef struct { int skip_syntax; ///< skip field syntax enabled (skipflde) ///@} -///@defgroup cpl standard coupling +///@name Standard coupling int cpl_in_use[AC3_MAX_BLOCKS]; ///< coupling in use (cplinu) int cpl_strategy_exists[AC3_MAX_BLOCKS];///< coupling strategy exists (cplstre) int channel_in_cpl[AC3_MAX_CHANNELS]; ///< channel in coupling (chincpl) @@ -108,7 +108,7 @@ typedef struct { int cpl_coords[AC3_MAX_CHANNELS][AC3_MAX_CPL_BANDS]; ///< coupling coordinates (cplco) ///@} -///@defgroup spx spectral extension +///@name Spectral extension ///@{ int spx_in_use; ///< spectral extension in use (spxinu) uint8_t channel_uses_spx[AC3_MAX_CHANNELS]; ///< channel uses spectral extension (chinspx) @@ -124,12 +124,12 @@ typedef struct { float spx_signal_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS];///< spx signal blending factor (sblendfact) ///@} -///@defgroup aht adaptive hybrid transform +///@name Adaptive hybrid transform int channel_uses_aht[AC3_MAX_CHANNELS]; ///< channel AHT in use (chahtinu) int pre_mantissa[AC3_MAX_CHANNELS][AC3_MAX_COEFS][AC3_MAX_BLOCKS]; ///< pre-IDCT mantissas ///@} -///@defgroup channel channel +///@name Channel int fbw_channels; ///< number of full-bandwidth channels int channels; ///< number of total channels int lfe_ch; ///< index of LFE channel @@ -139,27 +139,27 @@ typedef struct { int out_channels; ///< number of output channels ///@} -///@defgroup dynrng dynamic range +///@name Dynamic range float dynamic_range[2]; ///< dynamic range ///@} -///@defgroup bandwidth bandwidth +///@name Bandwidth int start_freq[AC3_MAX_CHANNELS]; ///< start frequency bin (strtmant) int end_freq[AC3_MAX_CHANNELS]; ///< end frequency bin (endmant) ///@} -///@defgroup rematrixing rematrixing +///@name Rematrixing int num_rematrixing_bands; ///< number of rematrixing bands (nrematbnd) int rematrixing_flags[4]; ///< rematrixing flags (rematflg) ///@} -///@defgroup exponents exponents +///@name Exponents int num_exp_groups[AC3_MAX_CHANNELS]; ///< Number of exponent groups (nexpgrp) int8_t dexps[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< decoded exponents int exp_strategy[AC3_MAX_BLOCKS][AC3_MAX_CHANNELS]; ///< exponent strategies (expstr) ///@} -///@defgroup bitalloc bit allocation +///@name Bit allocation AC3BitAllocParameters bit_alloc_params; ///< bit allocation parameters int first_cpl_leak; ///< first coupling leak state (firstcplleak) int snr_offset[AC3_MAX_CHANNELS]; ///< signal-to-noise ratio offsets (snroffst) @@ -175,25 +175,25 @@ typedef struct { uint8_t dba_values[AC3_MAX_CHANNELS][8]; ///< delta values for each segment ///@} -///@defgroup dithering zero-mantissa dithering +///@name Zero-mantissa dithering int dither_flag[AC3_MAX_CHANNELS]; ///< dither flags (dithflg) AVLFG dith_state; ///< for dither generation ///@} -///@defgroup imdct IMDCT +///@name IMDCT int block_switch[AC3_MAX_CHANNELS]; ///< block switch flags (blksw) FFTContext imdct_512; ///< for 512 sample IMDCT FFTContext imdct_256; ///< for 256 sample IMDCT ///@} -///@defgroup opt optimization +///@name Optimization DSPContext dsp; ///< for optimization AC3DSPContext ac3dsp; FmtConvertContext fmt_conv; ///< optimized conversion functions float mul_bias; ///< scaling for float_to_int16 conversion ///@} -///@defgroup arrays aligned arrays +///@name Aligned arrays DECLARE_ALIGNED(16, int, fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< fixed-point transform coefficients DECLARE_ALIGNED(32, float, transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< transform coefficients DECLARE_ALIGNED(32, float, delay)[AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c index 4e24e26d68..1c90aadb12 100644 --- a/libavcodec/amrnbdec.c +++ b/libavcodec/amrnbdec.c @@ -204,7 +204,7 @@ static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf, } -/// @defgroup amr_lpc_decoding AMR pitch LPC coefficient decoding functions +/// @name AMR pitch LPC coefficient decoding functions /// @{ /** @@ -341,7 +341,7 @@ static void lsf2lsp_3(AMRContext *p) /// @} -/// @defgroup amr_pitch_vector_decoding AMR pitch vector decoding functions +/// @name AMR pitch vector decoding functions /// @{ /** @@ -403,7 +403,7 @@ static void decode_pitch_vector(AMRContext *p, /// @} -/// @defgroup amr_algebraic_code_book AMR algebraic code book (fixed) vector decoding functions +/// @name AMR algebraic code book (fixed) vector decoding functions /// @{ /** @@ -547,7 +547,7 @@ static void pitch_sharpening(AMRContext *p, int subframe, enum Mode mode, /// @} -/// @defgroup amr_gain_decoding AMR gain decoding functions +/// @name AMR gain decoding functions /// @{ /** @@ -633,7 +633,7 @@ static void decode_gains(AMRContext *p, const AMRNBSubframe *amr_subframe, /// @} -/// @defgroup amr_pre_processing AMR pre-processing functions +/// @name AMR preprocessing functions /// @{ /** @@ -751,7 +751,7 @@ static const float *anti_sparseness(AMRContext *p, AMRFixed *fixed_sparse, /// @} -/// @defgroup amr_synthesis AMR synthesis functions +/// @name AMR synthesis functions /// @{ /** @@ -812,7 +812,7 @@ static int synthesis(AMRContext *p, float *lpc, /// @} -/// @defgroup amr_update AMR update functions +/// @name AMR update functions /// @{ /** @@ -837,7 +837,7 @@ static void update_state(AMRContext *p) /// @} -/// @defgroup amr_postproc AMR Post processing functions +/// @name AMR Postprocessing functions /// @{ /** diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index d5a7efd94d..f92b37527e 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -217,7 +217,7 @@ static av_cold int ape_decode_close(AVCodecContext * avctx) } /** - * @defgroup rangecoder APE range decoder + * @name APE range decoding functions * @{ */ diff --git a/libavcodec/ass.h b/libavcodec/ass.h index d350cf3fc2..594b5f3ac6 100644 --- a/libavcodec/ass.h +++ b/libavcodec/ass.h @@ -25,8 +25,7 @@ #include "avcodec.h" /** - * Default values for ASS style. - * @defgroup ass_default + * @name Default values for ASS style * @{ */ #define ASS_DEFAULT_FONT "Arial" diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index a70d8adb90..835279eb21 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2488,7 +2488,7 @@ typedef struct AVCodecContext { #if FF_API_FLAC_GLOBAL_OPTS /** - * @defgroup flac_opts FLAC options + * @name FLAC options * @deprecated Use FLAC encoder private options instead. * @{ */ @@ -2897,7 +2897,7 @@ typedef struct AVCodec { const AVProfile *profiles; ///< array of recognized profiles, or NULL if unknown, array is terminated by {FF_PROFILE_UNKNOWN} /** - * @defgroup framethreading Frame-level threading support functions. + * @name Frame-level threading support functions * @{ */ /** diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 3abf895010..e3cc815565 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -507,7 +507,7 @@ typedef struct H264Context{ int cabac_init_idc; /** - * @defgroup multithreading Members for slice based multithreading + * @name Members for slice based multithreading * @{ */ struct H264Context *thread_context[MAX_THREADS]; diff --git a/libavcodec/qcelpdata.h b/libavcodec/qcelpdata.h index df33e9158c..672da49523 100644 --- a/libavcodec/qcelpdata.h +++ b/libavcodec/qcelpdata.h @@ -38,14 +38,14 @@ * QCELP unpacked data frame */ typedef struct { -/// @defgroup qcelp_codebook_parameters QCELP excitation codebook parameters +/// @name QCELP excitation codebook parameters /// @{ uint8_t cbsign[16]; ///!< sign of the codebook gain for each codebook subframe uint8_t cbgain[16]; ///!< unsigned codebook gain for each codebook subframe uint8_t cindex[16]; ///!< codebook index for each codebook subframe /// @} -/// @defgroup qcelp_pitch_parameters QCELP pitch prediction parameters +/// @name QCELP pitch prediction parameters /// @{ uint8_t plag[4]; ///!< pitch lag for each pitch subframe uint8_t pfrac[4]; ///!< fractional pitch lag for each pitch subframe diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index b5d314cf0f..c5dcfdcba4 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -62,8 +62,10 @@ static const int rv34_mb_type_to_lavc[12] = { static RV34VLC intra_vlcs[NUM_INTRA_TABLES], inter_vlcs[NUM_INTER_TABLES]; +static int rv34_decode_mv(RV34DecContext *r, int block_type); + /** - * @defgroup vlc RV30/40 VLC generating functions + * @name RV30/40 VLC generating functions * @{ */ @@ -171,7 +173,7 @@ static av_cold void rv34_init_tables(void) /** - * @defgroup transform RV30/40 inverse transform functions + * @name RV30/40 inverse transform functions * @{ */ @@ -246,7 +248,7 @@ static void rv34_inv_transform_noround(DCTELEM *block){ /** - * @defgroup block RV30/40 4x4 block decoding functions + * @name RV30/40 4x4 block decoding functions * @{ */ @@ -393,7 +395,7 @@ static inline void rv34_dequant4x4_16x16(DCTELEM *block, int Qdc, int Q) /** - * @defgroup rv3040_bitstream RV30/40 bitstream parsing + * @name RV30/40 bitstream parsing * @{ */ @@ -432,10 +434,76 @@ static inline int rv34_decode_dquant(GetBitContext *gb, int quant) return get_bits(gb, 5); } +/** + * Decode macroblock header and return CBP in case of success, -1 otherwise. + */ +static int rv34_decode_mb_header(RV34DecContext *r, int8_t *intra_types) +{ + MpegEncContext *s = &r->s; + GetBitContext *gb = &s->gb; + int mb_pos = s->mb_x + s->mb_y * s->mb_stride; + int i, t; + + if(!r->si.type){ + r->is16 = get_bits1(gb); + if(!r->is16 && !r->rv30){ + if(!get_bits1(gb)) + av_log(s->avctx, AV_LOG_ERROR, "Need DQUANT\n"); + } + s->current_picture_ptr->mb_type[mb_pos] = r->is16 ? MB_TYPE_INTRA16x16 : MB_TYPE_INTRA; + r->block_type = r->is16 ? RV34_MB_TYPE_INTRA16x16 : RV34_MB_TYPE_INTRA; + }else{ + r->block_type = r->decode_mb_info(r); + if(r->block_type == -1) + return -1; + s->current_picture_ptr->mb_type[mb_pos] = rv34_mb_type_to_lavc[r->block_type]; + r->mb_type[mb_pos] = r->block_type; + if(r->block_type == RV34_MB_SKIP){ + if(s->pict_type == AV_PICTURE_TYPE_P) + r->mb_type[mb_pos] = RV34_MB_P_16x16; + if(s->pict_type == AV_PICTURE_TYPE_B) + r->mb_type[mb_pos] = RV34_MB_B_DIRECT; + } + r->is16 = !!IS_INTRA16x16(s->current_picture_ptr->mb_type[mb_pos]); + rv34_decode_mv(r, r->block_type); + if(r->block_type == RV34_MB_SKIP){ + fill_rectangle(intra_types, 4, 4, r->intra_types_stride, 0, sizeof(intra_types[0])); + return 0; + } + r->chroma_vlc = 1; + r->luma_vlc = 0; + } + if(IS_INTRA(s->current_picture_ptr->mb_type[mb_pos])){ + if(r->is16){ + t = get_bits(gb, 2); + fill_rectangle(intra_types, 4, 4, r->intra_types_stride, t, sizeof(intra_types[0])); + r->luma_vlc = 2; + }else{ + if(r->decode_intra_types(r, gb, intra_types) < 0) + return -1; + r->luma_vlc = 1; + } + r->chroma_vlc = 0; + r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 0); + }else{ + for(i = 0; i < 16; i++) + intra_types[(i & 3) + (i>>2) * r->intra_types_stride] = 0; + r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 1); + if(r->mb_type[mb_pos] == RV34_MB_P_MIX16x16){ + r->is16 = 1; + r->chroma_vlc = 1; + r->luma_vlc = 2; + r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 0); + } + } + + return rv34_decode_cbp(gb, r->cur_vlcs, r->is16); +} + /** @} */ //bitstream functions /** - * @defgroup mv motion vector related code (prediction, reconstruction, motion compensation) + * @name motion vector related code (prediction, reconstruction, motion compensation) * @{ */ @@ -885,7 +953,7 @@ static int rv34_decode_mv(RV34DecContext *r, int block_type) /** @} */ // mv group /** - * @defgroup recons Macroblock reconstruction functions + * @name Macroblock reconstruction functions * @{ */ /** mapping of RV30/40 intra prediction types to standard H.264 types */ @@ -1027,79 +1095,6 @@ static void rv34_output_macroblock(RV34DecContext *r, int8_t *intra_types, int c } } -/** @} */ // recons group - -/** - * @addtogroup bitstream - * Decode macroblock header and return CBP in case of success, -1 otherwise. - */ -static int rv34_decode_mb_header(RV34DecContext *r, int8_t *intra_types) -{ - MpegEncContext *s = &r->s; - GetBitContext *gb = &s->gb; - int mb_pos = s->mb_x + s->mb_y * s->mb_stride; - int i, t; - - if(!r->si.type){ - r->is16 = get_bits1(gb); - if(!r->is16 && !r->rv30){ - if(!get_bits1(gb)) - av_log(s->avctx, AV_LOG_ERROR, "Need DQUANT\n"); - } - s->current_picture_ptr->mb_type[mb_pos] = r->is16 ? MB_TYPE_INTRA16x16 : MB_TYPE_INTRA; - r->block_type = r->is16 ? RV34_MB_TYPE_INTRA16x16 : RV34_MB_TYPE_INTRA; - }else{ - r->block_type = r->decode_mb_info(r); - if(r->block_type == -1) - return -1; - s->current_picture_ptr->mb_type[mb_pos] = rv34_mb_type_to_lavc[r->block_type]; - r->mb_type[mb_pos] = r->block_type; - if(r->block_type == RV34_MB_SKIP){ - if(s->pict_type == AV_PICTURE_TYPE_P) - r->mb_type[mb_pos] = RV34_MB_P_16x16; - if(s->pict_type == AV_PICTURE_TYPE_B) - r->mb_type[mb_pos] = RV34_MB_B_DIRECT; - } - r->is16 = !!IS_INTRA16x16(s->current_picture_ptr->mb_type[mb_pos]); - rv34_decode_mv(r, r->block_type); - if(r->block_type == RV34_MB_SKIP){ - fill_rectangle(intra_types, 4, 4, r->intra_types_stride, 0, sizeof(intra_types[0])); - return 0; - } - r->chroma_vlc = 1; - r->luma_vlc = 0; - } - if(IS_INTRA(s->current_picture_ptr->mb_type[mb_pos])){ - if(r->is16){ - t = get_bits(gb, 2); - fill_rectangle(intra_types, 4, 4, r->intra_types_stride, t, sizeof(intra_types[0])); - r->luma_vlc = 2; - }else{ - if(r->decode_intra_types(r, gb, intra_types) < 0) - return -1; - r->luma_vlc = 1; - } - r->chroma_vlc = 0; - r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 0); - }else{ - for(i = 0; i < 16; i++) - intra_types[(i & 3) + (i>>2) * r->intra_types_stride] = 0; - r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 1); - if(r->mb_type[mb_pos] == RV34_MB_P_MIX16x16){ - r->is16 = 1; - r->chroma_vlc = 1; - r->luma_vlc = 2; - r->cur_vlcs = choose_vlc_set(r->si.quant, r->si.vlc_set, 0); - } - } - - return rv34_decode_cbp(gb, r->cur_vlcs, r->is16); -} - -/** - * @addtogroup recons - * @{ - */ /** * mask for retrieving all bits in coded block pattern * corresponding to one 8x8 block @@ -1109,6 +1104,8 @@ static int rv34_decode_mb_header(RV34DecContext *r, int8_t *intra_types) #define U_CBP_MASK 0x0F0000 #define V_CBP_MASK 0xF00000 +/** @} */ // recons group + static void rv34_apply_differences(RV34DecContext *r, int cbp) { diff --git a/libavcodec/rv40data.h b/libavcodec/rv40data.h index 4787075742..1b6e8c31b1 100644 --- a/libavcodec/rv40data.h +++ b/libavcodec/rv40data.h @@ -65,7 +65,7 @@ static const uint8_t rv40_luma_dc_quant[2][32] = { }; /** - * @defgroup loopfilter coefficients used by the RV40 loop filter + * @name Coefficients used by the RV40 loop filter * @{ */ /** diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h index cbf3e23e6b..5b0f334219 100644 --- a/libavcodec/sbr.h +++ b/libavcodec/sbr.h @@ -42,7 +42,7 @@ typedef struct { uint8_t bs_xover_band; /** - * @defgroup bs_header_extra_1 Variables associated with bs_header_extra_1 + * @name Variables associated with bs_header_extra_1 * @{ */ uint8_t bs_freq_scale; @@ -58,7 +58,7 @@ typedef struct { */ typedef struct { /** - * @defgroup aac_bitstream Main bitstream data variables + * @name Main bitstream data variables * @{ */ unsigned bs_frame_class; @@ -74,7 +74,7 @@ typedef struct { /** @} */ /** - * @defgroup state State variables + * @name State variables * @{ */ DECLARE_ALIGNED(16, float, synthesis_filterbank_samples)[SBR_SYNTHESIS_BUF_SIZE]; @@ -116,7 +116,7 @@ typedef struct { SpectrumParameters spectrum_params; int bs_amp_res_header; /** - * @defgroup bs_header_extra_2 variables associated with bs_header_extra_2 + * @name Variables associated with bs_header_extra_2 * @{ */ unsigned bs_limiter_bands; diff --git a/libavcodec/tableprint.h b/libavcodec/tableprint.h index ddf2635da0..c89f3107f8 100644 --- a/libavcodec/tableprint.h +++ b/libavcodec/tableprint.h @@ -56,8 +56,7 @@ void write_##type##_2d_array(const void *arg, int len, int len2)\ } /** - * \defgroup printfuncs Predefined functions for printing tables - * + * @name Predefined functions for printing tables * \{ */ void write_int8_t_array (const int8_t *, int); diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 7b878c18d7..32869b97d1 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -40,7 +40,7 @@ /***********************************************************************/ /** - * @defgroup vc1bitplane VC-1 Bitplane decoding + * @name VC-1 Bitplane decoding * @see 8.7, p56 * @{ */ diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 186610ea95..8fca2da738 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -137,7 +137,7 @@ static int vc1_init_common(VC1Context *v) /***********************************************************************/ /** - * @defgroup vc1bitplane VC-1 Bitplane decoding + * @name VC-1 Bitplane decoding * @see 8.7, p56 * @{ */ @@ -774,7 +774,7 @@ static void vc1_mc_4mv_chroma(VC1Context *v) /***********************************************************************/ /** - * @defgroup vc1block VC-1 Block-level functions + * @name VC-1 Block-level functions * @see 7.1.4, p91 and 8.1.1.7, p(1)04 * @{ */ @@ -1512,7 +1512,7 @@ static inline int vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, /** @} */ // Block group /** - * @defgroup vc1_std_mb VC1 Macroblock-level functions in Simple/Main Profiles + * @name VC1 Macroblock-level functions in Simple/Main Profiles * @see 7.1.4, p91 and 8.1.1.7, p(1)04 * @{ */ diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 4e69b83b32..eb3bcb0629 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -128,9 +128,7 @@ static const struct frame_type_desc { */ typedef struct { /** - * @defgroup struct_global Global values - * Global values, specified in the stream header / extradata or used - * all over. + * @name Global values specified in the stream header / extradata or used all over. * @{ */ GetBitContext gb; ///< packet bitreader. During decoder init, @@ -182,8 +180,9 @@ typedef struct { /** * @} - * @defgroup struct_packet Packet values - * Packet values, specified in the packet header or related to a packet. + * + * @name Packet values specified in the packet header or related to a packet. + * * A packet is considered to be a single unit of data provided to this * decoder by the demuxer. * @{ @@ -213,7 +212,8 @@ typedef struct { /** * @} - * @defgroup struct_frame Frame and superframe values + * + * @name Frame and superframe values * Superframe and frame data - these can change from frame to frame, * although some of them do in that case serve as a cache / history for * the next frame or superframe. @@ -256,7 +256,9 @@ typedef struct { float synth_history[MAX_LSPS]; ///< see #excitation_history /** * @} - * @defgroup post_filter Postfilter values + * + * @name Postfilter values + * * Variables used for postfilter implementation, mostly history for * smoothing and so on, and context variables for FFT/iFFT. * @{ @@ -432,7 +434,7 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) } /** - * @defgroup postfilter Postfilter functions + * @name Postfilter functions * Postfilter functions (gain control, wiener denoise filter, DC filter, * kalman smoothening, plus surrounding code to wrap it) * @{ @@ -825,7 +827,7 @@ static void dequant_lsps(double *lsps, int num, } /** - * @defgroup lsp_dequant LSP dequantization routines + * @name LSP dequantization routines * LSP dequantization routines, for 10/16LSPs and independent/residual coding. * @note we assume enough bits are available, caller should check. * lsp10i() consumes 24 bits; lsp10r() consumes an additional 24 bits; @@ -969,7 +971,7 @@ static void dequant_lsp16r(GetBitContext *gb, /** * @} - * @defgroup aw Pitch-adaptive window coding functions + * @name Pitch-adaptive window coding functions * The next few functions are for pitch-adaptive window coding. * @{ */ diff --git a/libavformat/avio.h b/libavformat/avio.h index e07e3c3c92..211fe9349e 100644 --- a/libavformat/avio.h +++ b/libavformat/avio.h @@ -145,7 +145,7 @@ typedef struct URLPollEntry { attribute_deprecated int url_poll(URLPollEntry *poll_table, int n, int timeout); /** - * @defgroup open_modes URL open modes + * @name URL open modes * The flags argument to url_open and cosins must be one of the following * constants, optionally ORed with other flags. * @{ @@ -176,7 +176,7 @@ extern URLInterruptCB *url_interrupt_cb; /** * @defgroup old_url_funcs Old url_* functions - * @deprecated use the buffered API based on AVIOContext instead + * The following functions are deprecated. Use the buffered API based on #AVIOContext instead. * @{ */ attribute_deprecated int url_open_protocol (URLContext **puc, struct URLProtocol *up, @@ -235,7 +235,7 @@ attribute_deprecated AVIOContext *av_alloc_put_byte( /** * @defgroup old_avio_funcs Old put_/get_*() functions - * @deprecated use the avio_ -prefixed functions instead. + * The following functions are deprecated. Use the "avio_"-prefixed functions instead. * @{ */ attribute_deprecated int get_buffer(AVIOContext *s, unsigned char *buf, int size); @@ -272,7 +272,7 @@ attribute_deprecated int64_t av_url_read_fseek (AVIOContext *h, int stream_in /** * @defgroup old_url_f_funcs Old url_f* functions - * @deprecated use the avio_ -prefixed functions instead. + * The following functions are deprecated, use the "avio_"-prefixed functions instead. * @{ */ attribute_deprecated int url_fopen( AVIOContext **s, const char *url, int flags); @@ -479,7 +479,7 @@ void avio_flush(AVIOContext *s); int avio_read(AVIOContext *s, unsigned char *buf, int size); /** - * @defgroup avio_read Functions for reading from AVIOContext. + * @name Functions for reading from AVIOContext * @{ * * @note return 0 if EOF, so you cannot use it if EOF handling is @@ -523,7 +523,7 @@ int avio_get_str16be(AVIOContext *pb, int maxlen, char *buf, int buflen); /** - * @defgroup open_modes URL open modes + * @name URL open modes * The flags argument to avio_open must be one of the following * constants, optionally ORed with other flags. * @{ diff --git a/libavformat/rtmppkt.h b/libavformat/rtmppkt.h index bb3475811e..8372484fbd 100644 --- a/libavformat/rtmppkt.h +++ b/libavformat/rtmppkt.h @@ -138,7 +138,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *p, void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p); /** - * @defgroup amffuncs functions used to work with AMF format (which is also used in .flv) + * @name Functions used to work with the AMF format (which is also used in .flv) * @see amf_* funcs in libavformat/flvdec.c * @{ */ diff --git a/libavutil/lzo.h b/libavutil/lzo.h index 01c9280a43..a3924de908 100644 --- a/libavutil/lzo.h +++ b/libavutil/lzo.h @@ -24,7 +24,7 @@ #include -/** \defgroup errflags Error flags returned by av_lzo1x_decode +/** @name Error flags returned by av_lzo1x_decode * \{ */ //! end of the input buffer reached before decoding finished #define AV_LZO_INPUT_DEPLETED 1 From c5c265435114ccbfd489a04d8e2f8f3d05d4d858 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 1 Jul 2011 20:50:33 +0200 Subject: [PATCH 0066/1119] libavformat: Add an example how to use the metadata API Also include it into the doxygen documentation (cherry picked from commit 12489443dec228d60fa3dc56695f6ddae08beb37) --- libavformat/Makefile | 2 +- libavformat/avformat.h | 2 ++ libavformat/metadata-example.c | 56 ++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 libavformat/metadata-example.c diff --git a/libavformat/Makefile b/libavformat/Makefile index c2fa8af466..7a8aba6e21 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -335,7 +335,7 @@ OBJS-$(CONFIG_UDP_PROTOCOL) += udp.o # libavdevice dependencies OBJS-$(CONFIG_JACK_INDEV) += timefilter.o -EXAMPLES = output +EXAMPLES = metadata output TESTPROGS = timefilter include $(SUBDIR)../subdir.mak diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 05e80f1922..8561a50c01 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -109,6 +109,8 @@ struct AVFormatContext; variant_bitrate -- the total bitrate of the bitrate variant that the current stream is part of @endverbatim * + * Look in the examples section for an application example how to use the Metadata API. + * * @} */ diff --git a/libavformat/metadata-example.c b/libavformat/metadata-example.c new file mode 100644 index 0000000000..7bf77e7378 --- /dev/null +++ b/libavformat/metadata-example.c @@ -0,0 +1,56 @@ +/* + * Copyright (c) 2011 Reinhard Tartler + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * @file + * @example libavformat/metadata-example.c + * Shows how the metadata API can be used in application programs. + */ + +#include + +#include +#include + +int main (int argc, char **argv) +{ + AVFormatContext *fmt_ctx = NULL; + AVDictionaryEntry *tag = NULL; + int ret; + + if (argc != 2) { + printf("usage: %s \n" + "example program to demonstrate the use of the libavformat metadata API.\n" + "\n", argv[0]); + return 1; + } + + av_register_all(); + if ((ret = avformat_open_input(&fmt_ctx, argv[1], NULL, NULL))) + return ret; + + while ((tag = av_dict_get(fmt_ctx->metadata, "", tag, AV_DICT_IGNORE_SUFFIX))) + printf("%s=%s\n", tag->key, tag->value); + + avformat_free_context(fmt_ctx); + return 0; +} From c445e9dc6284c24a4d527480a8f78fc89d1b56a3 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 2 Jul 2011 13:22:18 +0200 Subject: [PATCH 0067/1119] ffmpeg: use av_get_bytes_per_sample() in place of av_get_bits_per_sample_fmt() av_get_bits_per_sample_fmt() was deprecated. Signed-off-by: Ronald S. Bultje (cherry picked from commit f6d6783a4df127d2ad1cf755ac4f363decbd7fbb) --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index b28408741c..2ed2802333 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1801,7 +1801,7 @@ static int output_packet(AVInputStream *ist, int ist_index, ret = 0; /* encode any samples remaining in fifo */ if (fifo_bytes > 0) { - int osize = av_get_bits_per_sample_fmt(enc->sample_fmt) >> 3; + int osize = av_get_bytes_per_sample(enc->sample_fmt); int fs_tmp = enc->frame_size; av_fifo_generic_read(ost->fifo, audio_buf, fifo_bytes, NULL); From d734d4ce6ae6e798b17c26ed1cc228891897b34f Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 2 Jul 2011 13:22:35 +0200 Subject: [PATCH 0068/1119] suggest to use av_get_bytes_per_sample() in av_get_bits_per_sample_format() doxy The previously suggested replacement - av_get_bits_per_sample_fmt() - was also deprecated. Signed-off-by: Ronald S. Bultje (cherry picked from commit ccfa626db863b6019fd4c316d19d8f7018543bed) --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 835279eb21..9a3076ae27 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -3847,7 +3847,7 @@ int av_get_bits_per_sample(enum CodecID codec_id); #if FF_API_OLD_SAMPLE_FMT /** - * @deprecated Use av_get_bits_per_sample_fmt() instead. + * @deprecated Use av_get_bytes_per_sample() instead. */ attribute_deprecated int av_get_bits_per_sample_format(enum AVSampleFormat sample_fmt); From 154ea553f672ace5890fd93f8e70d6173aa1ac4a Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jul 2011 18:58:09 +0200 Subject: [PATCH 0069/1119] Update Doxyfile to the format preferred by Doxygen 1.7.1 (via 'doxygen -u'). This is the version available in Debian stable, so it should be a reasonable baseline that can be expected to be present on all developer machines. Moreover, this is the version that is used by the nightly cronjob that generates the online html version. (cherry picked from commit 10dde477c77e0ac0fecda49fdb1dc71329aa7513) --- Doxyfile | 345 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 283 insertions(+), 62 deletions(-) diff --git a/Doxyfile b/Doxyfile index b75d2d6e10..a4beaba323 100644 --- a/Doxyfile +++ b/Doxyfile @@ -1,4 +1,4 @@ -# Doxyfile 1.5.6 +# Doxyfile 1.7.1 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project @@ -54,11 +54,11 @@ CREATE_SUBDIRS = NO # information to generate all constant output in the proper language. # The default language is English, other supported languages are: # Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, -# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, -# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), -# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, -# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, -# and Ukrainian. +# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, +# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English +# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, +# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak, +# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. OUTPUT_LANGUAGE = English @@ -155,13 +155,6 @@ QT_AUTOBRIEF = NO MULTILINE_CPP_IS_BRIEF = NO -# If the DETAILS_AT_TOP tag is set to YES then Doxygen -# will output the detailed description near the top, like JavaDoc. -# If set to NO, the detailed description appears after the member -# documentation. - -DETAILS_AT_TOP = NO - # If the INHERIT_DOCS tag is set to YES (the default) then an undocumented # member inherits the documentation from any documented member that it # re-implements. @@ -214,6 +207,18 @@ OPTIMIZE_FOR_FORTRAN = NO OPTIMIZE_OUTPUT_VHDL = NO +# Doxygen selects the parser to use depending on the extension of the files it +# parses. With this tag you can assign which parser to use for a given extension. +# Doxygen has a built-in mapping, but you can override or extend it using this +# tag. The format is ext=language, where ext is a file extension, and language +# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C, +# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make +# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C +# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions +# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen. + +EXTENSION_MAPPING = + # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want # to include (a tag file for) the STL sources as input, then you should # set this tag to YES in order to let doxygen match functions declarations and @@ -268,6 +273,22 @@ SUBGROUPING = YES TYPEDEF_HIDES_STRUCT = NO +# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to +# determine which symbols to keep in memory and which to flush to disk. +# When the cache is full, less often used symbols will be written to disk. +# For small to medium size projects (<1000 input files) the default value is +# probably good enough. For larger projects a too small cache size can cause +# doxygen to be busy swapping symbols to and from disk most of the time +# causing a significant performance penality. +# If the system has enough physical memory increasing the cache will improve the +# performance by keeping more symbols in memory. Note that the value works on +# a logarithmic scale so increasing the size by one will rougly double the +# memory usage. The cache size is given by this formula: +# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols + +SYMBOL_CACHE_SIZE = 0 + #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- @@ -366,6 +387,12 @@ HIDE_SCOPE_NAMES = NO SHOW_INCLUDE_FILES = YES +# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen +# will list include files with double quotes in the documentation +# rather than with sharp brackets. + +FORCE_LOCAL_INCLUDES = NO + # If the INLINE_INFO tag is set to YES (the default) then a tag [inline] # is inserted in the documentation for inline members. @@ -385,6 +412,16 @@ SORT_MEMBER_DOCS = YES SORT_BRIEF_DOCS = NO +# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen +# will sort the (brief and detailed) documentation of class members so that +# constructors and destructors are listed first. If set to NO (the default) +# the constructors will appear in the respective orders defined by +# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. +# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO +# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. + +SORT_MEMBERS_CTORS_1ST = NO + # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the # hierarchy of group names into alphabetical order. If set to NO (the default) # the group names will appear in their defined order. @@ -459,7 +496,8 @@ SHOW_DIRECTORIES = NO SHOW_FILES = YES # Set the SHOW_NAMESPACES tag to NO to disable the generation of the -# Namespaces page. This will remove the Namespaces entry from the Quick Index +# Namespaces page. +# This will remove the Namespaces entry from the Quick Index # and from the Folder Tree View (if specified). The default is YES. SHOW_NAMESPACES = YES @@ -474,6 +512,15 @@ SHOW_NAMESPACES = YES FILE_VERSION_FILTER = +# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed +# by doxygen. The layout file controls the global structure of the generated +# output files in an output format independent way. The create the layout file +# that represents doxygen's defaults, run doxygen with the -l option. +# You can optionally specify a file name after the option, if omitted +# DoxygenLayout.xml will be used as the name of the layout file. + +LAYOUT_FILE = + #--------------------------------------------------------------------------- # configuration options related to warning and progress messages #--------------------------------------------------------------------------- @@ -577,7 +624,8 @@ EXCLUDE_SYMLINKS = NO # against the file with absolute path, so to exclude all test directories # for example use the pattern */test/* -EXCLUDE_PATTERNS = *.git *.d +EXCLUDE_PATTERNS = *.git \ + *.d # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names # (namespaces, classes, functions, etc.) that should be excluded from the @@ -591,7 +639,8 @@ EXCLUDE_SYMBOLS = # directories that contain example code fragments that are included (see # the \include command). -EXAMPLE_PATH = libavcodec/ libavformat/ +EXAMPLE_PATH = libavcodec/ \ + libavformat/ # If the value of the EXAMPLE_PATH tag contains directories, you can use the # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp @@ -618,14 +667,17 @@ IMAGE_PATH = # by executing (via popen()) the command , where # is the value of the INPUT_FILTER tag, and is the name of an # input file. Doxygen will then use the output that the filter program writes -# to standard output. If FILTER_PATTERNS is specified, this tag will be +# to standard output. +# If FILTER_PATTERNS is specified, this tag will be # ignored. INPUT_FILTER = # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern -# basis. Doxygen will compare the file name with each pattern and apply the -# filter if there is a match. The filters are a list of the form: +# basis. +# Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. +# The filters are a list of the form: # pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further # info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER # is applied to all files. @@ -675,7 +727,8 @@ REFERENCES_RELATION = NO # If the REFERENCES_LINK_SOURCE tag is set to YES (the default) # and SOURCE_BROWSER tag is set to YES, then the hyperlinks from # functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will -# link to the source code. Otherwise they will link to the documentstion. +# link to the source code. +# Otherwise they will link to the documentation. REFERENCES_LINK_SOURCE = YES @@ -758,18 +811,50 @@ HTML_FOOTER = HTML_STYLESHEET = +# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. +# Doxygen will adjust the colors in the stylesheet and background images +# according to this color. Hue is specified as an angle on a colorwheel, +# see http://en.wikipedia.org/wiki/Hue for more information. +# For instance the value 0 represents red, 60 is yellow, 120 is green, +# 180 is cyan, 240 is blue, 300 purple, and 360 is red again. +# The allowed range is 0 to 359. + +HTML_COLORSTYLE_HUE = 220 + +# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of +# the colors in the HTML output. For a value of 0 the output will use +# grayscales only. A value of 255 will produce the most vivid colors. + +HTML_COLORSTYLE_SAT = 100 + +# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to +# the luminance component of the colors in the HTML output. Values below +# 100 gradually make the output lighter, whereas values above 100 make +# the output darker. The value divided by 100 is the actual gamma applied, +# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2, +# and 100 does not change the gamma. + +HTML_COLORSTYLE_GAMMA = 80 + +# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML +# page will contain the date and time when the page was generated. Setting +# this to NO can help when comparing the output of multiple runs. + +HTML_TIMESTAMP = YES + # If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, # files or namespaces will be aligned in HTML using tables. If set to # NO a bullet list will be used. HTML_ALIGN_MEMBERS = YES -# If the GENERATE_HTMLHELP tag is set to YES, additional index files -# will be generated that can be used as input for tools like the -# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) -# of the generated HTML documentation. +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. For this to work a browser that supports +# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox +# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). -GENERATE_HTMLHELP = NO +HTML_DYNAMIC_SECTIONS = NO # If the GENERATE_DOCSET tag is set to YES, additional index files # will be generated that can be used as input for Apple's Xcode 3 @@ -779,6 +864,8 @@ GENERATE_HTMLHELP = NO # directory and running "make install" will install the docset in # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find # it at startup. +# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html +# for more information. GENERATE_DOCSET = NO @@ -796,13 +883,22 @@ DOCSET_FEEDNAME = "Doxygen generated docs" DOCSET_BUNDLE_ID = org.doxygen.Project -# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML -# documentation will contain sections that can be hidden and shown after the -# page has loaded. For this to work a browser that supports -# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox -# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). +# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify +# the documentation publisher. This should be a reverse domain-name style +# string, e.g. com.mycompany.MyDocSet.documentation. -HTML_DYNAMIC_SECTIONS = NO +DOCSET_PUBLISHER_ID = org.doxygen.Publisher + +# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher. + +DOCSET_PUBLISHER_NAME = Publisher + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO # If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can # be used to specify the file name of the resulting .chm file. You @@ -841,6 +937,76 @@ BINARY_TOC = NO TOC_EXPAND = NO +# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and +# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated +# that can be used as input for Qt's qhelpgenerator to generate a +# Qt Compressed Help (.qch) of the generated HTML documentation. + +GENERATE_QHP = NO + +# If the QHG_LOCATION tag is specified, the QCH_FILE tag can +# be used to specify the file name of the resulting .qch file. +# The path specified is relative to the HTML output folder. + +QCH_FILE = + +# The QHP_NAMESPACE tag specifies the namespace to use when generating +# Qt Help Project output. For more information please see +# http://doc.trolltech.com/qthelpproject.html#namespace + +QHP_NAMESPACE = org.doxygen.Project + +# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating +# Qt Help Project output. For more information please see +# http://doc.trolltech.com/qthelpproject.html#virtual-folders + +QHP_VIRTUAL_FOLDER = doc + +# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to +# add. For more information please see +# http://doc.trolltech.com/qthelpproject.html#custom-filters + +QHP_CUST_FILTER_NAME = + +# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the +# custom filter to add. For more information please see +# +# Qt Help Project / Custom Filters. + +QHP_CUST_FILTER_ATTRS = + +# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this +# project's +# filter section matches. +# +# Qt Help Project / Filter Attributes. + +QHP_SECT_FILTER_ATTRS = + +# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can +# be used to specify the location of Qt's qhelpgenerator. +# If non-empty doxygen will try to run qhelpgenerator on the generated +# .qhp file. + +QHG_LOCATION = + +# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files +# will be generated, which together with the HTML files, form an Eclipse help +# plugin. To install this plugin and make it available under the help contents +# menu in Eclipse, the contents of the directory containing the HTML and XML +# files needs to be copied into the plugins directory of eclipse. The name of +# the directory within the plugins directory should be the same as +# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before +# the help appears. + +GENERATE_ECLIPSEHELP = NO + +# A unique identifier for the eclipse help plugin. When installing the plugin +# the directory name containing the HTML and XML files should also have +# this name. + +ECLIPSE_DOC_ID = org.doxygen.Project + # The DISABLE_INDEX tag can be used to turn on/off the condensed index at # top of each HTML page. The value NO (the default) enables the index and # the value YES disables it. @@ -854,27 +1020,30 @@ ENUM_VALUES_PER_LINE = 4 # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index # structure should be generated to display hierarchical information. -# If the tag value is set to FRAME, a side panel will be generated +# If the tag value is set to YES, a side panel will be generated # containing a tree-like index structure (just like the one that # is generated for HTML Help). For this to work a browser that supports -# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, -# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are -# probably better off using the HTML help feature. Other possible values -# for this tag are: HIERARCHIES, which will generate the Groups, Directories, -# and Class Hiererachy pages using a tree view instead of an ordered list; -# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which -# disables this behavior completely. For backwards compatibility with previous -# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE -# respectively. +# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser). +# Windows users are probably better off using the HTML help feature. GENERATE_TREEVIEW = NO +# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories, +# and Class Hierarchy pages using a tree view instead of an ordered list. + +USE_INLINE_TREES = NO + # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be # used to set the initial width (in pixels) of the frame in which the tree # is shown. TREEVIEW_WIDTH = 250 +# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open +# links to external symbols imported via tag files in a separate window. + +EXT_LINKS_IN_WINDOW = NO + # Use this tag to change the font size of Latex formulas included # as images in the HTML documentation. The default is 10. Note that # when you change the font size after a successful doxygen run you need @@ -883,6 +1052,34 @@ TREEVIEW_WIDTH = 250 FORMULA_FONTSIZE = 10 +# Use the FORMULA_TRANPARENT tag to determine whether or not the images +# generated for formulas are transparent PNGs. Transparent PNGs are +# not supported properly for IE 6.0, but are supported on all modern browsers. +# Note that when changing this option you need to delete any form_*.png files +# in the HTML output before the changes have effect. + +FORMULA_TRANSPARENT = YES + +# When the SEARCHENGINE tag is enabled doxygen will generate a search box +# for the HTML output. The underlying search engine uses javascript +# and DHTML and should work on any modern browser. Note that when using +# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets +# (GENERATE_DOCSET) there is already a search function so this one should +# typically be disabled. For large projects the javascript based search engine +# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution. + +SEARCHENGINE = NO + +# When the SERVER_BASED_SEARCH tag is enabled the search engine will be +# implemented using a PHP enabled web server instead of at the web client +# using Javascript. Doxygen will generate the search PHP script and index +# file to put on the web server. The advantage of the server +# based approach is that it scales better to large projects and allows +# full text search. The disadvances is that it is more difficult to setup +# and does not have live searching capabilities. + +SERVER_BASED_SEARCH = NO + #--------------------------------------------------------------------------- # configuration options related to the LaTeX output #--------------------------------------------------------------------------- @@ -900,6 +1097,9 @@ LATEX_OUTPUT = latex # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be # invoked. If left blank `latex' will be used as the default command name. +# Note that when enabling USE_PDFLATEX this option is only used for +# generating bitmaps for formulas in the HTML output, but not in the +# Makefile that is written to the output directory. LATEX_CMD_NAME = latex @@ -959,6 +1159,13 @@ LATEX_BATCHMODE = NO LATEX_HIDE_INDICES = NO +# If LATEX_SOURCE_CODE is set to YES then doxygen will include +# source code with syntax highlighting in the LaTeX output. +# Note that which sources are shown also depends on other settings +# such as SOURCE_BROWSER. + +LATEX_SOURCE_CODE = NO + #--------------------------------------------------------------------------- # configuration options related to the RTF output #--------------------------------------------------------------------------- @@ -1095,8 +1302,10 @@ GENERATE_PERLMOD = NO PERLMOD_LATEX = NO # If the PERLMOD_PRETTY tag is set to YES the Perl module output will be -# nicely formatted so it can be parsed by a human reader. This is useful -# if you want to understand what is going on. On the other hand, if this +# nicely formatted so it can be parsed by a human reader. +# This is useful +# if you want to understand what is going on. +# On the other hand, if this # tag is set to NO the size of the Perl module output will be much smaller # and Perl will parse it just the same. @@ -1158,16 +1367,22 @@ INCLUDE_FILE_PATTERNS = # undefined via #undef or recursively expanded use the := operator # instead of the = operator. -PREDEFINED = __attribute__(x)="" "RENAME(x)=x ## _TMPL" "DEF(x)=x ## _TMPL" \ - HAVE_AV_CONFIG_H HAVE_MMX HAVE_MMX2 HAVE_AMD3DNOW \ +PREDEFINED = "__attribute__(x)=" \ + "RENAME(x)=x ## _TMPL" \ + "DEF(x)=x ## _TMPL" \ + HAVE_AV_CONFIG_H \ + HAVE_MMX \ + HAVE_MMX2 \ + HAVE_AMD3DNOW \ + "DECLARE_ALIGNED(a,t,n)=t n" \ + "offsetof(x,y)=0x42" # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then # this tag can be used to specify a list of macro names that should be expanded. # The macro definition that is found in the sources will be used. # Use the PREDEFINED tag if you want to use a different macro definition. -#EXPAND_AS_DEFINED = FF_COMMON_FRAME -EXPAND_AS_DEFINED = declare_idct(idct, table, idct_row_head, idct_row, idct_row_tail, idct_row_mid) +EXPAND_AS_DEFINED = declare_idct # If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then # doxygen's preprocessor will remove all function-like macros that are alone @@ -1185,9 +1400,11 @@ SKIP_FUNCTION_MACROS = YES # Optionally an initial location of the external documentation # can be added for each tagfile. The format of a tag file without # this location is as follows: -# TAGFILES = file1 file2 ... +# +# TAGFILES = file1 file2 ... # Adding location for the tag files is done as follows: -# TAGFILES = file1=loc1 "file2 = loc2" ... +# +# TAGFILES = file1=loc1 "file2 = loc2" ... # where "loc1" and "loc2" can be relative or absolute paths or # URLs. If a location is present for each tag, the installdox tool # does not have to be run to correct the links. @@ -1255,6 +1472,14 @@ HIDE_UNDOC_RELATIONS = YES HAVE_DOT = NO +# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is +# allowed to run in parallel. When set to 0 (the default) doxygen will +# base this on the number of processors available in the system. You can set it +# explicitly to a value larger than 0 to get control over the balance +# between CPU load and processing speed. + +DOT_NUM_THREADS = 0 + # By default doxygen will write a font called FreeSans.ttf to the output # directory and reference it in all dot files that doxygen generates. This # font does not include all possible unicode characters however, so when you need @@ -1266,6 +1491,11 @@ HAVE_DOT = NO DOT_FONTNAME = FreeSans +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + # By default doxygen will tell dot to use the output directory to look for the # FreeSans.ttf font (which doxygen will put there itself). If you specify a # different font using DOT_FONTNAME you can set the path where dot @@ -1383,10 +1613,10 @@ DOT_GRAPH_MAX_NODES = 50 MAX_DOT_GRAPH_DEPTH = 0 # Set the DOT_TRANSPARENT tag to YES to generate images with a transparent -# background. This is enabled by default, which results in a transparent -# background. Warning: Depending on the platform used, enabling this option -# may lead to badly anti-aliased labels on the edges of a graph (i.e. they -# become hard to read). +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). DOT_TRANSPARENT = YES @@ -1408,12 +1638,3 @@ GENERATE_LEGEND = YES # the various graphs. DOT_CLEANUP = YES - -#--------------------------------------------------------------------------- -# Configuration::additions related to the search engine -#--------------------------------------------------------------------------- - -# The SEARCHENGINE tag specifies whether or not a search engine should be -# used. If set to NO the values of all tags below this one will be ignored. - -SEARCHENGINE = NO From c172eb7925dad8db6ad8fde9cd81a90a5cb06bb6 Mon Sep 17 00:00:00 2001 From: Gavin Kinsey Date: Tue, 21 Jun 2011 13:13:37 +0100 Subject: [PATCH 0070/1119] Fix segmentation fault in ffprobe (cherry picked from commit c558122e4ee53dc4cb82f87749a9c28c38ca9401) --- ffprobe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ffprobe.c b/ffprobe.c index 711a17246d..edda454cde 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -393,6 +393,7 @@ int main(int argc, char **argv) int ret; av_register_all(); + init_opts(); #if CONFIG_AVDEVICE avdevice_register_all(); #endif From 093f0f13e611c7fd7a8ee6130c4211427033329d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 30 Jun 2011 23:00:46 +0200 Subject: [PATCH 0071/1119] doxygen: fix usage of @file directive in libavutil/{dict,file}.h (cherry picked from commit 134557f3a47697a7b5e5da2bd7e5a4b8f8d56b1c) --- libavutil/dict.h | 3 ++- libavutil/file.h | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/dict.h b/libavutil/dict.h index ff24b36f81..397ce3852f 100644 --- a/libavutil/dict.h +++ b/libavutil/dict.h @@ -18,7 +18,8 @@ */ /** - * @file Public dictionary API. + * @file + * Public dictionary API. */ #ifndef AVUTIL_DICT_H diff --git a/libavutil/file.h b/libavutil/file.h index 8b65bfb01d..c481c37f93 100644 --- a/libavutil/file.h +++ b/libavutil/file.h @@ -22,7 +22,8 @@ #include "avutil.h" /** - * @file misc file utilities + * @file + * Misc file utilities. */ /** From 8f536408d1a8b6899442fd46a2e70ffb2897f4c2 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Jul 2011 16:11:16 +0200 Subject: [PATCH 0072/1119] doxygen: Remove spurious documentation for non-existing function parameters. (cherry picked from commit 01c17c88ede76f8321cf2c59a535dbbc5b5ff989) --- libavcodec/h264idct_template.c | 1 - libswscale/swscale.h | 1 - 2 files changed, 2 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index e7f9af7fb0..e288f9bf1b 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -237,7 +237,6 @@ void FUNCC(ff_h264_idct_add8)(uint8_t **dest, const int *block_offset, DCTELEM * } /** * IDCT transforms the 16 dc values and dequantizes them. - * @param qp quantization parameter */ void FUNCC(ff_h264_luma_dc_dequant_idct)(DCTELEM *_output, DCTELEM *_input, int qmul){ #define stride 16 diff --git a/libswscale/swscale.h b/libswscale/swscale.h index 2aa5e50ab2..3899596983 100644 --- a/libswscale/swscale.h +++ b/libswscale/swscale.h @@ -235,7 +235,6 @@ int sws_scale(struct SwsContext *context, const uint8_t* const srcSlice[], const /** * @param inv_table the yuv2rgb coefficients, normally ff_yuv2rgb_coeffs[x] - * @param fullRange if 1 then the luma range is 0..255 if 0 it is 16..235 * @return -1 if not supported */ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], From f95e5225fe1b94c5c2ee683fa75aafed22c5b3e1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jul 2011 19:00:59 +0200 Subject: [PATCH 0073/1119] doxygen: Drop array size declarations from Doxygen parameter names. Adding [] to a Doxygen parameter name clashes with Doxygen syntax. (cherry picked from commit ff993cd7fcdfeffcac10337c0c6b69c599060c2b) --- libavcodec/cook.c | 2 +- libavcodec/motion_est_template.c | 4 ++-- libavutil/imgutils.h | 2 +- libavutil/lfg.h | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 84211a6d08..05d8d7a3cf 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -335,7 +335,7 @@ static av_cold int cook_decode_close(AVCodecContext *avctx) * Fill the gain array for the timedomain quantization. * * @param gb pointer to the GetBitContext - * @param gaininfo[9] array of gain indexes + * @param gaininfo array[9] of gain indexes */ static void decode_gain_info(GetBitContext *gb, int *gaininfo) diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c index 6b807dc6f6..d65edd933a 100644 --- a/libavcodec/motion_est_template.c +++ b/libavcodec/motion_est_template.c @@ -990,8 +990,8 @@ static av_always_inline int diamond_search(MpegEncContext * s, int *best, int dm return var_diamond_search(s, best, dmin, src_index, ref_index, penalty_factor, size, h, flags); } -/*! - \param P[10][2] a list of candidate mvs to check before starting the +/** + @param P a list of candidate mvs to check before starting the iterative search. If one of the candidates is close to the optimal mv, then it takes fewer iterations. And it increases the chance that we find the optimal mv. diff --git a/libavutil/imgutils.h b/libavutil/imgutils.h index b569eb1ca4..fad4435b94 100644 --- a/libavutil/imgutils.h +++ b/libavutil/imgutils.h @@ -69,7 +69,7 @@ int av_image_fill_linesizes(int linesizes[4], enum PixelFormat pix_fmt, int widt * * @param data pointers array to be filled with the pointer for each image plane * @param ptr the pointer to a buffer which will contain the image - * @param linesizes[4] the array containing the linesize for each + * @param linesizes the array containing the linesize for each * plane, should be filled by av_image_fill_linesizes() * @return the size in bytes required for the image buffer, a negative * error code in case of failure diff --git a/libavutil/lfg.h b/libavutil/lfg.h index 89a635a1b0..904d00a669 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -55,7 +55,7 @@ static inline unsigned int av_mlfg_get(AVLFG *c){ * Get the next two numbers generated by a Box-Muller Gaussian * generator using the random numbers issued by lfg. * - * @param out[2] array where the two generated numbers are placed + * @param out array where the two generated numbers are placed */ void av_bmg_get(AVLFG *lfg, double out[2]); From 924b2ee8f29823877b6b544b48fe153f307d7be7 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jul 2011 20:00:31 +0200 Subject: [PATCH 0074/1119] Add version number to doxygen config --- Doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doxyfile b/Doxyfile index a4beaba323..485b93d87f 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = Libav # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 0.7.1 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. From d32b2d4de164d6e2bd4b441c5f2aa0e442fef1f6 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jul 2011 19:54:05 +0200 Subject: [PATCH 0075/1119] update Changelog --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 276812bd66..1c6952c394 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,9 @@ version 0.7.1: - added various additional FOURCC codec identifiers - H.264 4:4:4 fixes - build system fixes +- Doxygen corrections and improvements +- fixed segfault in ffprobe +- behavioral fix in av_open_input_stream() version 0.7: From e8baa8eb7f45bb5fdbfcc70ae028cd11238faa88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Tue, 5 Jul 2011 23:10:44 +0200 Subject: [PATCH 0076/1119] Fix av_open_input_stream with uninitialized context pointer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Code would allocate a new context but forget to assign it to the pointer actually passed to avformat_open_input, potentially causing a crash. Even if it was initialized it would cause a memleak. This caused crashes with e.g. mpd, see also http://bugs.gentoo.org/show_bug.cgi?id=373423 Signed-off-by: Reimar Döffinger --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index cd90480be6..c99065759b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -457,7 +457,7 @@ int av_open_input_stream(AVFormatContext **ic_ptr, opts = convert_format_parameters(ap); if(!ap->prealloced_context) - ic = avformat_alloc_context(); + *ic_ptr = ic = avformat_alloc_context(); else ic = *ic_ptr; if (!ic) { From 0a48a67e57873b938c49ca57b0629e3e33fe37db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Tue, 5 Jul 2011 23:10:44 +0200 Subject: [PATCH 0077/1119] Fix av_open_input_stream with uninitialized context pointer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Code would allocate a new context but forget to assign it to the pointer actually passed to avformat_open_input, potentially causing a crash. Even if it was initialized it would cause a memleak. This caused crashes with e.g. mpd, see also http://bugs.gentoo.org/show_bug.cgi?id=373423 Signed-off-by: Reimar Döffinger (cherry picked from commit 4e59c8ecf1433b85b539c5e89bb68cfe8b839866) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b610276844..b8a284a52b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -524,7 +524,7 @@ int av_open_input_stream(AVFormatContext **ic_ptr, opts = convert_format_parameters(ap); if(!ap->prealloced_context) - ic = avformat_alloc_context(); + *ic_ptr = ic = avformat_alloc_context(); else ic = *ic_ptr; if (!ic) { From 2f0a10174efd47f210e4863cb66da54cfb5a898e Mon Sep 17 00:00:00 2001 From: Loren Merritt Date: Sun, 3 Jul 2011 22:47:10 +0000 Subject: [PATCH 0078/1119] vf_gradfun: relicense x86 asm to LGPL Actually I gave permission for LGPL long ago, but the original import failed to update the license header. (cherry picked from commit 082768f0b189b1706fdcd15b42dcca5fd0822315) --- libavfilter/x86/gradfun.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavfilter/x86/gradfun.c b/libavfilter/x86/gradfun.c index c9ade8294a..ff3b19d38d 100644 --- a/libavfilter/x86/gradfun.c +++ b/libavfilter/x86/gradfun.c @@ -1,19 +1,21 @@ /* + * Copyright (C) 2009 Loren Merritt + * * This file is part of Libav. * - * Libav is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * * Libav is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with Libav; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include "libavutil/cpu.h" From 43de5c034fe8d9bf1687faec8865b5967291004b Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Jul 2011 16:33:25 +0200 Subject: [PATCH 0079/1119] doxygen: Escape '\' in Doxygen documentation. (cherry picked from commit c81a2b9b4f5488c831dc27635152394ab632c46a) --- libavformat/internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/internal.h b/libavformat/internal.h index 7413b0906a..c1a4b4f51b 100644 --- a/libavformat/internal.h +++ b/libavformat/internal.h @@ -157,14 +157,14 @@ void ff_put_v(AVIOContext *bc, uint64_t val); /** * Read a whole line of text from AVIOContext. Stop reading after reaching - * either a \n, a \0 or EOF. The returned string is always \0 terminated, + * either a \\n, a \\0 or EOF. The returned string is always \\0-terminated, * and may be truncated if the buffer is too small. * * @param s the read-only AVIOContext * @param buf buffer to store the read line * @param maxlen size of the buffer * @return the length of the string written in the buffer, not including the - * final \0 + * final \\0 */ int ff_get_line(AVIOContext *s, char *buf, int maxlen); From 07dc4a79c701a4fd41d0973df1ab56333895faed Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Jul 2011 16:35:10 +0200 Subject: [PATCH 0080/1119] RTSP: Doxygen comment cleanup Do not use Doxygen for comments that apply to specific implementation details; merge some duplicated Doxygen comment blocks. (cherry picked from commit f75e3da535f297ddbe501ce866e57ccca7645455) --- libavformat/rtsp.c | 18 +++++------------- libavformat/rtsp.h | 6 ++++-- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index eeea9be4a0..80cd587144 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -428,11 +428,6 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, } } -/** - * Parse the sdp description and allocate the rtp streams and the - * pollfd array used for udp ones. - */ - int ff_sdp_parse(AVFormatContext *s, const char *content) { RTSPState *rt = s->priv_data; @@ -1050,9 +1045,6 @@ retry: return 0; } -/** - * @return 0 on success, <0 on error, 1 if protocol is unavailable. - */ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, int lower_transport, const char *real_challenge) { @@ -1078,7 +1070,7 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, for (j = RTSP_RTP_PORT_MIN, i = 0; i < rt->nb_rtsp_streams; ++i) { char transport[2048]; - /** + /* * WMS serves all UDP data over a single connection, the RTX, which * isn't necessarily the first in the SDP but has to be the first * to be set up, else the second/third SETUP will fail with a 461. @@ -1151,7 +1143,7 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, /* RTP/TCP */ else if (lower_transport == RTSP_LOWER_TRANSPORT_TCP) { - /** For WMS streams, the application streams are only used for + /* For WMS streams, the application streams are only used for * UDP. When trying to set it up for TCP streams, the server * will return an error. Therefore, we skip those streams. */ if (rt->server_type == RTSP_SERVER_WMS && @@ -1482,14 +1474,14 @@ redirect: cmd[0] = 0; if (rt->server_type == RTSP_SERVER_REAL) av_strlcat(cmd, - /** + /* * The following entries are required for proper * streaming from a Realmedia server. They are * interdependent in some way although we currently * don't quite understand how. Values were copied * from mplayer SVN r23589. - * @param CompanyID is a 16-byte ID in base64 - * @param ClientChallenge is a 16-byte ID in hex + * ClientChallenge is a 16-byte ID in hex + * CompanyID is a 16-byte ID in base64 */ "ClientChallenge: 9e26d33f2984236010ef6253fb1887f7\r\n" "PlayerStarttime: [28/03/2003:22:50:23 00:00]\r\n" diff --git a/libavformat/rtsp.h b/libavformat/rtsp.h index 5eae6bf4f3..7d2460fe2f 100644 --- a/libavformat/rtsp.h +++ b/libavformat/rtsp.h @@ -505,8 +505,9 @@ int ff_rtsp_setup_input_streams(AVFormatContext *s, RTSPMessageHeader *reply); int ff_rtsp_setup_output_streams(AVFormatContext *s, const char *addr); /** - * Parse a SDP description of streams by populating an RTSPState struct - * within the AVFormatContext. + * Parse an SDP description of streams by populating an RTSPState struct + * within the AVFormatContext; also allocate the RTP streams and the + * pollfd array used for UDP streams. */ int ff_sdp_parse(AVFormatContext *s, const char *content); @@ -525,6 +526,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt); /** * Do the SETUP requests for each stream for the chosen * lower transport mode. + * @return 0 on success, <0 on error, 1 if protocol is unavailable */ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, int lower_transport, const char *real_challenge); From b9e126fbe2510523dece2fe5433cdd00ab52f2f5 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 27 Jun 2011 07:25:58 +0000 Subject: [PATCH 0081/1119] ffmpeg: Fix VDPAU decoding for some H264 samples. (cherry picked from commit a4ab70f92e4d8705434a2fee42a2b69a8bfa6bb1) --- libavcodec/vdpau.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vdpau.c b/libavcodec/vdpau.c index 5f8f09186e..5312b4b852 100644 --- a/libavcodec/vdpau.c +++ b/libavcodec/vdpau.c @@ -183,7 +183,8 @@ void ff_vdpau_h264_picture_complete(MpegEncContext *s) render->info.h264.deblocking_filter_control_present_flag = h->pps.deblocking_filter_parameters_present; render->info.h264.redundant_pic_cnt_present_flag = h->pps.redundant_pic_cnt_present; memcpy(render->info.h264.scaling_lists_4x4, h->pps.scaling_matrix4, sizeof(render->info.h264.scaling_lists_4x4)); - memcpy(render->info.h264.scaling_lists_8x8, h->pps.scaling_matrix8, sizeof(render->info.h264.scaling_lists_8x8)); + memcpy(render->info.h264.scaling_lists_8x8[0], h->pps.scaling_matrix8[0], sizeof(render->info.h264.scaling_lists_8x8[0])); + memcpy(render->info.h264.scaling_lists_8x8[1], h->pps.scaling_matrix8[3], sizeof(render->info.h264.scaling_lists_8x8[0])); ff_draw_horiz_band(s, 0, s->avctx->height); render->bitstream_buffers_used = 0; From 46a2dc91753535ec36e5d743508a7b1b4602243e Mon Sep 17 00:00:00 2001 From: Robert Swain Date: Mon, 4 Jul 2011 08:44:49 +0200 Subject: [PATCH 0082/1119] vorbis: vpxenc: Add missing include for av_rescale* Signed-off-by: Mans Rullgard (cherry picked from commit 954a6532160b9eac7773613be105fd706d639ade) --- libavcodec/libvorbis.c | 1 + libavcodec/libvpxenc.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libavcodec/libvorbis.c b/libavcodec/libvorbis.c index 88da705a32..85cb9c5989 100644 --- a/libavcodec/libvorbis.c +++ b/libavcodec/libvorbis.c @@ -30,6 +30,7 @@ #include "avcodec.h" #include "bytestream.h" #include "vorbis.h" +#include "libavutil/mathematics.h" #undef NDEBUG #include diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 02f8135381..ca2e6157d5 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -30,6 +30,7 @@ #include "avcodec.h" #include "libavutil/base64.h" +#include "libavutil/mathematics.h" /** * Portion of struct vpx_codec_cx_pkt from vpx_encoder.h. From 8e3d264fb234db081436ab5b76525a355dc497db Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Mon, 4 Jul 2011 10:41:04 +0100 Subject: [PATCH 0083/1119] libxvid: add missing include of libavutil/mathematics.h Signed-off-by: Mans Rullgard (cherry picked from commit 6c374bc0b40306c84e35a4002ab7fa96ace11c6c) --- libavcodec/libxvidff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libxvidff.c b/libavcodec/libxvidff.c index 1e887a2a8c..fd0aea58fa 100644 --- a/libavcodec/libxvidff.c +++ b/libavcodec/libxvidff.c @@ -30,6 +30,7 @@ #include "avcodec.h" #include "libavutil/cpu.h" #include "libavutil/intreadwrite.h" +#include "libavutil/mathematics.h" #include "libxvid_internal.h" #if !HAVE_MKSTEMP #include From 64e2656f7c6d03c11b8e65202fc803cf58c03e1a Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Jul 2011 16:09:37 +0200 Subject: [PATCH 0084/1119] doxygen: Fix documentation for some VP8 functions. (cherry picked from commit 3c432e1186443fae474fa4e8613fbc21fd8a6c63) --- libavcodec/vp8.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 282d2fdb4e..5e331c9856 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -641,8 +641,6 @@ void decode_mb_mode(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y, uint8_ * @param block destination for block coefficients * @param probs probabilities to use when reading trees from the bitstream * @param i initial coeff index, 0 unless a separate DC block is coded - * @param zero_nhood the initial prediction context for number of surrounding - * all-zero blocks (only left/top, so 0-2) * @param qmul array holding the dc/ac dequant factor at position 0/1 * @return 0 if no coeffs were decoded * otherwise, the index of the last coeff decoded plus one @@ -701,6 +699,17 @@ skip_eob: } #endif +/** + * @param c arithmetic bitstream reader context + * @param block destination for block coefficients + * @param probs probabilities to use when reading trees from the bitstream + * @param i initial coeff index, 0 unless a separate DC block is coded + * @param zero_nhood the initial prediction context for number of surrounding + * all-zero blocks (only left/top, so 0-2) + * @param qmul array holding the dc/ac dequant factor at position 0/1 + * @return 0 if no coeffs were decoded + * otherwise, the index of the last coeff decoded plus one + */ static av_always_inline int decode_block_coeffs(VP56RangeCoder *c, DCTELEM block[16], uint8_t probs[16][3][NUM_DCT_TOKENS-1], @@ -1034,10 +1043,9 @@ static const uint8_t subpel_idx[3][8] = { }; /** - * Generic MC function. + * luma MC function * * @param s VP8 decoding context - * @param luma 1 for luma (Y) planes, 0 for chroma (Cb/Cr) planes * @param dst target buffer for block data at block position * @param src reference picture buffer at origin (0, 0) * @param mv motion vector (relative to block position) to get pixel data from @@ -1083,6 +1091,23 @@ void vp8_mc_luma(VP8Context *s, uint8_t *dst, AVFrame *ref, const VP56mv *mv, } } +/** + * chroma MC function + * + * @param s VP8 decoding context + * @param dst1 target buffer for block data at block position (U plane) + * @param dst2 target buffer for block data at block position (V plane) + * @param ref reference picture buffer at origin (0, 0) + * @param mv motion vector (relative to block position) to get pixel data from + * @param x_off horizontal position of block from origin (0, 0) + * @param y_off vertical position of block from origin (0, 0) + * @param block_w width of block (16, 8 or 4) + * @param block_h height of block (always same as block_w) + * @param width width of src/dst plane data + * @param height height of src/dst plane data + * @param linesize size of a single line of plane data, including padding + * @param mc_func motion compensation function pointers (bilinear or sixtap MC) + */ static av_always_inline void vp8_mc_chroma(VP8Context *s, uint8_t *dst1, uint8_t *dst2, AVFrame *ref, const VP56mv *mv, int x_off, int y_off, From 683df9bf548da58e97365d61cf0338c5262ea6cc Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Jul 2011 19:40:34 +0200 Subject: [PATCH 0085/1119] Add LGPL license boilerplate to files lacking it. (cherry picked from commit e3759c567db42c8dff255ef9f7258326da470755) --- libavcodec/high_bit_depth.h | 18 ++++++++++++++++++ libavcodec/opt.h | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/libavcodec/high_bit_depth.h b/libavcodec/high_bit_depth.h index 511cd00f3a..c0a6eafe89 100644 --- a/libavcodec/high_bit_depth.h +++ b/libavcodec/high_bit_depth.h @@ -1,3 +1,21 @@ +/* + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + #include "dsputil.h" #ifndef BIT_DEPTH diff --git a/libavcodec/opt.h b/libavcodec/opt.h index 70de27d192..2380e74332 100644 --- a/libavcodec/opt.h +++ b/libavcodec/opt.h @@ -1,3 +1,21 @@ +/* + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + /** * @file * This header is provided for compatibility only and will be removed From 5a33a29a91fe0c3fc30eb89a0675258f538c6af8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Mon, 4 Jul 2011 02:57:47 +0200 Subject: [PATCH 0086/1119] oggdec: Abort Ogg header parsing when encountering a data packet. Fixes Bugzilla #11. Signed-off-by: Diego Biurrun (cherry picked from commit 0a94020b5b073d1abf442e28b6db3be785aa680a) --- libavformat/oggdec.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 998a33b43c..49f24e9b9b 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -373,8 +373,7 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize, // We have reached the first non-header packet in this stream. // Unfortunately more header packets may still follow for others, - // so we reset this later unless we are done with the headers - // for all streams. + // but if we continue with header parsing we may lose data packets. ogg->headers = 1; // Update the header state for all streams and @@ -383,8 +382,6 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize, s->data_offset = os->sync_pos; for (i = 0; i < ogg->nstreams; i++) { struct ogg_stream *cur_os = ogg->streams + i; - if (cur_os->header > 0) - ogg->headers = 0; // if we have a partial non-header packet, its start is // obviously at or after the data start From cd63c32ff6f6a24dc971a0bb2ca8f8a4f57e79da Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Wed, 29 Jun 2011 15:44:40 -0700 Subject: [PATCH 0087/1119] oggdec: prevent heap corruption. Specifically crafted samples can reinit ogg->streams[] while reading samples, and thus we should not cache old pointers since these may no longer be valid. Signed-off-by: Ronald S. Bultje (cherry picked from commit 4cc3467e7abfea7e8d03b6af511f7719038a5a98) --- libavformat/oggdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 49f24e9b9b..25f5cd8b2d 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -583,15 +583,15 @@ static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { struct ogg *ogg = s->priv_data; - struct ogg_stream *os = ogg->streams + stream_index; AVIOContext *bc = s->pb; int64_t pts = AV_NOPTS_VALUE; - int i; + int i = -1; avio_seek(bc, *pos_arg, SEEK_SET); ogg_reset(ogg); while (avio_tell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) { if (i == stream_index) { + struct ogg_stream *os = ogg->streams + stream_index; pts = ogg_calc_pts(s, i, NULL); if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY)) pts = AV_NOPTS_VALUE; @@ -617,6 +617,7 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index, os->keyframe_seek = 1; ret = av_seek_frame_binary(s, stream_index, timestamp, flags); + os = ogg->streams + stream_index; if (ret < 0) os->keyframe_seek = 0; return ret; From 004194f465385c743adc2e52cdb726d8f70f6c0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 7 Jul 2011 09:51:57 +0300 Subject: [PATCH 0088/1119] docs: Remove needless configure options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Specifying --enable-static --disable-shared isn't necessary, these are the defaults. Signed-off-by: Martin Storsjö --- doc/general.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/general.texi b/doc/general.texi index 775bf5d03f..dbc7faf7a8 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -1024,7 +1024,7 @@ diffutils Then run @example -./configure --enable-static --disable-shared +./configure @end example to make a static build. @@ -1071,7 +1071,7 @@ and add some special flags to your configure invocation. For a static build run @example -./configure --target-os=mingw32 --enable-memalign-hack --enable-static --disable-shared --extra-cflags=-mno-cygwin --extra-libs=-mno-cygwin +./configure --target-os=mingw32 --extra-cflags=-mno-cygwin --extra-libs=-mno-cygwin @end example and for a build with shared libraries From 5c2d7c4dc8b8618f6586e220f4af6e4baae6dac2 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 12 Jul 2011 18:09:55 +0200 Subject: [PATCH 0089/1119] docs: Don't recommend adding --enable-memalign-hack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It is enabled automatically when required nowadays. Signed-off-by: Martin Storsj (cherry picked from commit 9d36139231bfcf155a1b94f61a420768f1771174) --- doc/general.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/general.texi b/doc/general.texi index dbc7faf7a8..93f563e1bf 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -949,7 +949,7 @@ MSVC++-compatible import libraries. @item Build Libav with @example -./configure --enable-shared --enable-memalign-hack +./configure --enable-shared make make install @end example @@ -1076,7 +1076,7 @@ For a static build run and for a build with shared libraries @example -./configure --target-os=mingw32 --enable-memalign-hack --enable-shared --disable-static --extra-cflags=-mno-cygwin --extra-libs=-mno-cygwin +./configure --target-os=mingw32 --enable-shared --disable-static --extra-cflags=-mno-cygwin --extra-libs=-mno-cygwin @end example @bye From a52c615a421d497614020df4e04d91e18fc8c0a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 8 Jul 2011 13:37:54 +0300 Subject: [PATCH 0090/1119] docs: Use proper markup for a literal command line option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit a3a94e1498685480800c22fc3ffa20d42ccfd527) --- doc/general.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/general.texi b/doc/general.texi index 93f563e1bf..a35c809000 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -986,7 +986,7 @@ extern __declspec(dllimport) const AVPixFmtDescriptor av_pix_fmt_descriptors[]; Note that using import libraries created by dlltool requires the linker optimization option to be set to -"References: Keep Unreferenced Data (/OPT:NOREF)", otherwise +"References: Keep Unreferenced Data (@code{/OPT:NOREF})", otherwise the resulting binaries will fail during runtime. This isn't required when using import libraries generated by lib.exe. From 0156f4f9da2577b32ebbb191047d7ff0ca613c44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 8 Jul 2011 11:00:01 +0300 Subject: [PATCH 0091/1119] docs: Mention the upstream bugzilla url about the dlltool vs MSVC issue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit b369f327d5e6b01a4cae9e2726df7c73b2893eba) --- doc/general.texi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/general.texi b/doc/general.texi index a35c809000..da6b62110e 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -989,6 +989,8 @@ the linker optimization option to be set to "References: Keep Unreferenced Data (@code{/OPT:NOREF})", otherwise the resulting binaries will fail during runtime. This isn't required when using import libraries generated by lib.exe. +This issue is reported upstream at +@url{http://sourceware.org/bugzilla/show_bug.cgi?id=12633}. @subsection Cross compilation for Windows with Linux From dc1b670a2c34a0e1c5c0ba9531dfc8f5a6746a0b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 10 Jul 2011 21:23:09 -0700 Subject: [PATCH 0092/1119] vp8/mt: flush worker thread, not application thread context, on seek. This prevents a crash when seeking. (cherry picked from commit d1cf45911935cc4fed9afd3a37d99616d31eb9da) --- libavcodec/pthread.c | 9 ++++++--- libavcodec/utils.c | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 08ef4ba0c2..9fea9a0afc 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -746,9 +746,12 @@ void ff_thread_flush(AVCodecContext *avctx) if (!avctx->thread_opaque) return; park_frame_worker_threads(fctx, avctx->thread_count); - - if (fctx->prev_thread) - update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0); + if (fctx->prev_thread) { + if (fctx->prev_thread != &fctx->threads[0]) + update_context_from_thread(fctx->threads[0].avctx, fctx->prev_thread->avctx, 0); + if (avctx->codec->flush) + avctx->codec->flush(fctx->threads[0].avctx); + } fctx->next_decoding = fctx->next_finished = 0; fctx->delaying = 1; diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c32fda26ec..bbed7263ab 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1058,7 +1058,7 @@ void avcodec_flush_buffers(AVCodecContext *avctx) { if(HAVE_PTHREADS && avctx->active_thread_type&FF_THREAD_FRAME) ff_thread_flush(avctx); - if(avctx->codec->flush) + else if(avctx->codec->flush) avctx->codec->flush(avctx); } From 5e3578893a06644e226bcfefc726b60e2d75a890 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 10 Jul 2011 17:28:28 -0700 Subject: [PATCH 0093/1119] mt: proper locking around release_buffer calls. This fixes a crash when seeking in some webm files with many threads (e.g. 8). (cherry picked from commit 5eafc8b46644764f8aef1b7b2ecae53ee8034822) --- libavcodec/pthread.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 9fea9a0afc..e546c21ddd 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -408,9 +408,10 @@ static void release_delayed_buffers(PerThreadContext *p) FrameThreadContext *fctx = p->parent; while (p->num_released_buffers > 0) { - AVFrame *f = &p->released_buffers[--p->num_released_buffers]; + AVFrame *f; pthread_mutex_lock(&fctx->buffer_mutex); + f = &p->released_buffers[--p->num_released_buffers]; free_progress(f); f->thread_opaque = NULL; @@ -839,6 +840,7 @@ int ff_thread_get_buffer(AVCodecContext *avctx, AVFrame *f) void ff_thread_release_buffer(AVCodecContext *avctx, AVFrame *f) { PerThreadContext *p = avctx->thread_opaque; + FrameThreadContext *fctx; if (!(avctx->active_thread_type&FF_THREAD_FRAME)) { avctx->release_buffer(avctx, f); @@ -854,7 +856,10 @@ void ff_thread_release_buffer(AVCodecContext *avctx, AVFrame *f) av_log(avctx, AV_LOG_DEBUG, "thread_release_buffer called on pic %p, %d buffers used\n", f, f->owner->internal_buffer_count); + fctx = p->parent; + pthread_mutex_lock(&fctx->buffer_mutex); p->released_buffers[p->num_released_buffers++] = *f; + pthread_mutex_unlock(&fctx->buffer_mutex); memset(f->data, 0, sizeof(f->data)); } From 2bbd81fba310aa34f2973f5dcff0f13bac1fd9b1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Mon, 4 Jul 2011 12:11:40 +0200 Subject: [PATCH 0094/1119] update Changelog --- Changelog | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 1c6952c394..d3a1fb4026 100644 --- a/Changelog +++ b/Changelog @@ -6,10 +6,12 @@ version 0.7.1: - added various additional FOURCC codec identifiers - H.264 4:4:4 fixes -- build system fixes -- Doxygen corrections and improvements +- build system and compilation fixes +- Doxygen and general documentation corrections and improvements - fixed segfault in ffprobe - behavioral fix in av_open_input_stream() +- Licensing clarification for LGPL'ed vf_gradfun +- bugfixes while seeking in multithreaded decoding version 0.7: From 9459390f29ec6df63ff1878f13b7b4343811948a Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 12 Jul 2011 18:31:28 +0200 Subject: [PATCH 0095/1119] Update RELEASE file --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index eb49d7c7fd..39e898a4f9 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7 +0.7.1 From c29c609e0f4bf3fea29104c689c11f7dda499135 Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Fri, 1 Jul 2011 08:57:42 -0700 Subject: [PATCH 0096/1119] matroskadec: matroska_read_seek after after EBML_STOP leads to failure. EBML_STOP leaves matroska->current_id set. Then matroska_read_seek changes the stream position without resetting current_id. The next matroska_parse_cluster fails due to calculation of incorrect pos. So clear current_id when avio_seek happens in matroska_read_seek. Signed-off-by: Ronald S. Bultje (cherry picked from commit cdc2c1c57616956d975c57b4b69eb73865f513f5) --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 57a8f624b8..60f6c6985b 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1903,6 +1903,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, if ((index = av_index_search_timestamp(st, timestamp, flags)) < 0) { avio_seek(s->pb, st->index_entries[st->nb_index_entries-1].pos, SEEK_SET); + matroska->current_id = 0; while ((index = av_index_search_timestamp(st, timestamp, flags)) < 0) { matroska_clear_queue(matroska); if (matroska_parse_cluster(matroska) < 0) @@ -1931,6 +1932,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, } avio_seek(s->pb, st->index_entries[index_min].pos, SEEK_SET); + matroska->current_id = 0; matroska->skip_to_keyframe = !(flags & AVSEEK_FLAG_ANY); matroska->skip_to_timecode = st->index_entries[index].timestamp; matroska->done = 0; From 3749066dd83abb3aaca748c0ef949e9c3494ba44 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 9 Jul 2011 20:15:29 +0200 Subject: [PATCH 0097/1119] doc: Remove outdated comments about gcc 2.95 and gcc 3.3 support. (cherry picked from commit 5ccbf80963c1cc54aed97b1c81b1657ab91baf6a) --- doc/developer.texi | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/doc/developer.texi b/doc/developer.texi index 37b9f3e889..244ded71ec 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -60,10 +60,8 @@ These features are supported by all compilers we care about, so we will not accept patches to remove their use unless they absolutely do not impair clarity and performance. -All code must compile with GCC 2.95 and GCC 3.3. Currently, Libav also -compiles with several other compilers, such as the Compaq ccc compiler -or Sun Studio 9, and we would like to keep it that way unless it would -be exceedingly involved. To ensure compatibility, please do not use any +All code must compile with recent versions of GCC and a number of other +currently supported compilers. To ensure compatibility, please do not use additional C99 features or GCC extensions. Especially watch out for: @itemize @bullet @item From b57c6d1a4cc019f2ec899f780b30e7fd1a0dd019 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 9 Jul 2011 17:43:53 +0200 Subject: [PATCH 0098/1119] changelog: misc typo and wording fixes (cherry picked from commit b047941d7da470ba0dcedb1fd0aa828075265ffc) --- Changelog | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/Changelog b/Changelog index d3a1fb4026..9f3cb09543 100644 --- a/Changelog +++ b/Changelog @@ -18,23 +18,23 @@ version 0.7: - E-AC-3 audio encoder - ac3enc: add channel coupling support -- floating-point sample format support to the ac3, eac3, dca, aac, and vorbis decoders. -- H264/MPEG frame-level multi-threading -- All av_metadata_* functions renamed to av_dict_* and moved to libavutil +- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders +- H.264/MPEG frame-level multithreading +- av_metadata_* functions renamed to av_dict_* and moved to libavutil - 4:4:4 H.264 decoding support - 10-bit H.264 optimizations for x86 -- Bump libswscale for recently reported ABI break +- bump libswscale for recently reported ABI break version 0.7_beta2: -- VP8 frame-multithreading +- VP8 frame-level multithreading - NEON optimizations for VP8 -- Lots of deprecated API cruft removed -- fft and imdct optimizations for AVX (Sandy Bridge) processors +- removed a lot of deprecated API cruft +- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors - DPX image encoder - SMPTE 302M AES3 audio decoder -- Remove support for quitting ffmpeg with 'q', ctrl+c should be used. +- ffmpeg no longer quits after the 'q' key is pressed; use 'ctrl+c' instead - 9bit and 10bit per sample support in the H.264 decoder @@ -87,10 +87,10 @@ version 0.7_beta1: - demuxer for receiving raw rtp:// URLs without an SDP description - single stream LATM/LOAS decoder - setpts filter added -- Win64 support for optimized asm functions +- Win64 support for optimized x86 assembly functions - MJPEG/AVI1 to JPEG/JFIF bitstream filter - ASS subtitle encoder and decoder -- IEC 61937 encapsulation for E-AC3, TrueHD, DTS-HD (for HDMI passthrough) +- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough) - overlay filter added - rename aspect filter to setdar, and pixelaspect to setsar - IEC 61937 demuxer From 896f80f82ced236f35c286ae0b3c700044b6bfb8 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 20 Jun 2011 18:41:11 +0200 Subject: [PATCH 0099/1119] build: Create mlib optimization directories during out-of-tree builds. --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index b3c20350df..5e40e083a0 100755 --- a/configure +++ b/configure @@ -3207,6 +3207,7 @@ if enabled source_path_used; then doc libavcodec libavcodec/$arch + libavcodec/mlib libavdevice libavfilter libavfilter/$arch @@ -3216,6 +3217,7 @@ if enabled source_path_used; then libpostproc libswscale libswscale/$arch + libswscale/mlib tests tools " From 0b4840af0c42f96e6057ec56919f16f7fbcae3d9 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 15 Jul 2011 15:40:31 +0200 Subject: [PATCH 0100/1119] vf_libopencv: replace opencv/cxtypes.h #include by opencv/cxcore.h cxtypes.h works with version 2.1 and older, cxcore.h works with 2.2 and older. Signed-off-by: Diego Biurrun (cherry picked from commit 9bc8bcddbd4fc394e2268e9849dcbf3bad6de980) --- Changelog | 1 + libavfilter/vf_libopencv.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 9f3cb09543..35804f899b 100644 --- a/Changelog +++ b/Changelog @@ -12,6 +12,7 @@ version 0.7.1: - behavioral fix in av_open_input_stream() - Licensing clarification for LGPL'ed vf_gradfun - bugfixes while seeking in multithreaded decoding +- support newer versions of OpenCV version 0.7: diff --git a/libavfilter/vf_libopencv.c b/libavfilter/vf_libopencv.c index 5a52f246ba..6e343af7ef 100644 --- a/libavfilter/vf_libopencv.c +++ b/libavfilter/vf_libopencv.c @@ -26,7 +26,7 @@ /* #define DEBUG */ #include -#include +#include #include "libavutil/avstring.h" #include "libavutil/file.h" #include "avfilter.h" From 20829cf8a26a00c840c70f12224843e079c10ee6 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 17 Jul 2011 15:27:14 +0100 Subject: [PATCH 0101/1119] ffmpeg: fix operation with --disable-avfilter The width and height must be copied from the input before being used. Signed-off-by: Mans Rullgard (cherry picked from commit e9f98c90229999c0e654bd77af55d7020347440a) --- ffmpeg.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 2ed2802333..c1db3d5679 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2206,6 +2206,12 @@ static int transcode(AVFormatContext **output_files, fprintf(stderr, "Video pixel format is unknown, stream cannot be encoded\n"); ffmpeg_exit(1); } + + if (!codec->width || !codec->height) { + codec->width = icodec->width; + codec->height = icodec->height; + } + ost->video_resample = codec->width != icodec->width || codec->height != icodec->height || codec->pix_fmt != icodec->pix_fmt; @@ -2232,10 +2238,7 @@ static int transcode(AVFormatContext **output_files, #endif codec->bits_per_raw_sample= 0; } - if (!codec->width || !codec->height) { - codec->width = icodec->width; - codec->height = icodec->height; - } + ost->resample_height = icodec->height; ost->resample_width = icodec->width; ost->resample_pix_fmt= icodec->pix_fmt; From 5fab0ccd81df0bc3fd6d16756006c260fdbca6e7 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Tue, 19 Jul 2011 17:51:48 -0700 Subject: [PATCH 0102/1119] matroskadec: fix integer underflow if header length < probe length. This fixes a crash with specifically crafted files. Signed-off-by: Ronald S. Bultje (cherry picked from commit 69619a13c3fef940cba545cf0a283ff22771dd71) --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 60f6c6985b..f74f76cb8a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -900,6 +900,8 @@ static int matroska_probe(AVProbeData *p) * Not fully fool-proof, but good enough. */ for (i = 0; i < FF_ARRAY_ELEMS(matroska_doctypes); i++) { int probelen = strlen(matroska_doctypes[i]); + if (total < probelen) + continue; for (n = 4+size; n <= 4+size+total-probelen; n++) if (!memcmp(p->buf+n, matroska_doctypes[i], probelen)) return AVPROBE_SCORE_MAX; From c02b02d725153e4f5b612d2af256024cf1bb9bd9 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 21 Jul 2011 09:27:23 +0200 Subject: [PATCH 0103/1119] Update Changelog --- Changelog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 35804f899b..1598336e55 100644 --- a/Changelog +++ b/Changelog @@ -13,7 +13,8 @@ version 0.7.1: - Licensing clarification for LGPL'ed vf_gradfun - bugfixes while seeking in multithreaded decoding - support newer versions of OpenCV - +- ffmpeg: fix operation with --disable-avfilter +- fixed integer underflow in matroska decoder version 0.7: From a05219d801cdf0fd83301e893301e9f6ba0ab6ed Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 22 Jul 2011 10:13:22 -0700 Subject: [PATCH 0104/1119] riff: Add mpgv MPEG-2 fourcc Supported by mplayer and seen in the wild. (cherry picked from commit 505345ed5d180093a44da8d70ac541898c31c22f) --- libavformat/riff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 817349cb82..0df569e2e3 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -130,6 +130,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('s', 'l', 'i', 'f') }, { CODEC_ID_MPEG2VIDEO, MKTAG('E', 'M', '2', 'V') }, { CODEC_ID_MPEG2VIDEO, MKTAG('M', '7', '0', '1') }, /* Matrox MPEG2 intra-only */ + { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'p', 'g', 'v') }, { CODEC_ID_MJPEG, MKTAG('M', 'J', 'P', 'G') }, { CODEC_ID_MJPEG, MKTAG('L', 'J', 'P', 'G') }, { CODEC_ID_MJPEG, MKTAG('d', 'm', 'b', '1') }, From f54b8f848287e5f3a41e629bc035ff60a31abbbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Jul 2011 15:50:13 +0200 Subject: [PATCH 0105/1119] udp: allow fifo size to be tuned seperately Signed-off-by: Michael Niedermayer (cherry picked from commit bd652ff66e2062df5a05030f211c23e7d4e0be36) --- libavformat/udp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/udp.c b/libavformat/udp.c index 7c18fb7bf0..c2ff76ae2d 100644 --- a/libavformat/udp.c +++ b/libavformat/udp.c @@ -426,7 +426,7 @@ static int udp_open(URLContext *h, const char *uri, int flags) if (av_find_info_tag(buf, sizeof(buf), "connect", p)) { s->is_connected = strtol(buf, NULL, 10); } - if (av_find_info_tag(buf, sizeof(buf), "buf_size", p)) { + if (av_find_info_tag(buf, sizeof(buf), "fifo_size", p)) { s->circular_buffer_size = strtol(buf, NULL, 10)*188; } } From 6d75dbebc0b7af64cbac62cf32ee5ac0911cbfaa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Jul 2011 15:50:56 +0200 Subject: [PATCH 0106/1119] rtp: disable udp fifos, the rtp code cannot work with the fifos in its current form as rtp bypasses the public API. Signed-off-by: Michael Niedermayer (cherry picked from commit 158eb8599a2811ad8eed9939878982f172b79a89) --- libavformat/rtpproto.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/rtpproto.c b/libavformat/rtpproto.c index 8b23f25c46..89c59cb877 100644 --- a/libavformat/rtpproto.c +++ b/libavformat/rtpproto.c @@ -115,6 +115,7 @@ static void build_udp_url(char *buf, int buf_size, url_add_option(buf, buf_size, "pkt_size=%d", max_packet_size); if (connect) url_add_option(buf, buf_size, "connect=1"); + url_add_option(buf, buf_size, "fifo_size=0"); } /** From a8d89df367859e5addd8bdbbebb4d787493397da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jul 2011 01:01:06 +0200 Subject: [PATCH 0107/1119] Fix version numbers Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Doxyfile b/Doxyfile index 3aca291a15..dbadd98d15 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.1 +PROJECT_NUMBER = 0.8.1 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 39e898a4f9..6f4eebdf6f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.1 +0.8.1 From dcf1830a15a1e9ad1e16086369d55d8cb3a14e83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Tue, 26 Jul 2011 21:58:10 +0200 Subject: [PATCH 0108/1119] For FFmpeg 0.7 branch: Treat AV_SAMPLE_FMT_NONE as S16 for encoders. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes compatibility with e.g. pcm_a52 ALSA plugin which in previous versions never set sample_fmt. Signed-off-by: Reimar Döffinger --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 028a3a1532..b61fb75274 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -585,6 +585,8 @@ int attribute_align_arg avcodec_open(AVCodecContext *avctx, AVCodec *codec) if (avctx->codec->encode) { int i; if (avctx->codec->sample_fmts) { + if (avctx->sample_fmt == AV_SAMPLE_FMT_NONE) + avctx->sample_fmt = AV_SAMPLE_FMT_S16; for (i = 0; avctx->codec->sample_fmts[i] != AV_SAMPLE_FMT_NONE; i++) if (avctx->sample_fmt == avctx->codec->sample_fmts[i]) break; From 609d299ed06c2b00cc289129e0de7b2d57b2ab3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jul 2011 12:51:28 +0200 Subject: [PATCH 0109/1119] update version for 0.7.2 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 6f4eebdf6f..7486fdbc50 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.1 +0.7.2 diff --git a/VERSION b/VERSION index 39e898a4f9..7486fdbc50 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.1 +0.7.2 From 893cf1b1ae2bc9c7987d5015a421cd2e09d06443 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sun, 26 Jun 2011 14:01:00 -0700 Subject: [PATCH 0110/1119] ffmpeg: fix prototypes of functions after the removal of OPT_FUNC2. (cherry picked from commit 90a40b226a5c90e48da8041294c3782de6ee61fc) --- ffmpeg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index c6885d886b..a00d94ec70 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4074,13 +4074,13 @@ static void parse_matrix_coeffs(uint16_t *dest, const char *str) } } -static void opt_inter_matrix(const char *arg) +static void opt_inter_matrix(const char *opt, const char *arg) { inter_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(inter_matrix, arg); } -static void opt_intra_matrix(const char *arg) +static void opt_intra_matrix(const char *opt, const char *arg) { intra_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(intra_matrix, arg); @@ -4378,7 +4378,7 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) { } -static void opt_passlogfile(const char *arg) +static void opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; opt_default("passlogfile", arg); From b55b34f86218fcd46629b85f27cba3265f2dd62f Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sun, 26 Jun 2011 14:01:00 -0700 Subject: [PATCH 0111/1119] ffmpeg: fix prototypes of functions after the removal of OPT_FUNC2. (cherry picked from commit 90a40b226a5c90e48da8041294c3782de6ee61fc) --- ffmpeg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index acd4b36a2c..3a1a150b6c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4075,13 +4075,13 @@ static void parse_matrix_coeffs(uint16_t *dest, const char *str) } } -static void opt_inter_matrix(const char *arg) +static void opt_inter_matrix(const char *opt, const char *arg) { inter_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(inter_matrix, arg); } -static void opt_intra_matrix(const char *arg) +static void opt_intra_matrix(const char *opt, const char *arg) { intra_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(intra_matrix, arg); @@ -4379,7 +4379,7 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) { } -static void opt_passlogfile(const char *arg) +static void opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; opt_default("passlogfile", arg); From 7e33a66c0e178c3576c1ba1648be4295809adca8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 14:59:54 +0200 Subject: [PATCH 0112/1119] Fix several security issues in matroskadec.c (MSVR-11-0080). Whitespace of the patch cleaned up by Aurel Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8) --- libavformat/matroskadec.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f0fa4dab4d..0451071a57 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -826,11 +826,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, uint32_t id = syntax->id; uint64_t length; int res; + void *newelem; data = (char *)data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + if (!newelem) + return AVERROR(ENOMEM); + list->elem = newelem; data = (char*)list->elem + list->nb_elem*syntax->list_elem_size; memset(data, 0, syntax->list_elem_size); list->nb_elem++; @@ -992,7 +996,10 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, pkt_data = av_realloc(pkt_data, pkt_size); zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - result = inflate(&zstream, Z_NO_FLUSH); + if (pkt_data) { + result = inflate(&zstream, Z_NO_FLUSH); + } else + result = Z_MEM_ERROR; } while (result==Z_OK && pkt_size<10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); @@ -1013,7 +1020,10 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, pkt_data = av_realloc(pkt_data, pkt_size); bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - result = BZ2_bzDecompress(&bzstream); + if (pkt_data) { + result = BZ2_bzDecompress(&bzstream); + } else + result = BZ_MEM_ERROR; } while (result==BZ_OK && pkt_size<10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); @@ -1066,13 +1076,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska, } } -static void matroska_merge_packets(AVPacket *out, AVPacket *in) +static int matroska_merge_packets(AVPacket *out, AVPacket *in) { - out->data = av_realloc(out->data, out->size+in->size); + void *newdata = av_realloc(out->data, out->size+in->size); + if (!newdata) + return AVERROR(ENOMEM); + out->data = newdata; memcpy(out->data+out->size, in->data, in->size); out->size += in->size; av_destruct_packet(in); av_free(in); + return 0; } static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, @@ -1626,11 +1640,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); av_free(matroska->packets[0]); if (matroska->num_packets > 1) { + void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], (matroska->num_packets - 1) * sizeof(AVPacket *)); - matroska->packets = - av_realloc(matroska->packets, (matroska->num_packets - 1) * - sizeof(AVPacket *)); + newpackets = av_realloc(matroska->packets, + (matroska->num_packets - 1) * sizeof(AVPacket *)); + if (newpackets) + matroska->packets = newpackets; } else { av_freep(&matroska->packets); } From cb8577a4dac816f264da294ee354311899b10032 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 14:59:54 +0200 Subject: [PATCH 0113/1119] Fix several security issues in matroskadec.c (MSVR-11-0080). Whitespace of the patch cleaned up by Aurel Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8) --- libavformat/matroskadec.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a88811f2cd..7e9b750959 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -826,11 +826,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, uint32_t id = syntax->id; uint64_t length; int res; + void *newelem; data = (char *)data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + if (!newelem) + return AVERROR(ENOMEM); + list->elem = newelem; data = (char*)list->elem + list->nb_elem*syntax->list_elem_size; memset(data, 0, syntax->list_elem_size); list->nb_elem++; @@ -992,7 +996,10 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, pkt_data = av_realloc(pkt_data, pkt_size); zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - result = inflate(&zstream, Z_NO_FLUSH); + if (pkt_data) { + result = inflate(&zstream, Z_NO_FLUSH); + } else + result = Z_MEM_ERROR; } while (result==Z_OK && pkt_size<10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); @@ -1013,7 +1020,10 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, pkt_data = av_realloc(pkt_data, pkt_size); bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - result = BZ2_bzDecompress(&bzstream); + if (pkt_data) { + result = BZ2_bzDecompress(&bzstream); + } else + result = BZ_MEM_ERROR; } while (result==BZ_OK && pkt_size<10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); @@ -1066,13 +1076,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska, } } -static void matroska_merge_packets(AVPacket *out, AVPacket *in) +static int matroska_merge_packets(AVPacket *out, AVPacket *in) { - out->data = av_realloc(out->data, out->size+in->size); + void *newdata = av_realloc(out->data, out->size+in->size); + if (!newdata) + return AVERROR(ENOMEM); + out->data = newdata; memcpy(out->data+out->size, in->data, in->size); out->size += in->size; av_destruct_packet(in); av_free(in); + return 0; } static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, @@ -1626,11 +1640,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); av_free(matroska->packets[0]); if (matroska->num_packets > 1) { + void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], (matroska->num_packets - 1) * sizeof(AVPacket *)); - matroska->packets = - av_realloc(matroska->packets, (matroska->num_packets - 1) * - sizeof(AVPacket *)); + newpackets = av_realloc(matroska->packets, + (matroska->num_packets - 1) * sizeof(AVPacket *)); + if (newpackets) + matroska->packets = newpackets; } else { av_freep(&matroska->packets); } From 2ff36ef521a551b99ea69dda0aa82dc9fa49a131 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 18:32:26 +0200 Subject: [PATCH 0114/1119] ffmpeg: fix passlogfile regression Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index a00d94ec70..18ee782344 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4381,7 +4381,9 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) static void opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; +#if CONFIG_LIBX264_ENCODER opt_default("passlogfile", arg); +#endif } static const OptionDef options[] = { From cf82c5cd5b584ae9ee2b2d10fb1c9f0748446071 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 18:32:26 +0200 Subject: [PATCH 0115/1119] ffmpeg: fix passlogfile regression Signed-off-by: Michael Niedermayer (cherry picked from commit 2ff36ef521a551b99ea69dda0aa82dc9fa49a131) --- ffmpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index 3a1a150b6c..857e02292e 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4382,7 +4382,9 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) static void opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; +#if CONFIG_LIBX264_ENCODER opt_default("passlogfile", arg); +#endif } static const OptionDef options[] = { From 7c772ccd276021fed1f6ea40d150d73337fc3c1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 17 Jul 2011 13:03:57 +0200 Subject: [PATCH 0116/1119] Bink: clip AC coefficients during dequantization. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes artefacts with Neverwinter Nights WOTCLogo.bik (http://drmccoy.de/zeugs/WOTCLogo.bik). Fixes trac ticket #352. Signed-off-by: Reimar Döffinger (cherry picked from commit 47b71eea099b3fe2c7e16644878ad9b7067974e3) --- libavcodec/bink.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ef07747dbc..4328a43525 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -571,6 +571,22 @@ static inline int binkb_get_value(BinkContext *c, int bundle_num) return ret; } +static inline DCTELEM dequant(DCTELEM in, uint32_t quant, int dc) +{ + /* Note: multiplication is unsigned but we want signed shift + * otherwise clipping breaks. + * TODO: The official decoder does not use clipping at all + * but instead uses the full 32-bit result. + * However clipping at least gets rid of the case that a + * half-black half-white intra block gets black and white swapped + * and should cause at most minor differences (except for DC). */ + int32_t res = in * quant; + res >>= 11; + if (!dc) + res = av_clip_int16(res); + return res; +} + /** * Read 8x8 block of DCT coefficients. * @@ -669,10 +685,10 @@ static int read_dct_coeffs(GetBitContext *gb, DCTELEM block[64], const uint8_t * quant = quant_matrices[quant_idx]; - block[0] = (block[0] * quant[0]) >> 11; + block[0] = dequant(block[0], quant[0], 1); for (i = 0; i < coef_count; i++) { int idx = coef_idx[i]; - block[scan[idx]] = (block[scan[idx]] * quant[idx]) >> 11; + block[scan[idx]] = dequant(block[scan[idx]], quant[idx], 0); } return 0; From 8893f7d815db4efed797101d7a94718554990706 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 4 Aug 2011 11:06:43 +0200 Subject: [PATCH 0117/1119] Fix possible crash when decoding mpeg streams. This reverts 2cf8355f98681bdd726b739008acd5483f82f8d7, fixes ticket 329. --- ffmpeg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 857e02292e..ab628b2cbc 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -345,6 +345,7 @@ typedef struct AVInputFile { int eof_reached; /* true if eof reached */ int ist_index; /* index of first stream in ist_table */ int buffer_size; /* current total buffer size */ + int nb_streams; } AVInputFile; #if HAVE_TERMIOS_H @@ -2046,7 +2047,7 @@ static int transcode(AVFormatContext **output_files, int si = stream_maps[i].stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -2732,7 +2733,7 @@ static int transcode(AVFormatContext **output_files, } /* the following test is needed in case new streams appear dynamically in stream : we ignore them */ - if (pkt.stream_index >= input_files[file_index].ctx->nb_streams) + if (pkt.stream_index >= input_files[file_index].nb_streams) goto discard_packet; ist_index = input_files[file_index].ist_index + pkt.stream_index; ist = &input_streams[ist_index]; @@ -3469,6 +3470,7 @@ static int opt_input_file(const char *opt, const char *filename) input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1); input_files[nb_input_files - 1].ctx = ic; input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams; + input_files[nb_input_files - 1].nb_streams = ic->nb_streams; top_field_first = -1; video_channel = 0; From a0352d01e95ed084e777d0c259bad1f4cee4f402 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 17 Jul 2011 13:03:57 +0200 Subject: [PATCH 0118/1119] Bink: clip AC coefficients during dequantization. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes artefacts with Neverwinter Nights WOTCLogo.bik (http://drmccoy.de/zeugs/WOTCLogo.bik). Fixes trac ticket #352. Signed-off-by: Reimar Döffinger (cherry picked from commit 47b71eea099b3fe2c7e16644878ad9b7067974e3) --- libavcodec/bink.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ef07747dbc..4328a43525 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -571,6 +571,22 @@ static inline int binkb_get_value(BinkContext *c, int bundle_num) return ret; } +static inline DCTELEM dequant(DCTELEM in, uint32_t quant, int dc) +{ + /* Note: multiplication is unsigned but we want signed shift + * otherwise clipping breaks. + * TODO: The official decoder does not use clipping at all + * but instead uses the full 32-bit result. + * However clipping at least gets rid of the case that a + * half-black half-white intra block gets black and white swapped + * and should cause at most minor differences (except for DC). */ + int32_t res = in * quant; + res >>= 11; + if (!dc) + res = av_clip_int16(res); + return res; +} + /** * Read 8x8 block of DCT coefficients. * @@ -669,10 +685,10 @@ static int read_dct_coeffs(GetBitContext *gb, DCTELEM block[64], const uint8_t * quant = quant_matrices[quant_idx]; - block[0] = (block[0] * quant[0]) >> 11; + block[0] = dequant(block[0], quant[0], 1); for (i = 0; i < coef_count; i++) { int idx = coef_idx[i]; - block[scan[idx]] = (block[scan[idx]] * quant[idx]) >> 11; + block[scan[idx]] = dequant(block[scan[idx]], quant[idx], 0); } return 0; From 08ddfb77a1aff378345026ba49fea9fb93ff1e70 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 4 Aug 2011 11:06:43 +0200 Subject: [PATCH 0119/1119] Fix possible crash when decoding mpeg streams. This reverts 2cf8355f98681bdd726b739008acd5483f82f8d7, fixes ticket 329. --- ffmpeg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 18ee782344..c6374df949 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -343,6 +343,7 @@ typedef struct AVInputFile { int eof_reached; /* true if eof reached */ int ist_index; /* index of first stream in ist_table */ int buffer_size; /* current total buffer size */ + int nb_streams; } AVInputFile; #if HAVE_TERMIOS_H @@ -2045,7 +2046,7 @@ static int transcode(AVFormatContext **output_files, int si = stream_maps[i].stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -2731,7 +2732,7 @@ static int transcode(AVFormatContext **output_files, } /* the following test is needed in case new streams appear dynamically in stream : we ignore them */ - if (pkt.stream_index >= input_files[file_index].ctx->nb_streams) + if (pkt.stream_index >= input_files[file_index].nb_streams) goto discard_packet; ist_index = input_files[file_index].ist_index + pkt.stream_index; ist = &input_streams[ist_index]; @@ -3468,6 +3469,7 @@ static int opt_input_file(const char *opt, const char *filename) input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1); input_files[nb_input_files - 1].ctx = ic; input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams; + input_files[nb_input_files - 1].nb_streams = ic->nb_streams; top_field_first = -1; video_channel = 0; From 91d5da9321c52e8197fb14046ebb335f3e6ff4a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 13:28:36 +0200 Subject: [PATCH 0120/1119] cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index c6ccb06524..6e83a7d381 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -115,7 +115,8 @@ static inline int get_ue_code(GetBitContext *gb, int order) { static int decode_residual_block(AVSContext *h, GetBitContext *gb, const struct dec_2dvlc *r, int esc_golomb_order, int qp, uint8_t *dst, int stride) { - int i, level_code, esc_code, level, run, mask; + int i, esc_code, level, mask; + unsigned int level_code, run; DCTELEM level_buf[65]; uint8_t run_buf[65]; DCTELEM *block = h->block; From d1bc77d86c5c8b013b371c1bf027f7583aef07b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 13:48:30 +0200 Subject: [PATCH 0121/1119] 0.8.2 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index dbadd98d15..0f7de822f6 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.1 +PROJECT_NUMBER = 0.8.2 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 6f4eebdf6f..100435be13 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.1 +0.8.2 diff --git a/VERSION b/VERSION index 6f4eebdf6f..100435be13 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.1 +0.8.2 From c5cbda50793e311aa73489d12184ffd6761c9fbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 13:28:36 +0200 Subject: [PATCH 0122/1119] cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index c6ccb06524..6e83a7d381 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -115,7 +115,8 @@ static inline int get_ue_code(GetBitContext *gb, int order) { static int decode_residual_block(AVSContext *h, GetBitContext *gb, const struct dec_2dvlc *r, int esc_golomb_order, int qp, uint8_t *dst, int stride) { - int i, level_code, esc_code, level, run, mask; + int i, esc_code, level, mask; + unsigned int level_code, run; DCTELEM level_buf[65]; uint8_t run_buf[65]; DCTELEM *block = h->block; From 7371b0ca6fd396cb8c37e626391561c173431a79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 13:59:49 +0200 Subject: [PATCH 0123/1119] 0.7.3 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index dbadd98d15..b7c634c74e 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.1 +PROJECT_NUMBER = 0.7.3 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 7486fdbc50..f38fc5393f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.2 +0.7.3 diff --git a/VERSION b/VERSION index 7486fdbc50..f38fc5393f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.2 +0.7.3 From f20f79307b837407ea2bdfe08515d45ce96898c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2011 11:00:47 +0200 Subject: [PATCH 0124/1119] libavfilter: fix --enable-small Signed-off-by: Michael Niedermayer (cherry picked from commit 633aa01f728b3f67b420e9e34ef21a995578d613) --- libavfilter/vf_lut.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lut.c b/libavfilter/vf_lut.c index c457972474..c72e6374df 100644 --- a/libavfilter/vf_lut.c +++ b/libavfilter/vf_lut.c @@ -345,8 +345,8 @@ static void draw_slice(AVFilterLink *inlink, int y, int h, int slice_dir) #define DEFINE_LUT_FILTER(name_, description_, init_) \ AVFilter avfilter_vf_##name_ = { \ - .name = NULL_IF_CONFIG_SMALL(#name_), \ - .description = description_, \ + .name = #name_, \ + .description = NULL_IF_CONFIG_SMALL(description_), \ .priv_size = sizeof(LutContext), \ \ .init = init_, \ From f66418afba4a7fcff33d6421a190a109f574b07b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2011 11:00:47 +0200 Subject: [PATCH 0125/1119] libavfilter: fix --enable-small Signed-off-by: Michael Niedermayer (cherry picked from commit 633aa01f728b3f67b420e9e34ef21a995578d613) --- libavfilter/vf_lut.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lut.c b/libavfilter/vf_lut.c index c457972474..c72e6374df 100644 --- a/libavfilter/vf_lut.c +++ b/libavfilter/vf_lut.c @@ -345,8 +345,8 @@ static void draw_slice(AVFilterLink *inlink, int y, int h, int slice_dir) #define DEFINE_LUT_FILTER(name_, description_, init_) \ AVFilter avfilter_vf_##name_ = { \ - .name = NULL_IF_CONFIG_SMALL(#name_), \ - .description = description_, \ + .name = #name_, \ + .description = NULL_IF_CONFIG_SMALL(description_), \ .priv_size = sizeof(LutContext), \ \ .init = init_, \ From 6a57021cf96dc548b6cc2c97dedb8958225d58e3 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 16 Aug 2011 23:31:09 +0200 Subject: [PATCH 0126/1119] Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690a17f05630eb6f45a73db0f0e806c72) --- ffplay.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffplay.c b/ffplay.c index 8788771491..6eefee6e00 100644 --- a/ffplay.c +++ b/ffplay.c @@ -1779,8 +1779,10 @@ static int video_thread(void *arg) if (ret < 0) goto the_end; +#if CONFIG_AVFILTER if (!picref) continue; +#endif pts = pts_int*av_q2d(is->video_st->time_base); From 87757508abe36dd376093c59f00db41fe15d76a5 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 16 Aug 2011 23:31:09 +0200 Subject: [PATCH 0127/1119] Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690a17f05630eb6f45a73db0f0e806c72) --- ffplay.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffplay.c b/ffplay.c index c41709674f..b79df9760e 100644 --- a/ffplay.c +++ b/ffplay.c @@ -1779,8 +1779,10 @@ static int video_thread(void *arg) if (ret < 0) goto the_end; +#if CONFIG_AVFILTER if (!picref) continue; +#endif pts = pts_int*av_q2d(is->video_st->time_base); From 00c5cf4beb0e45e936544a5766b56e241ae03234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2011 03:35:50 +0200 Subject: [PATCH 0128/1119] jpegdec: actually search for and parse RSTn Fixes decoding of MJPEG files produced by some UVC Logitec web cameras, such as "Notebook Pro" and "HD C910". References: http://trac.videolan.org/vlc/ticket/4215 http://ffmpeg.org/trac/ffmpeg/ticket/267 Signed-off-by: Michael Niedermayer Reviewed-by: Kostya (cherry picked from commit 8c0fa61a9713a1306fca7997dd04d72ea1f060ea) --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 391d58de6b..3f6b1f111e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -879,9 +879,12 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } - if (s->restart_interval && !--s->restart_count) { + if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + --s->restart_count; align_get_bits(&s->gb); - skip_bits(&s->gb, 16); /* skip RSTn */ + while(show_bits(&s->gb, 8) == 0xFF) + skip_bits(&s->gb, 8); + skip_bits(&s->gb, 8); for (i=0; ilast_dc[i] = 1024; } From bd968d260aef322fb32e254a3de0d2036c57bd56 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 10 Aug 2011 18:52:11 +0100 Subject: [PATCH 0129/1119] cavs: fix some crashes with invalid bitstreams This removes all valgrind-reported invalid writes with one specific test file. Fixes http://www.ocert.org/advisories/ocert-2011-002.html Signed-off-by: Mans Rullgard (cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78) --- libavcodec/cavsdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index a9e4d37c2a..35c37d0768 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, r++; mask = -(level_code & 1); level = (level^mask) - mask; - } else { + } else if (level_code >= 0) { level = r->rltab[level_code][0]; if(!level) //end of block signal break; run = r->rltab[level_code][1]; r += r->rltab[level_code][2]; + } else { + break; } level_buf[i] = level; run_buf[i] = run; @@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) { static int decode_mb_i(AVSContext *h, int cbp_code) { GetBitContext *gb = &h->s.gb; - int block, pred_mode_uv; + unsigned pred_mode_uv; + int block; uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; @@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) { if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) { skip_bits_long(gb,24+align); h->stc = get_bits(gb,8); + if (h->stc >= h->mb_height) + return 0; decode_slice_header(h,gb); return 1; } @@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size, buf_end = buf + buf_size; for(;;) { buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc); - if(stc & 0xFFFFFE00) + if((stc & 0xFFFFFE00) || buf_ptr == buf_end) return FFMAX(0, buf_ptr - buf - s->parse_context.last_index); input_size = (buf_end - buf_ptr)*8; switch(stc) { From 95345e942cd5b8be6722d48e3f17782e97d09bde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Tue, 23 Aug 2011 19:39:16 +0200 Subject: [PATCH 0130/1119] Avoid crash due to ic being NULL if avformat_open_input fails. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This updates the code to match current master. Should fix trac issue #410. Signed-off-by: Reimar Döffinger --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3242887f41..662b49ae19 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -537,7 +537,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, else ic->pb = pb; - err = avformat_open_input(&ic, filename, fmt, &opts); + if ((err = avformat_open_input(&ic, filename, fmt, &opts)) < 0) + goto fail; *ic_ptr = ic; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above From b37131f798941af1eb88e2d550203bdebb8b4324 Mon Sep 17 00:00:00 2001 From: Pino Toscano Date: Fri, 12 Aug 2011 14:11:21 +0200 Subject: [PATCH 0131/1119] configure: add missing CFLAGS to fix building on the HURD Signed-off-by: Reinhard Tartler Signed-off-by: Luca Barbato (cherry picked from commit f60d13663742d1c695680ede83c4d646bc57d380) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 5e40e083a0..b6e2ff964b 100755 --- a/configure +++ b/configure @@ -2504,6 +2504,7 @@ case $target_os in add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_BSD_SOURCE ;; gnu) + add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 ;; qnx) add_cppflags -D_QNX_SOURCE From 20ca827019a72bfacb38e73d0b8590e651818272 Mon Sep 17 00:00:00 2001 From: Piotr Kaczuba Date: Mon, 30 May 2011 13:19:35 +0200 Subject: [PATCH 0132/1119] postprocess.c: filter name needs to be double 0 terminated Signed-off-by: Reinhard Tartler (cherry picked from commit f4f3300c09bb13eb7922e60888b55e3e0fb325e7) --- libpostproc/postprocess.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index dd50daf21e..eacf262ccd 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -763,7 +763,8 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality) ppMode->maxClippedThreshold= 0.01; ppMode->error=0; - av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE); + memset(temp, 0, GET_MODE_BUFFER_SIZE); + av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1); av_log(NULL, AV_LOG_DEBUG, "pp: %s\n", name); @@ -819,7 +820,7 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality) plen= strlen(p); spaceLeft= p - temp + plen; - if(spaceLeft + newlen >= GET_MODE_BUFFER_SIZE){ + if(spaceLeft + newlen >= GET_MODE_BUFFER_SIZE - 1){ ppMode->error++; break; } From 1de90fd3758a71c5ff012e9288de07aa1b2915e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2011 18:00:31 +0200 Subject: [PATCH 0133/1119] mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7e1f1509e6a84bd7873586a66de1ee43c8ef88) --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index f079557759..5a15bc4a44 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -681,7 +681,7 @@ frame_end: int current_pos= s->gb.buffer == s->bitstream_buffer ? 0 : (get_bits_count(&s->gb)>>3); int startcode_found=0; - if(buf_size - current_pos > 5){ + if(buf_size - current_pos > 7){ int i; for(i=current_pos; i Date: Tue, 6 Sep 2011 04:09:43 +0200 Subject: [PATCH 0134/1119] mpeg4: fix another packed divx issue. Fixes getting_stuck.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 6dbac85f8d20c77283e3d01f42a7c2154bbf976d) --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 5a15bc4a44..e142c339c5 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -380,7 +380,7 @@ uint64_t time= rdtsc(); retry: - if(s->divx_packed && s->xvid_build>=0 && s->bitstream_buffer_size){ + if(s->divx_packed && s->bitstream_buffer_size){ int i; for(i=0; i Date: Thu, 1 Sep 2011 23:43:56 +0200 Subject: [PATCH 0135/1119] jpegdec: better rst skiping Fixes Ticket426 Signed-off-by: Michael Niedermayer (cherry picked from commit 94c2478d90c1b8c007591b8daba13e65d393d2e8) --- libavcodec/mjpegdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5c6d84a07d..cb5bc2387f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -881,14 +881,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } + if (s->restart_interval) --s->restart_count; if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ - --s->restart_count; + int pos= get_bits_count(&s->gb); align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) skip_bits(&s->gb, 8); - skip_bits(&s->gb, 8); - for (i=0; ilast_dc[i] = 1024; + if((get_bits(&s->gb, 8)&0xF8) == 0xD0){ + for (i=0; ilast_dc[i] = 1024; + }else{ + skip_bits_long(&s->gb, pos - get_bits_count(&s->gb)); + } } } } From eb975b1c8bfc0d881479a5ba5c4ace4122191687 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Sep 2011 18:20:34 +0200 Subject: [PATCH 0136/1119] mjpegdec; even better RSTn skiping Fixes Ticket426 Signed-off-by: Michael Niedermayer (cherry picked from commit be7eed72c89368de70dbf8749eca1dac7443e51a) --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index cb5bc2387f..e64ea5cd68 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -882,7 +882,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } if (s->restart_interval) --s->restart_count; - if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + i= 8+((-get_bits_count(&s->gb))&7); + if (s->restart_interval && show_bits(&s->gb, i) == (1<gb); align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) From 274a5b7cdb4f7199ee8f04117d20459a60199de6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2011 18:00:31 +0200 Subject: [PATCH 0137/1119] mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7e1f1509e6a84bd7873586a66de1ee43c8ef88) --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index ff312b0935..5d4f03762d 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -689,7 +689,7 @@ frame_end: int current_pos= s->gb.buffer == s->bitstream_buffer ? 0 : (get_bits_count(&s->gb)>>3); int startcode_found=0; - if(buf_size - current_pos > 5){ + if(buf_size - current_pos > 7){ int i; for(i=current_pos; i Date: Tue, 6 Sep 2011 04:09:43 +0200 Subject: [PATCH 0138/1119] mpeg4: fix another packed divx issue. Fixes getting_stuck.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 6dbac85f8d20c77283e3d01f42a7c2154bbf976d) --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 5d4f03762d..95b0164478 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -380,7 +380,7 @@ uint64_t time= rdtsc(); retry: - if(s->divx_packed && s->xvid_build>=0 && s->bitstream_buffer_size){ + if(s->divx_packed && s->bitstream_buffer_size){ int i; for(i=0; i Date: Thu, 1 Sep 2011 23:43:56 +0200 Subject: [PATCH 0139/1119] jpegdec: better rst skiping Fixes Ticket426 Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 02c66f504b..cb5bc2387f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -881,14 +881,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } - if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){/* skip RSTn */ - --s->restart_count; + if (s->restart_interval) --s->restart_count; + if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + int pos= get_bits_count(&s->gb); align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) skip_bits(&s->gb, 8); - skip_bits(&s->gb, 8); - for (i=0; ilast_dc[i] = 1024; + if((get_bits(&s->gb, 8)&0xF8) == 0xD0){ + for (i=0; ilast_dc[i] = 1024; + }else{ + skip_bits_long(&s->gb, pos - get_bits_count(&s->gb)); + } } } } From 374409eb1a640abde877bb55d2e8a1e65083699a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Sep 2011 18:20:34 +0200 Subject: [PATCH 0140/1119] mjpegdec; even better RSTn skiping Fixes Ticket426 Signed-off-by: Michael Niedermayer (cherry picked from commit be7eed72c89368de70dbf8749eca1dac7443e51a) --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index cb5bc2387f..e64ea5cd68 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -882,7 +882,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } if (s->restart_interval) --s->restart_count; - if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + i= 8+((-get_bits_count(&s->gb))&7); + if (s->restart_interval && show_bits(&s->gb, i) == (1<gb); align_get_bits(&s->gb); while(show_bits(&s->gb, 8) == 0xFF) From 7b6b9be8614aa53e79db565c9203b9afaa452d8d Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 29 Jun 2011 12:38:46 -0400 Subject: [PATCH 0141/1119] Make all option parsing functions match the function pointer type through which they are called. All option parsing functions now match the function pointer signature through which they are called (int f(const char *, const char *), thereby working reliably on all platforms. Prefix all option processing functions with opt_ --- cmdutils.c | 24 ++++++++++++++++-------- cmdutils.h | 26 +++++++++++++++++--------- cmdutils_common_opts.h | 24 ++++++++++++------------ ffmpeg.c | 17 +++++++++++------ ffplay.c | 5 +++-- ffprobe.c | 3 ++- ffserver.c | 3 ++- 7 files changed, 63 insertions(+), 39 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index cd6d13346d..62fe6e96ab 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -574,12 +574,13 @@ void show_banner(void) print_all_libs_info(stderr, INDENT|SHOW_VERSION); } -void show_version(void) { +int opt_version(const char *opt, const char *arg) { printf("%s " FFMPEG_VERSION "\n", program_name); print_all_libs_info(stdout, SHOW_VERSION); + return 0; } -void show_license(void) +int opt_license(const char *opt, const char *arg) { printf( #if CONFIG_NONFREE @@ -646,9 +647,10 @@ void show_license(void) program_name, program_name, program_name #endif ); + return 0; } -void show_formats(void) +int opt_formats(const char *opt, const char *arg) { AVInputFormat *ifmt=NULL; AVOutputFormat *ofmt=NULL; @@ -695,9 +697,10 @@ void show_formats(void) name, long_name ? long_name:" "); } + return 0; } -void show_codecs(void) +int opt_codecs(const char *opt, const char *arg) { AVCodec *p=NULL, *p2; const char *last_name; @@ -771,9 +774,10 @@ void show_codecs(void) "even though both encoding and decoding are supported. For example, the h263\n" "decoder corresponds to the h263 and h263p encoders, for file formats it is even\n" "worse.\n"); + return 0; } -void show_bsfs(void) +int opt_bsfs(const char *opt, const char *arg) { AVBitStreamFilter *bsf=NULL; @@ -781,9 +785,10 @@ void show_bsfs(void) while((bsf = av_bitstream_filter_next(bsf))) printf("%s\n", bsf->name); printf("\n"); + return 0; } -void show_protocols(void) +int opt_protocols(const char *opt, const char *arg) { URLProtocol *up=NULL; @@ -799,9 +804,10 @@ void show_protocols(void) up->url_write ? 'O' : '.', up->url_seek ? 'S' : '.', up->name); + return 0; } -void show_filters(void) +int opt_filters(const char *opt, const char *arg) { AVFilter av_unused(**filter) = NULL; @@ -810,9 +816,10 @@ void show_filters(void) while ((filter = av_filter_next(filter)) && *filter) printf("%-16s %s\n", (*filter)->name, (*filter)->description); #endif + return 0; } -void show_pix_fmts(void) +int opt_pix_fmts(const char *opt, const char *arg) { enum PixelFormat pix_fmt; @@ -843,6 +850,7 @@ void show_pix_fmts(void) pix_desc->nb_components, av_get_bits_per_pixel(pix_desc)); } + return 0; } int read_yesno(void) diff --git a/cmdutils.h b/cmdutils.h index e001ab9201..b05828cd0a 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -62,7 +62,7 @@ void uninit_opts(void); /** * Trivial log callback. - * Only suitable for show_help and similar since it lacks prefix handling. + * Only suitable for opt_help and similar since it lacks prefix handling. */ void log_callback_help(void* ptr, int level, const char* fmt, va_list vl); @@ -177,50 +177,58 @@ void show_banner(void); * Print the version of the program to stdout. The version message * depends on the current versions of the repository and of the libav* * libraries. + * This option processing function does not utilize the arguments. */ -void show_version(void); +int opt_version(const char *opt, const char *arg); /** * Print the license of the program to stdout. The license depends on * the license of the libraries compiled into the program. + * This option processing function does not utilize the arguments. */ -void show_license(void); +int opt_license(const char *opt, const char *arg); /** * Print a listing containing all the formats supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_formats(void); +int opt_formats(const char *opt, const char *arg); /** * Print a listing containing all the codecs supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_codecs(void); +int opt_codecs(const char *opt, const char *arg); /** * Print a listing containing all the filters supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_filters(void); +int opt_filters(const char *opt, const char *arg); /** * Print a listing containing all the bit stream filters supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_bsfs(void); +int opt_bsfs(const char *opt, const char *arg); /** * Print a listing containing all the protocols supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_protocols(void); +int opt_protocols(const char *opt, const char *arg); /** * Print a listing containing all the pixel formats supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_pix_fmts(void); +int opt_pix_fmts(const char *opt, const char *arg); /** * Return a positive value if a line read from standard input diff --git a/cmdutils_common_opts.h b/cmdutils_common_opts.h index 9b5e5d22cd..8e680490fe 100644 --- a/cmdutils_common_opts.h +++ b/cmdutils_common_opts.h @@ -1,13 +1,13 @@ - { "L", OPT_EXIT, {(void*)show_license}, "show license" }, - { "h", OPT_EXIT, {(void*)show_help}, "show help" }, - { "?", OPT_EXIT, {(void*)show_help}, "show help" }, - { "help", OPT_EXIT, {(void*)show_help}, "show help" }, - { "-help", OPT_EXIT, {(void*)show_help}, "show help" }, - { "version", OPT_EXIT, {(void*)show_version}, "show version" }, - { "formats" , OPT_EXIT, {(void*)show_formats }, "show available formats" }, - { "codecs" , OPT_EXIT, {(void*)show_codecs }, "show available codecs" }, - { "bsfs" , OPT_EXIT, {(void*)show_bsfs }, "show available bit stream filters" }, - { "protocols", OPT_EXIT, {(void*)show_protocols}, "show available protocols" }, - { "filters", OPT_EXIT, {(void*)show_filters }, "show available filters" }, - { "pix_fmts" , OPT_EXIT, {(void*)show_pix_fmts }, "show available pixel formats" }, + { "L", OPT_EXIT, {(void*)opt_license}, "show license" }, + { "h", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "?", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "help", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "-help", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "version", OPT_EXIT, {(void*)opt_version}, "show version" }, + { "formats" , OPT_EXIT, {(void*)opt_formats }, "show available formats" }, + { "codecs" , OPT_EXIT, {(void*)opt_codecs }, "show available codecs" }, + { "bsfs" , OPT_EXIT, {(void*)opt_bsfs }, "show available bit stream filters" }, + { "protocols", OPT_EXIT, {(void*)opt_protocols}, "show available protocols" }, + { "filters", OPT_EXIT, {(void*)opt_filters }, "show available filters" }, + { "pix_fmts" , OPT_EXIT, {(void*)opt_pix_fmts }, "show available pixel formats" }, { "loglevel", HAS_ARG, {(void*)opt_loglevel}, "set libav* logging level", "loglevel" }, diff --git a/ffmpeg.c b/ffmpeg.c index ab628b2cbc..4c067d79ed 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2946,7 +2946,7 @@ static int opt_frame_pix_fmt(const char *opt, const char *arg) return AVERROR(EINVAL); } } else { - show_pix_fmts(); + opt_pix_fmts(NULL, NULL); ffmpeg_exit(0); } return 0; @@ -4077,16 +4077,18 @@ static void parse_matrix_coeffs(uint16_t *dest, const char *str) } } -static void opt_inter_matrix(const char *opt, const char *arg) +static int opt_inter_matrix(const char *opt, const char *arg) { inter_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(inter_matrix, arg); + return 0; } -static void opt_intra_matrix(const char *opt, const char *arg) +static int opt_intra_matrix(const char *opt, const char *arg) { intra_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(intra_matrix, arg); + return 0; } static void show_usage(void) @@ -4096,7 +4098,7 @@ static void show_usage(void) printf("\n"); } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { AVCodec *c; AVOutputFormat *oformat = NULL; @@ -4151,6 +4153,7 @@ static void show_help(void) } av_opt_show2(sws_opts, NULL, AV_OPT_FLAG_ENCODING_PARAM|AV_OPT_FLAG_DECODING_PARAM, 0); + return 0; } static int opt_target(const char *opt, const char *arg) @@ -4381,11 +4384,13 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) { } -static void opt_passlogfile(const char *opt, const char *arg) +static int opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; #if CONFIG_LIBX264_ENCODER - opt_default("passlogfile", arg); + return opt_default("passlogfile", arg); +#else + return 0; #endif } diff --git a/ffplay.c b/ffplay.c index b79df9760e..2c4bafcf74 100644 --- a/ffplay.c +++ b/ffplay.c @@ -212,7 +212,7 @@ typedef struct VideoState { int refresh; } VideoState; -static void show_help(void); +static int opt_help(const char *opt, const char *arg); /* options specified by the user */ static AVInputFormat *file_iformat; @@ -2952,7 +2952,7 @@ static void show_usage(void) printf("\n"); } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { av_log_set_callback(log_callback_help); show_usage(); @@ -2984,6 +2984,7 @@ static void show_help(void) "down/up seek backward/forward 1 minute\n" "mouse click seek to percentage in file corresponding to fraction of width\n" ); + return 0; } /* Called from the main */ diff --git a/ffprobe.c b/ffprobe.c index b2b2c8fd9c..ae97253cb8 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -353,7 +353,7 @@ static int opt_input_file(const char *opt, const char *arg) return 0; } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { av_log_set_callback(log_callback_help); show_usage(); @@ -361,6 +361,7 @@ static void show_help(void) printf("\n"); av_opt_show2(avformat_opts, NULL, AV_OPT_FLAG_DECODING_PARAM, 0); + return 0; } static void opt_pretty(void) diff --git a/ffserver.c b/ffserver.c index 0eac639137..2aa778f823 100644 --- a/ffserver.c +++ b/ffserver.c @@ -4662,12 +4662,13 @@ static void opt_debug(void) logfilename[0] = '-'; } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { printf("usage: ffserver [options]\n" "Hyper fast multi format Audio/Video streaming server\n"); printf("\n"); show_help_options(options, "Main options:\n", 0, 0); + return 0; } static const OptionDef options[] = { From 7d704f5127c8163a04026e3f53d082505c92c851 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 29 Jun 2011 12:38:46 -0400 Subject: [PATCH 0142/1119] Make all option parsing functions match the function pointer type through which they are called. All option parsing functions now match the function pointer signature through which they are called (int f(const char *, const char *), thereby working reliably on all platforms. Prefix all option processing functions with opt_ --- cmdutils.c | 24 ++++++++++++++++-------- cmdutils.h | 26 +++++++++++++++++--------- cmdutils_common_opts.h | 24 ++++++++++++------------ ffmpeg.c | 17 +++++++++++------ ffplay.c | 5 +++-- ffprobe.c | 3 ++- ffserver.c | 3 ++- 7 files changed, 63 insertions(+), 39 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index cd6d13346d..62fe6e96ab 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -574,12 +574,13 @@ void show_banner(void) print_all_libs_info(stderr, INDENT|SHOW_VERSION); } -void show_version(void) { +int opt_version(const char *opt, const char *arg) { printf("%s " FFMPEG_VERSION "\n", program_name); print_all_libs_info(stdout, SHOW_VERSION); + return 0; } -void show_license(void) +int opt_license(const char *opt, const char *arg) { printf( #if CONFIG_NONFREE @@ -646,9 +647,10 @@ void show_license(void) program_name, program_name, program_name #endif ); + return 0; } -void show_formats(void) +int opt_formats(const char *opt, const char *arg) { AVInputFormat *ifmt=NULL; AVOutputFormat *ofmt=NULL; @@ -695,9 +697,10 @@ void show_formats(void) name, long_name ? long_name:" "); } + return 0; } -void show_codecs(void) +int opt_codecs(const char *opt, const char *arg) { AVCodec *p=NULL, *p2; const char *last_name; @@ -771,9 +774,10 @@ void show_codecs(void) "even though both encoding and decoding are supported. For example, the h263\n" "decoder corresponds to the h263 and h263p encoders, for file formats it is even\n" "worse.\n"); + return 0; } -void show_bsfs(void) +int opt_bsfs(const char *opt, const char *arg) { AVBitStreamFilter *bsf=NULL; @@ -781,9 +785,10 @@ void show_bsfs(void) while((bsf = av_bitstream_filter_next(bsf))) printf("%s\n", bsf->name); printf("\n"); + return 0; } -void show_protocols(void) +int opt_protocols(const char *opt, const char *arg) { URLProtocol *up=NULL; @@ -799,9 +804,10 @@ void show_protocols(void) up->url_write ? 'O' : '.', up->url_seek ? 'S' : '.', up->name); + return 0; } -void show_filters(void) +int opt_filters(const char *opt, const char *arg) { AVFilter av_unused(**filter) = NULL; @@ -810,9 +816,10 @@ void show_filters(void) while ((filter = av_filter_next(filter)) && *filter) printf("%-16s %s\n", (*filter)->name, (*filter)->description); #endif + return 0; } -void show_pix_fmts(void) +int opt_pix_fmts(const char *opt, const char *arg) { enum PixelFormat pix_fmt; @@ -843,6 +850,7 @@ void show_pix_fmts(void) pix_desc->nb_components, av_get_bits_per_pixel(pix_desc)); } + return 0; } int read_yesno(void) diff --git a/cmdutils.h b/cmdutils.h index e001ab9201..b05828cd0a 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -62,7 +62,7 @@ void uninit_opts(void); /** * Trivial log callback. - * Only suitable for show_help and similar since it lacks prefix handling. + * Only suitable for opt_help and similar since it lacks prefix handling. */ void log_callback_help(void* ptr, int level, const char* fmt, va_list vl); @@ -177,50 +177,58 @@ void show_banner(void); * Print the version of the program to stdout. The version message * depends on the current versions of the repository and of the libav* * libraries. + * This option processing function does not utilize the arguments. */ -void show_version(void); +int opt_version(const char *opt, const char *arg); /** * Print the license of the program to stdout. The license depends on * the license of the libraries compiled into the program. + * This option processing function does not utilize the arguments. */ -void show_license(void); +int opt_license(const char *opt, const char *arg); /** * Print a listing containing all the formats supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_formats(void); +int opt_formats(const char *opt, const char *arg); /** * Print a listing containing all the codecs supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_codecs(void); +int opt_codecs(const char *opt, const char *arg); /** * Print a listing containing all the filters supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_filters(void); +int opt_filters(const char *opt, const char *arg); /** * Print a listing containing all the bit stream filters supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_bsfs(void); +int opt_bsfs(const char *opt, const char *arg); /** * Print a listing containing all the protocols supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_protocols(void); +int opt_protocols(const char *opt, const char *arg); /** * Print a listing containing all the pixel formats supported by the * program. + * This option processing function does not utilize the arguments. */ -void show_pix_fmts(void); +int opt_pix_fmts(const char *opt, const char *arg); /** * Return a positive value if a line read from standard input diff --git a/cmdutils_common_opts.h b/cmdutils_common_opts.h index 9b5e5d22cd..8e680490fe 100644 --- a/cmdutils_common_opts.h +++ b/cmdutils_common_opts.h @@ -1,13 +1,13 @@ - { "L", OPT_EXIT, {(void*)show_license}, "show license" }, - { "h", OPT_EXIT, {(void*)show_help}, "show help" }, - { "?", OPT_EXIT, {(void*)show_help}, "show help" }, - { "help", OPT_EXIT, {(void*)show_help}, "show help" }, - { "-help", OPT_EXIT, {(void*)show_help}, "show help" }, - { "version", OPT_EXIT, {(void*)show_version}, "show version" }, - { "formats" , OPT_EXIT, {(void*)show_formats }, "show available formats" }, - { "codecs" , OPT_EXIT, {(void*)show_codecs }, "show available codecs" }, - { "bsfs" , OPT_EXIT, {(void*)show_bsfs }, "show available bit stream filters" }, - { "protocols", OPT_EXIT, {(void*)show_protocols}, "show available protocols" }, - { "filters", OPT_EXIT, {(void*)show_filters }, "show available filters" }, - { "pix_fmts" , OPT_EXIT, {(void*)show_pix_fmts }, "show available pixel formats" }, + { "L", OPT_EXIT, {(void*)opt_license}, "show license" }, + { "h", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "?", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "help", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "-help", OPT_EXIT, {(void*)opt_help}, "show help" }, + { "version", OPT_EXIT, {(void*)opt_version}, "show version" }, + { "formats" , OPT_EXIT, {(void*)opt_formats }, "show available formats" }, + { "codecs" , OPT_EXIT, {(void*)opt_codecs }, "show available codecs" }, + { "bsfs" , OPT_EXIT, {(void*)opt_bsfs }, "show available bit stream filters" }, + { "protocols", OPT_EXIT, {(void*)opt_protocols}, "show available protocols" }, + { "filters", OPT_EXIT, {(void*)opt_filters }, "show available filters" }, + { "pix_fmts" , OPT_EXIT, {(void*)opt_pix_fmts }, "show available pixel formats" }, { "loglevel", HAS_ARG, {(void*)opt_loglevel}, "set libav* logging level", "loglevel" }, diff --git a/ffmpeg.c b/ffmpeg.c index c6374df949..ab5eb573a4 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2945,7 +2945,7 @@ static int opt_frame_pix_fmt(const char *opt, const char *arg) return AVERROR(EINVAL); } } else { - show_pix_fmts(); + opt_pix_fmts(NULL, NULL); ffmpeg_exit(0); } return 0; @@ -4076,16 +4076,18 @@ static void parse_matrix_coeffs(uint16_t *dest, const char *str) } } -static void opt_inter_matrix(const char *opt, const char *arg) +static int opt_inter_matrix(const char *opt, const char *arg) { inter_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(inter_matrix, arg); + return 0; } -static void opt_intra_matrix(const char *opt, const char *arg) +static int opt_intra_matrix(const char *opt, const char *arg) { intra_matrix = av_mallocz(sizeof(uint16_t) * 64); parse_matrix_coeffs(intra_matrix, arg); + return 0; } static void show_usage(void) @@ -4095,7 +4097,7 @@ static void show_usage(void) printf("\n"); } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { AVCodec *c; AVOutputFormat *oformat = NULL; @@ -4150,6 +4152,7 @@ static void show_help(void) } av_opt_show2(sws_opts, NULL, AV_OPT_FLAG_ENCODING_PARAM|AV_OPT_FLAG_DECODING_PARAM, 0); + return 0; } static int opt_target(const char *opt, const char *arg) @@ -4380,11 +4383,13 @@ static void log_callback_null(void* ptr, int level, const char* fmt, va_list vl) { } -static void opt_passlogfile(const char *opt, const char *arg) +static int opt_passlogfile(const char *opt, const char *arg) { pass_logfilename_prefix = arg; #if CONFIG_LIBX264_ENCODER - opt_default("passlogfile", arg); + return opt_default("passlogfile", arg); +#else + return 0; #endif } diff --git a/ffplay.c b/ffplay.c index 6eefee6e00..6ac8f34fa0 100644 --- a/ffplay.c +++ b/ffplay.c @@ -212,7 +212,7 @@ typedef struct VideoState { int refresh; } VideoState; -static void show_help(void); +static int opt_help(const char *opt, const char *arg); /* options specified by the user */ static AVInputFormat *file_iformat; @@ -2952,7 +2952,7 @@ static void show_usage(void) printf("\n"); } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { av_log_set_callback(log_callback_help); show_usage(); @@ -2984,6 +2984,7 @@ static void show_help(void) "down/up seek backward/forward 1 minute\n" "mouse click seek to percentage in file corresponding to fraction of width\n" ); + return 0; } /* Called from the main */ diff --git a/ffprobe.c b/ffprobe.c index a2b27c3745..fdcdf70273 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -353,7 +353,7 @@ static int opt_input_file(const char *opt, const char *arg) return 0; } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { av_log_set_callback(log_callback_help); show_usage(); @@ -361,6 +361,7 @@ static void show_help(void) printf("\n"); av_opt_show2(avformat_opts, NULL, AV_OPT_FLAG_DECODING_PARAM, 0); + return 0; } static void opt_pretty(void) diff --git a/ffserver.c b/ffserver.c index 15ea00f4f8..83dd986dc2 100644 --- a/ffserver.c +++ b/ffserver.c @@ -4654,12 +4654,13 @@ static void opt_debug(void) logfilename[0] = '-'; } -static void show_help(void) +static int opt_help(const char *opt, const char *arg) { printf("usage: ffserver [options]\n" "Hyper fast multi format Audio/Video streaming server\n"); printf("\n"); show_help_options(options, "Main options:\n", 0, 0); + return 0; } static const OptionDef options[] = { From f5978250524f03364c4c67f14dab86db66f7a908 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2011 21:24:13 +0200 Subject: [PATCH 0143/1119] Fix memory corruption in case of memory allocation failure in av_probe_input_buffer() Reported-by: Tanami Ohad Signed-off-by: Michael Niedermayer (cherry picked from commit 941bb552c6e08b40eb7d7842df19285cd650edd0) --- libavformat/utils.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 955aaa72a2..52b2ae95bf 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -524,13 +524,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; + void *buftmp; if (probe_size < offset) { continue; } /* read probe data */ - buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); + buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); + if(!buftmp){ + av_free(buf); + return AVERROR(ENOMEM); + } + buf=buftmp; if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { From 8af11e51f22705f37818f0aaded8bbd24dd34aac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2011 01:49:55 +0200 Subject: [PATCH 0144/1119] vf_scale: apply the same transform to the aspect during init that is applied per frame Signed-off-by: Michael Niedermayer (cherry picked from commit c8868f28e357e7e6ffe3254d0056b3e8033fe8e5) --- libavfilter/vf_scale.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index e172a2e586..ba8f9e1e82 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -232,6 +232,11 @@ static int config_props(AVFilterLink *outlink) if (!scale->sws) return AVERROR(EINVAL); + if (inlink->sample_aspect_ratio.num){ + outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio); + } else + outlink->sample_aspect_ratio = inlink->sample_aspect_ratio; + return 0; fail: From b6187e48db484f9fe8437457bcb382c331baf8c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Aug 2011 17:29:51 +0200 Subject: [PATCH 0145/1119] cavsdec: avoid possible crash with crafted input Signed-off-by: Michael Niedermayer (cherry picked from commit 9f06c1c61e876e930753da200bfe835817e30a53) --- libavcodec/cavsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 222355ea5e..906afdb668 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -166,7 +166,7 @@ static inline int decode_residual_inter(AVSContext *h) { /* get coded block pattern */ int cbp= get_ue_golomb(&h->s.gb); - if(cbp > 63){ + if(cbp > 63U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n"); return -1; } @@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) { /* get coded block pattern */ if(h->pic_type == AV_PICTURE_TYPE_I) cbp_code = get_ue_golomb(gb); - if(cbp_code > 63){ + if(cbp_code > 63U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n"); return -1; } From c2a2ad133eb9d42361804a568dee336992349a5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 14:12:42 +0200 Subject: [PATCH 0146/1119] rtp: Fix integer underflow that could allow remote code execution. Fixes MSVR-11-0088 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit ba9a7e0d71bd34f8b89ae99322b62a310be163a6) --- libavformat/rtpdec_asf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 4f776453d7..384aeb24f3 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int prev_len = out_len; out_len += cur_len; asf->buf = av_realloc(asf->buf, out_len); + if(!asf->buf || FFMIN(cur_len, len - off)<0) + return -1; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); From b6b46db9e4fac641d2111c63f02b694250a5e90c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 15:18:29 +0200 Subject: [PATCH 0147/1119] Update for 0.7.4 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Doxyfile b/Doxyfile index b7c634c74e..afd2e3c289 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.3 +PROJECT_NUMBER = 0.7.4 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index f38fc5393f..0a1ffad4b4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.3 +0.7.4 diff --git a/VERSION b/VERSION index dc5add7e4d..0a1ffad4b4 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1 @@ -0.7.3 - +0.7.4 From a9a8e5ca99cead74c6c0c8ccf180634cb64301cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 15:19:28 +0200 Subject: [PATCH 0148/1119] Update for 0.8.3 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 0f7de822f6..eca888d1d8 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.2 +PROJECT_NUMBER = 0.8.3 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 100435be13..ee94dd834b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.2 +0.8.3 diff --git a/VERSION b/VERSION index 100435be13..ee94dd834b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.2 +0.8.3 From 61f55565fb96158a70ddc56c9e44312ffbd3cce5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 16:48:49 +0200 Subject: [PATCH 0149/1119] rtpdec_asf: fix memleak Based on a suggestion by Ronald S. Bultje Signed-off-by: Michael Niedermayer (cherry picked from commit a2b66a366d7d9d7dacc217601b5e4406624f91ea) --- libavformat/rtpdec_asf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 384aeb24f3..643ea7a5a0 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -233,10 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int cur_len = start_off + len_off - off; int prev_len = out_len; + void *newbuf; out_len += cur_len; - asf->buf = av_realloc(asf->buf, out_len); - if(!asf->buf || FFMIN(cur_len, len - off)<0) + if(FFMIN(cur_len, len - off)<0) return -1; + newbuf = av_realloc(asf->buf, out_len); + if(!newbuf) + return -1; + asf->buf= newbuf; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); From 076a8dfd411b77cd0b993581daf7ed7a313f017f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 16:48:49 +0200 Subject: [PATCH 0150/1119] rtpdec_asf: fix memleak Based on a suggestion by Ronald S. Bultje Signed-off-by: Michael Niedermayer (cherry picked from commit a2b66a366d7d9d7dacc217601b5e4406624f91ea) --- libavformat/rtpdec_asf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 384aeb24f3..643ea7a5a0 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -233,10 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int cur_len = start_off + len_off - off; int prev_len = out_len; + void *newbuf; out_len += cur_len; - asf->buf = av_realloc(asf->buf, out_len); - if(!asf->buf || FFMIN(cur_len, len - off)<0) + if(FFMIN(cur_len, len - off)<0) return -1; + newbuf = av_realloc(asf->buf, out_len); + if(!newbuf) + return -1; + asf->buf= newbuf; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); From f4e34d161415d4f81e72115c1567a032540c36bf Mon Sep 17 00:00:00 2001 From: Chris Rankin Date: Thu, 8 Sep 2011 21:04:26 +0200 Subject: [PATCH 0151/1119] mp3dec: Dont spam the user on multiple mp3 frames. (cherry picked from commit 54e1eaef6787104083cbc9c9834ea4d13612df9f) --- libavcodec/mpegaudiodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 56a48ce71b..9fbae0c316 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1809,7 +1809,7 @@ static int decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "incomplete frame\n"); return -1; }else if(s->frame_size < buf_size){ - av_log(avctx, AV_LOG_ERROR, "incorrect frame size\n"); + av_log(avctx, AV_LOG_DEBUG, "incorrect frame size - multiple frames in buffer?\n"); buf_size= s->frame_size; } From b2c9e9be870d2abcd2f85c9c0e3af5d1be3ac9e5 Mon Sep 17 00:00:00 2001 From: Chris Rankin Date: Thu, 8 Sep 2011 21:04:26 +0200 Subject: [PATCH 0152/1119] mp3dec: Dont spam the user on multiple mp3 frames. (cherry picked from commit 54e1eaef6787104083cbc9c9834ea4d13612df9f) --- libavcodec/mpegaudiodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 56a48ce71b..9fbae0c316 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1809,7 +1809,7 @@ static int decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "incomplete frame\n"); return -1; }else if(s->frame_size < buf_size){ - av_log(avctx, AV_LOG_ERROR, "incorrect frame size\n"); + av_log(avctx, AV_LOG_DEBUG, "incorrect frame size - multiple frames in buffer?\n"); buf_size= s->frame_size; } From e6df35b3be5f722f49390b9950dde78975f33350 Mon Sep 17 00:00:00 2001 From: Gavin Kinsey Date: Thu, 8 Sep 2011 13:01:14 +0100 Subject: [PATCH 0153/1119] Prevent double free of side_data when AVFMT_FLAG_KEEP_SIDE_DATA flag is set (cherry picked from commit d64066f6e88c827e33002b2c7740efd62cd5ba7f) --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 52b2ae95bf..a582ddcc61 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1133,7 +1133,10 @@ static int av_read_frame_internal(AVFormatContext *s, AVPacket *pkt) if (!st->need_parsing || !st->parser) { /* no parsing needed: we just output the packet as is */ /* raw data support */ - *pkt = st->cur_pkt; st->cur_pkt.data= NULL; + *pkt = st->cur_pkt; + st->cur_pkt.data= NULL; + st->cur_pkt.side_data_elems = 0; + st->cur_pkt.side_data = NULL; compute_pkt_fields(s, st, NULL, pkt); s->cur_st = NULL; if ((s->iformat->flags & AVFMT_GENERIC_INDEX) && From 90edd5df3d8c7a98372532363a86ffc217b3fa82 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 23:12:32 +0200 Subject: [PATCH 0154/1119] Fixed invalid access in wavpack decoder on corrupted extra bits sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062) --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d5102320fd..f46f9250de 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -385,7 +385,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in if(s->extra_bits){ S <<= s->extra_bits; - if(s->got_extra_bits){ + if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){ S |= get_bits(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16); } From 399f7e0e75f902d4645879a1c39c4bd5fcfcee65 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:17:39 +0200 Subject: [PATCH 0155/1119] Fixed invalid writes in wavpack decoder on corrupted bitstreams. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f) --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f46f9250de..a01795aff5 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1113,7 +1113,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1122,7 +1122,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1131,7 +1131,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; From e1baba3ddb8aa042f1a3a0d7bf74bb89a9c58f36 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:02:55 +0200 Subject: [PATCH 0156/1119] Fixed invalid access in wavpack decoder on corrupted bitstream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c) --- libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a01795aff5..0ab05ac841 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } }else{ t = get_unary_0_33(gb); - if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1)); + if(t >= 2){ + if(get_bits_left(gb) < t-1) + goto error; + t = get_bits(gb, t - 1) | (1 << (t-1)); + }else{ + if(get_bits_left(gb) < 0) + goto error; + } ctx->zeroes = t; if(ctx->zeroes){ memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median)); @@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } } - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } - if(ctx->zero){ t = 0; ctx->zero = 0; }else{ t = get_unary_0_33(gb); - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } + if(get_bits_left(gb) < 0) + goto error; if(t == 16) { t2 = get_unary_0_33(gb); - if(t2 < 2) t += t2; - else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + if(t2 < 2){ + if(get_bits_left(gb) < 0) + goto error; + t += t2; + }else{ + if(get_bits_left(gb) < t2 - 1) + goto error; + t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + } } if(ctx->one){ @@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } if(!c->error_limit){ ret = base + get_tail(gb, add); + if (get_bits_left(gb) <= 0) + goto error; }else{ int mid = (base*2 + add + 1) >> 1; while(add > c->error_limit){ + if(get_bits_left(gb) <= 0) + goto error; if(get_bits1(gb)){ add -= (mid - base); base = mid; @@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel if(ctx->hybrid_bitrate) c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level); return sign ? ~ret : ret; + +error: + *last = 1; + return 0; } static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S) @@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); @@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); From 48ba48fb132245a3a50cdd91eb90916a44f34c36 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 8 Sep 2011 11:02:43 -0700 Subject: [PATCH 0157/1119] wavpack: Check error codes rather than working around error conditions. (cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17) --- libavcodec/wavpack.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0ab05ac841..0d92f1802c 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1119,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32); else samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + + if (samplecount < 0) + return -1; + samplecount >>= 1; }else{ const int channel_stride = avctx->channels; @@ -1130,11 +1134,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, else samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + if (samplecount < 0) + return -1; + if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){ int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1143,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1152,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; From acf2d3293c305c96ac0afda28bd55233af4ce61c Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 26 Jun 2011 15:52:00 -0700 Subject: [PATCH 0158/1119] swscale: don't use planar output functions to write to NV12/21. This prevents a crash when converting to NV12/21 without the bitexact flags enabled. (cherry picked from commit 0d994b2f45c08794899057ee7ca54f48218c0a53) Signed-off-by: Anton Khirnov --- libswscale/x86/swscale_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 8fad257ddf..dc92cddff5 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -2203,7 +2203,8 @@ static av_cold void RENAME(sws_init_swScale)(SwsContext *c) enum PixelFormat srcFormat = c->srcFormat, dstFormat = c->dstFormat; - if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat)) { + if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat) && + dstFormat != PIX_FMT_NV12 && dstFormat != PIX_FMT_NV21) { if (!(c->flags & SWS_BITEXACT)) { if (c->flags & SWS_ACCURATE_RND) { c->yuv2yuv1 = RENAME(yuv2yuv1_ar ); From fa38ed8ac07402d9ab268eee0eb475e7e473a0c3 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Mon, 4 Jul 2011 06:05:34 -0700 Subject: [PATCH 0159/1119] H.264: fix overreads of qscale_table filter_mb_fast assumed that qscale_table was padded like many of the other tables. (cherry picked from commit 5029a406334ad0eaf92130e23d596e405a8a5aa0) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo.c | 5 +++-- libavcodec/mpegvideo.h | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 4978d28b49..ceed41f230 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -285,9 +285,10 @@ int ff_alloc_picture(MpegEncContext *s, Picture *pic, int shared){ } FF_ALLOCZ_OR_GOTO(s->avctx, pic->mbskip_table , mb_array_size * sizeof(uint8_t)+2, fail) //the +2 is for the slice end check - FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table , mb_array_size * sizeof(uint8_t) , fail) + FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base , (big_mb_num + s->mb_stride) * sizeof(uint8_t) , fail) FF_ALLOCZ_OR_GOTO(s->avctx, pic->mb_type_base , (big_mb_num + s->mb_stride) * sizeof(uint32_t), fail) pic->mb_type= pic->mb_type_base + 2*s->mb_stride+1; + pic->qscale_table = pic->qscale_table_base + 2*s->mb_stride + 1; if(s->out_format == FMT_H264){ for(i=0; i<2; i++){ FF_ALLOCZ_OR_GOTO(s->avctx, pic->motion_val_base[i], 2 * (b4_array_size+4) * sizeof(int16_t), fail) @@ -339,7 +340,7 @@ static void free_picture(MpegEncContext *s, Picture *pic){ av_freep(&pic->mc_mb_var); av_freep(&pic->mb_mean); av_freep(&pic->mbskip_table); - av_freep(&pic->qscale_table); + av_freep(&pic->qscale_table_base); av_freep(&pic->mb_type_base); av_freep(&pic->dct_coeff); av_freep(&pic->pan_scan); diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 6ce7faa235..f37977c941 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -88,6 +88,7 @@ typedef struct Picture{ * halfpel luma planes. */ uint8_t *interpolated[3]; + int8_t *qscale_table_base; int16_t (*motion_val_base[2])[2]; uint32_t *mb_type_base; #define MB_TYPE_INTRA MB_TYPE_INTRA4x4 //default mb_type if there is just one type From 0ab69793fc76b0653315b055fbfae4738a40d115 Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 4 Jul 2011 09:55:19 -0700 Subject: [PATCH 0160/1119] dca: set AVCodecContext frame_size for DTS audio Set the frame size when decoding DTS audio. This has the side effect of fixing the computation of timestamps for DTS-HD in compute_pkt_fields. Since frame_size is not currently set, the duration of a frame is being guessed based on the streams bitrate. But for DTS-HD, the bitrate currently used is the rate of the DTS core which is much different than the whole DTS-HD stream and leads to a wildly inaccurate frame duration estimate. Signed-off-by: Ronald S. Bultje (cherry picked from commit 49c7006c7e815d4330247624a9e6ba30e288cd02) Signed-off-by: Anton Khirnov --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index a9b2c9b0c9..fad6bce7a9 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -1650,6 +1650,7 @@ static int dca_decode_frame(AVCodecContext * avctx, //set AVCodec values with parsed data avctx->sample_rate = s->sample_rate; avctx->bit_rate = s->bit_rate; + avctx->frame_size = s->sample_blocks * 32; s->profile = FF_PROFILE_DTS; From 694279bfd2452c58a7b7ce6424dfba785a99fedd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 4 Jul 2011 10:19:46 +0200 Subject: [PATCH 0161/1119] mxfenc: fix ignored drop flag in binary timecode representation. Signed-off-by: Ronald S. Bultje (cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087) Signed-off-by: Anton Khirnov --- libavformat/mxfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index c448e14b00..387263e1a1 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1539,7 +1539,7 @@ static const uint8_t system_metadata_package_set_key[] = { 0x06,0x0E,0x2B,0x34,0 static uint32_t ff_framenum_to_12m_time_code(unsigned frame, int drop, int fps) { return (0 << 31) | // color frame flag - (0 << 30) | // drop frame flag + (drop << 30) | // drop frame flag ( ((frame % fps) / 10) << 28) | // tens of frames ( ((frame % fps) % 10) << 24) | // units of frames (0 << 23) | // field phase (NTSC), b0 (PAL) From 266ec41f77da6a44fe18e3774f08c9d4551137ac Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 5 Jul 2011 18:29:35 +0100 Subject: [PATCH 0162/1119] ARM: workaround for bug in GNU assembler Some versions of the GNU assembler do not handle 64-bit immediate operands containing arithmetic. Writing the value out in full works correctly. Signed-off-by: Mans Rullgard (cherry picked from commit fce1e43410bdc032c4cf2b1c66166a9ed99cc8f1) Signed-off-by: Anton Khirnov --- libavcodec/arm/fft_fixed_neon.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/arm/fft_fixed_neon.S b/libavcodec/arm/fft_fixed_neon.S index 14884d3736..63d8159359 100644 --- a/libavcodec/arm/fft_fixed_neon.S +++ b/libavcodec/arm/fft_fixed_neon.S @@ -56,7 +56,7 @@ vhsub.s16 \r0, \d0, \d1 @ t3, t4, t8, t7 vhsub.s16 \r1, \d1, \d0 vhadd.s16 \d0, \d0, \d1 @ t1, t2, t6, t5 - vmov.i64 \d1, #0xffff<<32 + vmov.i64 \d1, #0xffff00000000 vbit \r0, \r1, \d1 vrev64.16 \r1, \r0 @ t7, t8, t4, t3 vtrn.32 \r0, \r1 @ t3, t4, t7, t8 From 2649439bbdbf32af2bd07160c8a85ba55112af11 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 5 Jul 2011 18:10:48 -0700 Subject: [PATCH 0163/1119] eval: fix memleak. (cherry picked from commit fe277b16f0861a327e1f6c00c0dbb8b00806d60d) Signed-off-by: Anton Khirnov --- libavutil/eval.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/eval.c b/libavutil/eval.c index a3788210e3..8bcba3632d 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -488,6 +488,7 @@ int av_expr_parse(AVExpr **expr, const char *s, if ((ret = parse_expr(&e, &p)) < 0) goto end; if (*p.s) { + av_expr_free(e); av_log(&p, AV_LOG_ERROR, "Invalid chars '%s' at the end of expression '%s'\n", p.s, s0); ret = AVERROR(EINVAL); goto end; From baec70e16fd98c72a7ec9eaec70453a9279ad46c Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 29 Jun 2011 13:41:47 -0700 Subject: [PATCH 0164/1119] adts: Fix PCE copying. Parse the extension flag bit when reading the MPEG4 AudioSpecificConfig. This has nothing to do with SBR/PS contradictory to what was noted when it was removed. (cherry picked from commit 7f01a4192cdf4565eadee457f76e6b5196e35e0b) Signed-off-by: Anton Khirnov --- libavformat/adtsenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index e858a81d92..75649e24dc 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -59,6 +59,10 @@ int ff_adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, uint8_t *buf av_log(s, AV_LOG_ERROR, "Scalable configurations are not allowed in ADTS\n"); return -1; } + if (get_bits(&gb, 1)) { + av_log(s, AV_LOG_ERROR, "Extension flag is not allowed in ADTS\n"); + return -1; + } if (!adts->channel_conf) { init_put_bits(&pb, adts->pce_data, MAX_PCE_SIZE); From fa750933812f742bdc1e208e109b8b72305ca1a2 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 11 Sep 2011 12:27:51 +0200 Subject: [PATCH 0165/1119] Revert "ffmpeg: get rid of useless AVInputStream.nb_streams." This reverts commit 2cf8355f98681bdd726b739008acd5483f82f8d7. AVInputStream.nb_streams tracks number of streams found at the beginning, new streams may appear that ffmpeg doesn't know about. Fixes crash in this case. Signed-off-by: Anton Khirnov --- ffmpeg.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index c1db3d5679..76d1cf363c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -329,6 +329,7 @@ typedef struct AVInputFile { int eof_reached; /* true if eof reached */ int ist_index; /* index of first stream in ist_table */ int buffer_size; /* current total buffer size */ + int nb_streams; /* nb streams we are aware of */ } AVInputFile; static AVInputStream *input_streams = NULL; @@ -1983,7 +1984,7 @@ static int transcode(AVFormatContext **output_files, int si = stream_maps[i].stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -1991,7 +1992,7 @@ static int transcode(AVFormatContext **output_files, fi = stream_maps[i].sync_file_index; si = stream_maps[i].sync_stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find sync stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -2607,7 +2608,7 @@ static int transcode(AVFormatContext **output_files, } /* the following test is needed in case new streams appear dynamically in stream : we ignore them */ - if (pkt.stream_index >= input_files[file_index].ctx->nb_streams) + if (pkt.stream_index >= input_files[file_index].nb_streams) goto discard_packet; ist_index = input_files[file_index].ist_index + pkt.stream_index; ist = &input_streams[ist_index]; @@ -3365,6 +3366,7 @@ static int opt_input_file(const char *opt, const char *filename) input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1); input_files[nb_input_files - 1].ctx = ic; input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams; + input_files[nb_input_files - 1].nb_streams = ic->nb_streams; frame_rate = (AVRational){0, 0}; frame_pix_fmt = PIX_FMT_NONE; From 91f9c7917c830982f9122dc16d1d865cf82d8382 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Thu, 23 Jun 2011 15:59:33 +0200 Subject: [PATCH 0166/1119] gxf: Fix 25 fps DV material in GXF being misdetected as 50 fps Set DV packet durations using fields_per_frame. This requires turning gxf_stream_info into the demuxer's context for access to the value in gxf_packet(). Since MPEG-2 seems to work fine this done only for DV. Signed-off-by: Anton Khirnov (cherry picked from commit 99fecc64b064a013559d3d61f7d9790e3c95c80e) Signed-off-by: Anton Khirnov --- libavformat/gxf.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 74d925fe60..d77fd18b37 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -264,7 +264,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { int map_len; int len; AVRational main_timebase = {0, 0}; - struct gxf_stream_info si; + struct gxf_stream_info *si = s->priv_data; int i; if (!parse_packet_header(pb, &pkt_type, &map_len) || pkt_type != PKT_MAP) { av_log(s, AV_LOG_ERROR, "map packet not found\n"); @@ -282,7 +282,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { return 0; } map_len -= len; - gxf_material_tags(pb, &len, &si); + gxf_material_tags(pb, &len, si); avio_skip(pb, len); map_len -= 2; len = avio_rb16(pb); // length of track description @@ -300,7 +300,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { track_id = avio_r8(pb); track_len = avio_rb16(pb); len -= track_len; - gxf_track_tags(pb, &track_len, &si); + gxf_track_tags(pb, &track_len, si); avio_skip(pb, track_len); if (!(track_type & 0x80)) { av_log(s, AV_LOG_ERROR, "invalid track type %x\n", track_type); @@ -316,12 +316,12 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { if (idx < 0) continue; st = s->streams[idx]; if (!main_timebase.num || !main_timebase.den) { - main_timebase.num = si.frames_per_second.den; - main_timebase.den = si.frames_per_second.num * 2; + main_timebase.num = si->frames_per_second.den; + main_timebase.den = si->frames_per_second.num * 2; } - st->start_time = si.first_field; - if (si.first_field != AV_NOPTS_VALUE && si.last_field != AV_NOPTS_VALUE) - st->duration = si.last_field - si.first_field; + st->start_time = si->first_field; + if (si->first_field != AV_NOPTS_VALUE && si->last_field != AV_NOPTS_VALUE) + st->duration = si->last_field - si->first_field; } if (len < 0) av_log(s, AV_LOG_ERROR, "invalid track description length specified\n"); @@ -422,6 +422,8 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { AVIOContext *pb = s->pb; GXFPktType pkt_type; int pkt_len; + struct gxf_stream_info *si = s->priv_data; + while (!pb->eof_reached) { AVStream *st; int track_type, track_id, ret; @@ -473,6 +475,11 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { avio_skip(pb, skip); pkt->stream_index = stream_index; pkt->dts = field_nr; + + //set duration manually for DV or else lavf misdetects the frame rate + if (st->codec->codec_id == CODEC_ID_DVVIDEO) + pkt->duration = si->fields_per_frame; + return ret; } return AVERROR(EIO); @@ -518,7 +525,7 @@ static int64_t gxf_read_timestamp(AVFormatContext *s, int stream_index, AVInputFormat ff_gxf_demuxer = { "gxf", NULL_IF_CONFIG_SMALL("GXF format"), - 0, + sizeof(struct gxf_stream_info), gxf_probe, gxf_header, gxf_packet, From 9bf76932e5e4dffd5199084cab810b6c8203fce1 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Jun 2011 15:33:56 -0400 Subject: [PATCH 0167/1119] alsa: fallback to buffer_size/4 for period_size. buffer_size/4 is the value used by aplay. This fixes output to null devices, e.g. writing ALSA output to a file. (cherry picked from commit 8bfd7f6a475225a0595bf657f8b99a8fffb461e4) Signed-off-by: Anton Khirnov --- libavdevice/alsa-audio-common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index baa6ac79ca..4c7c881300 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -146,6 +146,8 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL); + if (!period_size) + period_size = buffer_size / 4; res = snd_pcm_hw_params_set_period_size_near(h, hw_params, &period_size, NULL); if (res < 0) { av_log(ctx, AV_LOG_ERROR, "cannot set ALSA period size (%s)\n", From 207db36a4fa234f6d5123601cceb96f261588fb7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Jun 2011 16:38:20 -0400 Subject: [PATCH 0168/1119] alsa: limit buffer_size to 32768 frames. In testing, the file output plugin gave a max buffer size of about 20 million frames, which is way more than what is really needed and causes a memory allocation error on my system. (cherry picked from commit e35c674d13a7f180412cfe058530a2e7f1d49a90) Signed-off-by: Anton Khirnov --- libavdevice/alsa-audio-common.c | 1 + libavdevice/alsa-audio.h | 2 ++ 2 files changed, 3 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index 4c7c881300..825fcb1dbd 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -137,6 +137,7 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_buffer_size_max(hw_params, &buffer_size); + buffer_size = FFMIN(buffer_size, ALSA_BUFFER_SIZE_MAX); /* TODO: maybe use ctx->max_picture_buffer somehow */ res = snd_pcm_hw_params_set_buffer_size_near(h, hw_params, &buffer_size); if (res < 0) { diff --git a/libavdevice/alsa-audio.h b/libavdevice/alsa-audio.h index 32c07426ef..c8c6ea4aff 100644 --- a/libavdevice/alsa-audio.h +++ b/libavdevice/alsa-audio.h @@ -40,6 +40,8 @@ other formats */ #define DEFAULT_CODEC_ID AV_NE(CODEC_ID_PCM_S16BE, CODEC_ID_PCM_S16LE) +#define ALSA_BUFFER_SIZE_MAX 32768 + typedef struct { AVClass *class; snd_pcm_t *h; From e308a91c9cf3d93188cd30fc5ec7ef2ce0fbfc45 Mon Sep 17 00:00:00 2001 From: Jindrich Makovicka Date: Thu, 30 Jun 2011 09:03:15 +0000 Subject: [PATCH 0169/1119] mpegts: fix Continuity Counter error detection According to MPEG-TS specs, the continuity_counter shall not be incremented when the adaptation_field_control of the packet equals '00' or '10'. Signed-off-by: Jindrich Makovicka Signed-off-by: Anton Khirnov (cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7) Signed-off-by: Anton Khirnov --- libavformat/mpegts.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e9b8b3513a..608cbe710f 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1247,7 +1247,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) { AVFormatContext *s = ts->stream; MpegTSFilter *tss; - int len, pid, cc, cc_ok, afc, is_start; + int len, pid, cc, expected_cc, cc_ok, afc, is_start; const uint8_t *p, *p_end; int64_t pos; @@ -1265,7 +1265,8 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) /* continuity check (currently not used) */ cc = (packet[3] & 0xf); - cc_ok = (tss->last_cc < 0) || ((((tss->last_cc + 1) & 0x0f) == cc)); + expected_cc = (packet[3] & 0x10) ? (tss->last_cc + 1) & 0x0f : tss->last_cc; + cc_ok = (tss->last_cc < 0) || (expected_cc == cc); tss->last_cc = cc; /* skip adaptation field */ From dc3ab8ca438e7033cd7e049398f78d87d3b6fc55 Mon Sep 17 00:00:00 2001 From: Oskar Arvidsson Date: Tue, 12 Jul 2011 10:52:19 +0200 Subject: [PATCH 0170/1119] pix_fmt: Fix number of bits per component in yuv444p9be Signed-off-by: Ronald S. Bultje (cherry picked from commit e59d6b4d7255d6d3dc89580f534e18af1433fe25) Signed-off-by: Anton Khirnov --- libavutil/pixdesc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index efc7c7ea0e..c70a41347b 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -918,9 +918,9 @@ const AVPixFmtDescriptor av_pix_fmt_descriptors[PIX_FMT_NB] = { .log2_chroma_w= 0, .log2_chroma_h= 0, .comp = { - {0,1,1,0,9}, /* Y */ - {1,1,1,0,9}, /* U */ - {2,1,1,0,9}, /* V */ + {0,1,1,0,8}, /* Y */ + {1,1,1,0,8}, /* U */ + {2,1,1,0,8}, /* V */ }, .flags = PIX_FMT_BE, }, From 44b3f053090bfb4bae50d3f92d4e70335066f91c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 12 Jul 2011 22:42:18 +0200 Subject: [PATCH 0171/1119] lavf: fix segfault in av_open_input_stream() ic is NULL in case of error. (cherry picked from commit 13551ad1e336573e3732fdeaf25607c47244bb80) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0e6b00195b..2cb096e373 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -465,7 +465,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, else ic->pb = pb; - err = avformat_open_input(&ic, filename, fmt, &opts); + if ((err = avformat_open_input(&ic, filename, fmt, &opts)) < 0) + goto fail; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above *ic_ptr = ic; From fe7deb7cc40b4f5a91d5a5b22e5532fd14cdf123 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Fri, 15 Jul 2011 22:38:10 +0100 Subject: [PATCH 0172/1119] aacps: skip some memcpy() if src and dst would be equal Signed-off-by: Mans Rullgard (cherry picked from commit e5902d60ce8f7cf10b6e87a57eec536b316261a3) Signed-off-by: Anton Khirnov --- libavcodec/aacps.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 724c13256a..3f1424bcf2 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2 const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB; //Remapping - memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); - memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); - memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); - memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); - memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); - memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); - memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); - memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + if (ps->num_env_old) { + memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); + memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); + memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); + memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); + memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); + memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); + memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); + memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + } + if (is34) { remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1); remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1); From 3b80fb50d815fe399ff7b69e7e646b4597a0bf84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Sat, 16 Jul 2011 11:41:08 -0400 Subject: [PATCH 0173/1119] Do not decode RV30 files if the extradata is too small Signed-off-by: Diego Biurrun (cherry picked from commit 289c60001fb0a9a1d7a97c876d8a42b84c6874ac) Signed-off-by: Anton Khirnov --- libavcodec/rv30.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 62177dda78..2b423cc0d2 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,6 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); + return EINVAL; } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From ba19cb688596a95d84617bb5e6551ea4ec364648 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 20 Jul 2011 09:55:48 +0100 Subject: [PATCH 0174/1119] Fix incorrect max_lowres values Signed-off-by: Mans Rullgard (cherry picked from commit e23a05ab0605693aa715b95120bc0132079ded06) Signed-off-by: Anton Khirnov --- libavcodec/cdgraphics.c | 1 - libavcodec/kgv1dec.c | 1 - libavcodec/pngdec.c | 1 - libavcodec/pnmdec.c | 5 ----- libavcodec/sp5xdec.c | 2 +- 5 files changed, 1 insertion(+), 9 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 2f8e98ca3d..bcfb6e9be5 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -377,6 +377,5 @@ AVCodec ff_cdgraphics_decoder = { cdg_decode_end, cdg_decode_frame, CODEC_CAP_DR1, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("CD Graphics video"), }; diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 57684340af..88c54bf817 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -173,6 +173,5 @@ AVCodec ff_kgv1_decoder = { NULL, decode_end, decode_frame, - .max_lowres = 1, .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"), }; diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 7477f6746b..1268c9e781 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -667,6 +667,5 @@ AVCodec ff_png_decoder = { decode_frame, CODEC_CAP_DR1 /*| CODEC_CAP_DRAW_HORIZ_BAND*/, NULL, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PNG image"), }; diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index b9f20c0569..988ea0c267 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -199,7 +199,6 @@ AVCodec ff_pgm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_GRAY8, PIX_FMT_GRAY16BE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PGM (Portable GrayMap) image"), }; #endif @@ -216,7 +215,6 @@ AVCodec ff_pgmyuv_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_YUV420P, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PGMYUV (Portable GrayMap YUV) image"), }; #endif @@ -233,7 +231,6 @@ AVCodec ff_ppm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB48BE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PPM (Portable PixelMap) image"), }; #endif @@ -250,7 +247,6 @@ AVCodec ff_pbm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_MONOWHITE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PBM (Portable BitMap) image"), }; #endif @@ -267,7 +263,6 @@ AVCodec ff_pam_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB32, PIX_FMT_GRAY8, PIX_FMT_MONOWHITE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PAM (Portable AnyMap) image"), }; #endif diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 6726c18ca9..ae25733530 100644 --- a/libavcodec/sp5xdec.c +++ b/libavcodec/sp5xdec.c @@ -104,7 +104,7 @@ AVCodec ff_sp5x_decoder = { sp5x_decode_frame, CODEC_CAP_DR1, NULL, - .max_lowres = 5, + .max_lowres = 3, .long_name = NULL_IF_CONFIG_SMALL("Sunplus JPEG (SP5X)"), }; From 8e0a53bd34829f594574ff810f410cc47bfac620 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 21 Jul 2011 14:25:01 +0200 Subject: [PATCH 0175/1119] rv30: return AVERROR(EINVAL) instead of EINVAL On some platforms EINVAL could be positive, ensure we return negative values. (cherry picked from commit e5985185d2eda942333ebbb72bd7d043ffe40be7) Signed-off-by: Anton Khirnov --- libavcodec/rv30.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 2b423cc0d2..b7f43a4bd0 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,7 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); - return EINVAL; + return AVERROR(EINVAL); } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From 8abaa83d2c5ddc1cfe3f5e3eabcaac2b33cd5f12 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 26 Jul 2011 10:58:29 -0700 Subject: [PATCH 0176/1119] vp3/theora: flush after seek. (cherry picked from commit 8dcf5184307f072d55fb29373be05ef8b0fd02df) Signed-off-by: Anton Khirnov --- libavcodec/vp3.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c3dff7f89f..c117a64084 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2321,6 +2321,26 @@ static av_cold int theora_decode_init(AVCodecContext *avctx) return vp3_decode_init(avctx); } +static void vp3_decode_flush(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + if (s->golden_frame.data[0]) { + if (s->golden_frame.data[0] == s->last_frame.data[0]) + memset(&s->last_frame, 0, sizeof(AVFrame)); + if (s->current_frame.data[0] == s->golden_frame.data[0]) + memset(&s->current_frame, 0, sizeof(AVFrame)); + ff_thread_release_buffer(avctx, &s->golden_frame); + } + if (s->last_frame.data[0]) { + if (s->current_frame.data[0] == s->last_frame.data[0]) + memset(&s->current_frame, 0, sizeof(AVFrame)); + ff_thread_release_buffer(avctx, &s->last_frame); + } + if (s->current_frame.data[0]) + ff_thread_release_buffer(avctx, &s->current_frame); +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2332,6 +2352,7 @@ AVCodec ff_theora_decoder = { vp3_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, NULL, + .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; @@ -2348,6 +2369,7 @@ AVCodec ff_vp3_decoder = { vp3_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, NULL, + .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; From c5388d680e62db36ab235b5076d3b0c1eb5a04f4 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 29 Jul 2011 15:27:36 -0700 Subject: [PATCH 0177/1119] mxfdec: Include FF_INPUT_BUFFER_PADDING_SIZE when allocating extradata. This prevents out of bounds reads when extradata is being decoded. (cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356) Signed-off-by: Anton Khirnov --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 82daa2a002..fcee7a7b83 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -599,7 +599,7 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int default: /* Private uid used by SONY C0023S01.mxf */ if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) { - descriptor->extradata = av_malloc(size); + descriptor->extradata = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE); if (!descriptor->extradata) return -1; descriptor->extradata_size = size; From 82d7ad3344e11a33ab639052fcda6b30a378546a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 29 Jul 2011 15:49:11 -0700 Subject: [PATCH 0178/1119] aac: Remove some suspicious illegal memcpy()s from LTP. (cherry picked from commit a6c49f18abacb9bf52d4d808a2a56561a5b5445c) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 69aacb86d6..f94b109de5 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1753,12 +1753,10 @@ static void windowing_and_mdct_ltp(AACContext *ac, float *out, } else { memset(in, 0, 448 * sizeof(float)); ac->dsp.vector_fmul(in + 448, in + 448, swindow_prev, 128); - memcpy(in + 576, in + 576, 448 * sizeof(float)); } if (ics->window_sequence[0] != LONG_START_SEQUENCE) { ac->dsp.vector_fmul_reverse(in + 1024, in + 1024, lwindow, 1024); } else { - memcpy(in + 1024, in + 1024, 448 * sizeof(float)); ac->dsp.vector_fmul_reverse(in + 1024 + 448, in + 1024 + 448, swindow, 128); memset(in + 1024 + 576, 0, 448 * sizeof(float)); } From 3af3a871afa31f570ce92e6a6647cb55357f62b5 Mon Sep 17 00:00:00 2001 From: Edgar Hucek Date: Sun, 11 Sep 2011 12:53:17 +0200 Subject: [PATCH 0179/1119] Fix VA-API decoding artefacts. Fixes ticket #457. (cherry picked from commit 3fec40b601827e75aae9f0baa47671af15de181a) --- libavcodec/vaapi_h264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c index 922dc86963..7d8eb606c9 100644 --- a/libavcodec/vaapi_h264.c +++ b/libavcodec/vaapi_h264.c @@ -281,7 +281,8 @@ static int start_frame(AVCodecContext *avctx, if (!iq_matrix) return -1; memcpy(iq_matrix->ScalingList4x4, h->pps.scaling_matrix4, sizeof(iq_matrix->ScalingList4x4)); - memcpy(iq_matrix->ScalingList8x8, h->pps.scaling_matrix8, sizeof(iq_matrix->ScalingList8x8)); + memcpy(iq_matrix->ScalingList8x8[0], h->pps.scaling_matrix8[0], sizeof(iq_matrix->ScalingList8x8[0])); + memcpy(iq_matrix->ScalingList8x8[1], h->pps.scaling_matrix8[3], sizeof(iq_matrix->ScalingList8x8[0])); return 0; } From 01f1201267f3d5c24d835c940545665382dc4ef1 Mon Sep 17 00:00:00 2001 From: Edgar Hucek Date: Sun, 11 Sep 2011 12:53:17 +0200 Subject: [PATCH 0180/1119] Fix VA-API decoding artefacts. Fixes ticket #457. (cherry picked from commit 3fec40b601827e75aae9f0baa47671af15de181a) --- libavcodec/vaapi_h264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c index 922dc86963..7d8eb606c9 100644 --- a/libavcodec/vaapi_h264.c +++ b/libavcodec/vaapi_h264.c @@ -281,7 +281,8 @@ static int start_frame(AVCodecContext *avctx, if (!iq_matrix) return -1; memcpy(iq_matrix->ScalingList4x4, h->pps.scaling_matrix4, sizeof(iq_matrix->ScalingList4x4)); - memcpy(iq_matrix->ScalingList8x8, h->pps.scaling_matrix8, sizeof(iq_matrix->ScalingList8x8)); + memcpy(iq_matrix->ScalingList8x8[0], h->pps.scaling_matrix8[0], sizeof(iq_matrix->ScalingList8x8[0])); + memcpy(iq_matrix->ScalingList8x8[1], h->pps.scaling_matrix8[3], sizeof(iq_matrix->ScalingList8x8[0])); return 0; } From b8fa424ce2e2f7206bdf37f2da8410764358cab3 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sat, 29 Jan 2011 17:05:42 -0800 Subject: [PATCH 0181/1119] libx264: do not set pic quality if no frame is output Avoids uninitialized reads. Signed-off-by: Anton Khirnov (cherry picked from commit 5caa2de19ece830e32c95731bc92a423d55cff0c) Signed-off-by: Anton Khirnov --- libavcodec/libx264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index e5fac00469..74ee1d45e0 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -138,7 +138,8 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, } x4->out_pic.key_frame = pic_out.b_keyframe; - x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; + if (bufsize) + x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; return bufsize; } From f629fcd308059a41f55a6022afee0f737af5fc02 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 10 Aug 2011 14:07:35 -0400 Subject: [PATCH 0182/1119] Remove incorrect info in documentation of AVCodecContext.bits_per_raw_sample. bits_per_raw_sample is used in video as well, where sample_fmt is not used. (cherry picked from commit d271d5b2152cafe540f3ab71d3be6ce8636d2fd6) Signed-off-by: Anton Khirnov --- libavcodec/avcodec.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 9a3076ae27..0269892028 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2559,7 +2559,6 @@ typedef struct AVCodecContext { /** * Bits per sample/pixel of internal libavcodec pixel/sample format. - * This field is applicable only when sample_fmt is AV_SAMPLE_FMT_S32. * - encoding: set by user. * - decoding: set by libavcodec. */ From cc4718196ad6cfe765fa1e8db0adef0e5bb09664 Mon Sep 17 00:00:00 2001 From: Dustin Brody Date: Thu, 11 Aug 2011 08:57:58 -0400 Subject: [PATCH 0183/1119] h264: notice memory allocation failure Signed-off-by: Ronald S. Bultje (cherry picked from commit bac3ab13ea6a9dd8853e79ef3eacf51d234c8774) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 2c000a3420..99be210d13 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1165,7 +1165,10 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } context_init(h); for(i=0; i<2; i++){ @@ -2635,7 +2638,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->prev_interlaced_frame = 1; init_scan_tables(h); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } if (!HAVE_THREADS || !(s->avctx->active_thread_type&FF_THREAD_SLICE)) { if (context_init(h) < 0) { From 210d8f4ca23b97bcb34b18a92c6a66b243e86021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 13 Aug 2011 11:58:18 +0200 Subject: [PATCH 0184/1119] VC-1: fix reading of custom PAR. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Custom PAR num/denum are in 1-256 range. Signed-off-by: Reimar Döffinger Signed-off-by: Diego Biurrun (cherry picked from commit 0e8696551414d4ea0aab2559f9475d1fe49d08f3) Signed-off-by: Anton Khirnov --- libavcodec/vc1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 32869b97d1..5e53680ec6 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -485,8 +485,8 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) if(ar && ar < 14){ v->s.avctx->sample_aspect_ratio = ff_vc1_pixel_aspect[ar]; }else if(ar == 15){ - w = get_bits(gb, 8); - h = get_bits(gb, 8); + w = get_bits(gb, 8) + 1; + h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } av_log(v->s.avctx, AV_LOG_DEBUG, "Aspect: %i:%i\n", v->s.avctx->sample_aspect_ratio.num, v->s.avctx->sample_aspect_ratio.den); From e30e0a16af274f87c028ce4884d5b2e415517902 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 8 Jun 2011 14:32:07 +0000 Subject: [PATCH 0185/1119] flvenc: use int64_t to store offsets Metadata currently is written only at the start of the file in normal cases, when transcoding from a rtmp source metadata could be written later and the offset recorded can exceed 32bit. Signed-off-by: Anton Khirnov (cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6) Signed-off-by: Anton Khirnov --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 487993cd9a..bd1a1f49fe 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -177,7 +177,7 @@ static int flv_write_header(AVFormatContext *s) AVCodecContext *audio_enc = NULL, *video_enc = NULL; int i; double framerate = 0.0; - int metadata_size_pos, data_size; + int64_t metadata_size_pos, data_size; AVDictionaryEntry *tag = NULL; for(i=0; inb_streams; i++){ From 303e48e6a24bbc34148457137cfffc53185fa7d3 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 17 Aug 2011 10:36:33 +0200 Subject: [PATCH 0186/1119] rv10/20: tell decoder to use edge emulation This removes out-of-edge motion compensation artifacts (easily spotted green blocks in avplay, gray blocks in transcoding), for example here: http://samples.libav.org/samples/real/tv_watching_t1.rm Signed-off-by: Diego Biurrun (cherry picked from commit 331971116d7d36743601bd2dc5384c5211d3bb48) Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 6227dc6f6c..78f97b16b1 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -438,6 +438,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) s->avctx= avctx; s->out_format = FMT_H263; s->codec_id= avctx->codec_id; + avctx->flags |= CODEC_FLAG_EMU_EDGE; s->orig_width = s->width = avctx->coded_width; s->orig_height= s->height = avctx->coded_height; From 5925e25218cb8f053bc81591995d78728ab096f2 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 16 Aug 2011 11:03:26 -0700 Subject: [PATCH 0187/1119] aac: Only output configure if audio was found. Audio found is not triggered on a CCE because a CCE alone has no output. Signed-off-by: Luca Barbato (cherry picked from commit d8425ed4af6d8fce62ff363cc590f85e57bac06b) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index f94b109de5..2958ddbe72 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -2074,7 +2074,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, ChannelElement *che = NULL, *che_prev = NULL; enum RawDataBlockType elem_type, elem_type_prev = TYPE_END; int err, elem_id, data_size_tmp; - int samples = 0, multiplier; + int samples = 0, multiplier, audio_found = 0; if (show_bits(gb, 12) == 0xfff) { if (parse_adts_frame_header(ac, gb) < 0) { @@ -2105,10 +2105,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_SCE: err = decode_ics(ac, &che->ch[0], gb, 0, 0); + audio_found = 1; break; case TYPE_CPE: err = decode_cpe(ac, gb, che); + audio_found = 1; break; case TYPE_CCE: @@ -2117,6 +2119,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_LFE: err = decode_ics(ac, &che->ch[0], gb, 0, 0); + audio_found = 1; break; case TYPE_DSE: @@ -2193,7 +2196,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, samples, avctx->channels); } - if (ac->output_configured) + if (ac->output_configured && audio_found) ac->output_configured = OC_LOCKED; return 0; From cb9ccc89c5e3d950fdce88e84e29ad8234240c15 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 14:21:54 -0400 Subject: [PATCH 0188/1119] h264: correct the check for invalid long term frame index in MMCO decode The current check on MMCO parameters prohibits a "max long term frame index plus 1" of 16 (frame idx of 15) for the "set max long term frame index" MMCO. Fix this off-by-one error to allow the full range of legal values. Signed-off-by: Diego Biurrun (cherry picked from commit 29a09eae9a827f4dbc9c4517180d8fe2ecef321a) Signed-off-by: Anton Khirnov --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index a025f7d352..b1c27ec810 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -678,7 +678,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){ } if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){ unsigned int long_arg= get_ue_golomb_31(gb); - if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ + if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode); return -1; } From 767efcb46e6be63bca6856c4c6028746cc2f4360 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 6 Jul 2011 11:54:36 -0400 Subject: [PATCH 0189/1119] h264: correct implicit weight table computation for long ref pics Correct computation of implicit weight tables when referencing pictures that are marked for long reference. Signed-off-by: Diego Biurrun (cherry picked from commit 87cf70eb237e7586cc7399627dafa1b980ec0b7d) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 99be210d13..1c60de7023 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2198,15 +2198,17 @@ static void implicit_weight_table(H264Context *h, int field){ for(ref0=ref_start; ref0 < ref_count0; ref0++){ int poc0 = h->ref_list[0][ref0].poc; for(ref1=ref_start; ref1 < ref_count1; ref1++){ - int poc1 = h->ref_list[1][ref1].poc; - int td = av_clip(poc1 - poc0, -128, 127); - int w= 32; - if(td){ - int tb = av_clip(cur_poc - poc0, -128, 127); - int tx = (16384 + (FFABS(td) >> 1)) / td; - int dist_scale_factor = (tb*tx + 32) >> 8; - if(dist_scale_factor >= -64 && dist_scale_factor <= 128) - w = 64 - dist_scale_factor; + int w = 32; + if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { + int poc1 = h->ref_list[1][ref1].poc; + int td = av_clip(poc1 - poc0, -128, 127); + if(td){ + int tb = av_clip(cur_poc - poc0, -128, 127); + int tx = (16384 + (FFABS(td) >> 1)) / td; + int dist_scale_factor = (tb*tx + 32) >> 8; + if(dist_scale_factor >= -64 && dist_scale_factor <= 128) + w = 64 - dist_scale_factor; + } } if(field<0){ h->implicit_weight[ref0][ref1][0]= From 566d26923ec59d9897cd7c73e3689484135a78c6 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 13:20:06 -0400 Subject: [PATCH 0190/1119] h264: fix PCM intra-coded blocks in monochrome case Signed-off-by: Diego Biurrun (cherry picked from commit 6581e161c5f46733a5619208483de29416eb9a51) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1c60de7023..75075f6b3c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1851,15 +1851,30 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i tmp_y[j] = get_bits(&gb, bit_depth); } if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){ - for (i = 0; i < 8; i++) { - uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); - for (j = 0; j < 8; j++) - tmp_cb[j] = get_bits(&gb, bit_depth); - } - for (i = 0; i < 8; i++) { - uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); - for (j = 0; j < 8; j++) - tmp_cr[j] = get_bits(&gb, bit_depth); + if (!h->sps.chroma_format_idc) { + for (i = 0; i < 8; i++) { + uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); + for (j = 0; j < 8; j++) { + tmp_cb[j] = 1 << (bit_depth - 1); + } + } + for (i = 0; i < 8; i++) { + uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); + for (j = 0; j < 8; j++) { + tmp_cr[j] = 1 << (bit_depth - 1); + } + } + } else { + for (i = 0; i < 8; i++) { + uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); + for (j = 0; j < 8; j++) + tmp_cb[j] = get_bits(&gb, bit_depth); + } + for (i = 0; i < 8; i++) { + uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); + for (j = 0; j < 8; j++) + tmp_cr[j] = get_bits(&gb, bit_depth); + } } } } else { @@ -1867,9 +1882,16 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i memcpy(dest_y + i* linesize, h->mb + i*8, 16); } if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){ - for (i=0; i<8; i++) { - memcpy(dest_cb+ i*uvlinesize, h->mb + 128 + i*4, 8); - memcpy(dest_cr+ i*uvlinesize, h->mb + 160 + i*4, 8); + if (!h->sps.chroma_format_idc) { + for (i = 0; i < 8; i++) { + memset(dest_cb + i*uvlinesize, 128, 8); + memset(dest_cr + i*uvlinesize, 128, 8); + } + } else { + for (i = 0; i < 8; i++) { + memcpy(dest_cb + i*uvlinesize, h->mb + 128 + i*4, 8); + memcpy(dest_cr + i*uvlinesize, h->mb + 160 + i*4, 8); + } } } } From f45cfb4751eb1012bb2c4e5303b7558593a17127 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 23 Aug 2011 17:28:33 +0200 Subject: [PATCH 0191/1119] lavc: remove vbv_delay option It's broken and serves no purpose as it's a read-only field. (cherry picked from commit 8ee18b4bee24f99e733cf1425894e82c25d02426) Signed-off-by: Anton Khirnov --- libavcodec/options.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index ae9e0c902d..792bb5941c 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -449,7 +449,6 @@ static const AVOption options[]={ {"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, {"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, -{"vbv_delay", "initial buffer fill time in periods of 27Mhz clock", 0, FF_OPT_TYPE_INT64, {.dbl = 0 }, 0, INT64_MAX}, {"audio_service_type", "audio service type", OFFSET(audio_service_type), FF_OPT_TYPE_INT, {.dbl = AV_AUDIO_SERVICE_TYPE_MAIN }, 0, AV_AUDIO_SERVICE_TYPE_NB-1, A|E, "audio_service_type"}, {"ma", "Main Audio Service", 0, FF_OPT_TYPE_CONST, {.dbl = AV_AUDIO_SERVICE_TYPE_MAIN }, INT_MIN, INT_MAX, A|E, "audio_service_type"}, {"ef", "Effects", 0, FF_OPT_TYPE_CONST, {.dbl = AV_AUDIO_SERVICE_TYPE_EFFECTS }, INT_MIN, INT_MAX, A|E, "audio_service_type"}, From a8edc1cbc76f2c8144796f3f984bc4607fb0d71d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 24 Aug 2011 14:36:16 -0700 Subject: [PATCH 0192/1119] vc1: properly zero coded_block[] edges on new slice entry. Previously, we would leave the left edge uninitialized, which led to CBP prediction errors on slice edges, e.g. in SA10098.vc1. (cherry picked from commit d4b9974465baf893e90527a366e7a7411ded1ef8) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 8fca2da738..b17ce30b5c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3020,7 +3020,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v) s->mb_x = 0; ff_init_block_index(s); memset(&s->coded_block[s->block_index[0]-s->b8_stride], 0, - s->b8_stride * sizeof(*s->coded_block)); + (1 + s->b8_stride) * sizeof(*s->coded_block)); } for(; s->mb_y < s->end_mb_y; s->mb_y++) { s->mb_x = 0; From 526f24e3fd731e11b5c19bccf26b392d7a007327 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alberto=20Delm=C3=A1s?= Date: Thu, 25 Aug 2011 11:00:37 +0200 Subject: [PATCH 0193/1119] VC1: Fix first/last row checks with slices In some places 0/mb_height were used in place of start_mb_y/end_mb_y. Fixes SA00049, SA00058, SA10091, SA10097, SA10131, SA20021, SA30030 Improves PSNR in SA00054, SA00059, SA00060, SA10096, SA10098, SA20022, SA30031, SA30032, SA40012, SA40013 Signed-off-by: Ronald S. Bultje (cherry picked from commit 1cf82cab0840d669198ea76ab0363aa661950647) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index b17ce30b5c..c87558bc50 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -243,7 +243,7 @@ static void vc1_loop_filter_iblk(VC1Context *v, int pq) } v->vc1dsp.vc1_v_loop_filter16(s->dest[0] + 8*s->linesize, s->linesize, pq); - if (s->mb_y == s->mb_height-1) { + if (s->mb_y == s->end_mb_y-1) { if (s->mb_x) { v->vc1dsp.vc1_h_loop_filter16(s->dest[0], s->linesize, pq); v->vc1dsp.vc1_h_loop_filter8(s->dest[1], s->uvlinesize, pq); @@ -295,7 +295,7 @@ static void vc1_loop_filter_iblk_delayed(VC1Context *v, int pq) v->vc1dsp.vc1_v_loop_filter16(s->dest[0] - 8 * s->linesize, s->linesize, pq); } - if (s->mb_y == s->mb_height) { + if (s->mb_y == s->end_mb_y) { if (s->mb_x) { if (s->mb_x >= 2) v->vc1dsp.vc1_h_loop_filter16(s->dest[0] - 16 * s->linesize - 16, s->linesize, pq); @@ -2330,7 +2330,7 @@ static av_always_inline void vc1_apply_p_v_loop_filter(VC1Context *v, int block_ } else { dst = s->dest[0] + (block_num & 1) * 8 + ((block_num & 2) * 4 - 8) * linesize; } - if (s->mb_y != s->mb_height || block_num < 2) { + if (s->mb_y != s->end_mb_y || block_num < 2) { int16_t (*mv)[2]; int mv_stride; @@ -3096,7 +3096,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v) if(v->s.loop_filter) vc1_loop_filter_iblk_delayed(v, v->pq); } if (v->s.loop_filter) - ff_draw_horiz_band(s, (s->mb_height-1)*16, 16); + ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16); ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); } @@ -3219,7 +3219,7 @@ static void vc1_decode_b_blocks(VC1Context *v) s->first_slice_line = 0; } if (v->s.loop_filter) - ff_draw_horiz_band(s, (s->mb_height-1)*16, 16); + ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16); ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); } @@ -3227,9 +3227,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; - ff_er_add_slice(s, 0, 0, s->mb_width - 1, s->mb_height - 1, (AC_END|DC_END|MV_END)); + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); s->first_slice_line = 1; - for(s->mb_y = 0; s->mb_y < s->mb_height; s->mb_y++) { + for(s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { s->mb_x = 0; ff_init_block_index(s); ff_update_block_index(s); From a7d35b2f99365b56937c144d05ca36ebe5458154 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Mar 2011 03:30:24 +0100 Subject: [PATCH 0194/1119] vf_scale: don't leak SWS context. Signed-off-by: Anton Khirnov (cherry picked from commit 52982dbe474663709033e1ad259f8ff7a5a2eefa) Signed-off-by: Anton Khirnov --- libavfilter/vf_scale.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 65fe01c9ae..5288d32116 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -205,6 +205,8 @@ static int config_props(AVFilterLink *outlink) scale->input_is_pal = av_pix_fmt_descriptors[inlink->format].flags & PIX_FMT_PAL; + if (scale->sws) + sws_freeContext(scale->sws); scale->sws = sws_getContext(inlink ->w, inlink ->h, inlink ->format, outlink->w, outlink->h, outlink->format, scale->flags, NULL, NULL, NULL); From fe9dae6df8be03ed5e62819ba98f16bfeb510abd Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 25 Jul 2011 18:51:02 -0400 Subject: [PATCH 0195/1119] cpu detection: avoid a signed overflow 1<<31 overflows because 1 is signed, so force it to unsigned. Signed-off-by: Ronald S. Bultje (cherry picked from commit 5938e02185430ca711106aaec9b5622dbf588af3) Signed-off-by: Anton Khirnov --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 78aeadf0a1..f747e4dba8 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -113,7 +113,7 @@ int ff_get_cpu_flags_x86(void) if(max_ext_level >= 0x80000001){ cpuid(0x80000001, eax, ebx, ecx, ext_caps); - if (ext_caps & (1<<31)) + if (ext_caps & (1U<<31)) rval |= AV_CPU_FLAG_3DNOW; if (ext_caps & (1<<30)) rval |= AV_CPU_FLAG_3DNOWEXT; From de33e8675c9a67c223ca5e4e14532b217149a9c9 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 23 Aug 2011 07:46:51 +0200 Subject: [PATCH 0196/1119] AVOptions: fix av_set_string3() doxy to match reality. Fixes bug 28. (cherry picked from commit e955a682e125d44143415ff2b96a99a4dac78da2) Signed-off-by: Anton Khirnov --- libavutil/opt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.h b/libavutil/opt.h index 30aa54f5b6..ce65865069 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -134,7 +134,7 @@ const AVOption *av_find_opt(void *obj, const char *name, const char *unit, int m * when 0 then no av_free() nor av_strdup() will be used * @return 0 if the value has been set, or an AVERROR code in case of * error: - * AVERROR(ENOENT) if no matching option exists + * AVERROR_OPTION_NOT_FOUND if no matching option exists * AVERROR(ERANGE) if the value is out of range * AVERROR(EINVAL) if the value is not valid */ From 7850a9b384d06d41bdde4a79d087509cad6c46c5 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 4 Sep 2011 09:56:47 +0200 Subject: [PATCH 0197/1119] lavc: fix type for thread_type option It should be flags, not int. (cherry picked from commit fb47997edb9d8ff16fc380d005a08c0545624aa6) Signed-off-by: Anton Khirnov --- libavcodec/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index 792bb5941c..411094ba11 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -446,7 +446,7 @@ static const AVOption options[]={ {"lpc_passes", "deprecated, use flac-specific options", OFFSET(lpc_passes), FF_OPT_TYPE_INT, {.dbl = -1 }, INT_MIN, INT_MAX, A|E}, #endif {"slices", "number of slices, used in parallelized decoding", OFFSET(slices), FF_OPT_TYPE_INT, {.dbl = 0 }, 0, INT_MAX, V|E}, -{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, +{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_FLAGS, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, {"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"audio_service_type", "audio service type", OFFSET(audio_service_type), FF_OPT_TYPE_INT, {.dbl = AV_AUDIO_SERVICE_TYPE_MAIN }, 0, AV_AUDIO_SERVICE_TYPE_NB-1, A|E, "audio_service_type"}, From a652bb2857a753a18181fb2e1373f4bf7cf04a46 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 23:12:32 +0200 Subject: [PATCH 0198/1119] Fixed invalid access in wavpack decoder on corrupted extra bits sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e4fe217f59..64725c72c0 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -385,7 +385,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in if(s->extra_bits){ S <<= s->extra_bits; - if(s->got_extra_bits){ + if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){ S |= get_bits(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16); } From 46d9dd6980bb630a2067ec92e5dd4c46949ed46c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:17:39 +0200 Subject: [PATCH 0199/1119] Fixed invalid writes in wavpack decoder on corrupted bitstreams. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 64725c72c0..5bd677e45e 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1113,7 +1113,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1122,7 +1122,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1131,7 +1131,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; From 94af9cf46bc14c5b912c35e87c409c321c18ceac Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:02:55 +0200 Subject: [PATCH 0200/1119] Fixed invalid access in wavpack decoder on corrupted bitstream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 5bd677e45e..343120f494 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } }else{ t = get_unary_0_33(gb); - if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1)); + if(t >= 2){ + if(get_bits_left(gb) < t-1) + goto error; + t = get_bits(gb, t - 1) | (1 << (t-1)); + }else{ + if(get_bits_left(gb) < 0) + goto error; + } ctx->zeroes = t; if(ctx->zeroes){ memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median)); @@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } } - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } - if(ctx->zero){ t = 0; ctx->zero = 0; }else{ t = get_unary_0_33(gb); - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } + if(get_bits_left(gb) < 0) + goto error; if(t == 16) { t2 = get_unary_0_33(gb); - if(t2 < 2) t += t2; - else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + if(t2 < 2){ + if(get_bits_left(gb) < 0) + goto error; + t += t2; + }else{ + if(get_bits_left(gb) < t2 - 1) + goto error; + t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + } } if(ctx->one){ @@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } if(!c->error_limit){ ret = base + get_tail(gb, add); + if (get_bits_left(gb) <= 0) + goto error; }else{ int mid = (base*2 + add + 1) >> 1; while(add > c->error_limit){ + if(get_bits_left(gb) <= 0) + goto error; if(get_bits1(gb)){ add -= (mid - base); base = mid; @@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel if(ctx->hybrid_bitrate) c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level); return sign ? ~ret : ret; + +error: + *last = 1; + return 0; } static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S) @@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); @@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); From a460d9e1f7e85759f2cf4db136ff00b758549c47 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 8 Sep 2011 11:02:43 -0700 Subject: [PATCH 0201/1119] wavpack: Check error codes rather than working around error conditions. (cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 343120f494..f614c7afec 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1119,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32); else samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + + if (samplecount < 0) + return -1; + samplecount >>= 1; }else{ const int channel_stride = avctx->channels; @@ -1130,11 +1134,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, else samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + if (samplecount < 0) + return -1; + if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){ int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1143,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1152,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; From 144c80042b05b7e89abc16efcd52304548958d58 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 22:04:09 +0200 Subject: [PATCH 0202/1119] ffv1: Fixed size given to init_get_bits() in decoder. init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Alex Converse (cherry picked from commit 46b004959bb7870a361a57272cd5fa7eea34250b) Signed-off-by: Anton Khirnov --- libavcodec/ffv1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 50f1062ad4..ab2cc6e7cd 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -1765,7 +1765,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac bytes_read = c->bytestream - c->bytestream_start - 1; if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME //printf("pos=%d\n", bytes_read); - init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read); + init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8); } else { bytes_read = 0; /* avoid warning */ } @@ -1782,7 +1782,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if(fs->ac){ ff_init_range_decoder(&fs->c, buf_p, v); }else{ - init_get_bits(&fs->gb, buf_p, v); + init_get_bits(&fs->gb, buf_p, v * 8); } } From 1656dd7a4e72fcf3405f08b56d7293d87a329d7b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:24:19 -0700 Subject: [PATCH 0203/1119] indeo2: init_get_bits size in bits instead of bytes (cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8) Signed-off-by: Anton Khirnov --- libavcodec/indeo2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 0e588c3966..6cf893b15e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -165,7 +165,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, #endif start = 48; /* hardcoded for now */ - init_get_bits(&s->gb, buf + start, buf_size - start); + init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); if (s->decode_delta) { /* intraframe */ ir2_decode_plane(s, avctx->width, avctx->height, From 6b1af6a3284e7146b619dff96d88492d47645050 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:26:49 -0700 Subject: [PATCH 0204/1119] indeo2: fail if input buffer too small (cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055) Signed-off-by: Anton Khirnov --- libavcodec/indeo2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 6cf893b15e..544f476774 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -156,6 +156,13 @@ static int ir2_decode_frame(AVCodecContext *avctx, return -1; } + start = 48; /* hardcoded for now */ + + if (start >= buf_size) { + av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->decode_delta = buf[18]; /* decide whether frame uses deltas or not */ @@ -163,7 +170,6 @@ static int ir2_decode_frame(AVCodecContext *avctx, for (i = 0; i < buf_size; i++) buf[i] = av_reverse[buf[i]]; #endif - start = 48; /* hardcoded for now */ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); From dd6334a1e425953dc1b0163e7e19b3d94e250ef5 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 14:50:33 -0700 Subject: [PATCH 0205/1119] cljr: init_get_bits size in bits instead of bytes (cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2) Signed-off-by: Anton Khirnov --- libavcodec/cljr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c index e2b01e2a6a..b83919e71d 100644 --- a/libavcodec/cljr.c +++ b/libavcodec/cljr.c @@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx, p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; - init_get_bits(&a->gb, buf, buf_size); + init_get_bits(&a->gb, buf, buf_size * 8); for(y=0; yheight; y++){ uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ]; From c11d360ebc86e994e223b646b62f471b0fbbe8d3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 21:43:03 +0200 Subject: [PATCH 0206/1119] Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f614c7afec..155633f3ac 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -862,12 +862,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } switch(id & WP_IDF_MASK){ case WP_ID_DECTERMS: - s->terms = size; - if(s->terms > MAX_TERMS){ + if(size > MAX_TERMS){ av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n"); + s->terms = 0; buf += ssize; continue; } + s->terms = size; for(i = 0; i < s->terms; i++) { s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5; s->decorr[s->terms - i - 1].delta = *buf >> 5; From 1125f26f83da490c9740cd84f52060a5ffb34e5b Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 12 Sep 2011 09:40:42 +0200 Subject: [PATCH 0207/1119] smacker demuxer: handle possible av_realloc() failure. Signed-off-by: Anton Khirnov (cherry picked from commit 47a8589f7bc69d1a29da1dfdfbd0dfa78a9e31fd) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index db9a02bb6c..135b4ae708 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -286,11 +286,16 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) for(i = 0; i < 7; i++) { if(flags & 1) { int size; + uint8_t *tmpbuf; + size = avio_rl32(s->pb) - 4; frame_size -= size; frame_size -= 4; smk->curstream++; - smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); + tmpbuf = av_realloc(smk->bufs[smk->curstream], size); + if (!tmpbuf) + return AVERROR(ENOMEM); + smk->bufs[smk->curstream] = tmpbuf; smk->buf_sizes[smk->curstream] = size; ret = avio_read(s->pb, smk->bufs[smk->curstream], size); if(ret != size) From bb0c352ec550f19b8ced2675ebd266305ca25a99 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 10 Sep 2011 00:32:12 +0200 Subject: [PATCH 0208/1119] Fixed size given to init_get_bits() in xan decoder. (cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 876a9a5558..521764fd1c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -95,17 +95,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_huffman_decode(unsigned char *dest, const unsigned char *src, - int dest_len) +static int xan_huffman_decode(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char byte = *src++; unsigned char ival = byte + 0x16; const unsigned char * ptr = src + byte*2; + int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; GetBitContext gb; - init_get_bits(&gb, ptr, 0); // FIXME: no src size available + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { val = src[val - 0x17 + get_bits1(&gb) * byte]; @@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) { vector_segment = s->buf + AV_RL16(&s->buf[4]); imagedata_segment = s->buf + AV_RL16(&s->buf[6]); - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size); + xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - (huffman_segment - s->buf) ); if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); From dc6ee1836392b6046cc3314a7fa8c58473318890 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 16:10:03 -0700 Subject: [PATCH 0209/1119] xan: Add some buffer checks (cherry picked from commit 0872bb23b4bd2d94a8ba91070f706d1bc1c3ced8) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 521764fd1c..88a9adbc30 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -106,6 +106,9 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, unsigned char *dest_end = dest + dest_len; GetBitContext gb; + if (ptr_len < 0) + return AVERROR_INVALIDDATA; + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { @@ -245,7 +248,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, } } -static void xan_wc3_decode_frame(XanContext *s) { +static int xan_wc3_decode_frame(XanContext *s) { int width = s->avctx->width; int height = s->avctx->height; @@ -265,14 +268,30 @@ static void xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; + int huffman_offset, size_offset, vector_offset, imagedata_offset; - huffman_segment = s->buf + AV_RL16(&s->buf[0]); - size_segment = s->buf + AV_RL16(&s->buf[2]); - vector_segment = s->buf + AV_RL16(&s->buf[4]); - imagedata_segment = s->buf + AV_RL16(&s->buf[6]); + if (s->size < 8) + return AVERROR_INVALIDDATA; - xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - (huffman_segment - s->buf) ); + huffman_offset = AV_RL16(&s->buf[0]); + size_offset = AV_RL16(&s->buf[2]); + vector_offset = AV_RL16(&s->buf[4]); + imagedata_offset = AV_RL16(&s->buf[6]); + + if (huffman_offset >= s->size || + size_offset >= s->size || + vector_offset >= s->size || + imagedata_offset >= s->size) + return AVERROR_INVALIDDATA; + + huffman_segment = s->buf + huffman_offset; + size_segment = s->buf + size_offset; + vector_segment = s->buf + vector_offset; + imagedata_segment = s->buf + imagedata_offset; + + if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset) < 0) + return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); @@ -358,6 +377,7 @@ static void xan_wc3_decode_frame(XanContext *s) { y += (x + size) / width; x = (x + size) % width; } + return 0; } #if RUNTIME_GAMMA @@ -519,7 +539,8 @@ static int xan_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; - xan_wc3_decode_frame(s); + if (xan_wc3_decode_frame(s) < 0) + return AVERROR_INVALIDDATA; /* release the last frame if it is allocated */ if (s->last_frame.data[0]) From 1486e99b9039f380619f7eb516a5503ad3ad04c8 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:40 +0200 Subject: [PATCH 0210/1119] ape demuxer: fix segfault on memory allocation failure. Signed-off-by: Anton Khirnov (cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99) Signed-off-by: Anton Khirnov --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 90b02619e0..b0841002a2 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -270,6 +270,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) if (ape->seektablelength > 0) { ape->seektable = av_malloc(ape->seektablelength); + if (!ape->seektable) + return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = avio_rl32(pb); } From 2ac3aa129e7dbee5d6e19e27794706c8f2ee8345 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:13 +0200 Subject: [PATCH 0211/1119] Check for invalid packet size in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 135b4ae708..87c59a3049 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -304,6 +304,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } flags >>= 1; } + if (frame_size < 0) + return AVERROR_INVALIDDATA; if (av_new_packet(pkt, frame_size + 768)) return AVERROR(ENOMEM); if(smk->frm_size[smk->cur_frame] & 1) From 4482ee9d9c5b6e8e12b06a208f2b7b52d0bcee81 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:34 +0200 Subject: [PATCH 0212/1119] Fixed off by one packet size allocation in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 87c59a3049..a817c31355 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -306,7 +306,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } if (frame_size < 0) return AVERROR_INVALIDDATA; - if (av_new_packet(pkt, frame_size + 768)) + if (av_new_packet(pkt, frame_size + 769)) return AVERROR(ENOMEM); if(smk->frm_size[smk->cur_frame] & 1) palchange |= 2; From bc2dd37e4f6fb549c1b16e9a9791e7b8f31ed112 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:46:49 +0200 Subject: [PATCH 0213/1119] Check and propagate errors when VLC trees cannot be built in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 8060e1cee7..e8de0d89c5 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -134,10 +134,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return -1; } b1 = get_bits_count(gb); - i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3); + i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; b2 = get_bits_count(gb); - i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3); + i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { @@ -290,7 +290,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_tbl[0] = 0; smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); @@ -298,7 +299,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_tbl[0] = 0; smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); @@ -306,7 +308,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_tbl[0] = 0; smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size); + if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); @@ -314,7 +317,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_tbl[0] = 0; smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size); + if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size)) + return -1; } return 0; @@ -522,8 +526,8 @@ static av_cold int decode_init(AVCodecContext *avctx) return -1; } - decode_header_trees(c); - + if (decode_header_trees(c)) + return -1; return 0; } From a5107aab98bf67ba32eb8b6a3a7478e620b7d3b3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:49:36 +0200 Subject: [PATCH 0214/1119] Check for invalid VLC value in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e8de0d89c5..9628b07492 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -139,6 +139,8 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx b2 = get_bits_count(gb); i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; + if (i1 < 0 || i2 < 0) + return -1; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { ctx->last[0] = hc->current; From c34968c6d49496d318591f1b4492fdd9c143aaeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 23:24:56 +0200 Subject: [PATCH 0215/1119] smacker: fix a few off by 1 errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stereo & 16bit is untested due to lack of samples Signed-off-by: Martin Storsjö (cherry picked from commit 5166376f24545207607f61ed8ff4e1b0572ff320) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 8 +-- tests/ref/fate/smacker | 160 ++++++++++++++++++++--------------------- 2 files changed, 84 insertions(+), 84 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 9628b07492..1fa40def62 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -624,9 +624,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) pred[i] = av_bswap16(get_bits(&gb, 16)); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples++ = pred[i]; - for(i = 0; i < unp_size / 2; i++) { + for(; i < unp_size / 2; i++) { if(i & stereo) { if(vlc[2].table) res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); @@ -658,9 +658,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; - for(i = 0; i < unp_size; i++) { + for(; i < unp_size; i++) { if(i & stereo){ if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker index 85c4a9817c..df88a4ae8a 100644 --- a/tests/ref/fate/smacker +++ b/tests/ref/fate/smacker @@ -1,5 +1,5 @@ 0, 0, 192000, 0x8926d7fc -1, 0, 47240, 0xad778a78 +1, 0, 47240, 0x9974897c 0, 6390, 192000, 0x2506d384 0, 12780, 192000, 0x9a8dc93a 0, 19170, 192000, 0x4badb7f2 @@ -15,163 +15,163 @@ 0, 83070, 192000, 0x1a3d7971 0, 89460, 192000, 0xa1a65bd5 0, 95850, 192000, 0x344957b9 -1, 96408, 3128, 0x4c1564ae +1, 96408, 3128, 0x7e4064b4 0, 102240, 192000, 0xe23b5f4e -1, 102792, 3128, 0x34553309 +1, 102792, 3128, 0x80883301 0, 108630, 192000, 0xb5c2710b -1, 109176, 3136, 0xb474d246 +1, 109176, 3136, 0x2ad2d341 0, 115020, 192000, 0x7a25938f -1, 115576, 3128, 0x87b868ea +1, 115576, 3128, 0xda8468e3 0, 121410, 192000, 0x0a84e4c9 -1, 121959, 3136, 0xf1516dc3 +1, 121959, 3136, 0x9d6f6cdf 0, 127800, 192000, 0x94209b0d -1, 128359, 3128, 0x867563cb +1, 128359, 3128, 0x1aaa64b5 0, 134190, 192000, 0xf940e51f -1, 134743, 3128, 0x5200728c +1, 134743, 3128, 0x9182728b 0, 140580, 192000, 0xb9fdec42 -1, 141127, 3136, 0xeda118a0 +1, 141127, 3136, 0xfa8e17b3 0, 146970, 192000, 0x7b04a376 -1, 147527, 3128, 0x03e2c1d6 +1, 147527, 3128, 0x0dc3c1cf 0, 153360, 192000, 0x5fe0026b -1, 153910, 3136, 0xc3e862b6 +1, 153910, 3136, 0x0109639d 0, 159750, 192000, 0x775aca39 -1, 160310, 3128, 0x937a13be +1, 160310, 3128, 0x6d8a12d9 0, 166140, 192000, 0xae14fb32 -1, 166694, 3128, 0x7b1b9577 +1, 166694, 3128, 0x4b9a9597 0, 172530, 192000, 0x661106e5 -1, 173078, 3136, 0x042c7113 +1, 173078, 3136, 0x9112710e 0, 178920, 192000, 0xe8658dbf -1, 179478, 3128, 0xac48f451 +1, 179478, 3128, 0x8cccf522 0, 185310, 192000, 0x5359f0f9 -1, 185861, 3128, 0x018fbbe9 +1, 185861, 3128, 0x6594bbf3 0, 191700, 192000, 0xc1ec80f4 -1, 192245, 3136, 0xc62aa7ce +1, 192245, 3136, 0xd878a7d5 0, 198090, 192000, 0xca53806b -1, 198645, 3128, 0x106e3924 +1, 198645, 3128, 0xaa6e3905 0, 204480, 192000, 0xf0766b2e -1, 205029, 3136, 0xfeb82ecc +1, 205029, 3136, 0x2a062e04 0, 210870, 192000, 0x39962da8 -1, 211429, 3128, 0x7e7c005b +1, 211429, 3128, 0x84e4006a 0, 217260, 192000, 0x4171c37f -1, 217812, 3128, 0x949d3560 +1, 217812, 3128, 0x85183633 0, 223650, 192000, 0x3abf3b46 -1, 224196, 3136, 0x02bd4aff +1, 224196, 3136, 0xb62d4b02 0, 230040, 192000, 0xecc68313 -1, 230596, 3128, 0x4aaf4715 +1, 230596, 3128, 0xe209462a 0, 236430, 192000, 0xea339baf -1, 236980, 3136, 0x2958825f +1, 236980, 3136, 0x57c4824b 0, 242820, 192000, 0x616b8f16 -1, 243380, 3128, 0x99a5914d +1, 243380, 3128, 0x664a9163 0, 249210, 192000, 0xf77a8581 -1, 249763, 3128, 0xe67277a4 +1, 249763, 3128, 0xb4287874 0, 255600, 192000, 0xb315678b -1, 256147, 3136, 0x11296973 +1, 256147, 3136, 0xde626885 0, 261990, 192000, 0x0a4a5218 -1, 262547, 3128, 0x5cc362f7 +1, 262547, 3128, 0x919763c2 0, 268380, 192000, 0x98802be4 -1, 268931, 3128, 0x0c5e6586 +1, 268931, 3128, 0xa4f664e1 0, 274770, 192000, 0xa2f0fd94 -1, 275314, 3136, 0xe940b0f9 +1, 275314, 3136, 0xa0bab0d4 0, 281160, 192000, 0x6671c84f -1, 281714, 3128, 0x2c9292cc +1, 281714, 3128, 0xe938939c 0, 287550, 192000, 0x38327e31 -1, 288098, 3136, 0xa807c096 +1, 288098, 3136, 0x3679bfc7 0, 293940, 192000, 0xb85d3e08 -1, 294498, 3128, 0x9d2254d8 +1, 294498, 3128, 0xc96c55c3 0, 300330, 192000, 0xdc69eba9 -1, 300882, 3128, 0xe68015b0 +1, 300882, 3128, 0x119114d6 0, 306720, 192000, 0x8955a0b3 -1, 307265, 3136, 0x65d58029 +1, 307265, 3136, 0x42f3800f 0, 313110, 192000, 0x714a548b -1, 313665, 3128, 0xcffcc48c +1, 313665, 3128, 0x4250c4ad 0, 319500, 192000, 0xc0471de9 -1, 320049, 3136, 0x8c704944 +1, 320049, 3136, 0x5cdd4925 0, 325890, 192000, 0x2e16e039 -1, 326449, 3128, 0x1459231d +1, 326449, 3128, 0xa4c12360 0, 332280, 192000, 0x9fa4b033 -1, 332833, 3128, 0x7dde4839 +1, 332833, 3128, 0x849f48de 0, 338670, 192000, 0x4a0f9402 -1, 339216, 3136, 0xbb6890e2 +1, 339216, 3136, 0x6acd8ff9 0, 345060, 192000, 0x1f3e6843 -1, 345616, 3128, 0xcd9a8524 +1, 345616, 3128, 0xb2758556 0, 351450, 192000, 0x31774850 -1, 352000, 3128, 0xa244fc31 +1, 352000, 3128, 0x10f2fcb1 0, 357840, 192000, 0x9d5336a2 -1, 358384, 3136, 0x504e2bd9 +1, 358384, 3136, 0xf0f02b23 0, 364230, 192000, 0xf7de27a2 -1, 364784, 3128, 0x655858d8 +1, 364784, 3128, 0x64f759c6 0, 370620, 192000, 0x98c717ce -1, 371167, 3136, 0x46027610 +1, 371167, 3136, 0x7ec075e3 0, 377010, 192000, 0x615b10b8 -1, 377567, 3128, 0x4192d5e3 +1, 377567, 3128, 0xf981d51e 0, 383400, 192000, 0xd5bc0e7e -1, 383951, 3128, 0x21d2e7fe +1, 383951, 3128, 0xc622e8b9 0, 389790, 192000, 0xd5bc0e7e -1, 390335, 3136, 0x7c93e329 +1, 390335, 3136, 0xf632e2f8 0, 396180, 192000, 0xd5bc0e7e -1, 396735, 3128, 0xa67718c0 +1, 396735, 3128, 0xda561864 0, 402570, 192000, 0xd5bc0e7e -1, 403118, 3136, 0x9bb6e8a3 +1, 403118, 3136, 0x14d2e888 0, 408960, 192000, 0xd5bc0e7e -1, 409518, 3128, 0x0933b7a6 +1, 409518, 3128, 0x015bb869 0, 415350, 192000, 0xd5bc0e7e -1, 415902, 3128, 0x07f1fb57 +1, 415902, 3128, 0xedb1fb62 0, 421740, 192000, 0xd5bc0e7e -1, 422286, 3136, 0x8a050cfd +1, 422286, 3136, 0xe0560c41 0, 428130, 192000, 0xd5bc0e7e -1, 428686, 3128, 0xdb773c0b +1, 428686, 3128, 0x14773c9a 0, 434520, 192000, 0xd5bc0e7e -1, 435069, 3136, 0xd1281c53 +1, 435069, 3136, 0x850f1c82 0, 440910, 192000, 0xd5bc0e7e -1, 441469, 3128, 0x9f395324 +1, 441469, 3128, 0xb0bd5347 0, 447300, 192000, 0xd5bc0e7e -1, 447853, 3128, 0x5f13edec +1, 447853, 3128, 0x8f82edbf 0, 453690, 192000, 0xd5bc0e7e -1, 454237, 3136, 0x871cbecf +1, 454237, 3136, 0x493abee2 0, 460080, 192000, 0xd5bc0e7e -1, 460637, 3128, 0x799eff3e +1, 460637, 3128, 0xf5daff3f 0, 466470, 192000, 0xd5bc0e7e -1, 467020, 3128, 0x3f902762 +1, 467020, 3128, 0x78ad2690 0, 472860, 192000, 0xd5bc0e7e -1, 473404, 3136, 0x29f8bb04 +1, 473404, 3136, 0x490ebafc 0, 479250, 192000, 0xd5bc0e7e -1, 479804, 3128, 0xf3523ee9 +1, 479804, 3128, 0x70333fd2 0, 485640, 192000, 0xd5bc0e7e -1, 486188, 3136, 0x4405c435 +1, 486188, 3136, 0x8cb1c350 0, 492030, 192000, 0xd5bc0e7e -1, 492588, 3128, 0x892957cb +1, 492588, 3128, 0x8bd057cb 0, 498420, 192000, 0xd5bc0e7e -1, 498971, 3128, 0xdf483dbd +1, 498971, 3128, 0x161b3dbc 0, 504810, 192000, 0xd5bc0e7e -1, 505355, 3136, 0x5e8ab797 +1, 505355, 3136, 0xb47fb88a 0, 511200, 192000, 0xd5bc0e7e -1, 511755, 3128, 0x92e13820 +1, 511755, 3128, 0x474b381e 0, 517590, 192000, 0xd5bc0e7e -1, 518139, 3136, 0xfde719b6 +1, 518139, 3136, 0x07c519bb 0, 523980, 192000, 0xd5bc0e7e -1, 524539, 3128, 0x442f17ae +1, 524539, 3128, 0x15b916c8 0, 530370, 192000, 0xd5bc0e7e -1, 530922, 3128, 0x011af61f +1, 530922, 3128, 0x0ed7f6fb 0, 536760, 192000, 0xd5bc0e7e -1, 537306, 3136, 0x4e3e3a6d +1, 537306, 3136, 0x54d6397b 0, 543150, 192000, 0xd5bc0e7e -1, 543706, 3128, 0xc11242b9 +1, 543706, 3128, 0x437242bb 0, 549540, 192000, 0xd5bc0e7e -1, 550090, 3128, 0x01415b59 +1, 550090, 3128, 0x38f05c4d 0, 555930, 192000, 0xd5bc0e7e -1, 556473, 3136, 0x302e0e55 +1, 556473, 3136, 0x5d000e59 0, 562320, 192000, 0xd5bc0e7e -1, 562873, 3128, 0x20522d04 +1, 562873, 3128, 0xdeab2d04 0, 568710, 192000, 0xd5bc0e7e -1, 569257, 3136, 0x316a697d +1, 569257, 3136, 0x77de6880 0, 575100, 192000, 0xd5bc0e7e -1, 575657, 3128, 0x6d75ee27 +1, 575657, 3128, 0xbc87ef25 0, 581490, 192000, 0xd5bc0e7e -1, 582041, 3128, 0xcb008ae8 +1, 582041, 3128, 0xc1638ade 0, 587880, 192000, 0xd5bc0e7e -1, 588424, 3136, 0xd2664b51 +1, 588424, 3136, 0xcfb64a5f 0, 594270, 192000, 0xd5bc0e7e -1, 594824, 3128, 0xdfcab728 +1, 594824, 3128, 0x90b1b826 0, 600660, 192000, 0xd5bc0e7e 1, 601208, 3136, 0x00000000 0, 607050, 192000, 0xd5bc0e7e From 6ddb12b6889dd13c3bb514838c71d2f70114b3c1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 23:46:00 +0200 Subject: [PATCH 0216/1119] Fixed size given to init_get_bits(). init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Alex Converse (cherry picked from commit b59efc94347ccf0cbc2ff14a5a9e99819c5bdc4d) Signed-off-by: Anton Khirnov --- libavcodec/aac_adtstoasc_bsf.c | 2 +- libavcodec/avs.c | 2 +- libavcodec/jvdec.c | 2 +- libavcodec/rv34.c | 2 +- libavcodec/tta.c | 2 +- libavformat/movenc.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c index fbb86f8af7..d1310c4149 100644 --- a/libavcodec/aac_adtstoasc_bsf.c +++ b/libavcodec/aac_adtstoasc_bsf.c @@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc, int pce_size = 0; uint8_t pce_data[MAX_PCE_SIZE]; if (!hdr.chan_config) { - init_get_bits(&gb, buf, buf_size); + init_get_bits(&gb, buf, buf_size * 8); if (get_bits(&gb, 3) != 5) { av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0); return -1; diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 1c2682b338..1a5e44401c 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -117,7 +117,7 @@ avs_decode_frame(AVCodecContext * avctx, table = buf + (256 * vect_w * vect_h); if (sub_type != AVS_I_FRAME) { int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h); - init_get_bits(&change_map, table, map_size); + init_get_bits(&change_map, table, map_size * 8); table += map_size; } diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 0c346486f5..5249764347 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx, if (video_type == 0 || video_type == 1) { GetBitContext gb; - init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf)); + init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8)); for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index c5dcfdcba4..910b933dd9 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,7 +1444,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); return -1; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0)); + init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return -1; diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 57f5818d7b..fd5aa46670 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -216,7 +216,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) if (avctx->extradata_size < 30) return -1; - init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size); + init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8); if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { /* signature */ diff --git a/libavformat/movenc.c b/libavformat/movenc.c index dcc5581443..0cf837c9b1 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -206,7 +206,7 @@ static int mov_write_ac3_tag(AVIOContext *pb, MOVTrack *track) avio_wb32(pb, 11); ffio_wfourcc(pb, "dac3"); - init_get_bits(&gbc, track->vosData+4, track->vosLen-4); + init_get_bits(&gbc, track->vosData+4, (track->vosLen-4) * 8); fscod = get_bits(&gbc, 2); frmsizecod = get_bits(&gbc, 6); bsid = get_bits(&gbc, 5); From 8c987d8291587959bd67728121ced38a0c7691d0 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 23:26:12 +0200 Subject: [PATCH 0217/1119] oggdec: fix out of bound write in the ogg demuxer Between ogg_save() and ogg_restore() calls, the number of streams could have been reduced. Signed-off-by: Luca Barbato (cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d) Signed-off-by: Anton Khirnov --- libavformat/oggdec.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 25f5cd8b2d..18201677b8 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -92,14 +92,24 @@ static int ogg_restore(AVFormatContext *s, int discard) ogg->state = ost->next; if (!discard){ + struct ogg_stream *old_streams = ogg->streams; + for (i = 0; i < ogg->nstreams; i++) av_free (ogg->streams[i].buf); avio_seek (bc, ost->pos, SEEK_SET); ogg->curidx = ost->curidx; ogg->nstreams = ost->nstreams; - memcpy(ogg->streams, ost->streams, - ost->nstreams * sizeof(*ogg->streams)); + ogg->streams = av_realloc (ogg->streams, + ogg->nstreams * sizeof (*ogg->streams)); + + if (ogg->streams) { + memcpy(ogg->streams, ost->streams, + ost->nstreams * sizeof(*ogg->streams)); + } else { + av_free(old_streams); + ogg->nstreams = 0; + } } av_free (ost); From dd606be909437c6fac8a91ffb9dacfd6e81a1ac0 Mon Sep 17 00:00:00 2001 From: David Goldwich Date: Sat, 17 Sep 2011 13:50:35 +0200 Subject: [PATCH 0218/1119] lavf: Fix context pointer in av_open_input_stream when avformat_open_input fails Signed-off-by: David Goldwich Signed-off-by: Anton Khirnov (cherry picked from commit 63d64228a7f31d534e3bcae87cbd37f4a0ae2dd6) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2cb096e373..d9d154e3ab 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -469,8 +469,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, goto fail; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above - *ic_ptr = ic; fail: + *ic_ptr = ic; av_dict_free(&opts); return err; } From bb6702f20675868fba91f6be5e5120b5d8ef031f Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 18 Sep 2011 00:03:08 +0200 Subject: [PATCH 0219/1119] rv10: Reject slices that does not have the same type as the first one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents crashes with some corrupted bitstreams. Signed-off-by: Martin Storsjö (cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7) Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 78f97b16b1..223500c356 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -543,6 +543,11 @@ static int rv10_decode_packet(AVCodecContext *avctx, if(MPV_frame_start(s, avctx) < 0) return -1; ff_er_frame_start(s); + } else { + if (s->current_picture_ptr->pict_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); + return -1; + } } av_dlog(avctx, "qscale=%d\n", s->qscale); From 11b72c073c7f59ee19067ddaa7ea7755b972d793 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 23:43:58 +0200 Subject: [PATCH 0220/1119] rv34: Avoid NULL dereference on corrupted bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rv34_decode_slice() can return without allocating any pictures. Signed-off-by: Martin Storsjö (cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 910b933dd9..2383903625 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1486,7 +1486,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, break; } - if(last){ + if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); ff_er_frame_end(s); From a01387bb3524846d925a8862f077be91deb5f42d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:30 +0200 Subject: [PATCH 0221/1119] rv34: Fix potential overreads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 2383903625..87fca5c23e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1436,6 +1436,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = (*buf++) + 1; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 1 + 8 * slice_count; }else slice_count = avctx->slice_count; @@ -1454,7 +1455,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) - return buf_size; + return avpkt->size; for(i=0; icurrent_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } av_cold int ff_rv34_decode_end(AVCodecContext *avctx) From d805b8f454f57451277a052cc1bda49e6caf6cd7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 19 Sep 2011 22:48:53 +0200 Subject: [PATCH 0222/1119] rv34: Check for invalid slice offsets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 87fca5c23e..70c35ef4ff 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1441,8 +1441,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(get_slice_offset(avctx, slices_hdr, 0) < 0 || + get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return -1; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); @@ -1465,8 +1466,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(offset < 0 || offset > buf_size || size < 0){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } From 1979a9b4f205d9446c3e11353b57b5d9bd3dad4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2011 05:00:39 +0200 Subject: [PATCH 0223/1119] h264: change MAX_DELAYED_PIC_COUNT check to av_assert0 Signed-off-by: Michael Niedermayer (cherry picked from commit b955ab2f492e3b8c4cbf614f68f8d5bf79e1d1e1) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8ecf9b4dbd..3a1fa02998 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1403,7 +1403,7 @@ static void decode_postinit(H264Context *h, int setup_finished){ pics = 0; while(h->delayed_pic[pics]) pics++; - assert(pics <= MAX_DELAYED_PIC_COUNT); + av_assert0(pics <= MAX_DELAYED_PIC_COUNT); h->delayed_pic[pics++] = cur; if(cur->reference == 0) From ca5dfd1550a1b118e1c4f357c1d4409f11c3d2cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2011 05:04:14 +0200 Subject: [PATCH 0224/1119] h264: clean all non null elements of delayed_pic[] Signed-off-by: Michael Niedermayer (cherry picked from commit 66ce282df54edb33515d9ef3015b737428b6e0c3) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 3a1fa02998..3701bc9b73 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2233,7 +2233,7 @@ static void idr(H264Context *h){ static void flush_dpb(AVCodecContext *avctx){ H264Context *h= avctx->priv_data; int i; - for(i=0; idelayed_pic[i]) h->delayed_pic[i]->reference= 0; h->delayed_pic[i]= NULL; From e7d10f5a90f4f4dd94a2d859be32002ae37394e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Sep 2011 02:12:15 +0200 Subject: [PATCH 0225/1119] mpeg4: fix typo in mpeg4_encode_gop_header() Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit f5bda9fcbb54c9c27503ab1bdb86838eb6f602f1) --- libavcodec/mpeg4videoenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index bdff535a99..f4ec50c9af 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -898,8 +898,8 @@ static void mpeg4_encode_gop_header(MpegEncContext * s){ s->last_time_base= FFUDIV(time, s->avctx->time_base.den); seconds= FFUDIV(time, s->avctx->time_base.den); - minutes= FFUDIV(seconds, 60); FFUMOD(seconds, 60); - hours = FFUDIV(minutes, 60); FFUMOD(minutes, 60); + minutes= FFUDIV(seconds, 60); seconds = FFUMOD(seconds, 60); + hours = FFUDIV(minutes, 60); minutes = FFUMOD(minutes, 60); hours = FFUMOD(hours , 24); put_bits(&s->pb, 5, hours); From 30442fa21732c3c3d44e202820e785635ae65cec Mon Sep 17 00:00:00 2001 From: Gavin Kinsey Date: Thu, 1 Sep 2011 16:18:22 +0200 Subject: [PATCH 0226/1119] jpegdec: set color_range (cherry picked from commit 2f870e262e953815060de0ebea9b6653133b203e) --- libavcodec/mjpegdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e64ea5cd68..817636fa47 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -318,8 +318,10 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) case 0x11111100: if(s->rgb){ s->avctx->pix_fmt = PIX_FMT_BGRA; - }else + }else{ s->avctx->pix_fmt = s->cs_itu601 ? PIX_FMT_YUV444P : PIX_FMT_YUVJ444P; + s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; + } assert(s->nb_components==3); break; case 0x11000000: @@ -327,12 +329,15 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) break; case 0x12111100: s->avctx->pix_fmt = s->cs_itu601 ? PIX_FMT_YUV440P : PIX_FMT_YUVJ440P; + s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; break; case 0x21111100: s->avctx->pix_fmt = s->cs_itu601 ? PIX_FMT_YUV422P : PIX_FMT_YUVJ422P; + s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; break; case 0x22111100: s->avctx->pix_fmt = s->cs_itu601 ? PIX_FMT_YUV420P : PIX_FMT_YUVJ420P; + s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; break; default: av_log(s->avctx, AV_LOG_ERROR, "Unhandled pixel format 0x%x\n", pix_fmt_id); From 9c96b1efb1bb5094edda383b32106bf1bdf9297d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 27 Aug 2011 15:06:37 +0200 Subject: [PATCH 0227/1119] Do not free BITMAPINFOHEADER before we are done using it. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes trac ticket #396. Completely untested. Signed-off-by: Reimar Döffinger (cherry picked from commit 177aec1257d4dcde2190b6632d9c6e44e3e5c8e9) --- libavdevice/vfwcap.c | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/libavdevice/vfwcap.c b/libavdevice/vfwcap.c index a8e67e7dda..ea86c9a755 100644 --- a/libavdevice/vfwcap.c +++ b/libavdevice/vfwcap.c @@ -242,7 +242,7 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) AVStream *st; int devnum; int bisize; - BITMAPINFO *bi; + BITMAPINFO *bi = NULL; CAPTUREPARMS cparms; DWORD biCompression; WORD biBitCount; @@ -293,7 +293,7 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) (LPARAM) videostream_cb); if(!ret) { av_log(s, AV_LOG_ERROR, "Could not set video stream callback.\n"); - goto fail_io; + goto fail; } SetWindowLongPtr(ctx->hwnd, GWLP_USERDATA, (LONG_PTR) s); @@ -307,7 +307,7 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) /* Set video format */ bisize = SendMessage(ctx->hwnd, WM_CAP_GET_VIDEOFORMAT, 0, 0); if(!bisize) - goto fail_io; + goto fail; bi = av_malloc(bisize); if(!bi) { vfw_read_close(s); @@ -315,7 +315,7 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) } ret = SendMessage(ctx->hwnd, WM_CAP_GET_VIDEOFORMAT, bisize, (LPARAM) bi); if(!ret) - goto fail_bi; + goto fail; dump_bih(s, &bi->bmiHeader); @@ -324,7 +324,7 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) ret = av_parse_video_size(&bi->bmiHeader.biWidth, &bi->bmiHeader.biHeight, ctx->video_size); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Couldn't parse video size.\n"); - goto fail_bi; + goto fail; } } #if FF_API_FORMAT_PARAMETERS @@ -349,19 +349,17 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) ret = SendMessage(ctx->hwnd, WM_CAP_SET_VIDEOFORMAT, bisize, (LPARAM) bi); if(!ret) { av_log(s, AV_LOG_ERROR, "Could not set Video Format.\n"); - goto fail_bi; + goto fail; } biCompression = bi->bmiHeader.biCompression; biBitCount = bi->bmiHeader.biBitCount; - av_free(bi); - /* Set sequence setup */ ret = SendMessage(ctx->hwnd, WM_CAP_GET_SEQUENCE_SETUP, sizeof(cparms), (LPARAM) &cparms); if(!ret) - goto fail_io; + goto fail; dump_captureparms(s, &cparms); @@ -376,7 +374,7 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) ret = SendMessage(ctx->hwnd, WM_CAP_SET_SEQUENCE_SETUP, sizeof(cparms), (LPARAM) &cparms); if(!ret) - goto fail_io; + goto fail; codec = st->codec; codec->time_base = (AVRational){fps.den, fps.num}; @@ -405,31 +403,31 @@ static int vfw_read_header(AVFormatContext *s, AVFormatParameters *ap) } } + av_freep(&bi); + av_set_pts_info(st, 32, 1, 1000); ctx->mutex = CreateMutex(NULL, 0, NULL); if(!ctx->mutex) { av_log(s, AV_LOG_ERROR, "Could not create Mutex.\n" ); - goto fail_io; + goto fail; } ctx->event = CreateEvent(NULL, 1, 0, NULL); if(!ctx->event) { av_log(s, AV_LOG_ERROR, "Could not create Event.\n" ); - goto fail_io; + goto fail; } ret = SendMessage(ctx->hwnd, WM_CAP_SEQUENCE_NOFILE, 0, 0); if(!ret) { av_log(s, AV_LOG_ERROR, "Could not start capture sequence.\n" ); - goto fail_io; + goto fail; } return 0; -fail_bi: - av_free(bi); - -fail_io: +fail: + av_freep(&bi); vfw_read_close(s); return AVERROR(EIO); } From 77dafced713f47dc7c356689871b2ba9d8e64f45 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Sat, 3 Sep 2011 22:29:07 +0200 Subject: [PATCH 0228/1119] http: Fix decetion of range support in HTTP servers currently libavformat only allows seeking if a request with "Range: 0-" results in a 206 reply from the HTTP server which includes a Content-Range header. But according to RFC 2616, the server may also reply with a normal 200 reply (which is more efficient for a request for the whole file). In fact Apache HTTPD 2.2.20 has changed the behaviour in this way and it looks like this change will be kept in future versions. The fix for libavformat is easy: Also look at the Accept-Ranges header. (cherry picked from commit 31dfc4959816aa4637e50c7f79660c75205ef84c) --- libavformat/http.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index 95ba456cea..518c47d9c9 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -265,6 +265,8 @@ static int process_line(URLContext *h, char *line, int line_count, s->filesize = atoll(slash+1); } h->is_streamed = 0; /* we _can_ in fact seek */ + } else if (!strcasecmp (tag, "Accept-Ranges") && !strncmp (p, "bytes", 5)) { + h->is_streamed = 0; } else if (!strcasecmp (tag, "Transfer-Encoding") && !strncasecmp(p, "chunked", 7)) { s->filesize = -1; s->chunksize = 0; From 5c2d6849862f975254a82d8cdb82d64f8f148ec2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 17 Jul 2011 15:22:36 +0200 Subject: [PATCH 0229/1119] Check extradata size on resolution change. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ignore resolution change if resolution not defined in extradata. Signed-off-by: Reimar Döffinger (cherry picked from commit 09c5f990bc7629dfbee8c760fd485936c60a7b40) --- libavcodec/rv30.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index b43859b9cb..53d824a109 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -51,6 +51,11 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn skip_bits1(gb); si->pts = get_bits(gb, 13); rpr = get_bits(gb, r->rpr); + if (r->s.avctx->extradata_size < 8 + rpr*2) { + av_log(r->s.avctx, AV_LOG_WARNING, + "Extradata does not contain selected resolution\n"); + rpr = 0; + } if(rpr){ w = r->s.avctx->extradata[6 + rpr*2] << 2; h = r->s.avctx->extradata[7 + rpr*2] << 2; From c026f336b9ff78ba450ff53a67ec2e5cd19dd454 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 5 Sep 2011 12:37:50 +0200 Subject: [PATCH 0230/1119] wavpack: fix wrong return value in wavpack_decode_block() This function should return number of samples decoded, not number of bytes decoded. Spotted by Uoti Urpala. Signed-off-by: Luca Barbato (cherry picked from commit bcd4aa8bec19a17bd633e3db13357784c05b6ca5) --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0d92f1802c..61a75fd765 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -800,7 +800,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->samples = AV_RL32(buf); buf += 4; if(!s->samples){ *data_size = 0; - return buf_size; + return 0; } }else{ s->samples = wc->samples; From 64556c200ee372130bcebb79f0fb37a9aa46f9c5 Mon Sep 17 00:00:00 2001 From: Asad Mehmood Date: Wed, 7 Sep 2011 23:18:07 +0100 Subject: [PATCH 0231/1119] flvdec: Remove AVFMTCTX_NOHEADER if both flags and metadata claim 1 stream If there is only 1 stream in an flv avformat_find_stream_info will continually read until probesize is reached. This should stop it reading if the metadata also claims there to be 1 stream. (cherry picked from commit bcc531f04a0590732d42da133c11c138e8d08b59) --- libavformat/flvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 4fb562f4e2..a2a3c5c493 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -269,6 +269,10 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst vcodec->bit_rate = num_val * 1024.0; else if(!strcmp(key, "audiodatarate") && acodec && 0 <= (int)(num_val * 1024.0)) acodec->bit_rate = num_val * 1024.0; + } else if(amf_type == AMF_DATA_TYPE_OBJECT){ + if(s->nb_streams==1 && ((!acodec && !strcmp(key, "audiocodecid")) || (!vcodec && !strcmp(key, "videocodecid")))){ + s->ctx_flags &= ~AVFMTCTX_NOHEADER; //If there is either audio/video missing, codecid will be an empty object + } } else if (amf_type == AMF_DATA_TYPE_STRING) av_dict_set(&s->metadata, key, str_val, 0); } From d99613bad60cd2640d15725581ef8fe14d9a6258 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Sep 2011 05:05:11 +0200 Subject: [PATCH 0232/1119] jpeglsdec: fix infinite loop Fixes Ticket331 Signed-off-by: Michael Niedermayer (cherry picked from commit bd358e128f47c14c7bc9dfceb8dedb3e5697f017) --- libavcodec/jpegls.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index 28c75248be..2c21f774e8 100644 --- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -86,6 +86,8 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q){ } static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err){ + if(FFABS(err) > 0xFFFF) + return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; state->B[Q] += err; From b0da6a744a4a3d089d9b5ea547e03336a1fe5f2c Mon Sep 17 00:00:00 2001 From: Chris Rankin Date: Wed, 7 Sep 2011 10:17:30 +0100 Subject: [PATCH 0233/1119] qcelpdec: fix the return value of qcelp_decode_frame(). (cherry picked from commit 04c13dca8812e8302686887b6e8201d4ad25b7d8) --- libavcodec/qcelpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c index 3ed821c81e..e83704d801 100644 --- a/libavcodec/qcelpdec.c +++ b/libavcodec/qcelpdec.c @@ -839,7 +839,7 @@ erasure: *data_size = 160 * sizeof(*outbuffer); - return *data_size; + return buf_size; } AVCodec ff_qcelp_decoder = From 558cf502acdb1743921a212804199d650deaeaeb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:17:39 +0200 Subject: [PATCH 0234/1119] Fixed invalid writes in wavpack decoder on corrupted bitstreams. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f) --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 61a75fd765..1e6d857849 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1141,7 +1141,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1150,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1159,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; From 5cc5152e80bd041e7ba47d174a83013c335539a9 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 8 Sep 2011 14:21:38 +0200 Subject: [PATCH 0235/1119] Employ FF_ARRAY_ELEMS instead of manually calculating array length. (cherry picked from commit 6376362d15ccbc02e15d0b3b7a7a5d862efd6b91) --- libavformat/avlanguage.c | 3 ++- libavformat/mxf.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/avlanguage.c b/libavformat/avlanguage.c index 525bf07d27..39f2560d94 100644 --- a/libavformat/avlanguage.c +++ b/libavformat/avlanguage.c @@ -20,6 +20,7 @@ #include "avlanguage.h" #include "libavutil/avstring.h" +#include "libavutil/common.h" #include #include #include @@ -736,7 +737,7 @@ const char *av_convert_lang_to(const char *lang, enum AVLangCodespace target_cod { int i; const LangEntry *entry = NULL; - const int NB_CODESPACES = sizeof(lang_table_counts)/sizeof(*lang_table_counts); + const int NB_CODESPACES = FF_ARRAY_ELEMS(lang_table_counts); if (target_codespace >= NB_CODESPACES) return NULL; diff --git a/libavformat/mxf.c b/libavformat/mxf.c index 643a95243a..50ea3b5648 100644 --- a/libavformat/mxf.c +++ b/libavformat/mxf.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/common.h" #include "mxf.h" /** @@ -80,7 +81,7 @@ static const struct { {PIX_FMT_PAL8, {'P', 8 }}, }; -static const int num_pixel_layouts = sizeof(ff_mxf_pixel_layouts) / sizeof(*ff_mxf_pixel_layouts); +static const int num_pixel_layouts = FF_ARRAY_ELEMS(ff_mxf_pixel_layouts); int ff_mxf_decode_pixel_layout(const char pixel_layout[16], enum PixelFormat *pix_fmt) { From 1ec29b2da5ee02076d196ed4d1c8b09e53ebd84e Mon Sep 17 00:00:00 2001 From: "Panagiotis H.M. Issaris" Date: Wed, 17 Aug 2011 12:20:32 +0200 Subject: [PATCH 0236/1119] Fix documentation for "-debug" commandline argument (cherry picked from commit 180e7829428e26413916f0cbc2ad85eeb1fb877e) Signed-off-by: Michael Niedermayer (cherry picked from commit bcef876f168ce8e0263f018f45b8f88ce4dba623) --- doc/ffmpeg.texi | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 6f21451219..daf5d36de8 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -713,8 +713,39 @@ ffmpeg -i in.ogg -map_metadata 0:0,s0 out.mp3 Copy chapters from @var{infile} to @var{outfile}. If no chapter mapping is specified, then chapters are copied from the first input file with at least one chapter to all output files. Use a negative file index to disable any chapter copying. -@item -debug +@item -debug @var{category} Print specific debug info. +@var{category} is a number or a string containing one of the following values: +@table @samp +@item bitstream +@item buffers +picture buffer allocations +@item bugs +@item dct_coeff +@item er +error recognition +@item mb_type +macroblock (MB) type +@item mmco +memory management control operations (H.264) +@item mv +motion vector +@item pict +picture info +@item pts +@item qp +per-block quantization parameter (QP) +@item rc +rate control +@item skip +@item startcode +@item thread_ops +threading operations +@item vis_mb_type +visualize block types +@item vis_qp +visualize quantization parameter (QP), lower QP are tinted greener +@end table @item -benchmark Show benchmarking information at the end of an encode. Shows CPU time used and maximum memory consumption. From 4fbc35cd537a7629735badd5fe56f09138d6af93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2011 18:06:51 +0200 Subject: [PATCH 0237/1119] rc: fix convergence failure Signed-off-by: Michael Niedermayer (cherry picked from commit ed14517c234299387d401959c6037f25e0937f02) --- libavcodec/ratecontrol.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/ratecontrol.c b/libavcodec/ratecontrol.c index 6874fc7034..bd42d72bdf 100644 --- a/libavcodec/ratecontrol.c +++ b/libavcodec/ratecontrol.c @@ -866,6 +866,12 @@ static int init_pass2(MpegEncContext *s) assert(filter_size%2==1); /* fixed I/B QP relative to P mode */ + for(i=0; inum_entries; i++){ + RateControlEntry *rce= &rcc->entry[i]; + + qscale[i]= get_diff_limited_q(s, rce, qscale[i]); + } + for(i=rcc->num_entries-1; i>=0; i--){ RateControlEntry *rce= &rcc->entry[i]; From a13ef6105167032cd0ecaeb86a3727c9bf67ac95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2011 18:50:00 +0200 Subject: [PATCH 0238/1119] rc: finetune convergence failure fix Signed-off-by: Michael Niedermayer (cherry picked from commit 73e0ec2ff453799e361c67395b93df11986609b3) --- libavcodec/ratecontrol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ratecontrol.c b/libavcodec/ratecontrol.c index bd42d72bdf..cc742d15a1 100644 --- a/libavcodec/ratecontrol.c +++ b/libavcodec/ratecontrol.c @@ -866,7 +866,7 @@ static int init_pass2(MpegEncContext *s) assert(filter_size%2==1); /* fixed I/B QP relative to P mode */ - for(i=0; inum_entries; i++){ + for(i=FFMAX(0, rcc->num_entries-300); inum_entries; i++){ RateControlEntry *rce= &rcc->entry[i]; qscale[i]= get_diff_limited_q(s, rce, qscale[i]); From 8a8aafd2b901f78a3ce02fad717482ae58ab72b7 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 8 Sep 2011 11:02:43 -0700 Subject: [PATCH 0239/1119] wavpack: Check error codes rather than working around error conditions. (cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17) --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1e6d857849..61a75fd765 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1141,7 +1141,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1150,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1159,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; From bac822025e6d73d0932ac1a18e80658be186ccf9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 22:04:09 +0200 Subject: [PATCH 0240/1119] Fixed size given to init_get_bits() in ffv1 decoder. init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Michael Niedermayer (cherry picked from commit 8362a0ffed0b15a9977fcde947bcb49dfc06638b) --- libavcodec/ffv1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index a0a4a1d009..8fe725f78a 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -1805,7 +1805,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac bytes_read = c->bytestream - c->bytestream_start - 1; if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME //printf("pos=%d\n", bytes_read); - init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read); + init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8); } else { bytes_read = 0; /* avoid warning */ } @@ -1822,7 +1822,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if(fs->ac){ ff_init_range_decoder(&fs->c, buf_p, v); }else{ - init_get_bits(&fs->gb, buf_p, v); + init_get_bits(&fs->gb, buf_p, v * 8); } } From 7181adab8090e614bb4e37410c60d8f93cbd860d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 23:46:00 +0200 Subject: [PATCH 0241/1119] Fixed size given to init_get_bits(). init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Michael Niedermayer (cherry picked from commit e5e0580b93a5bda34f62a5df50c1b15e610d4ad1) --- libavcodec/aac_adtstoasc_bsf.c | 2 +- libavcodec/avs.c | 2 +- libavcodec/jvdec.c | 2 +- libavcodec/rv34.c | 2 +- libavcodec/tta.c | 2 +- libavformat/movenc.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c index 6558c0280f..2e14b1a0b6 100644 --- a/libavcodec/aac_adtstoasc_bsf.c +++ b/libavcodec/aac_adtstoasc_bsf.c @@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc, int pce_size = 0; uint8_t pce_data[MAX_PCE_SIZE]; if (!hdr.chan_config) { - init_get_bits(&gb, buf, buf_size); + init_get_bits(&gb, buf, buf_size * 8); if (get_bits(&gb, 3) != 5) { av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0); return -1; diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 06fcd5cd0e..354b53c241 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -117,7 +117,7 @@ avs_decode_frame(AVCodecContext * avctx, table = buf + (256 * vect_w * vect_h); if (sub_type != AVS_I_FRAME) { int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h); - init_get_bits(&change_map, table, map_size); + init_get_bits(&change_map, table, map_size * 8); table += map_size; } diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index f4941992f6..f1fdee5d43 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx, if (video_type == 0 || video_type == 1) { GetBitContext gb; - init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf)); + init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8)); for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 241132e092..8cec3634de 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,7 +1444,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); return -1; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0)); + init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return -1; diff --git a/libavcodec/tta.c b/libavcodec/tta.c index dccca46132..ed7665ee29 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -226,7 +226,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) if (avctx->extradata_size < 30) return -1; - init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size); + init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8); if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { /* signature */ diff --git a/libavformat/movenc.c b/libavformat/movenc.c index ebfcacb107..463dd5b601 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -206,7 +206,7 @@ static int mov_write_ac3_tag(AVIOContext *pb, MOVTrack *track) avio_wb32(pb, 11); ffio_wfourcc(pb, "dac3"); - init_get_bits(&gbc, track->vosData+4, track->vosLen-4); + init_get_bits(&gbc, track->vosData+4, (track->vosLen-4) * 8); fscod = get_bits(&gbc, 2); frmsizecod = get_bits(&gbc, 6); bsid = get_bits(&gbc, 5); From ab2ea6415bdf76002e2bf80ae0785bdb3afa41d9 Mon Sep 17 00:00:00 2001 From: chinshou Date: Sat, 10 Sep 2011 05:21:50 +0200 Subject: [PATCH 0242/1119] avisynth: Remove wrong pts calculation. Fixes Ticket428 (cherry picked from commit 4f123a7d7c8cbf425958e726689c6bdc84605e91) --- libavformat/avisynth.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/avisynth.c b/libavformat/avisynth.c index 768459a38d..e0b5a64e04 100644 --- a/libavformat/avisynth.c +++ b/libavformat/avisynth.c @@ -165,7 +165,6 @@ static int avisynth_read_packet(AVFormatContext *s, AVPacket *pkt) res = AVIStreamRead(stream->handle, stream->read, stream->chunck_samples, pkt->data, stream->chunck_size, &read_size, NULL); - pkt->pts = stream->read; pkt->size = read_size; stream->read += stream->chunck_samples; From 57571f348e2c976c5160d0d6137441ea121294a7 Mon Sep 17 00:00:00 2001 From: chinshou Date: Sat, 10 Sep 2011 05:23:17 +0200 Subject: [PATCH 0243/1119] avisynth: Fix upside down bug (cherry picked from commit b10ba1175d3afa28d88cf3b24b69dc4882be16f5) --- libavformat/avisynth.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/avisynth.c b/libavformat/avisynth.c index e0b5a64e04..643f25b661 100644 --- a/libavformat/avisynth.c +++ b/libavformat/avisynth.c @@ -122,6 +122,14 @@ static int avisynth_read_header(AVFormatContext *s, AVFormatParameters *ap) st->codec->bit_rate = (uint64_t)stream->info.dwSampleSize * (uint64_t)stream->info.dwRate * 8 / (uint64_t)stream->info.dwScale; st->codec->codec_tag = imgfmt.bmiHeader.biCompression; st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, imgfmt.bmiHeader.biCompression); + if (st->codec->codec_id == CODEC_ID_RAWVIDEO && imgfmt.bmiHeader.biCompression== BI_RGB) { + st->codec->extradata = av_malloc(9 + FF_INPUT_BUFFER_PADDING_SIZE); + if (st->codec->extradata) { + st->codec->extradata_size = 9; + memcpy(st->codec->extradata, "BottomUp", 9); + } + } + st->duration = stream->info.dwLength; } From b5fe6bee011ecb5d9b1f6649fe4eef177c113ebf Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 10 Sep 2011 13:28:13 +0200 Subject: [PATCH 0244/1119] Fixed deference of NULL pointer in motionpixels decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 824f98f442996eaee9204b132752cf5114fc94cf) --- libavcodec/motionpixels.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 01558ab95b..b18efa6b9c 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -279,7 +279,8 @@ static int mp_decode_frame(AVCodecContext *avctx, if (sz == 0) goto end; - init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0); + if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) + goto end; mp_decode_frame_helper(mp, &gb); free_vlc(&mp->vlc); From db93a5a0c8eb349c4380be61874c477fbcd248a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2011 19:18:41 +0200 Subject: [PATCH 0245/1119] cabac: fix cabac encoder Signed-off-by: Michael Niedermayer (cherry picked from commit 89653ea728bd59da2b88967ad648cce685950879) --- libavcodec/cabac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 76253afe3e..c94a560695 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -161,10 +161,14 @@ void ff_init_cabac_states(CABACContext *c){ ff_h264_mps_state[2*i+1]= 2*mps_state[i]+1; if( i ){ + ff_h264_lps_state[2*i+0]= ff_h264_mlps_state[128-2*i-1]= 2*lps_state[i]+0; + ff_h264_lps_state[2*i+1]= ff_h264_mlps_state[128-2*i-2]= 2*lps_state[i]+1; }else{ + ff_h264_lps_state[2*i+0]= ff_h264_mlps_state[128-2*i-1]= 1; + ff_h264_lps_state[2*i+1]= ff_h264_mlps_state[128-2*i-2]= 0; } } From f38b2a6be8866b55ccdb2ed4515d132015f02dfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2011 19:20:28 +0200 Subject: [PATCH 0246/1119] cabac test: match encode and decode side Signed-off-by: Michael Niedermayer (cherry picked from commit 830d7d5c4fbf81265ca5260d59fe8467ac97b2e6) --- libavcodec/cabac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index c94a560695..e39ad2ea7f 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -209,6 +209,7 @@ START_TIMER STOP_TIMER("put_cabac") } +#if 0 for(i=0; i Date: Sat, 10 Sep 2011 19:22:39 +0200 Subject: [PATCH 0247/1119] cabac test: Change input to test, so a wider range of states is tested. Signed-off-by: Michael Niedermayer (cherry picked from commit 1eb805ed70a0aac35523c7a308145b6b8d05441e) --- libavcodec/cabac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index e39ad2ea7f..9acc2a079f 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -194,7 +194,8 @@ int main(void){ ff_init_cabac_states(&c); for(i=0; i>8)&1; } for(i=0; i Date: Fri, 9 Sep 2011 13:24:19 -0700 Subject: [PATCH 0248/1119] indeo2: init_get_bits size in bits instead of bytes (cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8) --- libavcodec/indeo2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index f58804bab3..510f4da01e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -162,7 +162,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, #endif start = 48; /* hardcoded for now */ - init_get_bits(&s->gb, buf + start, buf_size - start); + init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); if (s->decode_delta) { /* intraframe */ ir2_decode_plane(s, avctx->width, avctx->height, From 9f05400ea8575e04f4853e184a38c1f1006dee10 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:26:49 -0700 Subject: [PATCH 0249/1119] indeo2: fail if input buffer too small (cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055) --- libavcodec/indeo2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 510f4da01e..152b7cca6c 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -153,6 +153,13 @@ static int ir2_decode_frame(AVCodecContext *avctx, return -1; } + start = 48; /* hardcoded for now */ + + if (start >= buf_size) { + av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->decode_delta = buf[18]; /* decide whether frame uses deltas or not */ @@ -160,7 +167,6 @@ static int ir2_decode_frame(AVCodecContext *avctx, for (i = 0; i < buf_size; i++) buf[i] = av_reverse[buf[i]]; #endif - start = 48; /* hardcoded for now */ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); From 3a0649ddebb9e23f8a3df44168d0afe9955c7b0e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 14:50:33 -0700 Subject: [PATCH 0250/1119] cljr: init_get_bits size in bits instead of bytes (cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2) --- libavcodec/cljr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c index c9b0911674..e94ad9b42e 100644 --- a/libavcodec/cljr.c +++ b/libavcodec/cljr.c @@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx, p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; - init_get_bits(&a->gb, buf, buf_size); + init_get_bits(&a->gb, buf, buf_size * 8); for(y=0; yheight; y++){ uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ]; From 82e4fd193fe5e9173d081bd244a3b5326bcab01f Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 21:43:03 +0200 Subject: [PATCH 0251/1119] Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296) --- libavcodec/wavpack.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 61a75fd765..a785b90046 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -862,12 +862,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } switch(id & WP_IDF_MASK){ case WP_ID_DECTERMS: - s->terms = size; - if(s->terms > MAX_TERMS){ + if(size > MAX_TERMS){ av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n"); + s->terms = 0; buf += ssize; continue; } + s->terms = size; for(i = 0; i < s->terms; i++) { s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5; s->decorr[s->terms - i - 1].delta = *buf >> 5; From 92f1b5df320613b5af3e34a634f506524a7aaa2a Mon Sep 17 00:00:00 2001 From: Joakim Plate Date: Sat, 10 Sep 2011 23:12:29 +0200 Subject: [PATCH 0252/1119] dvbsubdec: don't hardcode subtitle colors count in dvbsubdec to 16 Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3294ef0069c898a495c783dfdb2f0bf1dc6583) --- libavcodec/dvbsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 5b09eb14d6..e43dd29a14 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1360,7 +1360,7 @@ static int dvbsub_display_end_segment(AVCodecContext *avctx, const uint8_t *buf, rect->y = display->y_pos + offset_y; rect->w = region->width; rect->h = region->height; - rect->nb_colors = 16; + rect->nb_colors = (1 << region->depth); rect->type = SUBTITLE_BITMAP; rect->pict.linesize[0] = region->width; From c8736de331e4da336e8dfb8805a220af2bd67dc2 Mon Sep 17 00:00:00 2001 From: Art Clarke Date: Sun, 11 Sep 2011 03:14:14 +0200 Subject: [PATCH 0253/1119] libspeex encoder wraper taken from svn head of xuggle (cherry picked from commit a52cdcd296c40882c3b4f88958990c56f0ce3019) --- configure | 3 +- libavcodec/Makefile | 1 + libavcodec/allcodecs.c | 2 +- libavcodec/libspeexenc.c | 178 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 182 insertions(+), 2 deletions(-) create mode 100644 libavcodec/libspeexenc.c diff --git a/configure b/configure index a877c2c6b9..ef3697e3c4 100755 --- a/configure +++ b/configure @@ -177,7 +177,7 @@ External library support: --enable-libopenjpeg enable JPEG 2000 decoding via OpenJPEG [no] --enable-librtmp enable RTMP[E] support via librtmp [no] --enable-libschroedinger enable Dirac support via libschroedinger [no] - --enable-libspeex enable Speex decoding via libspeex [no] + --enable-libspeex enable Speex encoding and decoding via libspeex [no] --enable-libtheora enable Theora encoding via libtheora [no] --enable-libvo-aacenc enable AAC encoding via libvo-aacenc [no] --enable-libvo-amrwbenc enable AMR-WB encoding via libvo-amrwbenc [no] @@ -1417,6 +1417,7 @@ libopenjpeg_decoder_deps="libopenjpeg" libschroedinger_decoder_deps="libschroedinger" libschroedinger_encoder_deps="libschroedinger" libspeex_decoder_deps="libspeex" +libspeex_encoder_deps="libspeex" libtheora_encoder_deps="libtheora" libvo_aacenc_encoder_deps="libvo_aacenc" libvo_amrwbenc_encoder_deps="libvo_amrwbenc" diff --git a/libavcodec/Makefile b/libavcodec/Makefile index b6103af3c0..738fb264c0 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -587,6 +587,7 @@ OBJS-$(CONFIG_LIBSCHROEDINGER_ENCODER) += libschroedingerenc.o \ libschroedinger.o \ libdirac_libschro.o OBJS-$(CONFIG_LIBSPEEX_DECODER) += libspeexdec.o +OBJS-$(CONFIG_LIBSPEEX_ENCODER) += libspeexenc.o OBJS-$(CONFIG_LIBTHEORA_ENCODER) += libtheoraenc.o OBJS-$(CONFIG_LIBVO_AACENC_ENCODER) += libvo-aacenc.o mpeg4audio.o OBJS-$(CONFIG_LIBVO_AMRWBENC_ENCODER) += libvo-amrwbenc.o diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c index e6305cf7d2..f1c664f5d1 100644 --- a/libavcodec/allcodecs.c +++ b/libavcodec/allcodecs.c @@ -380,7 +380,7 @@ void avcodec_register_all(void) REGISTER_DECODER (LIBOPENCORE_AMRWB, libopencore_amrwb); REGISTER_DECODER (LIBOPENJPEG, libopenjpeg); REGISTER_ENCDEC (LIBSCHROEDINGER, libschroedinger); - REGISTER_DECODER (LIBSPEEX, libspeex); + REGISTER_ENCDEC (LIBSPEEX, libspeex); REGISTER_ENCODER (LIBTHEORA, libtheora); REGISTER_ENCODER (LIBVO_AACENC, libvo_aacenc); REGISTER_ENCODER (LIBVO_AMRWBENC, libvo_amrwbenc); diff --git a/libavcodec/libspeexenc.c b/libavcodec/libspeexenc.c new file mode 100644 index 0000000000..79a9fb0760 --- /dev/null +++ b/libavcodec/libspeexenc.c @@ -0,0 +1,178 @@ +/* + * Copyright (c) 2009 by Xuggle Incorporated. All rights reserved. + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ +#include +#include +#include +#include + +typedef struct { + SpeexBits bits; + void *enc_state; + SpeexHeader header; +} LibSpeexEncContext; + + +static av_cold int libspeex_encode_init(AVCodecContext *avctx) +{ + LibSpeexEncContext *s = (LibSpeexEncContext*)avctx->priv_data; + const SpeexMode *mode; + + if ((avctx->sample_fmt != SAMPLE_FMT_S16 && avctx->sample_fmt != SAMPLE_FMT_FLT) || + avctx->sample_rate <= 0 || + avctx->channels <= 0 || + avctx->channels > 2) + { + av_log(avctx, AV_LOG_ERROR, "Unsupported sample format, rate, or channels for speex"); + return -1; + } + + if (avctx->sample_rate <= 8000) + mode = &speex_nb_mode; + else if (avctx->sample_rate <= 16000) + mode = &speex_wb_mode; + else + mode = &speex_uwb_mode; + + speex_bits_init(&s->bits); + s->enc_state = speex_encoder_init(mode); + if (!s->enc_state) + { + av_log(avctx, AV_LOG_ERROR, "could not initialize speex encoder"); + return -1; + } + + // initialize the header + speex_init_header(&s->header, avctx->sample_rate, + avctx->channels, mode); + + // TODO: It'd be nice to support VBR here, but + // I'm uncertain what AVCodecContext options to use + // to signal whether to turn it on. + if (avctx->flags & CODEC_FLAG_QSCALE) { + spx_int32_t quality = 0; + // Map global_quality's mpeg 1/2/4 scale into Speex's 0-10 scale + if (avctx->global_quality > FF_LAMBDA_MAX) + quality = 0; // lowest possible quality + else + quality = (spx_int32_t)((FF_LAMBDA_MAX-avctx->global_quality)*10.0/FF_LAMBDA_MAX); + speex_encoder_ctl(s->enc_state, SPEEX_SET_QUALITY, &quality); + } else { + // default to CBR + if (avctx->bit_rate > 0) + speex_encoder_ctl(s->enc_state, SPEEX_SET_BITRATE, &avctx->bit_rate); + // otherwise just take the default quality setting + } + // reset the bit-rate to the actual bit rate speex will use + speex_encoder_ctl(s->enc_state, SPEEX_GET_BITRATE, &s->header.bitrate); + avctx->bit_rate = s->header.bitrate; + + // get the actual sample rate + speex_encoder_ctl(s->enc_state, SPEEX_GET_SAMPLING_RATE, &s->header.rate); + avctx->sample_rate = s->header.rate; + + // get the frame-size. To align with FLV, we're going to put 2 frames + // per packet. If someone can tell me how to make this configurable + // from the avcodec contents, I'll mod this so it's not hard-coded. + // but without this, FLV files with speex data won't play correctly + // in flash player 10. + speex_encoder_ctl(s->enc_state, SPEEX_GET_FRAME_SIZE, &s->header.frame_size); + s->header.frames_per_packet = 2; // Need for FLV container support + avctx->frame_size = s->header.frame_size*s->header.frames_per_packet; + + // and we'll put a speex header packet into extradata so that muxers + // can use it. + avctx->extradata = speex_header_to_packet(&s->header, &avctx->extradata_size); + return 0; +} + +static av_cold int libspeex_encode_frame( + AVCodecContext *avctx, uint8_t *frame, + int buf_size, void *data) +{ + LibSpeexEncContext *s = (LibSpeexEncContext*)avctx->priv_data; + int i = 0; + + if (!data) + // nothing to flush + return 0; + + speex_bits_reset(&s->bits); + for(i = 0; i < s->header.frames_per_packet; i++) + { + if (avctx->sample_fmt == SAMPLE_FMT_FLT) + { + if (avctx->channels == 2) { + speex_encode_stereo( + (float*)data+i*s->header.frame_size, + s->header.frame_size, + &s->bits); + } + speex_encode(s->enc_state, + (float*)data+i*s->header.frame_size, &s->bits); + } else { + if (avctx->channels == 2) { + speex_encode_stereo_int( + (spx_int16_t*)data+i*s->header.frame_size, + s->header.frame_size, + &s->bits); + } + speex_encode_int(s->enc_state, + (spx_int16_t*)data+i*s->header.frame_size, &s->bits); + } + } + // put in a terminator so this will fit in a OGG or FLV packet + speex_bits_insert_terminator(&s->bits); + + if (buf_size >= speex_bits_nbytes(&s->bits)) { + return speex_bits_write(&s->bits, frame, buf_size); + } else { + av_log(avctx, AV_LOG_ERROR, "output buffer too small"); + return -1; + } +} + +static av_cold int libspeex_encode_close(AVCodecContext *avctx) +{ + LibSpeexEncContext *s = (LibSpeexEncContext*)avctx->priv_data; + + speex_bits_destroy(&s->bits); + speex_encoder_destroy(s->enc_state); + s->enc_state = 0; + if (avctx->extradata) + speex_header_free(avctx->extradata); + avctx->extradata = 0; + avctx->extradata_size = 0; + + return 0; +} + +AVCodec ff_libspeex_encoder = { + "libspeex", + AVMEDIA_TYPE_AUDIO, + CODEC_ID_SPEEX, + sizeof(LibSpeexEncContext), + libspeex_encode_init, + libspeex_encode_frame, + libspeex_encode_close, + 0, + .capabilities = CODEC_CAP_DELAY, + .supported_samplerates = (const int[]){8000, 16000, 32000, 0}, + .sample_fmts = (enum SampleFormat[]){SAMPLE_FMT_S16,SAMPLE_FMT_FLT,SAMPLE_FMT_NONE}, + .long_name = NULL_IF_CONFIG_SMALL("libspeex Speex Encoder"), +}; From 97437dada65833d09604c40f01c874a676de3c32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2011 16:28:53 +0200 Subject: [PATCH 0254/1119] h264dec: Prevent CABAC and CAVLC bitsteram overreading Signed-off-by: Michael Niedermayer (cherry picked from commit 23f5cff92cdcfa55a735c458fcb5f95c0e0f3b1f) --- libavcodec/h264.c | 18 +++++++++++------- libavcodec/h264.h | 2 ++ 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 3701bc9b73..ee2c6a31a0 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -183,20 +183,24 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_l i-= RS; } - if(i>=length-1){ //no escaped 0 - *dst_length= length; - *consumed= length+1; //+1 for the header - return src; - } - bufidx = h->nal_unit_type == NAL_DPC ? 1 : 0; // use second escape buffer for inter data - av_fast_malloc(&h->rbsp_buffer[bufidx], &h->rbsp_buffer_size[bufidx], length+FF_INPUT_BUFFER_PADDING_SIZE); + si=h->rbsp_buffer_size[bufidx]; + av_fast_malloc(&h->rbsp_buffer[bufidx], &h->rbsp_buffer_size[bufidx], length+FF_INPUT_BUFFER_PADDING_SIZE+MAX_MBPAIR_SIZE); dst= h->rbsp_buffer[bufidx]; + if(si != h->rbsp_buffer_size[bufidx]) + memset(dst + length, 0, FF_INPUT_BUFFER_PADDING_SIZE+MAX_MBPAIR_SIZE); if (dst == NULL){ return NULL; } + if(i>=length-1){ //no escaped 0 + *dst_length= length; + *consumed= length+1; //+1 for the header + memcpy(dst, src, length); + return dst; + } + //printf("decoding esc\n"); memcpy(dst, src, i); si=di=i; diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 4188ad922c..76e9832975 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -53,6 +53,8 @@ #define MAX_DELAYED_PIC_COUNT 16 +#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes + /* Compiling in interlaced support reduces the speed * of progressive decoding by about 2%. */ #define ALLOW_INTERLACE From 54544100a3ad24a81275f013f278e7f41f1229f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2011 07:23:00 +0200 Subject: [PATCH 0255/1119] h264: prevent an out of array read in decode_nal_units() Signed-off-by: Michael Niedermayer (cherry picked from commit ea0ac11e52b9cf5264f3d4eb7543e760c2a5fbb4) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ee2c6a31a0..12bed3a919 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3672,7 +3672,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ s->workaround_bugs |= FF_BUG_TRUNCATED; if(!(s->workaround_bugs & FF_BUG_TRUNCATED)){ - while(ptr[dst_length - 1] == 0 && dst_length > 0) + while(dst_length > 0 && ptr[dst_length - 1] == 0) dst_length--; } bit_length= !dst_length ? 0 : (8*dst_length - ff_h264_decode_rbsp_trailing(h, ptr + dst_length - 1)); From 4601765ee8fa4930cc3210307c5689911f3ddeba Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:40 +0200 Subject: [PATCH 0256/1119] Fixed segfault on memory allocation failure in ape demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 1632a576e68c27229b31f0d1203ff90220e0e024) --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index bda6b32b1d..b0f2394ad8 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -270,6 +270,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) if (ape->seektablelength > 0) { ape->seektable = av_malloc(ape->seektablelength); + if (!ape->seektable) + return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = avio_rl32(pb); } From 2bf9a09a2c10bacca1cc05950aa79030e7b68fa4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 18:54:01 +0200 Subject: [PATCH 0257/1119] Fixed segfaults on corruped smacker streams in the decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit d07ac1853da29ea696243160e02154ebf758d1ee) --- libavcodec/smacker.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b8eab837ff..d215e3289c 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -134,11 +134,13 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return -1; } b1 = get_bits_count(gb); - i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3); + i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; b2 = get_bits_count(gb); - i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3); + i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; + if (i1 < 0 || i2 < 0) + return -1; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { ctx->last[0] = hc->current; @@ -290,7 +292,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_tbl[0] = 0; smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); @@ -298,7 +301,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_tbl[0] = 0; smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); @@ -306,7 +310,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_tbl[0] = 0; smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size); + if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); @@ -314,7 +319,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_tbl[0] = 0; smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size); + if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size)) + return -1; } return 0; @@ -523,8 +529,8 @@ static av_cold int decode_init(AVCodecContext *avctx) return -1; } - decode_header_trees(c); - + if (decode_header_trees(c)) + return -1; return 0; } @@ -653,6 +659,8 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); + if (stereo + unp_size > data_size) + return -1; for(i = 0; i < stereo; i++) *samples8++ = pred[i]; for(i = 0; i < unp_size; i++) { From 8511c141e02d5a8c63d9cf1e8aef1d1135a7f7fa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 18:51:52 +0200 Subject: [PATCH 0258/1119] Fixed segfault on corrupted smacker streams in the demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit d0121e8d969cde74fa7dbd96d3602109b051e701) --- libavformat/smacker.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 29a66e79fa..c22f6daa73 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -291,6 +291,10 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) frame_size -= 4; smk->curstream++; smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); + if (!smk->bufs[smk->curstream]) { + smk->buf_sizes[smk->curstream] = 0; + return AVERROR(ENOMEM); + } smk->buf_sizes[smk->curstream] = size; ret = avio_read(s->pb, smk->bufs[smk->curstream], size); if(ret != size) @@ -299,7 +303,9 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } flags >>= 1; } - if (av_new_packet(pkt, frame_size + 768)) + if (frame_size < 0) + return AVERROR_INVALIDDATA; + if (av_new_packet(pkt, frame_size + 769)) return AVERROR(ENOMEM); if(smk->frm_size[smk->cur_frame] & 1) palchange |= 2; From c9316b7c6d30e87f469ca6d9651f26eff5f4c6e9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:43 +0200 Subject: [PATCH 0259/1119] Fixed invalid read access on extra data in cinepak decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit dc255275f6293a060518271a151e1ce75499e874) --- libavcodec/cinepak.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 57657afaa4..0b822d2b7a 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -336,7 +336,8 @@ static int cinepak_decode (CinepakContext *s) * If the frame header is followed by the bytes FE 00 00 06 00 00 then * this is probably one of the two known files that have 6 extra bytes * after the frame header. Else, assume 2 extra bytes. */ - if ((s->data[10] == 0xFE) && + if (s->size >= 16 && + (s->data[10] == 0xFE) && (s->data[11] == 0x00) && (s->data[12] == 0x00) && (s->data[13] == 0x06) && From 812a4a5813c447e4fdb6b6a46462f1f34f539c51 Mon Sep 17 00:00:00 2001 From: Joakim Plate Date: Sun, 11 Sep 2011 21:23:53 +0200 Subject: [PATCH 0260/1119] gitignore: add files to git ignore generated on a win32 build Signed-off-by: Michael Niedermayer (cherry picked from commit 5a6f4a130226e04e0db3bd7c7c1ff76fe3f06080) --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 3e8ed0046e..c831335517 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,9 @@ *-example *-test *_g +*.def +*.dll +*.lib config.* doc/*.1 doc/*.html From b70a37f854df8b61be2055df352dfec40defce95 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 10 Sep 2011 10:23:50 -0400 Subject: [PATCH 0261/1119] doc: explain __STDC_CONSTANT_MACROS in C++ In order to build C++ programs using libav you need -D__STDC_CONSTANT_MACROS appened to the CXXFLAGS. (cherry picked from commit d162994a81a311a8dd212a50a2d2ad2b088df97f) --- doc/faq.texi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/faq.texi b/doc/faq.texi index 225f139b3c..daa4615a3c 100644 --- a/doc/faq.texi +++ b/doc/faq.texi @@ -447,6 +447,11 @@ encompassing your FFmpeg includes using @code{extern "C"}. See @url{http://www.parashift.com/c++-faq-lite/mixing-c-and-cpp.html#faq-32.3} +@section I'm using libavutil from within my C++ application but the compiler complains about 'UINT64_C' was not declared in this scope + +Libav is a pure C project using C99 math features, in order to enable C++ +to use them you have to append -D__STDC_CONSTANT_MACROS to your CXXFLAGS + @section I have a file in memory / a API different from *open/*read/ libc how do I use it with libavformat? You have to implement a URLProtocol, see @file{libavformat/file.c} in From be82df9e129995321917f47416ac755551915cb0 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 23:37:44 +0200 Subject: [PATCH 0262/1119] Fix writes out of bounds in the ogg demuxer. Between ogg_save() and ogg_restore() calls, the number of streams could have been reduced. Signed-off-by: Michael Niedermayer (cherry picked from commit bc851a2946c64eefb96145b70e2190ff7d5a4827) --- libavformat/oggdec.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index bb1df35619..6ae4d804ce 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -29,7 +29,6 @@ DEALINGS IN THE SOFTWARE. **/ - #include #include "oggdec.h" #include "avformat.h" @@ -93,14 +92,24 @@ static int ogg_restore(AVFormatContext *s, int discard) ogg->state = ost->next; if (!discard){ + struct ogg_stream *old_streams = ogg->streams; + for (i = 0; i < ogg->nstreams; i++) av_free (ogg->streams[i].buf); avio_seek (bc, ost->pos, SEEK_SET); ogg->curidx = ost->curidx; ogg->nstreams = ost->nstreams; - memcpy(ogg->streams, ost->streams, - ost->nstreams * sizeof(*ogg->streams)); + ogg->streams = av_realloc (ogg->streams, + ogg->nstreams * sizeof (*ogg->streams)); + + if (ogg->streams) { + memcpy(ogg->streams, ost->streams, + ost->nstreams * sizeof(*ogg->streams)); + } else { + av_free(old_streams); + ogg->nstreams = 0; + } } av_free (ost); From f0869d3721a21c022f564251f93eb095843490f1 Mon Sep 17 00:00:00 2001 From: Joakim Plate Date: Mon, 12 Sep 2011 04:06:55 +0200 Subject: [PATCH 0263/1119] asf: Check return value of more avio_seek calls This reduces problems when underlying protocol is not seekable even if marked as such or if the file has been cut short. Signed-off-by: Michael Niedermayer (cherry picked from commit ac1d489320f476c18d6a8125f73389aecb73f3d3) --- libavformat/asfdec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index db00964c8a..033bdede13 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -1158,7 +1158,8 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, int64_t *ppos, if (s->packet_size > 0) pos= (pos+s->packet_size-1-s->data_offset)/s->packet_size*s->packet_size+ s->data_offset; *ppos= pos; - avio_seek(s->pb, pos, SEEK_SET); + if (avio_seek(s->pb, pos, SEEK_SET) < 0) + return AV_NOPTS_VALUE; //printf("asf_read_pts\n"); asf_reset_header(s); @@ -1200,7 +1201,9 @@ static void asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t current_pos= avio_tell(s->pb); int i; - avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET); + if(avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET) < 0) + return; + ff_get_guid(s->pb, &g); /* the data object can be followed by other top-level objects, @@ -1272,7 +1275,8 @@ static int asf_read_seek(AVFormatContext *s, int stream_index, int64_t pts, int /* do the seek */ av_log(s, AV_LOG_DEBUG, "SEEKTO: %"PRId64"\n", pos); - avio_seek(s->pb, pos, SEEK_SET); + if(avio_seek(s->pb, pos, SEEK_SET) < 0) + return -1; asf_reset_header(s); return 0; } From 4a721b18edfdea44643ff9bb6ed80ee176e71f1b Mon Sep 17 00:00:00 2001 From: Joakim Plate Date: Mon, 12 Sep 2011 04:07:36 +0200 Subject: [PATCH 0264/1119] avidec: Check return value of more avio_seek calls The move of avio_seek in avi_read_seek is to avoiding modifying state if the seek would fail. Signed-off-by: Michael Niedermayer (cherry picked from commit f9e083a156f19094cb6fcd134c1ca4ca899a1a6d) --- libavformat/avidec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 80620dadba..6fedaf7f8e 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -220,13 +220,18 @@ static int read_braindead_odml_indx(AVFormatContext *s, int frame_num){ return -1; } - avio_seek(pb, offset+8, SEEK_SET); + if(avio_seek(pb, offset+8, SEEK_SET) < 0) + return -1; avi->odml_depth++; read_braindead_odml_indx(s, frame_num); avi->odml_depth--; frame_num += duration; - avio_seek(pb, pos, SEEK_SET); + if(avio_seek(pb, pos, SEEK_SET) < 0) { + av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index"); + return -1; + } + } } avi->index_loaded=1; @@ -1325,11 +1330,13 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp /* the av_index_search_timestamp call above. */ assert(stream_index == 0); + if(avio_seek(s->pb, pos, SEEK_SET) < 0) + return -1; + /* Feed the DV video stream version of the timestamp to the */ /* DV demux so it can synthesize correct timestamps. */ dv_offset_reset(avi->dv_demux, timestamp); - avio_seek(s->pb, pos, SEEK_SET); avi->stream_index= -1; return 0; } @@ -1380,7 +1387,8 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp } /* do the seek */ - avio_seek(s->pb, pos_min, SEEK_SET); + if (avio_seek(s->pb, pos_min, SEEK_SET) < 0) + return -1; avi->stream_index= -1; return 0; } From 8449cebc90dcef1fda4c1fc83d8ce2651b029349 Mon Sep 17 00:00:00 2001 From: Joakim Plate Date: Mon, 12 Sep 2011 04:08:06 +0200 Subject: [PATCH 0265/1119] rmdec: Check return value of more avio_seek calls Signed-off-by: Michael Niedermayer (cherry picked from commit 7e4111cfe2f5d03af8d608757e897145aa252af8) --- libavformat/rmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c2eee815c2..b7c57af93a 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -905,7 +905,9 @@ static int64_t rm_read_dts(AVFormatContext *s, int stream_index, if(rm->old_format) return AV_NOPTS_VALUE; - avio_seek(s->pb, pos, SEEK_SET); + if (avio_seek(s->pb, pos, SEEK_SET) < 0) + return AV_NOPTS_VALUE; + rm->remaining_len=0; for(;;){ int seq=1; From 85b1e265c9dafaf60e120db73ce795eea24e1fad Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 12 Sep 2011 17:45:25 +0200 Subject: [PATCH 0266/1119] gitignore: ignore .exp files, as generated by the MS linker on win32 Ignore another filetype, as generated by Microsofts lib.exe when creating the import libraries. (cherry picked from commit 73211630110886d849e3de837ca80280a2df2b46) --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index c831335517..bff585e806 100644 --- a/.gitignore +++ b/.gitignore @@ -10,6 +10,7 @@ *.def *.dll *.lib +*.exp config.* doc/*.1 doc/*.html From b1ceca016a498f2629f5cf1faa3d7981ab825f5a Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 12 Sep 2011 09:40:42 +0200 Subject: [PATCH 0267/1119] smacker demuxer: handle possible av_realloc() failure. Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index c22f6daa73..ad6f265c83 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -286,15 +286,16 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) for(i = 0; i < 7; i++) { if(flags & 1) { int size; + uint8_t *tmpbuf; + size = avio_rl32(s->pb) - 4; frame_size -= size; frame_size -= 4; smk->curstream++; - smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); - if (!smk->bufs[smk->curstream]) { - smk->buf_sizes[smk->curstream] = 0; + tmpbuf = av_realloc(smk->bufs[smk->curstream], size); + if (!tmpbuf) return AVERROR(ENOMEM); - } + smk->bufs[smk->curstream] = tmpbuf; smk->buf_sizes[smk->curstream] = size; ret = avio_read(s->pb, smk->bufs[smk->curstream], size); if(ret != size) From ad6177e52c86343b1a9043e56525d01d070a2009 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 12 Sep 2011 11:39:53 +0200 Subject: [PATCH 0268/1119] rv34: check that subsequent slices have the same type as first one. This prevents some crashes when corrupted bitstream reports e.g. P-type slice in I-frame. Official RealVideo decoder demands all slices to be of the same type too. Signed-off-by: Anton Khirnov (cherry picked from commit 23a1f0c59241465ba30103388029a7afc0ead909) --- libavcodec/rv34.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 8cec3634de..f0f472dcaf 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1305,6 +1305,13 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int r->next_pts = r->cur_pts; } s->mb_x = s->mb_y = 0; + } else { + int slice_type = r->si.type ? r->si.type : AV_PICTURE_TYPE_I; + + if (slice_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); + return AVERROR_INVALIDDATA; + } } r->si.end = end; From 21587509ec54da2b7dbd4309d971b728ed3d1e17 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:58:35 +0200 Subject: [PATCH 0269/1119] segafilm: Check for memory allocation failures in segafilm demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 7cbe02575868e7d25acf3d319ece664702700f0a) --- libavformat/segafilm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index ae194d496b..e712ebfbb1 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -167,6 +167,8 @@ static int film_read_header(AVFormatContext *s, if(film->sample_count >= UINT_MAX / sizeof(film_sample)) return -1; film->sample_table = av_malloc(film->sample_count * sizeof(film_sample)); + if (!film->sample_table) + return AVERROR(ENOMEM); for(i=0; inb_streams; i++) av_set_pts_info(s->streams[i], 33, 1, film->base_clock); @@ -238,6 +240,10 @@ static int film_read_packet(AVFormatContext *s, av_free(film->stereo_buffer); film->stereo_buffer_size = sample->sample_size; film->stereo_buffer = av_malloc(film->stereo_buffer_size); + if (!film->stereo_buffer) { + film->stereo_buffer_size = 0; + return AVERROR(ENOMEM); + } } pkt->pos= avio_tell(pb); From 605f89ffc9dfd278d241d0425e9a8d93d535bbdd Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 21:09:57 +0200 Subject: [PATCH 0270/1119] segafilm: Fix potential division by 0 on corrupted segafilm streams in the demuxer. Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index e712ebfbb1..a9b9667d14 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -111,11 +111,16 @@ static int film_read_header(AVFormatContext *s, film->audio_samplerate = AV_RB16(&scratch[24]); film->audio_channels = scratch[21]; film->audio_bits = scratch[22]; - if (film->audio_bits == 8) - film->audio_type = CODEC_ID_PCM_S8; - else if (film->audio_bits == 16) - film->audio_type = CODEC_ID_PCM_S16BE; - else + if (scratch[23] == 2) + film->audio_type = CODEC_ID_ADPCM_ADX; + else if (film->audio_channels > 0) { + if (film->audio_bits == 8) + film->audio_type = CODEC_ID_PCM_S8; + else if (film->audio_bits == 16) + film->audio_type = CODEC_ID_PCM_S16BE; + else + film->audio_type = CODEC_ID_NONE; + } else film->audio_type = CODEC_ID_NONE; } @@ -189,8 +194,12 @@ static int film_read_header(AVFormatContext *s, film->sample_table[i].pts *= film->base_clock; film->sample_table[i].pts /= film->audio_samplerate; - audio_frame_counter += (film->sample_table[i].sample_size / - (film->audio_channels * film->audio_bits / 8)); + if (film->audio_type == CODEC_ID_ADPCM_ADX) + audio_frame_counter += (film->sample_table[i].sample_size * 32 / + (18 * film->audio_channels)); + else if (film->audio_type != CODEC_ID_NONE) + audio_frame_counter += (film->sample_table[i].sample_size / + (film->audio_channels * film->audio_bits / 8)); } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; From 9cee26dfdebe25f0370172b939bd2e0c9e43c2df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Sep 2011 23:45:21 +0200 Subject: [PATCH 0271/1119] smacker: add forgotten * found by fenrir Signed-off-by: Michael Niedermayer (cherry picked from commit f98edc73c599badaa0c075fbffb519a150d03d80) --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index d215e3289c..2a85bda172 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -659,7 +659,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); - if (stereo + unp_size > data_size) + if (stereo + unp_size > *data_size) return -1; for(i = 0; i < stereo; i++) *samples8++ = pred[i]; From e952ff69810d370c361ece5dfe33a7bcd7a64e40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 01:14:44 +0200 Subject: [PATCH 0272/1119] smacker: fix a few off by 1 errors stereo & 16bit is untested due to lack of samples Signed-off-by: Michael Niedermayer (cherry picked from commit d67e74929c2c0d09383c2f4a9c904bfdd839c67c) --- libavcodec/smacker.c | 10 ++- tests/ref/fate/smacker | 160 ++++++++++++++++++++--------------------- 2 files changed, 84 insertions(+), 86 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 2a85bda172..be4bc2336f 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -625,9 +625,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) pred[i] = av_bswap16(get_bits(&gb, 16)); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples++ = pred[i]; - for(i = 0; i < unp_size / 2; i++) { + for(; i < unp_size / 2; i++) { if(i & stereo) { if(vlc[2].table) res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); @@ -659,11 +659,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); - if (stereo + unp_size > *data_size) - return -1; - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; - for(i = 0; i < unp_size; i++) { + for(; i < unp_size; i++) { if(i & stereo){ if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker index 85c4a9817c..df88a4ae8a 100644 --- a/tests/ref/fate/smacker +++ b/tests/ref/fate/smacker @@ -1,5 +1,5 @@ 0, 0, 192000, 0x8926d7fc -1, 0, 47240, 0xad778a78 +1, 0, 47240, 0x9974897c 0, 6390, 192000, 0x2506d384 0, 12780, 192000, 0x9a8dc93a 0, 19170, 192000, 0x4badb7f2 @@ -15,163 +15,163 @@ 0, 83070, 192000, 0x1a3d7971 0, 89460, 192000, 0xa1a65bd5 0, 95850, 192000, 0x344957b9 -1, 96408, 3128, 0x4c1564ae +1, 96408, 3128, 0x7e4064b4 0, 102240, 192000, 0xe23b5f4e -1, 102792, 3128, 0x34553309 +1, 102792, 3128, 0x80883301 0, 108630, 192000, 0xb5c2710b -1, 109176, 3136, 0xb474d246 +1, 109176, 3136, 0x2ad2d341 0, 115020, 192000, 0x7a25938f -1, 115576, 3128, 0x87b868ea +1, 115576, 3128, 0xda8468e3 0, 121410, 192000, 0x0a84e4c9 -1, 121959, 3136, 0xf1516dc3 +1, 121959, 3136, 0x9d6f6cdf 0, 127800, 192000, 0x94209b0d -1, 128359, 3128, 0x867563cb +1, 128359, 3128, 0x1aaa64b5 0, 134190, 192000, 0xf940e51f -1, 134743, 3128, 0x5200728c +1, 134743, 3128, 0x9182728b 0, 140580, 192000, 0xb9fdec42 -1, 141127, 3136, 0xeda118a0 +1, 141127, 3136, 0xfa8e17b3 0, 146970, 192000, 0x7b04a376 -1, 147527, 3128, 0x03e2c1d6 +1, 147527, 3128, 0x0dc3c1cf 0, 153360, 192000, 0x5fe0026b -1, 153910, 3136, 0xc3e862b6 +1, 153910, 3136, 0x0109639d 0, 159750, 192000, 0x775aca39 -1, 160310, 3128, 0x937a13be +1, 160310, 3128, 0x6d8a12d9 0, 166140, 192000, 0xae14fb32 -1, 166694, 3128, 0x7b1b9577 +1, 166694, 3128, 0x4b9a9597 0, 172530, 192000, 0x661106e5 -1, 173078, 3136, 0x042c7113 +1, 173078, 3136, 0x9112710e 0, 178920, 192000, 0xe8658dbf -1, 179478, 3128, 0xac48f451 +1, 179478, 3128, 0x8cccf522 0, 185310, 192000, 0x5359f0f9 -1, 185861, 3128, 0x018fbbe9 +1, 185861, 3128, 0x6594bbf3 0, 191700, 192000, 0xc1ec80f4 -1, 192245, 3136, 0xc62aa7ce +1, 192245, 3136, 0xd878a7d5 0, 198090, 192000, 0xca53806b -1, 198645, 3128, 0x106e3924 +1, 198645, 3128, 0xaa6e3905 0, 204480, 192000, 0xf0766b2e -1, 205029, 3136, 0xfeb82ecc +1, 205029, 3136, 0x2a062e04 0, 210870, 192000, 0x39962da8 -1, 211429, 3128, 0x7e7c005b +1, 211429, 3128, 0x84e4006a 0, 217260, 192000, 0x4171c37f -1, 217812, 3128, 0x949d3560 +1, 217812, 3128, 0x85183633 0, 223650, 192000, 0x3abf3b46 -1, 224196, 3136, 0x02bd4aff +1, 224196, 3136, 0xb62d4b02 0, 230040, 192000, 0xecc68313 -1, 230596, 3128, 0x4aaf4715 +1, 230596, 3128, 0xe209462a 0, 236430, 192000, 0xea339baf -1, 236980, 3136, 0x2958825f +1, 236980, 3136, 0x57c4824b 0, 242820, 192000, 0x616b8f16 -1, 243380, 3128, 0x99a5914d +1, 243380, 3128, 0x664a9163 0, 249210, 192000, 0xf77a8581 -1, 249763, 3128, 0xe67277a4 +1, 249763, 3128, 0xb4287874 0, 255600, 192000, 0xb315678b -1, 256147, 3136, 0x11296973 +1, 256147, 3136, 0xde626885 0, 261990, 192000, 0x0a4a5218 -1, 262547, 3128, 0x5cc362f7 +1, 262547, 3128, 0x919763c2 0, 268380, 192000, 0x98802be4 -1, 268931, 3128, 0x0c5e6586 +1, 268931, 3128, 0xa4f664e1 0, 274770, 192000, 0xa2f0fd94 -1, 275314, 3136, 0xe940b0f9 +1, 275314, 3136, 0xa0bab0d4 0, 281160, 192000, 0x6671c84f -1, 281714, 3128, 0x2c9292cc +1, 281714, 3128, 0xe938939c 0, 287550, 192000, 0x38327e31 -1, 288098, 3136, 0xa807c096 +1, 288098, 3136, 0x3679bfc7 0, 293940, 192000, 0xb85d3e08 -1, 294498, 3128, 0x9d2254d8 +1, 294498, 3128, 0xc96c55c3 0, 300330, 192000, 0xdc69eba9 -1, 300882, 3128, 0xe68015b0 +1, 300882, 3128, 0x119114d6 0, 306720, 192000, 0x8955a0b3 -1, 307265, 3136, 0x65d58029 +1, 307265, 3136, 0x42f3800f 0, 313110, 192000, 0x714a548b -1, 313665, 3128, 0xcffcc48c +1, 313665, 3128, 0x4250c4ad 0, 319500, 192000, 0xc0471de9 -1, 320049, 3136, 0x8c704944 +1, 320049, 3136, 0x5cdd4925 0, 325890, 192000, 0x2e16e039 -1, 326449, 3128, 0x1459231d +1, 326449, 3128, 0xa4c12360 0, 332280, 192000, 0x9fa4b033 -1, 332833, 3128, 0x7dde4839 +1, 332833, 3128, 0x849f48de 0, 338670, 192000, 0x4a0f9402 -1, 339216, 3136, 0xbb6890e2 +1, 339216, 3136, 0x6acd8ff9 0, 345060, 192000, 0x1f3e6843 -1, 345616, 3128, 0xcd9a8524 +1, 345616, 3128, 0xb2758556 0, 351450, 192000, 0x31774850 -1, 352000, 3128, 0xa244fc31 +1, 352000, 3128, 0x10f2fcb1 0, 357840, 192000, 0x9d5336a2 -1, 358384, 3136, 0x504e2bd9 +1, 358384, 3136, 0xf0f02b23 0, 364230, 192000, 0xf7de27a2 -1, 364784, 3128, 0x655858d8 +1, 364784, 3128, 0x64f759c6 0, 370620, 192000, 0x98c717ce -1, 371167, 3136, 0x46027610 +1, 371167, 3136, 0x7ec075e3 0, 377010, 192000, 0x615b10b8 -1, 377567, 3128, 0x4192d5e3 +1, 377567, 3128, 0xf981d51e 0, 383400, 192000, 0xd5bc0e7e -1, 383951, 3128, 0x21d2e7fe +1, 383951, 3128, 0xc622e8b9 0, 389790, 192000, 0xd5bc0e7e -1, 390335, 3136, 0x7c93e329 +1, 390335, 3136, 0xf632e2f8 0, 396180, 192000, 0xd5bc0e7e -1, 396735, 3128, 0xa67718c0 +1, 396735, 3128, 0xda561864 0, 402570, 192000, 0xd5bc0e7e -1, 403118, 3136, 0x9bb6e8a3 +1, 403118, 3136, 0x14d2e888 0, 408960, 192000, 0xd5bc0e7e -1, 409518, 3128, 0x0933b7a6 +1, 409518, 3128, 0x015bb869 0, 415350, 192000, 0xd5bc0e7e -1, 415902, 3128, 0x07f1fb57 +1, 415902, 3128, 0xedb1fb62 0, 421740, 192000, 0xd5bc0e7e -1, 422286, 3136, 0x8a050cfd +1, 422286, 3136, 0xe0560c41 0, 428130, 192000, 0xd5bc0e7e -1, 428686, 3128, 0xdb773c0b +1, 428686, 3128, 0x14773c9a 0, 434520, 192000, 0xd5bc0e7e -1, 435069, 3136, 0xd1281c53 +1, 435069, 3136, 0x850f1c82 0, 440910, 192000, 0xd5bc0e7e -1, 441469, 3128, 0x9f395324 +1, 441469, 3128, 0xb0bd5347 0, 447300, 192000, 0xd5bc0e7e -1, 447853, 3128, 0x5f13edec +1, 447853, 3128, 0x8f82edbf 0, 453690, 192000, 0xd5bc0e7e -1, 454237, 3136, 0x871cbecf +1, 454237, 3136, 0x493abee2 0, 460080, 192000, 0xd5bc0e7e -1, 460637, 3128, 0x799eff3e +1, 460637, 3128, 0xf5daff3f 0, 466470, 192000, 0xd5bc0e7e -1, 467020, 3128, 0x3f902762 +1, 467020, 3128, 0x78ad2690 0, 472860, 192000, 0xd5bc0e7e -1, 473404, 3136, 0x29f8bb04 +1, 473404, 3136, 0x490ebafc 0, 479250, 192000, 0xd5bc0e7e -1, 479804, 3128, 0xf3523ee9 +1, 479804, 3128, 0x70333fd2 0, 485640, 192000, 0xd5bc0e7e -1, 486188, 3136, 0x4405c435 +1, 486188, 3136, 0x8cb1c350 0, 492030, 192000, 0xd5bc0e7e -1, 492588, 3128, 0x892957cb +1, 492588, 3128, 0x8bd057cb 0, 498420, 192000, 0xd5bc0e7e -1, 498971, 3128, 0xdf483dbd +1, 498971, 3128, 0x161b3dbc 0, 504810, 192000, 0xd5bc0e7e -1, 505355, 3136, 0x5e8ab797 +1, 505355, 3136, 0xb47fb88a 0, 511200, 192000, 0xd5bc0e7e -1, 511755, 3128, 0x92e13820 +1, 511755, 3128, 0x474b381e 0, 517590, 192000, 0xd5bc0e7e -1, 518139, 3136, 0xfde719b6 +1, 518139, 3136, 0x07c519bb 0, 523980, 192000, 0xd5bc0e7e -1, 524539, 3128, 0x442f17ae +1, 524539, 3128, 0x15b916c8 0, 530370, 192000, 0xd5bc0e7e -1, 530922, 3128, 0x011af61f +1, 530922, 3128, 0x0ed7f6fb 0, 536760, 192000, 0xd5bc0e7e -1, 537306, 3136, 0x4e3e3a6d +1, 537306, 3136, 0x54d6397b 0, 543150, 192000, 0xd5bc0e7e -1, 543706, 3128, 0xc11242b9 +1, 543706, 3128, 0x437242bb 0, 549540, 192000, 0xd5bc0e7e -1, 550090, 3128, 0x01415b59 +1, 550090, 3128, 0x38f05c4d 0, 555930, 192000, 0xd5bc0e7e -1, 556473, 3136, 0x302e0e55 +1, 556473, 3136, 0x5d000e59 0, 562320, 192000, 0xd5bc0e7e -1, 562873, 3128, 0x20522d04 +1, 562873, 3128, 0xdeab2d04 0, 568710, 192000, 0xd5bc0e7e -1, 569257, 3136, 0x316a697d +1, 569257, 3136, 0x77de6880 0, 575100, 192000, 0xd5bc0e7e -1, 575657, 3128, 0x6d75ee27 +1, 575657, 3128, 0xbc87ef25 0, 581490, 192000, 0xd5bc0e7e -1, 582041, 3128, 0xcb008ae8 +1, 582041, 3128, 0xc1638ade 0, 587880, 192000, 0xd5bc0e7e -1, 588424, 3136, 0xd2664b51 +1, 588424, 3136, 0xcfb64a5f 0, 594270, 192000, 0xd5bc0e7e -1, 594824, 3128, 0xdfcab728 +1, 594824, 3128, 0x90b1b826 0, 600660, 192000, 0xd5bc0e7e 1, 601208, 3136, 0x00000000 0, 607050, 192000, 0xd5bc0e7e From 1072498081a5c8656db6df124386e171d25729fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 03:52:30 +0200 Subject: [PATCH 0273/1119] vf_remove_logo: domt access vf->next->query_format() directly but use the API. This fixes a crash Signed-off-by: Michael Niedermayer (cherry picked from commit 39e0accb7a934bfe3d42324b016dd8790790746d) --- libavfilter/libmpcodecs/vf_remove_logo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/libmpcodecs/vf_remove_logo.c b/libavfilter/libmpcodecs/vf_remove_logo.c index 5f1265eab3..5498a1bd03 100644 --- a/libavfilter/libmpcodecs/vf_remove_logo.c +++ b/libavfilter/libmpcodecs/vf_remove_logo.c @@ -671,7 +671,7 @@ static pgm_structure * generate_half_size_image(vf_instance_t * vf, pgm_structur * \brief Checks if YV12 is supported by the next filter. */ static unsigned int find_best(struct vf_instance *vf){ - int is_format_okay = vf->next->query_format(vf->next, IMGFMT_YV12); + int is_format_okay = vf_next_query_format(vf, IMGFMT_YV12); if ((is_format_okay & VFCAP_CSP_SUPPORTED_BY_HW) || (is_format_okay & VFCAP_CSP_SUPPORTED)) return IMGFMT_YV12; else @@ -814,7 +814,7 @@ static int put_image(struct vf_instance *vf, mp_image_t *mpi, double pts){ static int query_format(struct vf_instance *vf, unsigned int fmt) { if (fmt == IMGFMT_YV12) - return vf->next->query_format(vf->next, IMGFMT_YV12); + return vf_next_query_format(vf, IMGFMT_YV12); else return 0; } From 56634b2328ebe7e539278e7f4a6e8fa5973a25ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 04:27:41 +0200 Subject: [PATCH 0274/1119] libavformat/utils: print ts in the "invalid dts/pts combination" case. Signed-off-by: Michael Niedermayer (cherry picked from commit 38670356f990da1efb906232768836d83356855b) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a582ddcc61..d24c7a0b5e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -995,7 +995,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, // we take the conservative approach and discard both // Note, if this is misbehaving for a H.264 file then possibly presentation_delayed is not set correctly. if(delay==1 && pkt->dts == pkt->pts && pkt->dts != AV_NOPTS_VALUE && presentation_delayed){ - av_log(s, AV_LOG_DEBUG, "invalid dts/pts combination\n"); + av_log(s, AV_LOG_DEBUG, "invalid dts/pts combination %Ld\n", pkt->dts); pkt->dts= pkt->pts= AV_NOPTS_VALUE; } From 053bc4ce8b8f3504e4184d02281fb9a6ee4947eb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 10 Sep 2011 00:32:12 +0200 Subject: [PATCH 0275/1119] Fixed size given to init_get_bits() in xan decoder. (cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85) --- libavcodec/xan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index f5d1812aec..5b22101e18 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -97,17 +97,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_huffman_decode(unsigned char *dest, const unsigned char *src, - int dest_len) +static int xan_huffman_decode(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char byte = *src++; unsigned char ival = byte + 0x16; const unsigned char * ptr = src + byte*2; + int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; GetBitContext gb; - init_get_bits(&gb, ptr, 0); // FIXME: no src size available + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { val = src[val - 0x17 + get_bits1(&gb) * byte]; @@ -272,7 +273,8 @@ static void xan_wc3_decode_frame(XanContext *s) { vector_segment = s->buf + AV_RL16(&s->buf[4]); imagedata_segment = s->buf + AV_RL16(&s->buf[6]); - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size); + xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - (huffman_segment - s->buf) ); if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); From 169e6344573af8b4dc5a6e0da8db9a9d4eaf7532 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 16:13:52 -0700 Subject: [PATCH 0276/1119] xan: Remove extra trailing newline (cherry picked from commit 350f57bd7b77b36c150540ad2aae9de42cc4dfca) --- libavcodec/xan.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 5b22101e18..1dace41e0d 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -566,4 +566,3 @@ AVCodec ff_xan_wc3_decoder = { CODEC_CAP_DR1, .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III / Xan"), }; - From b7000d05175ee87774decb4b236f773c2059707b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 16:10:03 -0700 Subject: [PATCH 0277/1119] xan: Add some buffer checks (cherry picked from commit 0872bb23b4bd2d94a8ba91070f706d1bc1c3ced8) --- libavcodec/xan.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 1dace41e0d..357593bf2d 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -108,6 +108,9 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, unsigned char *dest_end = dest + dest_len; GetBitContext gb; + if (ptr_len < 0) + return AVERROR_INVALIDDATA; + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { @@ -247,7 +250,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, } } -static void xan_wc3_decode_frame(XanContext *s) { +static int xan_wc3_decode_frame(XanContext *s) { int width = s->avctx->width; int height = s->avctx->height; @@ -267,14 +270,30 @@ static void xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; + int huffman_offset, size_offset, vector_offset, imagedata_offset; - huffman_segment = s->buf + AV_RL16(&s->buf[0]); - size_segment = s->buf + AV_RL16(&s->buf[2]); - vector_segment = s->buf + AV_RL16(&s->buf[4]); - imagedata_segment = s->buf + AV_RL16(&s->buf[6]); + if (s->size < 8) + return AVERROR_INVALIDDATA; - xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - (huffman_segment - s->buf) ); + huffman_offset = AV_RL16(&s->buf[0]); + size_offset = AV_RL16(&s->buf[2]); + vector_offset = AV_RL16(&s->buf[4]); + imagedata_offset = AV_RL16(&s->buf[6]); + + if (huffman_offset >= s->size || + size_offset >= s->size || + vector_offset >= s->size || + imagedata_offset >= s->size) + return AVERROR_INVALIDDATA; + + huffman_segment = s->buf + huffman_offset; + size_segment = s->buf + size_offset; + vector_segment = s->buf + vector_offset; + imagedata_segment = s->buf + imagedata_offset; + + if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset) < 0) + return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); @@ -360,6 +379,7 @@ static void xan_wc3_decode_frame(XanContext *s) { y += (x + size) / width; x = (x + size) % width; } + return 0; } #if RUNTIME_GAMMA @@ -521,7 +541,8 @@ static int xan_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; - xan_wc3_decode_frame(s); + if (xan_wc3_decode_frame(s) < 0) + return AVERROR_INVALIDDATA; /* release the last frame if it is allocated */ if (s->last_frame.data[0]) From fa3f7391be8536ecdf5d8547c0162c68b206043f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Sep 2011 20:48:00 +0200 Subject: [PATCH 0278/1119] h264: allow disabling bitstream overread protection by using the fast flag. Signed-off-by: Michael Niedermayer (cherry picked from commit 205c13685f36a17f406b7cd07e14b6d2a61f396a) --- libavcodec/h264.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 12bed3a919..5841b1f399 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -197,8 +197,12 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_l if(i>=length-1){ //no escaped 0 *dst_length= length; *consumed= length+1; //+1 for the header - memcpy(dst, src, length); - return dst; + if(h->s.avctx->flags2 & CODEC_FLAG2_FAST){ + return src; + }else{ + memcpy(dst, src, length); + return dst; + } } //printf("decoding esc\n"); From 6e21f03547a6fd4cb5d9e2414270b451613a3b50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ingo=20Br=C3=BCckl?= Date: Thu, 15 Sep 2011 16:19:05 +0200 Subject: [PATCH 0279/1119] Correct determination of file size and frames in VBRI headers The fields "Number of Bytes" and "Number of Frames" are mixed up. "Bytes" come first, "Frames" behind. Signed-off-by: Michael Niedermayer (cherry picked from commit 5d305c9398c043f9ae3bbc6d64a3e1dc468c1e63) --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 64f6ea8c0e..47772a4998 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -109,8 +109,8 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base) if(avio_rb16(s->pb) == 1) { /* skip delay and quality */ avio_skip(s->pb, 4); - frames = avio_rb32(s->pb); size = avio_rb32(s->pb); + frames = avio_rb32(s->pb); } } From 30d7dce94fc74a8ef8369ffe97f0b8b5484ff502 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:30 +0200 Subject: [PATCH 0280/1119] Fix potential overreads in rv34 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 9a0a64cb26bc6aaa7f29106bded8a27f3db918ee) --- libavcodec/rv34.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index f0f472dcaf..ba88916f5d 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1443,6 +1443,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = (*buf++) + 1; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 1 + 8 * slice_count; }else slice_count = avctx->slice_count; @@ -1461,7 +1462,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) - return buf_size; + return avpkt->size; for(i=0; icurrent_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } av_cold int ff_rv34_decode_end(AVCodecContext *avctx) From 4d8330d09565956ac40036e7b4af58d2d775d03e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:35 +0200 Subject: [PATCH 0281/1119] Fix js_vlc_bits value validation when joint stereo is used in cook decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 352c878de6fca57a3f2a6369e27ca442fa5f9518) --- libavcodec/cook.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 116be2fe98..192ec5bdf1 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1175,8 +1175,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return -1; } - if ((q->subpacket[s].js_vlc_bits > 6) || (q->subpacket[s].js_vlc_bits < 0)) { - av_log(avctx,AV_LOG_ERROR,"js_vlc_bits = %d, only >= 0 and <= 6 allowed!\n",q->subpacket[s].js_vlc_bits); + if ((q->subpacket[s].js_vlc_bits > 6) || (q->subpacket[s].js_vlc_bits < 2*q->subpacket[s].joint_stereo)) { + av_log(avctx,AV_LOG_ERROR,"js_vlc_bits = %d, only >= %d and <= 6 allowed!\n", + q->subpacket[s].js_vlc_bits, 2*q->subpacket[s].joint_stereo); return -1; } From 24e0a9e451e1aae427307a919d78f6790f4e413c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:33 +0200 Subject: [PATCH 0282/1119] Reject audio tracks with invalid interleaver parameters in RM demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 4907f813581acd6cf68f1be9eb163464503e8208) --- libavformat/rmdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index b7c57af93a..cacca9bc89 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -192,8 +192,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, ast->audio_framesize = st->codec->block_align; st->codec->block_align = coded_framesize; - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ - av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h too large\n"); + if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || + ast->audio_framesize >= UINT_MAX / sub_packet_h){ + av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h is invalid\n"); return -1; } @@ -229,8 +230,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0) return ret; - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ - av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h too large\n"); + if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || + ast->audio_framesize >= UINT_MAX / sub_packet_h){ + av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h is invalid\n"); return -1; } From ed9e561490d70e317659f9e406c7920242e509eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2011 19:40:25 +0200 Subject: [PATCH 0283/1119] rv34: check for size mismatch Signed-off-by: Michael Niedermayer (cherry picked from commit 35f38b3ab9d755aede5bce8abbe1cb9c07027f8a) --- libavcodec/rv34.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index ba88916f5d..0e5f868390 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1312,6 +1312,10 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); return AVERROR_INVALIDDATA; } + if (s->width != r->si.width || s->height != r->si.height) { + av_log(s->avctx, AV_LOG_ERROR, "Size mismatch\n"); + return AVERROR_INVALIDDATA; + } } r->si.end = end; From 764ffdd0ec069cd648fd069d6de233519a65d49e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2011 21:53:21 +0200 Subject: [PATCH 0284/1119] check all svq3_get_ue_golomb() returns. Signed-off-by: Michael Niedermayer (cherry picked from commit 979bea13003ef489d95d2538ac2fb1c26c6f103b) --- libavcodec/dirac.c | 16 ++++++++-------- libavcodec/rv30.c | 4 ++-- libavcodec/rv40.c | 5 ++++- libavcodec/svq3.c | 12 ++++++------ 4 files changed, 20 insertions(+), 17 deletions(-) diff --git a/libavcodec/dirac.c b/libavcodec/dirac.c index af0d799acc..1582a5f8f2 100644 --- a/libavcodec/dirac.c +++ b/libavcodec/dirac.c @@ -120,7 +120,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, // chroma subsampling if (get_bits1(gb)) source->chroma_format = svq3_get_ue_golomb(gb); - if (source->chroma_format > 2) { + if (source->chroma_format > 2U) { av_log(avctx, AV_LOG_ERROR, "Unknown chroma format %d\n", source->chroma_format); return -1; @@ -128,14 +128,14 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, if (get_bits1(gb)) source->interlaced = svq3_get_ue_golomb(gb); - if (source->interlaced > 1) + if (source->interlaced > 1U) return -1; // frame rate if (get_bits1(gb)) { source->frame_rate_index = svq3_get_ue_golomb(gb); - if (source->frame_rate_index > 10) + if (source->frame_rate_index > 10U) return -1; if (!source->frame_rate_index) { @@ -156,7 +156,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, if (get_bits1(gb)) { source->aspect_ratio_index = svq3_get_ue_golomb(gb); - if (source->aspect_ratio_index > 6) + if (source->aspect_ratio_index > 6U) return -1; if (!source->aspect_ratio_index) { @@ -179,7 +179,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, if (get_bits1(gb)) { source->pixel_range_index = svq3_get_ue_golomb(gb); - if (source->pixel_range_index > 4) + if (source->pixel_range_index > 4U) return -1; // This assumes either fullrange or MPEG levels only @@ -207,7 +207,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, if (get_bits1(gb)) { idx = source->color_spec_index = svq3_get_ue_golomb(gb); - if (source->color_spec_index > 4) + if (source->color_spec_index > 4U) return -1; avctx->color_primaries = dirac_color_presets[idx].color_primaries; @@ -217,7 +217,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, if (!source->color_spec_index) { if (get_bits1(gb)) { idx = svq3_get_ue_golomb(gb); - if (idx < 3) + if (idx < 3U) avctx->color_primaries = dirac_primaries[idx]; } @@ -259,7 +259,7 @@ int ff_dirac_parse_sequence_header(AVCodecContext *avctx, GetBitContext *gb, else if (version_major > 2) av_log(avctx, AV_LOG_WARNING, "Stream may have unhandled features\n"); - if (video_format > 20) + if (video_format > 20U) return -1; // Fill in defaults for the source parameters. diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 53d824a109..935866da9a 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -79,7 +79,7 @@ static int rv30_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t for(i = 0; i < 4; i++, dst += r->intra_types_stride - 4){ for(j = 0; j < 4; j+= 2){ int code = svq3_get_ue_golomb(gb) << 1; - if(code >= 81*2){ + if(code >= 81U*2U){ av_log(r->s.avctx, AV_LOG_ERROR, "Incorrect intra prediction code\n"); return -1; } @@ -108,7 +108,7 @@ static int rv30_decode_mb_info(RV34DecContext *r) GetBitContext *gb = &s->gb; int code = svq3_get_ue_golomb(gb); - if(code > 11){ + if(code > 11U){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect MB type code\n"); return -1; } diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 54d786a3a6..842f01af02 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -231,8 +231,11 @@ static int rv40_decode_mb_info(RV34DecContext *r) int blocks[RV34_MB_TYPES] = {0}; int count = 0; - if(!r->s.mb_skip_run) + if(!r->s.mb_skip_run) { r->s.mb_skip_run = svq3_get_ue_golomb(gb) + 1; + if(r->s.mb_skip_run > (unsigned)s->mb_num) + return -1; + } if(--r->s.mb_skip_run) return RV34_MB_SKIP; diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 30cd0f102f..e5c18c59c2 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -221,7 +221,7 @@ static inline int svq3_decode_block(GetBitContext *gb, DCTELEM *block, for (limit = (16 >> intra); index < 16; index = limit, limit += 8) { for (; (vlc = svq3_get_ue_golomb(gb)) != 0; index++) { - if (vlc == INVALID_VLC) + if (vlc < 0) return -1; sign = (vlc & 0x1) - 1; @@ -239,7 +239,7 @@ static inline int svq3_decode_block(GetBitContext *gb, DCTELEM *block, level = ((vlc + 9) >> 2) - run; } } else { - if (vlc < 16) { + if (vlc < 16U) { run = svq3_dct_tables[intra][vlc].run; level = svq3_dct_tables[intra][vlc].level; } else if (intra) { @@ -569,7 +569,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) for (i = 0; i < 16; i+=2) { vlc = svq3_get_ue_golomb(&s->gb); - if (vlc >= 25){ + if (vlc >= 25U){ av_log(h->s.avctx, AV_LOG_ERROR, "luma prediction:%d\n", vlc); return -1; } @@ -641,7 +641,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) } if (!IS_INTRA16x16(mb_type) && (!IS_SKIP(mb_type) || s->pict_type == AV_PICTURE_TYPE_B)) { - if ((vlc = svq3_get_ue_golomb(&s->gb)) >= 48){ + if ((vlc = svq3_get_ue_golomb(&s->gb)) >= 48U){ av_log(h->s.avctx, AV_LOG_ERROR, "cbp_vlc=%d\n", vlc); return -1; } @@ -651,7 +651,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) if (IS_INTRA16x16(mb_type) || (s->pict_type != AV_PICTURE_TYPE_I && s->adaptive_quant && cbp)) { s->qscale += svq3_get_se_golomb(&s->gb); - if (s->qscale > 31){ + if (s->qscale > 31U){ av_log(h->s.avctx, AV_LOG_ERROR, "qscale:%d\n", s->qscale); return -1; } @@ -755,7 +755,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) skip_bits_long(&s->gb, 0); } - if ((i = svq3_get_ue_golomb(&s->gb)) == INVALID_VLC || i >= 3){ + if ((i = svq3_get_ue_golomb(&s->gb)) >= 3U){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal slice type %d \n", i); return -1; } From b59919afe2b6caad1ddcbbb71bdcf5a8750b8c71 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 18 Sep 2011 00:17:44 +0200 Subject: [PATCH 0285/1119] Reject slices that does not have the same type than the first one in RV10/RV20 decoder. This prevents crashes with some corrupted bitstreams. Signed-off-by: Michael Niedermayer (cherry picked from commit d788af6cf696d547a442c47e1ce6f93bc9fc97b6) --- libavcodec/rv10.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 2f822a8ac2..b8cdf4a312 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -559,8 +559,12 @@ static int rv10_decode_packet(AVCodecContext *avctx, if(MPV_frame_start(s, avctx) < 0) return -1; ff_er_frame_start(s); + } else { + if (s->current_picture_ptr->f.pict_type != s->pict_type) + return -1; } + av_dlog(avctx, "qscale=%d\n", s->qscale); /* default quantization values */ From 60a1384013071e4549e48459d484a7b72aeb6ebc Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 23:43:58 +0200 Subject: [PATCH 0286/1119] Avoid NULL dereference on corrupted bitstream with real decoder. rv34_decode_slice() can return without allocating any pictures. Signed-off-by: Michael Niedermayer (cherry picked from commit 140dbcff357351570426efd0e0bc00e380f5436e) --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 0e5f868390..9196c9558d 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1498,7 +1498,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, break; } - if(last){ + if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); ff_er_frame_end(s); From 89bd2307f52c3eceb50df64cd7a62c35fe9ee189 Mon Sep 17 00:00:00 2001 From: Arne de Bruijn Date: Sat, 17 Sep 2011 14:59:00 +0200 Subject: [PATCH 0287/1119] mpegpsdec: fix reading first mpegps packet (cherry picked from commit b2f230e23dd61112ac090b0c059d87b5f6bcb307) --- libavformat/mpeg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 1bc4480cd8..3166b42172 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -106,6 +106,7 @@ static int mpegps_read_header(AVFormatContext *s, MpegDemuxContext *m = s->priv_data; const char *sofdec = "Sofdec"; int v, i = 0; + int64_t last_pos = avio_tell(s->pb); m->header_state = 0xff; s->ctx_flags |= AVFMTCTX_NOHEADER; @@ -119,6 +120,9 @@ static int mpegps_read_header(AVFormatContext *s, m->sofdec = (m->sofdec == 6) ? 1 : 0; + if (!m->sofdec) + avio_seek(s->pb, last_pos, SEEK_SET); + /* no need to do more */ return 0; } From 9442f50c33232baed3a20f8b82c181f36b4ebe64 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 19 Sep 2011 12:20:42 +0200 Subject: [PATCH 0288/1119] Support 3IVD in isom, produced by 3ivx DivX Doctor. Fixes ticket #486. (cherry picked from commit 4a9b069b6742f78ed7511d2a87af621ab1d43a59) --- libavformat/isom.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index 09ee23bdfd..1f75a4a956 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -208,6 +208,8 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_PRORES, MKTAG('a', 'p', 'c', 'o') }, /* Apple ProRes 422 Proxy */ { CODEC_ID_PRORES, MKTAG('a', 'p', '4', 'h') }, /* Apple ProRes 4444 */ + { CODEC_ID_MSMPEG4V3, MKTAG('3', 'I', 'V', 'D') }, /* 3ivx DivX Doctor */ + { CODEC_ID_NONE, 0 }, }; From ed288c0edd3a77537adbeb34c081363ea73e9c14 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Mon, 19 Sep 2011 16:57:10 +0200 Subject: [PATCH 0289/1119] MAINTAINERS: add my GPG fingerprint. (cherry picked from commit 7882dc10f871bf25a848fe62a152f63814f9c7d1) --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 8588ba73ad..fb28a4e822 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -373,6 +373,7 @@ Ben Littler 3EE3 3723 E560 3214 A8CD 4DEB 2CDB FCE7 768C 8D2C Benoit Fouet B22A 4F4F 43EF 636B BB66 FCDC 0023 AE1E 2985 49C8 Daniel Verkamp 78A6 07ED 782C 653E C628 B8B9 F0EB 8DD8 2F0E 21C7 Diego Biurrun 8227 1E31 B6D9 4994 7427 E220 9CAE D6CC 4757 FCC5 +Gwenole Beauchesne 2E63 B3A6 3E44 37E2 017D 2704 53C7 6266 B153 99C4 Jaikrishnan Menon 61A1 F09F 01C9 2D45 78E1 C862 25DC 8831 AF70 D368 Justin Ruggles 3136 ECC0 C10D 6C04 5F43 CA29 FCBE CD2A 3787 1EBF Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE From 27128d82faf17cbf476cf5f750722612639bdcd7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 21:17:45 +0000 Subject: [PATCH 0290/1119] rmdec: use the deinterleaving mode and not the codec when creating audio packets. It prevents crashes due to non initialized fields. Signed-off-by: Anton Khirnov (cherry picked from commit 3e033da84782e12ed529e6a88dd53b6a72199e8e) --- libavformat/rmdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index cacca9bc89..525e276dde 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -801,7 +801,8 @@ ff_rm_retrieve_cache (AVFormatContext *s, AVIOContext *pb, assert (rm->audio_pkt_cnt > 0); - if (st->codec->codec_id == CODEC_ID_AAC) + if (ast->deint_id == DEINT_ID_VBRF || + ast->deint_id == DEINT_ID_VBRS) av_get_packet(pb, pkt, ast->sub_packet_lengths[ast->sub_packet_cnt - rm->audio_pkt_cnt]); else { av_new_packet(pkt, st->codec->block_align); From 738c17b3a657b2017875c5b3ff9336944e4a8f22 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 18 Sep 2011 00:03:08 +0200 Subject: [PATCH 0291/1119] rv10: Reject slices that does not have the same type as the first one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents crashes with some corrupted bitstreams. Signed-off-by: Martin Storsjö --- libavcodec/rv10.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index b8cdf4a312..189b79f4d0 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -560,8 +560,10 @@ static int rv10_decode_packet(AVCodecContext *avctx, return -1; ff_er_frame_start(s); } else { - if (s->current_picture_ptr->f.pict_type != s->pict_type) + if (s->current_picture_ptr->pict_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); return -1; + } } From 5163de0873faf3c7d39a9896ed188a6967cc1a40 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 13 Aug 2011 21:02:54 +0200 Subject: [PATCH 0292/1119] Use deinterleavers for demangling audio packets in RealMedia. Unlike other containers RealMedia stores its audio packets in scrambled form, with interleaver ID preceeding audio codec ID. Currently deinterleaving decision is tied to the codec while it's possible to have non-default deinterleaver with audio codec (like Int0 deinterleaver instead of specific one for Sipro). Signed-off-by: Anton Khirnov --- libavformat/rmdec.c | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 525e276dde..fab6825bf3 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -26,6 +26,13 @@ #include "riff.h" #include "rm.h" +#define DEINT_ID_GENR MKTAG('g', 'e', 'n', 'r') ///< interleaving for Cooker/Atrac +#define DEINT_ID_INT0 MKTAG('I', 'n', 't', '0') ///< no interleaving needed +#define DEINT_ID_INT4 MKTAG('I', 'n', 't', '4') ///< interleaving for 28.8 +#define DEINT_ID_SIPR MKTAG('s', 'i', 'p', 'r') ///< interleaving for Sipro +#define DEINT_ID_VBRF MKTAG('v', 'b', 'r', 'f') ///< VBR case for AAC +#define DEINT_ID_VBRS MKTAG('v', 'b', 'r', 's') ///< VBR case for AAC + struct RMStream { AVPacket pkt; ///< place to store merged video frame / reordered audio data int videobufsize; ///< current assembled frame size @@ -39,6 +46,7 @@ struct RMStream { int sub_packet_size, sub_packet_h, coded_framesize; ///< Descrambling parameters from container int audio_framesize; /// Audio frame size from container int sub_packet_lengths[16]; /// Length of each subpacket + int32_t deint_id; ///< deinterleaver used in audio stream }; typedef struct { @@ -147,6 +155,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codec->channels = 1; st->codec->codec_type = AVMEDIA_TYPE_AUDIO; st->codec->codec_id = CODEC_ID_RA_144; + ast->deint_id = DEINT_ID_INT0; } else { int flavor, sub_packet_h, coded_framesize, sub_packet_size; int codecdata_length; @@ -172,11 +181,12 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_rb32(pb); st->codec->channels = avio_rb16(pb); if (version == 5) { - avio_rb32(pb); + ast->deint_id = avio_rl32(pb); avio_read(pb, buf, 4); buf[4] = 0; } else { get_str8(pb, buf, sizeof(buf)); /* desc */ + ast->deint_id = AV_RL32(buf); get_str8(pb, buf, sizeof(buf)); /* desc */ } st->codec->codec_type = AVMEDIA_TYPE_AUDIO; @@ -714,10 +724,9 @@ ff_rm_parse_packet (AVFormatContext *s, AVIOContext *pb, if(rm_assemble_video_frame(s, pb, rm, ast, pkt, len, seq)) return -1; //got partial frame } else if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO) { - if ((st->codec->codec_id == CODEC_ID_RA_288) || - (st->codec->codec_id == CODEC_ID_COOK) || - (st->codec->codec_id == CODEC_ID_ATRAC3) || - (st->codec->codec_id == CODEC_ID_SIPR)) { + if ((ast->deint_id == DEINT_ID_GENR) || + (ast->deint_id == DEINT_ID_INT4) || + (ast->deint_id == DEINT_ID_SIPR)) { int x; int sps = ast->sub_packet_size; int cfs = ast->coded_framesize; @@ -730,30 +739,30 @@ ff_rm_parse_packet (AVFormatContext *s, AVIOContext *pb, if (!y) ast->audiotimestamp = timestamp; - switch(st->codec->codec_id) { - case CODEC_ID_RA_288: + switch (ast->deint_id) { + case DEINT_ID_INT4: for (x = 0; x < h/2; x++) avio_read(pb, ast->pkt.data+x*2*w+y*cfs, cfs); break; - case CODEC_ID_ATRAC3: - case CODEC_ID_COOK: + case DEINT_ID_GENR: for (x = 0; x < w/sps; x++) avio_read(pb, ast->pkt.data+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), sps); break; - case CODEC_ID_SIPR: + case DEINT_ID_SIPR: avio_read(pb, ast->pkt.data + y * w, w); break; } if (++(ast->sub_packet_cnt) < h) return -1; - if (st->codec->codec_id == CODEC_ID_SIPR) + if (ast->deint_id == DEINT_ID_SIPR) ff_rm_reorder_sipr_data(ast->pkt.data, h, w); ast->sub_packet_cnt = 0; rm->audio_stream_num = st->index; rm->audio_pkt_cnt = h * w / st->codec->block_align; - } else if (st->codec->codec_id == CODEC_ID_AAC) { + } else if ((ast->deint_id == DEINT_ID_VBRF) || + (ast->deint_id == DEINT_ID_VBRS)) { int x; rm->audio_stream_num = st->index; ast->sub_packet_cnt = (avio_rb16(pb) & 0xf0) >> 4; From 3899b3be0c4db1c280ed98e01388f8cebb888ef9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 00:05:13 +0200 Subject: [PATCH 0293/1119] rmdec: Reject invalid deinterleaving parameters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö --- libavformat/rmdec.c | 48 ++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index fab6825bf3..708187e16f 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -193,6 +193,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codec->codec_tag = AV_RL32(buf); st->codec->codec_id = ff_codec_get_id(ff_rm_codec_tags, st->codec->codec_tag); + switch (st->codec->codec_id) { case CODEC_ID_AC3: st->need_parsing = AVSTREAM_PARSE_FULL; @@ -201,14 +202,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codec->extradata_size= 0; ast->audio_framesize = st->codec->block_align; st->codec->block_align = coded_framesize; - - if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || - ast->audio_framesize >= UINT_MAX / sub_packet_h){ - av_log(s, AV_LOG_ERROR, "ast->audio_framesize * sub_packet_h is invalid\n"); - return -1; - } - - av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h); break; case CODEC_ID_COOK: case CODEC_ID_ATRAC3: @@ -239,14 +232,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, } if ((ret = rm_read_extradata(pb, st->codec, codecdata_length)) < 0) return ret; - - if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || - ast->audio_framesize >= UINT_MAX / sub_packet_h){ - av_log(s, AV_LOG_ERROR, "rm->audio_framesize * sub_packet_h is invalid\n"); - return -1; - } - - av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h); break; case CODEC_ID_AAC: avio_rb16(pb); avio_r8(pb); @@ -266,6 +251,37 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, default: av_strlcpy(st->codec->codec_name, buf, sizeof(st->codec->codec_name)); } + if (ast->deint_id == DEINT_ID_INT4 || + ast->deint_id == DEINT_ID_GENR || + ast->deint_id == DEINT_ID_SIPR) { + if (st->codec->block_align <= 0 || + ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * sub_packet_h < st->codec->block_align) + return AVERROR_INVALIDDATA; + if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) + return AVERROR(ENOMEM); + } + switch (ast->deint_id) { + case DEINT_ID_INT4: + if (ast->coded_framesize > ast->audio_framesize || + ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + return AVERROR_INVALIDDATA; + break; + case DEINT_ID_GENR: + if (ast->sub_packet_size <= 0 || + ast->sub_packet_size > ast->audio_framesize) + return AVERROR_INVALIDDATA; + break; + case DEINT_ID_SIPR: + case DEINT_ID_INT0: + case DEINT_ID_VBRS: + case DEINT_ID_VBRF: + break; + default: + av_log(NULL,0,"Unknown interleaver %X\n", ast->deint_id); + return AVERROR_INVALIDDATA; + } + if (read_all) { avio_r8(pb); avio_r8(pb); From d2c5904cab95cf064bbe885660eb2af0eaa89714 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 19 Sep 2011 22:48:53 +0200 Subject: [PATCH 0294/1119] Check for invalid slice offsets in real decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 8716c178ddabe28a01a9fe81fff68d117b779333) --- libavcodec/rv34.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 9196c9558d..1810263751 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1452,8 +1452,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(get_slice_offset(avctx, slices_hdr, 0) < 0 || + get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return -1; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); @@ -1476,8 +1477,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(offset < 0 || offset > buf_size || size < 0){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } From 596762f0588bf6db31c98a6a64c68a9538cc4cdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Sep 2011 00:51:53 +0200 Subject: [PATCH 0295/1119] mp3demux: pass on error code on packet read. Reported-by: Tanami, Ohad Signed-off-by: Michael Niedermayer (cherry picked from commit c83442b0571370b946d3f8bb85c46879d62ab10a) --- libavformat/mp3dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 47772a4998..5e3e3513ad 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -173,7 +173,9 @@ static int mp3_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->stream_index = 0; if (ret <= 0) { - return AVERROR(EIO); + if(ret<0) + return ret; + return AVERROR_EOF; } if (ret > ID3v1_TAG_SIZE && From bf7dc6b29d785f149f18c39db021413e08735546 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 21 Sep 2011 23:47:34 +0200 Subject: [PATCH 0296/1119] Fix dxva2 decoding for some H264 samples. --- libavcodec/dxva2_h264.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/dxva2_h264.c b/libavcodec/dxva2_h264.c index bc80e982fb..3f728e27b5 100644 --- a/libavcodec/dxva2_h264.c +++ b/libavcodec/dxva2_h264.c @@ -158,9 +158,10 @@ static void fill_scaling_lists(const H264Context *h, DXVA_Qmatrix_H264 *qm) for (j = 0; j < 16; j++) qm->bScalingLists4x4[i][j] = h->pps.scaling_matrix4[i][zigzag_scan[j]]; - for (i = 0; i < 2; i++) - for (j = 0; j < 64; j++) - qm->bScalingLists8x8[i][j] = h->pps.scaling_matrix8[i][ff_zigzag_direct[j]]; + for (j = 0; j < 64; j++) { + qm->bScalingLists8x8[0][j] = h->pps.scaling_matrix8[0][ff_zigzag_direct[j]]; + qm->bScalingLists8x8[1][j] = h->pps.scaling_matrix8[3][ff_zigzag_direct[j]]; + } } static int is_slice_short(struct dxva_context *ctx) From 5d833dd29985b53789304b350ac229abd4de0ff6 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 21 Sep 2011 23:47:34 +0200 Subject: [PATCH 0297/1119] Fix dxva2 decoding for some H264 samples. (cherry picked from commit bf7dc6b29d785f149f18c39db021413e08735546) --- libavcodec/dxva2_h264.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/dxva2_h264.c b/libavcodec/dxva2_h264.c index bc80e982fb..3f728e27b5 100644 --- a/libavcodec/dxva2_h264.c +++ b/libavcodec/dxva2_h264.c @@ -158,9 +158,10 @@ static void fill_scaling_lists(const H264Context *h, DXVA_Qmatrix_H264 *qm) for (j = 0; j < 16; j++) qm->bScalingLists4x4[i][j] = h->pps.scaling_matrix4[i][zigzag_scan[j]]; - for (i = 0; i < 2; i++) - for (j = 0; j < 64; j++) - qm->bScalingLists8x8[i][j] = h->pps.scaling_matrix8[i][ff_zigzag_direct[j]]; + for (j = 0; j < 64; j++) { + qm->bScalingLists8x8[0][j] = h->pps.scaling_matrix8[0][ff_zigzag_direct[j]]; + qm->bScalingLists8x8[1][j] = h->pps.scaling_matrix8[3][ff_zigzag_direct[j]]; + } } static int is_slice_short(struct dxva_context *ctx) From f36cea267381571488070d3d6b8290359f3f94d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 28 Aug 2011 21:14:13 +0200 Subject: [PATCH 0298/1119] Hack around gcc 4.6 breaking asm using call. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit gcc 4.6 no longer decrements esp to account for local variables. Thus using call will end up overwriting some local variable. So add an extra one it can safely clobber. This is a huge hack because it's basically pure chance it works, no idea how this is supposed to be done. Fixes trac ticket #397. Signed-off-by: Reimar Döffinger (cherry picked from commit c928e9172928f3cddab949b107dd53b6bf79555e) --- libswscale/x86/swscale_template.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 25399fadef..e715270714 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -2240,6 +2240,10 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif + // HACK: gcc 4.6 no longer decrements esp, + // use this to make it reserve space for the call + // return address + void *dummy; __asm__ volatile( #if defined(PIC) @@ -2291,6 +2295,7 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, #if defined(PIC) ,"m" (ebxsave) #endif + ,"m" (dummy) : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) ,"%"REG_b @@ -2312,6 +2317,10 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif + // HACK: gcc 4.6 no longer decrements esp, + // use this to make it reserve space for the call + // return address + void *dummy; __asm__ volatile( #if defined(PIC) @@ -2351,6 +2360,7 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) ,"m" (ebxsave) #endif + ,"m" (dummy) : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) ,"%"REG_b From a582b028a416a29e60b4748b2ae4221ada11c2b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 28 Aug 2011 21:14:13 +0200 Subject: [PATCH 0299/1119] Hack around gcc 4.6 breaking asm using call. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit gcc 4.6 no longer decrements esp to account for local variables. Thus using call will end up overwriting some local variable. So add an extra one it can safely clobber. This is a huge hack because it's basically pure chance it works, no idea how this is supposed to be done. Fixes trac ticket #397. Signed-off-by: Reimar Döffinger (cherry picked from commit c928e9172928f3cddab949b107dd53b6bf79555e) --- libswscale/x86/swscale_template.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 25399fadef..e715270714 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -2240,6 +2240,10 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif + // HACK: gcc 4.6 no longer decrements esp, + // use this to make it reserve space for the call + // return address + void *dummy; __asm__ volatile( #if defined(PIC) @@ -2291,6 +2295,7 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, #if defined(PIC) ,"m" (ebxsave) #endif + ,"m" (dummy) : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) ,"%"REG_b @@ -2312,6 +2317,10 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif + // HACK: gcc 4.6 no longer decrements esp, + // use this to make it reserve space for the call + // return address + void *dummy; __asm__ volatile( #if defined(PIC) @@ -2351,6 +2360,7 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) ,"m" (ebxsave) #endif + ,"m" (dummy) : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) ,"%"REG_b From 533dbaa55b7d45d5ca76f9ed46f5690282f86ea9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:29 +0200 Subject: [PATCH 0300/1119] Check output buffer size in nellymoser decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 741ec30bd2385f794efa9fafa84d39a917f2574e) --- libavcodec/nellymoserdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c index 59c1b3bdd8..d85483dbf4 100644 --- a/libavcodec/nellymoserdec.c +++ b/libavcodec/nellymoserdec.c @@ -156,6 +156,7 @@ static int decode_tag(AVCodecContext * avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; NellyMoserDecodeContext *s = avctx->priv_data; + int data_max = *data_size; int blocks, i; int16_t* samples; *data_size = 0; @@ -178,6 +179,8 @@ static int decode_tag(AVCodecContext * avctx, */ for (i=0 ; i data_max) + return i > 0 ? i * NELLY_BLOCK_LEN : -1; nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf); s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES); *data_size += NELLY_SAMPLES*sizeof(int16_t); From 69b6248327a042155396177eaff009b65bc8fcc8 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:31 +0200 Subject: [PATCH 0301/1119] Check for invalid slices offsets in RV30/40 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit b64269ce5528bdbec8af671042f97af1242cf044) --- libavcodec/rv34.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 1810263751..54fc29eca3 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1477,13 +1477,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size || size < 0){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } r->si.end = s->mb_width * s->mb_height; if(i+1 < slice_count){ + if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || + get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); + break; + } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ if(i+2 < slice_count) @@ -1493,6 +1498,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, }else r->si.end = si.start; } + if (size < 0 || size > buf_size - offset) { + av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); + break; + } last = rv34_decode_slice(r, r->si.end, buf + offset, size); s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(last) From a5a02ea3f2bb4e89d9ee0e381c938bd83e5c369d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:30 +0200 Subject: [PATCH 0302/1119] Check for missing reference in vp5/6 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 6a0e78929aa7d6b2c6b598c1589fb0e48fccb132) --- libavcodec/vp56.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index ad451c251f..cf891763f6 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -399,6 +399,8 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) frame_current = s->framep[VP56_FRAME_CURRENT]; frame_ref = s->framep[ref_frame]; + if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; From c9c6e5f4e8680b7b7801dd6943590ae9cd6bfd89 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:33 +0200 Subject: [PATCH 0303/1119] Release old pictures after a resolution change in vp5/6 decoder Signed-off-by: Michael Niedermayer (cherry picked from commit dba20b84784a7931b7eac50ced1d43e86801bde9) --- libavcodec/vp56.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index cf891763f6..25ec7a376d 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -513,6 +513,16 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (!res) return -1; + if (res == 2) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } + if (is_alpha) + return -1; + } + if (!is_alpha) { p->reference = 1; if (avctx->get_buffer(avctx, p) < 0) { From cf43508eb39bb3749f45d84ded924e1b30794566 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:32 +0200 Subject: [PATCH 0304/1119] Check for huffman tree building error in vp6 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 7c249d4fbaf4431b20a90a3c942f3370c0039d9e) --- libavcodec/vp5.c | 3 ++- libavcodec/vp56.c | 4 +++- libavcodec/vp56.h | 2 +- libavcodec/vp6.c | 20 ++++++++++++-------- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index e9de38e6dd..f1b0169ae1 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -116,7 +116,7 @@ static void vp5_parse_vector_models(VP56Context *s) model->vector_pdv[comp][node] = vp56_rac_gets_nn(c, 7); } -static void vp5_parse_coeff_models(VP56Context *s) +static int vp5_parse_coeff_models(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -160,6 +160,7 @@ static void vp5_parse_coeff_models(VP56Context *s) for (ctx=0; ctx<6; ctx++) for (node=0; node<5; node++) model->coeff_acct[pt][ct][cg][ctx][node] = av_clip(((model->coeff_ract[pt][ct][cg][node] * vp5_ract_lc[ct][cg][node][ctx][0] + 128) >> 8) + vp5_ract_lc[ct][cg][node][ctx][1], 1, 254); + return 0; } static void vp5_parse_coeff(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 25ec7a376d..30f3efbc46 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -549,7 +549,8 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->mb_type = VP56_MB_INTER_NOVEC_PF; } - s->parse_coeff_models(s); + if (s->parse_coeff_models(s)) + goto next; memset(s->prev_dc, 0, sizeof(s->prev_dc)); s->prev_dc[1][VP56_FRAME_CURRENT] = 128; @@ -613,6 +614,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } + next: if (p->key_frame || golden_frame) { if (s->framep[VP56_FRAME_GOLDEN]->data[0] && s->framep[VP56_FRAME_GOLDEN] != s->framep[VP56_FRAME_GOLDEN2]) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index d1735e5609..4d560dac6a 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -46,7 +46,7 @@ typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, typedef void (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); -typedef void (*VP56ParseCoeffModels)(VP56Context *s); +typedef int (*VP56ParseCoeffModels)(VP56Context *s); typedef int (*VP56ParseHeader)(VP56Context *s, const uint8_t *buf, int buf_size, int *golden_frame); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 0a02ce58d6..0b26c0461a 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -234,7 +234,7 @@ static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], FF_HUFFMAN_FLAG_HNODE_FIRST); } -static void vp6_parse_coeff_models(VP56Context *s) +static int vp6_parse_coeff_models(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -279,15 +279,18 @@ static void vp6_parse_coeff_models(VP56Context *s) if (s->use_huffman) { for (pt=0; pt<2; pt++) { - vp6_build_huff_tree(s, model->coeff_dccv[pt], - vp6_huff_coeff_map, 12, &s->dccv_vlc[pt]); - vp6_build_huff_tree(s, model->coeff_runv[pt], - vp6_huff_run_map, 9, &s->runv_vlc[pt]); + if (vp6_build_huff_tree(s, model->coeff_dccv[pt], + vp6_huff_coeff_map, 12, &s->dccv_vlc[pt])) + return -1; + if (vp6_build_huff_tree(s, model->coeff_runv[pt], + vp6_huff_run_map, 9, &s->runv_vlc[pt])) + return -1; for (ct=0; ct<3; ct++) for (cg = 0; cg < 6; cg++) - vp6_build_huff_tree(s, model->coeff_ract[pt][ct][cg], - vp6_huff_coeff_map, 12, - &s->ract_vlc[pt][ct][cg]); + if (vp6_build_huff_tree(s, model->coeff_ract[pt][ct][cg], + vp6_huff_coeff_map, 12, + &s->ract_vlc[pt][ct][cg])) + return -1; } memset(s->nb_null, 0, sizeof(s->nb_null)); } else { @@ -297,6 +300,7 @@ static void vp6_parse_coeff_models(VP56Context *s) for (node=0; node<5; node++) model->coeff_dcct[pt][ctx][node] = av_clip(((model->coeff_dccv[pt][node] * vp6_dccv_lc[ctx][node][0] + 128) >> 8) + vp6_dccv_lc[ctx][node][1], 1, 255); } + return 0; } static void vp6_parse_vector_adjustment(VP56Context *s, VP56mv *vect) From 056e9efc8e06faed3516b610d8a74484f24ac07f Mon Sep 17 00:00:00 2001 From: Dustin Brody Date: Tue, 16 Aug 2011 16:46:34 -0400 Subject: [PATCH 0305/1119] vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling Signed-off-by: Ronald S. Bultje (cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 0b26c0461a..d05a3618f7 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -213,8 +213,8 @@ static int vp6_huff_cmp(const void *va, const void *vb) return (a->count - b->count)*16 + (b->sym - a->sym); } -static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], - const uint8_t *map, unsigned size, VLC *vlc) +static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], + const uint8_t *map, unsigned size, VLC *vlc) { Node nodes[2*VP6_MAX_HUFF_SIZE], *tmp = &nodes[size]; int a, b, i; @@ -229,9 +229,9 @@ static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], } free_vlc(vlc); - /* then build the huffman tree accodring to probabilities */ - ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, - FF_HUFFMAN_FLAG_HNODE_FIRST); + /* then build the huffman tree according to probabilities */ + return ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, + FF_HUFFMAN_FLAG_HNODE_FIRST); } static int vp6_parse_coeff_models(VP56Context *s) From b00fc80d406fef0acd54619a7c82e2a31e00c06c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 02:29:11 +0200 Subject: [PATCH 0306/1119] update version numbers for 0.8.4 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index eca888d1d8..4f45f3417e 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.3 +PROJECT_NUMBER = 0.8.4 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index ee94dd834b..b60d71966a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.3 +0.8.4 diff --git a/VERSION b/VERSION index ee94dd834b..b60d71966a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.3 +0.8.4 From 1450d6e6377df00a538ae7542981a0ebff9415da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 02:30:14 +0200 Subject: [PATCH 0307/1119] Update version numbers for 0.7.5 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index afd2e3c289..bcb13563a5 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.4 +PROJECT_NUMBER = 0.7.5 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 0a1ffad4b4..8bd6ba8c5c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.4 +0.7.5 diff --git a/VERSION b/VERSION index 0a1ffad4b4..8bd6ba8c5c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.4 +0.7.5 From 47be9f5bd50e9c388adca6f8991cde7b4612db56 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 26 Jun 2011 15:52:00 -0700 Subject: [PATCH 0308/1119] swscale: don't use planar output functions to write to NV12/21. This prevents a crash when converting to NV12/21 without the bitexact flags enabled. (cherry picked from commit 0d994b2f45c08794899057ee7ca54f48218c0a53) Signed-off-by: Anton Khirnov --- libswscale/x86/swscale_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 8fad257ddf..dc92cddff5 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -2203,7 +2203,8 @@ static av_cold void RENAME(sws_init_swScale)(SwsContext *c) enum PixelFormat srcFormat = c->srcFormat, dstFormat = c->dstFormat; - if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat)) { + if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat) && + dstFormat != PIX_FMT_NV12 && dstFormat != PIX_FMT_NV21) { if (!(c->flags & SWS_BITEXACT)) { if (c->flags & SWS_ACCURATE_RND) { c->yuv2yuv1 = RENAME(yuv2yuv1_ar ); From 8ad1f0852b26468cb681ad49be83e2bc25d07934 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Mon, 4 Jul 2011 06:05:34 -0700 Subject: [PATCH 0309/1119] H.264: fix overreads of qscale_table filter_mb_fast assumed that qscale_table was padded like many of the other tables. (cherry picked from commit 5029a406334ad0eaf92130e23d596e405a8a5aa0) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo.c | 5 +++-- libavcodec/mpegvideo.h | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 4978d28b49..ceed41f230 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -285,9 +285,10 @@ int ff_alloc_picture(MpegEncContext *s, Picture *pic, int shared){ } FF_ALLOCZ_OR_GOTO(s->avctx, pic->mbskip_table , mb_array_size * sizeof(uint8_t)+2, fail) //the +2 is for the slice end check - FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table , mb_array_size * sizeof(uint8_t) , fail) + FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base , (big_mb_num + s->mb_stride) * sizeof(uint8_t) , fail) FF_ALLOCZ_OR_GOTO(s->avctx, pic->mb_type_base , (big_mb_num + s->mb_stride) * sizeof(uint32_t), fail) pic->mb_type= pic->mb_type_base + 2*s->mb_stride+1; + pic->qscale_table = pic->qscale_table_base + 2*s->mb_stride + 1; if(s->out_format == FMT_H264){ for(i=0; i<2; i++){ FF_ALLOCZ_OR_GOTO(s->avctx, pic->motion_val_base[i], 2 * (b4_array_size+4) * sizeof(int16_t), fail) @@ -339,7 +340,7 @@ static void free_picture(MpegEncContext *s, Picture *pic){ av_freep(&pic->mc_mb_var); av_freep(&pic->mb_mean); av_freep(&pic->mbskip_table); - av_freep(&pic->qscale_table); + av_freep(&pic->qscale_table_base); av_freep(&pic->mb_type_base); av_freep(&pic->dct_coeff); av_freep(&pic->pan_scan); diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 6ce7faa235..f37977c941 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -88,6 +88,7 @@ typedef struct Picture{ * halfpel luma planes. */ uint8_t *interpolated[3]; + int8_t *qscale_table_base; int16_t (*motion_val_base[2])[2]; uint32_t *mb_type_base; #define MB_TYPE_INTRA MB_TYPE_INTRA4x4 //default mb_type if there is just one type From 06318968853ff8c628bbc75fb126483c08f22fd9 Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 4 Jul 2011 09:55:19 -0700 Subject: [PATCH 0310/1119] dca: set AVCodecContext frame_size for DTS audio Set the frame size when decoding DTS audio. This has the side effect of fixing the computation of timestamps for DTS-HD in compute_pkt_fields. Since frame_size is not currently set, the duration of a frame is being guessed based on the streams bitrate. But for DTS-HD, the bitrate currently used is the rate of the DTS core which is much different than the whole DTS-HD stream and leads to a wildly inaccurate frame duration estimate. Signed-off-by: Ronald S. Bultje (cherry picked from commit 49c7006c7e815d4330247624a9e6ba30e288cd02) Signed-off-by: Anton Khirnov --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index a9b2c9b0c9..fad6bce7a9 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -1650,6 +1650,7 @@ static int dca_decode_frame(AVCodecContext * avctx, //set AVCodec values with parsed data avctx->sample_rate = s->sample_rate; avctx->bit_rate = s->bit_rate; + avctx->frame_size = s->sample_blocks * 32; s->profile = FF_PROFILE_DTS; From 776603b650485f4f2d45f383b772ac5a4f03ebfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 4 Jul 2011 10:19:46 +0200 Subject: [PATCH 0311/1119] mxfenc: fix ignored drop flag in binary timecode representation. Signed-off-by: Ronald S. Bultje (cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087) Signed-off-by: Anton Khirnov --- libavformat/mxfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index c448e14b00..387263e1a1 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1539,7 +1539,7 @@ static const uint8_t system_metadata_package_set_key[] = { 0x06,0x0E,0x2B,0x34,0 static uint32_t ff_framenum_to_12m_time_code(unsigned frame, int drop, int fps) { return (0 << 31) | // color frame flag - (0 << 30) | // drop frame flag + (drop << 30) | // drop frame flag ( ((frame % fps) / 10) << 28) | // tens of frames ( ((frame % fps) % 10) << 24) | // units of frames (0 << 23) | // field phase (NTSC), b0 (PAL) From 15355f9af2a415bbfbffdace04a4341c8af050e7 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 5 Jul 2011 18:29:35 +0100 Subject: [PATCH 0312/1119] ARM: workaround for bug in GNU assembler Some versions of the GNU assembler do not handle 64-bit immediate operands containing arithmetic. Writing the value out in full works correctly. Signed-off-by: Mans Rullgard (cherry picked from commit fce1e43410bdc032c4cf2b1c66166a9ed99cc8f1) Signed-off-by: Anton Khirnov --- libavcodec/arm/fft_fixed_neon.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/arm/fft_fixed_neon.S b/libavcodec/arm/fft_fixed_neon.S index 14884d3736..63d8159359 100644 --- a/libavcodec/arm/fft_fixed_neon.S +++ b/libavcodec/arm/fft_fixed_neon.S @@ -56,7 +56,7 @@ vhsub.s16 \r0, \d0, \d1 @ t3, t4, t8, t7 vhsub.s16 \r1, \d1, \d0 vhadd.s16 \d0, \d0, \d1 @ t1, t2, t6, t5 - vmov.i64 \d1, #0xffff<<32 + vmov.i64 \d1, #0xffff00000000 vbit \r0, \r1, \d1 vrev64.16 \r1, \r0 @ t7, t8, t4, t3 vtrn.32 \r0, \r1 @ t3, t4, t7, t8 From e9520db07e1e4a795523726329d448d168b188d5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 5 Jul 2011 18:10:48 -0700 Subject: [PATCH 0313/1119] eval: fix memleak. (cherry picked from commit fe277b16f0861a327e1f6c00c0dbb8b00806d60d) Signed-off-by: Anton Khirnov --- libavutil/eval.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/eval.c b/libavutil/eval.c index a3788210e3..8bcba3632d 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -488,6 +488,7 @@ int av_expr_parse(AVExpr **expr, const char *s, if ((ret = parse_expr(&e, &p)) < 0) goto end; if (*p.s) { + av_expr_free(e); av_log(&p, AV_LOG_ERROR, "Invalid chars '%s' at the end of expression '%s'\n", p.s, s0); ret = AVERROR(EINVAL); goto end; From 6107543d4e4f6bfa7810e3696ab57553f7257b4b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 29 Jun 2011 13:41:47 -0700 Subject: [PATCH 0314/1119] adts: Fix PCE copying. Parse the extension flag bit when reading the MPEG4 AudioSpecificConfig. This has nothing to do with SBR/PS contradictory to what was noted when it was removed. (cherry picked from commit 7f01a4192cdf4565eadee457f76e6b5196e35e0b) Signed-off-by: Anton Khirnov --- libavformat/adtsenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index e858a81d92..75649e24dc 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -59,6 +59,10 @@ int ff_adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, uint8_t *buf av_log(s, AV_LOG_ERROR, "Scalable configurations are not allowed in ADTS\n"); return -1; } + if (get_bits(&gb, 1)) { + av_log(s, AV_LOG_ERROR, "Extension flag is not allowed in ADTS\n"); + return -1; + } if (!adts->channel_conf) { init_put_bits(&pb, adts->pce_data, MAX_PCE_SIZE); From 94177614747ebb8a8e1b7e70cfd5229cbac56c04 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 11 Sep 2011 12:27:51 +0200 Subject: [PATCH 0315/1119] Revert "ffmpeg: get rid of useless AVInputStream.nb_streams." This reverts commit 2cf8355f98681bdd726b739008acd5483f82f8d7. AVInputStream.nb_streams tracks number of streams found at the beginning, new streams may appear that ffmpeg doesn't know about. Fixes crash in this case. Signed-off-by: Anton Khirnov --- ffmpeg.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index c1db3d5679..76d1cf363c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -329,6 +329,7 @@ typedef struct AVInputFile { int eof_reached; /* true if eof reached */ int ist_index; /* index of first stream in ist_table */ int buffer_size; /* current total buffer size */ + int nb_streams; /* nb streams we are aware of */ } AVInputFile; static AVInputStream *input_streams = NULL; @@ -1983,7 +1984,7 @@ static int transcode(AVFormatContext **output_files, int si = stream_maps[i].stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -1991,7 +1992,7 @@ static int transcode(AVFormatContext **output_files, fi = stream_maps[i].sync_file_index; si = stream_maps[i].sync_stream_index; if (fi < 0 || fi > nb_input_files - 1 || - si < 0 || si > input_files[fi].ctx->nb_streams - 1) { + si < 0 || si > input_files[fi].nb_streams - 1) { fprintf(stderr,"Could not find sync stream #%d.%d\n", fi, si); ret = AVERROR(EINVAL); goto fail; @@ -2607,7 +2608,7 @@ static int transcode(AVFormatContext **output_files, } /* the following test is needed in case new streams appear dynamically in stream : we ignore them */ - if (pkt.stream_index >= input_files[file_index].ctx->nb_streams) + if (pkt.stream_index >= input_files[file_index].nb_streams) goto discard_packet; ist_index = input_files[file_index].ist_index + pkt.stream_index; ist = &input_streams[ist_index]; @@ -3365,6 +3366,7 @@ static int opt_input_file(const char *opt, const char *filename) input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1); input_files[nb_input_files - 1].ctx = ic; input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams; + input_files[nb_input_files - 1].nb_streams = ic->nb_streams; frame_rate = (AVRational){0, 0}; frame_pix_fmt = PIX_FMT_NONE; From c75ba07f6eb83439bc44e5504152f8ca03097bec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Thu, 23 Jun 2011 15:59:33 +0200 Subject: [PATCH 0316/1119] gxf: Fix 25 fps DV material in GXF being misdetected as 50 fps Set DV packet durations using fields_per_frame. This requires turning gxf_stream_info into the demuxer's context for access to the value in gxf_packet(). Since MPEG-2 seems to work fine this done only for DV. Signed-off-by: Anton Khirnov (cherry picked from commit 99fecc64b064a013559d3d61f7d9790e3c95c80e) Signed-off-by: Anton Khirnov --- libavformat/gxf.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 74d925fe60..d77fd18b37 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -264,7 +264,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { int map_len; int len; AVRational main_timebase = {0, 0}; - struct gxf_stream_info si; + struct gxf_stream_info *si = s->priv_data; int i; if (!parse_packet_header(pb, &pkt_type, &map_len) || pkt_type != PKT_MAP) { av_log(s, AV_LOG_ERROR, "map packet not found\n"); @@ -282,7 +282,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { return 0; } map_len -= len; - gxf_material_tags(pb, &len, &si); + gxf_material_tags(pb, &len, si); avio_skip(pb, len); map_len -= 2; len = avio_rb16(pb); // length of track description @@ -300,7 +300,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { track_id = avio_r8(pb); track_len = avio_rb16(pb); len -= track_len; - gxf_track_tags(pb, &track_len, &si); + gxf_track_tags(pb, &track_len, si); avio_skip(pb, track_len); if (!(track_type & 0x80)) { av_log(s, AV_LOG_ERROR, "invalid track type %x\n", track_type); @@ -316,12 +316,12 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) { if (idx < 0) continue; st = s->streams[idx]; if (!main_timebase.num || !main_timebase.den) { - main_timebase.num = si.frames_per_second.den; - main_timebase.den = si.frames_per_second.num * 2; + main_timebase.num = si->frames_per_second.den; + main_timebase.den = si->frames_per_second.num * 2; } - st->start_time = si.first_field; - if (si.first_field != AV_NOPTS_VALUE && si.last_field != AV_NOPTS_VALUE) - st->duration = si.last_field - si.first_field; + st->start_time = si->first_field; + if (si->first_field != AV_NOPTS_VALUE && si->last_field != AV_NOPTS_VALUE) + st->duration = si->last_field - si->first_field; } if (len < 0) av_log(s, AV_LOG_ERROR, "invalid track description length specified\n"); @@ -422,6 +422,8 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { AVIOContext *pb = s->pb; GXFPktType pkt_type; int pkt_len; + struct gxf_stream_info *si = s->priv_data; + while (!pb->eof_reached) { AVStream *st; int track_type, track_id, ret; @@ -473,6 +475,11 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { avio_skip(pb, skip); pkt->stream_index = stream_index; pkt->dts = field_nr; + + //set duration manually for DV or else lavf misdetects the frame rate + if (st->codec->codec_id == CODEC_ID_DVVIDEO) + pkt->duration = si->fields_per_frame; + return ret; } return AVERROR(EIO); @@ -518,7 +525,7 @@ static int64_t gxf_read_timestamp(AVFormatContext *s, int stream_index, AVInputFormat ff_gxf_demuxer = { "gxf", NULL_IF_CONFIG_SMALL("GXF format"), - 0, + sizeof(struct gxf_stream_info), gxf_probe, gxf_header, gxf_packet, From 6ed533f56137f678ff8507012de14d277aded9cc Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Jun 2011 15:33:56 -0400 Subject: [PATCH 0317/1119] alsa: fallback to buffer_size/4 for period_size. buffer_size/4 is the value used by aplay. This fixes output to null devices, e.g. writing ALSA output to a file. (cherry picked from commit 8bfd7f6a475225a0595bf657f8b99a8fffb461e4) Signed-off-by: Anton Khirnov --- libavdevice/alsa-audio-common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index baa6ac79ca..4c7c881300 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -146,6 +146,8 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL); + if (!period_size) + period_size = buffer_size / 4; res = snd_pcm_hw_params_set_period_size_near(h, hw_params, &period_size, NULL); if (res < 0) { av_log(ctx, AV_LOG_ERROR, "cannot set ALSA period size (%s)\n", From 0c039db4d8aa0928d9b7466c635247e6439df015 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Jun 2011 16:38:20 -0400 Subject: [PATCH 0318/1119] alsa: limit buffer_size to 32768 frames. In testing, the file output plugin gave a max buffer size of about 20 million frames, which is way more than what is really needed and causes a memory allocation error on my system. (cherry picked from commit e35c674d13a7f180412cfe058530a2e7f1d49a90) Signed-off-by: Anton Khirnov --- libavdevice/alsa-audio-common.c | 1 + libavdevice/alsa-audio.h | 2 ++ 2 files changed, 3 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index 4c7c881300..825fcb1dbd 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -137,6 +137,7 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_buffer_size_max(hw_params, &buffer_size); + buffer_size = FFMIN(buffer_size, ALSA_BUFFER_SIZE_MAX); /* TODO: maybe use ctx->max_picture_buffer somehow */ res = snd_pcm_hw_params_set_buffer_size_near(h, hw_params, &buffer_size); if (res < 0) { diff --git a/libavdevice/alsa-audio.h b/libavdevice/alsa-audio.h index 32c07426ef..c8c6ea4aff 100644 --- a/libavdevice/alsa-audio.h +++ b/libavdevice/alsa-audio.h @@ -40,6 +40,8 @@ other formats */ #define DEFAULT_CODEC_ID AV_NE(CODEC_ID_PCM_S16BE, CODEC_ID_PCM_S16LE) +#define ALSA_BUFFER_SIZE_MAX 32768 + typedef struct { AVClass *class; snd_pcm_t *h; From b772a757dd5e58ce94b56daee0deba78ab2e205e Mon Sep 17 00:00:00 2001 From: Jindrich Makovicka Date: Thu, 30 Jun 2011 09:03:15 +0000 Subject: [PATCH 0319/1119] mpegts: fix Continuity Counter error detection According to MPEG-TS specs, the continuity_counter shall not be incremented when the adaptation_field_control of the packet equals '00' or '10'. Signed-off-by: Jindrich Makovicka Signed-off-by: Anton Khirnov (cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7) Signed-off-by: Anton Khirnov --- libavformat/mpegts.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e9b8b3513a..608cbe710f 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1247,7 +1247,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) { AVFormatContext *s = ts->stream; MpegTSFilter *tss; - int len, pid, cc, cc_ok, afc, is_start; + int len, pid, cc, expected_cc, cc_ok, afc, is_start; const uint8_t *p, *p_end; int64_t pos; @@ -1265,7 +1265,8 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) /* continuity check (currently not used) */ cc = (packet[3] & 0xf); - cc_ok = (tss->last_cc < 0) || ((((tss->last_cc + 1) & 0x0f) == cc)); + expected_cc = (packet[3] & 0x10) ? (tss->last_cc + 1) & 0x0f : tss->last_cc; + cc_ok = (tss->last_cc < 0) || (expected_cc == cc); tss->last_cc = cc; /* skip adaptation field */ From f8521560fa95c83bfbd95bb1b5adc8ded62a5104 Mon Sep 17 00:00:00 2001 From: Oskar Arvidsson Date: Tue, 12 Jul 2011 10:52:19 +0200 Subject: [PATCH 0320/1119] pix_fmt: Fix number of bits per component in yuv444p9be Signed-off-by: Ronald S. Bultje (cherry picked from commit e59d6b4d7255d6d3dc89580f534e18af1433fe25) Signed-off-by: Anton Khirnov --- libavutil/pixdesc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index efc7c7ea0e..c70a41347b 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -918,9 +918,9 @@ const AVPixFmtDescriptor av_pix_fmt_descriptors[PIX_FMT_NB] = { .log2_chroma_w= 0, .log2_chroma_h= 0, .comp = { - {0,1,1,0,9}, /* Y */ - {1,1,1,0,9}, /* U */ - {2,1,1,0,9}, /* V */ + {0,1,1,0,8}, /* Y */ + {1,1,1,0,8}, /* U */ + {2,1,1,0,8}, /* V */ }, .flags = PIX_FMT_BE, }, From 9c2a02466053dd4762d474d89d9be9a957eaaefe Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 12 Jul 2011 22:42:18 +0200 Subject: [PATCH 0321/1119] lavf: fix segfault in av_open_input_stream() ic is NULL in case of error. (cherry picked from commit 13551ad1e336573e3732fdeaf25607c47244bb80) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0e6b00195b..2cb096e373 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -465,7 +465,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, else ic->pb = pb; - err = avformat_open_input(&ic, filename, fmt, &opts); + if ((err = avformat_open_input(&ic, filename, fmt, &opts)) < 0) + goto fail; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above *ic_ptr = ic; From f7831bb104c48118b38d4ba86a7d594fe4fa0f2c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Fri, 15 Jul 2011 22:38:10 +0100 Subject: [PATCH 0322/1119] aacps: skip some memcpy() if src and dst would be equal Signed-off-by: Mans Rullgard (cherry picked from commit e5902d60ce8f7cf10b6e87a57eec536b316261a3) Signed-off-by: Anton Khirnov --- libavcodec/aacps.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 724c13256a..3f1424bcf2 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2 const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB; //Remapping - memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); - memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); - memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); - memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); - memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); - memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); - memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); - memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + if (ps->num_env_old) { + memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); + memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); + memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); + memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); + memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); + memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); + memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); + memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + } + if (is34) { remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1); remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1); From 3ed12b97bed7f0cd430c4304f166e549b4dad634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Sat, 16 Jul 2011 11:41:08 -0400 Subject: [PATCH 0323/1119] Do not decode RV30 files if the extradata is too small Signed-off-by: Diego Biurrun (cherry picked from commit 289c60001fb0a9a1d7a97c876d8a42b84c6874ac) Signed-off-by: Anton Khirnov --- libavcodec/rv30.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 62177dda78..2b423cc0d2 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,6 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); + return EINVAL; } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From 99ec59adbdaced97d892da73e5c881ac122bd27b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 20 Jul 2011 09:55:48 +0100 Subject: [PATCH 0324/1119] Fix incorrect max_lowres values Signed-off-by: Mans Rullgard (cherry picked from commit e23a05ab0605693aa715b95120bc0132079ded06) Signed-off-by: Anton Khirnov --- libavcodec/cdgraphics.c | 1 - libavcodec/kgv1dec.c | 1 - libavcodec/pngdec.c | 1 - libavcodec/pnmdec.c | 5 ----- libavcodec/sp5xdec.c | 2 +- 5 files changed, 1 insertion(+), 9 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 2f8e98ca3d..bcfb6e9be5 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -377,6 +377,5 @@ AVCodec ff_cdgraphics_decoder = { cdg_decode_end, cdg_decode_frame, CODEC_CAP_DR1, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("CD Graphics video"), }; diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 57684340af..88c54bf817 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -173,6 +173,5 @@ AVCodec ff_kgv1_decoder = { NULL, decode_end, decode_frame, - .max_lowres = 1, .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"), }; diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 7477f6746b..1268c9e781 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -667,6 +667,5 @@ AVCodec ff_png_decoder = { decode_frame, CODEC_CAP_DR1 /*| CODEC_CAP_DRAW_HORIZ_BAND*/, NULL, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PNG image"), }; diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index b9f20c0569..988ea0c267 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -199,7 +199,6 @@ AVCodec ff_pgm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_GRAY8, PIX_FMT_GRAY16BE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PGM (Portable GrayMap) image"), }; #endif @@ -216,7 +215,6 @@ AVCodec ff_pgmyuv_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_YUV420P, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PGMYUV (Portable GrayMap YUV) image"), }; #endif @@ -233,7 +231,6 @@ AVCodec ff_ppm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB48BE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PPM (Portable PixelMap) image"), }; #endif @@ -250,7 +247,6 @@ AVCodec ff_pbm_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_MONOWHITE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PBM (Portable BitMap) image"), }; #endif @@ -267,7 +263,6 @@ AVCodec ff_pam_decoder = { pnm_decode_frame, CODEC_CAP_DR1, .pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB32, PIX_FMT_GRAY8, PIX_FMT_MONOWHITE, PIX_FMT_NONE}, - .max_lowres = 5, .long_name = NULL_IF_CONFIG_SMALL("PAM (Portable AnyMap) image"), }; #endif diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 6726c18ca9..ae25733530 100644 --- a/libavcodec/sp5xdec.c +++ b/libavcodec/sp5xdec.c @@ -104,7 +104,7 @@ AVCodec ff_sp5x_decoder = { sp5x_decode_frame, CODEC_CAP_DR1, NULL, - .max_lowres = 5, + .max_lowres = 3, .long_name = NULL_IF_CONFIG_SMALL("Sunplus JPEG (SP5X)"), }; From 44c718cf7116203e4e86ff2b92d7dcfd9c77e4b3 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 21 Jul 2011 14:25:01 +0200 Subject: [PATCH 0325/1119] rv30: return AVERROR(EINVAL) instead of EINVAL On some platforms EINVAL could be positive, ensure we return negative values. (cherry picked from commit e5985185d2eda942333ebbb72bd7d043ffe40be7) Signed-off-by: Anton Khirnov --- libavcodec/rv30.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 2b423cc0d2..b7f43a4bd0 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,7 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); - return EINVAL; + return AVERROR(EINVAL); } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From b3b97559bb47fceaaa7fc5aa25a351c9de7f60d6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 26 Jul 2011 10:58:29 -0700 Subject: [PATCH 0326/1119] vp3/theora: flush after seek. (cherry picked from commit 8dcf5184307f072d55fb29373be05ef8b0fd02df) Signed-off-by: Anton Khirnov --- libavcodec/vp3.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c3dff7f89f..c117a64084 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2321,6 +2321,26 @@ static av_cold int theora_decode_init(AVCodecContext *avctx) return vp3_decode_init(avctx); } +static void vp3_decode_flush(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + if (s->golden_frame.data[0]) { + if (s->golden_frame.data[0] == s->last_frame.data[0]) + memset(&s->last_frame, 0, sizeof(AVFrame)); + if (s->current_frame.data[0] == s->golden_frame.data[0]) + memset(&s->current_frame, 0, sizeof(AVFrame)); + ff_thread_release_buffer(avctx, &s->golden_frame); + } + if (s->last_frame.data[0]) { + if (s->current_frame.data[0] == s->last_frame.data[0]) + memset(&s->current_frame, 0, sizeof(AVFrame)); + ff_thread_release_buffer(avctx, &s->last_frame); + } + if (s->current_frame.data[0]) + ff_thread_release_buffer(avctx, &s->current_frame); +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2332,6 +2352,7 @@ AVCodec ff_theora_decoder = { vp3_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, NULL, + .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; @@ -2348,6 +2369,7 @@ AVCodec ff_vp3_decoder = { vp3_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, NULL, + .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; From c613a891433df18f5188efbab504942be8c809c0 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 29 Jul 2011 15:27:36 -0700 Subject: [PATCH 0327/1119] mxfdec: Include FF_INPUT_BUFFER_PADDING_SIZE when allocating extradata. This prevents out of bounds reads when extradata is being decoded. (cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356) Signed-off-by: Anton Khirnov --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 82daa2a002..fcee7a7b83 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -599,7 +599,7 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int default: /* Private uid used by SONY C0023S01.mxf */ if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) { - descriptor->extradata = av_malloc(size); + descriptor->extradata = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE); if (!descriptor->extradata) return -1; descriptor->extradata_size = size; From 96a453eb85a2d565681842a07ab759a52f1353fd Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 29 Jul 2011 15:49:11 -0700 Subject: [PATCH 0328/1119] aac: Remove some suspicious illegal memcpy()s from LTP. (cherry picked from commit a6c49f18abacb9bf52d4d808a2a56561a5b5445c) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 69aacb86d6..f94b109de5 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1753,12 +1753,10 @@ static void windowing_and_mdct_ltp(AACContext *ac, float *out, } else { memset(in, 0, 448 * sizeof(float)); ac->dsp.vector_fmul(in + 448, in + 448, swindow_prev, 128); - memcpy(in + 576, in + 576, 448 * sizeof(float)); } if (ics->window_sequence[0] != LONG_START_SEQUENCE) { ac->dsp.vector_fmul_reverse(in + 1024, in + 1024, lwindow, 1024); } else { - memcpy(in + 1024, in + 1024, 448 * sizeof(float)); ac->dsp.vector_fmul_reverse(in + 1024 + 448, in + 1024 + 448, swindow, 128); memset(in + 1024 + 576, 0, 448 * sizeof(float)); } From 67163d751ba1ffa89e61eff224158828d5f673a4 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sat, 29 Jan 2011 17:05:42 -0800 Subject: [PATCH 0329/1119] libx264: do not set pic quality if no frame is output Avoids uninitialized reads. Signed-off-by: Anton Khirnov (cherry picked from commit 5caa2de19ece830e32c95731bc92a423d55cff0c) Signed-off-by: Anton Khirnov --- libavcodec/libx264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index e5fac00469..74ee1d45e0 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -138,7 +138,8 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, } x4->out_pic.key_frame = pic_out.b_keyframe; - x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; + if (bufsize) + x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; return bufsize; } From 042934e78676a7854038be560e8f8a7d05552b84 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 10 Aug 2011 14:07:35 -0400 Subject: [PATCH 0330/1119] Remove incorrect info in documentation of AVCodecContext.bits_per_raw_sample. bits_per_raw_sample is used in video as well, where sample_fmt is not used. (cherry picked from commit d271d5b2152cafe540f3ab71d3be6ce8636d2fd6) Signed-off-by: Anton Khirnov --- libavcodec/avcodec.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 9a3076ae27..0269892028 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2559,7 +2559,6 @@ typedef struct AVCodecContext { /** * Bits per sample/pixel of internal libavcodec pixel/sample format. - * This field is applicable only when sample_fmt is AV_SAMPLE_FMT_S32. * - encoding: set by user. * - decoding: set by libavcodec. */ From 59a22afa0b50b9037133a7bc26bdc5023e7e1df9 Mon Sep 17 00:00:00 2001 From: Dustin Brody Date: Thu, 11 Aug 2011 08:57:58 -0400 Subject: [PATCH 0331/1119] h264: notice memory allocation failure Signed-off-by: Ronald S. Bultje (cherry picked from commit bac3ab13ea6a9dd8853e79ef3eacf51d234c8774) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 2c000a3420..99be210d13 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1165,7 +1165,10 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } context_init(h); for(i=0; i<2; i++){ @@ -2635,7 +2638,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->prev_interlaced_frame = 1; init_scan_tables(h); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } if (!HAVE_THREADS || !(s->avctx->active_thread_type&FF_THREAD_SLICE)) { if (context_init(h) < 0) { From 28321b777f76528b061646a3555d08b94ff667bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 13 Aug 2011 11:58:18 +0200 Subject: [PATCH 0332/1119] VC-1: fix reading of custom PAR. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Custom PAR num/denum are in 1-256 range. Signed-off-by: Reimar Döffinger Signed-off-by: Diego Biurrun (cherry picked from commit 0e8696551414d4ea0aab2559f9475d1fe49d08f3) Signed-off-by: Anton Khirnov --- libavcodec/vc1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 32869b97d1..5e53680ec6 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -485,8 +485,8 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) if(ar && ar < 14){ v->s.avctx->sample_aspect_ratio = ff_vc1_pixel_aspect[ar]; }else if(ar == 15){ - w = get_bits(gb, 8); - h = get_bits(gb, 8); + w = get_bits(gb, 8) + 1; + h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } av_log(v->s.avctx, AV_LOG_DEBUG, "Aspect: %i:%i\n", v->s.avctx->sample_aspect_ratio.num, v->s.avctx->sample_aspect_ratio.den); From fe3e7297fe56a383baca484dea2c0d603ae305f8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 8 Jun 2011 14:32:07 +0000 Subject: [PATCH 0333/1119] flvenc: use int64_t to store offsets Metadata currently is written only at the start of the file in normal cases, when transcoding from a rtmp source metadata could be written later and the offset recorded can exceed 32bit. Signed-off-by: Anton Khirnov (cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6) Signed-off-by: Anton Khirnov --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 487993cd9a..bd1a1f49fe 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -177,7 +177,7 @@ static int flv_write_header(AVFormatContext *s) AVCodecContext *audio_enc = NULL, *video_enc = NULL; int i; double framerate = 0.0; - int metadata_size_pos, data_size; + int64_t metadata_size_pos, data_size; AVDictionaryEntry *tag = NULL; for(i=0; inb_streams; i++){ From dec458b900439316ebdefa0de2bd1249440859cf Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 17 Aug 2011 10:36:33 +0200 Subject: [PATCH 0334/1119] rv10/20: tell decoder to use edge emulation This removes out-of-edge motion compensation artifacts (easily spotted green blocks in avplay, gray blocks in transcoding), for example here: http://samples.libav.org/samples/real/tv_watching_t1.rm Signed-off-by: Diego Biurrun (cherry picked from commit 331971116d7d36743601bd2dc5384c5211d3bb48) Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 6227dc6f6c..78f97b16b1 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -438,6 +438,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) s->avctx= avctx; s->out_format = FMT_H263; s->codec_id= avctx->codec_id; + avctx->flags |= CODEC_FLAG_EMU_EDGE; s->orig_width = s->width = avctx->coded_width; s->orig_height= s->height = avctx->coded_height; From b4099a6dc539c54156a788c7020356c54bc6485e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 16 Aug 2011 11:03:26 -0700 Subject: [PATCH 0335/1119] aac: Only output configure if audio was found. Audio found is not triggered on a CCE because a CCE alone has no output. Signed-off-by: Luca Barbato (cherry picked from commit d8425ed4af6d8fce62ff363cc590f85e57bac06b) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index f94b109de5..2958ddbe72 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -2074,7 +2074,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, ChannelElement *che = NULL, *che_prev = NULL; enum RawDataBlockType elem_type, elem_type_prev = TYPE_END; int err, elem_id, data_size_tmp; - int samples = 0, multiplier; + int samples = 0, multiplier, audio_found = 0; if (show_bits(gb, 12) == 0xfff) { if (parse_adts_frame_header(ac, gb) < 0) { @@ -2105,10 +2105,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_SCE: err = decode_ics(ac, &che->ch[0], gb, 0, 0); + audio_found = 1; break; case TYPE_CPE: err = decode_cpe(ac, gb, che); + audio_found = 1; break; case TYPE_CCE: @@ -2117,6 +2119,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_LFE: err = decode_ics(ac, &che->ch[0], gb, 0, 0); + audio_found = 1; break; case TYPE_DSE: @@ -2193,7 +2196,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, samples, avctx->channels); } - if (ac->output_configured) + if (ac->output_configured && audio_found) ac->output_configured = OC_LOCKED; return 0; From 8ad6555f820cc8db5debd5f76d8779cd329def20 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 14:21:54 -0400 Subject: [PATCH 0336/1119] h264: correct the check for invalid long term frame index in MMCO decode The current check on MMCO parameters prohibits a "max long term frame index plus 1" of 16 (frame idx of 15) for the "set max long term frame index" MMCO. Fix this off-by-one error to allow the full range of legal values. Signed-off-by: Diego Biurrun (cherry picked from commit 29a09eae9a827f4dbc9c4517180d8fe2ecef321a) Signed-off-by: Anton Khirnov --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index a025f7d352..b1c27ec810 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -678,7 +678,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){ } if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){ unsigned int long_arg= get_ue_golomb_31(gb); - if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ + if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode); return -1; } From 45b3f7c71ec213a2f4177e866586660fcbc68ecd Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 6 Jul 2011 11:54:36 -0400 Subject: [PATCH 0337/1119] h264: correct implicit weight table computation for long ref pics Correct computation of implicit weight tables when referencing pictures that are marked for long reference. Signed-off-by: Diego Biurrun (cherry picked from commit 87cf70eb237e7586cc7399627dafa1b980ec0b7d) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 99be210d13..1c60de7023 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2198,15 +2198,17 @@ static void implicit_weight_table(H264Context *h, int field){ for(ref0=ref_start; ref0 < ref_count0; ref0++){ int poc0 = h->ref_list[0][ref0].poc; for(ref1=ref_start; ref1 < ref_count1; ref1++){ - int poc1 = h->ref_list[1][ref1].poc; - int td = av_clip(poc1 - poc0, -128, 127); - int w= 32; - if(td){ - int tb = av_clip(cur_poc - poc0, -128, 127); - int tx = (16384 + (FFABS(td) >> 1)) / td; - int dist_scale_factor = (tb*tx + 32) >> 8; - if(dist_scale_factor >= -64 && dist_scale_factor <= 128) - w = 64 - dist_scale_factor; + int w = 32; + if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { + int poc1 = h->ref_list[1][ref1].poc; + int td = av_clip(poc1 - poc0, -128, 127); + if(td){ + int tb = av_clip(cur_poc - poc0, -128, 127); + int tx = (16384 + (FFABS(td) >> 1)) / td; + int dist_scale_factor = (tb*tx + 32) >> 8; + if(dist_scale_factor >= -64 && dist_scale_factor <= 128) + w = 64 - dist_scale_factor; + } } if(field<0){ h->implicit_weight[ref0][ref1][0]= From ce8f40a7b9e9fd8bc47181dc4a2b4de0042dac72 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 13:20:06 -0400 Subject: [PATCH 0338/1119] h264: fix PCM intra-coded blocks in monochrome case Signed-off-by: Diego Biurrun (cherry picked from commit 6581e161c5f46733a5619208483de29416eb9a51) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1c60de7023..75075f6b3c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1851,15 +1851,30 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i tmp_y[j] = get_bits(&gb, bit_depth); } if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){ - for (i = 0; i < 8; i++) { - uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); - for (j = 0; j < 8; j++) - tmp_cb[j] = get_bits(&gb, bit_depth); - } - for (i = 0; i < 8; i++) { - uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); - for (j = 0; j < 8; j++) - tmp_cr[j] = get_bits(&gb, bit_depth); + if (!h->sps.chroma_format_idc) { + for (i = 0; i < 8; i++) { + uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); + for (j = 0; j < 8; j++) { + tmp_cb[j] = 1 << (bit_depth - 1); + } + } + for (i = 0; i < 8; i++) { + uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); + for (j = 0; j < 8; j++) { + tmp_cr[j] = 1 << (bit_depth - 1); + } + } + } else { + for (i = 0; i < 8; i++) { + uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize); + for (j = 0; j < 8; j++) + tmp_cb[j] = get_bits(&gb, bit_depth); + } + for (i = 0; i < 8; i++) { + uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize); + for (j = 0; j < 8; j++) + tmp_cr[j] = get_bits(&gb, bit_depth); + } } } } else { @@ -1867,9 +1882,16 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i memcpy(dest_y + i* linesize, h->mb + i*8, 16); } if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){ - for (i=0; i<8; i++) { - memcpy(dest_cb+ i*uvlinesize, h->mb + 128 + i*4, 8); - memcpy(dest_cr+ i*uvlinesize, h->mb + 160 + i*4, 8); + if (!h->sps.chroma_format_idc) { + for (i = 0; i < 8; i++) { + memset(dest_cb + i*uvlinesize, 128, 8); + memset(dest_cr + i*uvlinesize, 128, 8); + } + } else { + for (i = 0; i < 8; i++) { + memcpy(dest_cb + i*uvlinesize, h->mb + 128 + i*4, 8); + memcpy(dest_cr + i*uvlinesize, h->mb + 160 + i*4, 8); + } } } } From 97ce2a29b623f785f6b542846746f51018230df4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 24 Aug 2011 14:36:16 -0700 Subject: [PATCH 0339/1119] vc1: properly zero coded_block[] edges on new slice entry. Previously, we would leave the left edge uninitialized, which led to CBP prediction errors on slice edges, e.g. in SA10098.vc1. (cherry picked from commit d4b9974465baf893e90527a366e7a7411ded1ef8) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 8fca2da738..b17ce30b5c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3020,7 +3020,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v) s->mb_x = 0; ff_init_block_index(s); memset(&s->coded_block[s->block_index[0]-s->b8_stride], 0, - s->b8_stride * sizeof(*s->coded_block)); + (1 + s->b8_stride) * sizeof(*s->coded_block)); } for(; s->mb_y < s->end_mb_y; s->mb_y++) { s->mb_x = 0; From db5e27f94ed8e74c2cca45b61085ebad7180e22d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alberto=20Delm=C3=A1s?= Date: Thu, 25 Aug 2011 11:00:37 +0200 Subject: [PATCH 0340/1119] VC1: Fix first/last row checks with slices In some places 0/mb_height were used in place of start_mb_y/end_mb_y. Fixes SA00049, SA00058, SA10091, SA10097, SA10131, SA20021, SA30030 Improves PSNR in SA00054, SA00059, SA00060, SA10096, SA10098, SA20022, SA30031, SA30032, SA40012, SA40013 Signed-off-by: Ronald S. Bultje (cherry picked from commit 1cf82cab0840d669198ea76ab0363aa661950647) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index b17ce30b5c..c87558bc50 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -243,7 +243,7 @@ static void vc1_loop_filter_iblk(VC1Context *v, int pq) } v->vc1dsp.vc1_v_loop_filter16(s->dest[0] + 8*s->linesize, s->linesize, pq); - if (s->mb_y == s->mb_height-1) { + if (s->mb_y == s->end_mb_y-1) { if (s->mb_x) { v->vc1dsp.vc1_h_loop_filter16(s->dest[0], s->linesize, pq); v->vc1dsp.vc1_h_loop_filter8(s->dest[1], s->uvlinesize, pq); @@ -295,7 +295,7 @@ static void vc1_loop_filter_iblk_delayed(VC1Context *v, int pq) v->vc1dsp.vc1_v_loop_filter16(s->dest[0] - 8 * s->linesize, s->linesize, pq); } - if (s->mb_y == s->mb_height) { + if (s->mb_y == s->end_mb_y) { if (s->mb_x) { if (s->mb_x >= 2) v->vc1dsp.vc1_h_loop_filter16(s->dest[0] - 16 * s->linesize - 16, s->linesize, pq); @@ -2330,7 +2330,7 @@ static av_always_inline void vc1_apply_p_v_loop_filter(VC1Context *v, int block_ } else { dst = s->dest[0] + (block_num & 1) * 8 + ((block_num & 2) * 4 - 8) * linesize; } - if (s->mb_y != s->mb_height || block_num < 2) { + if (s->mb_y != s->end_mb_y || block_num < 2) { int16_t (*mv)[2]; int mv_stride; @@ -3096,7 +3096,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v) if(v->s.loop_filter) vc1_loop_filter_iblk_delayed(v, v->pq); } if (v->s.loop_filter) - ff_draw_horiz_band(s, (s->mb_height-1)*16, 16); + ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16); ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); } @@ -3219,7 +3219,7 @@ static void vc1_decode_b_blocks(VC1Context *v) s->first_slice_line = 0; } if (v->s.loop_filter) - ff_draw_horiz_band(s, (s->mb_height-1)*16, 16); + ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16); ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); } @@ -3227,9 +3227,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; - ff_er_add_slice(s, 0, 0, s->mb_width - 1, s->mb_height - 1, (AC_END|DC_END|MV_END)); + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END)); s->first_slice_line = 1; - for(s->mb_y = 0; s->mb_y < s->mb_height; s->mb_y++) { + for(s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { s->mb_x = 0; ff_init_block_index(s); ff_update_block_index(s); From 2b74db8d2781202742535a466a371a10a108b141 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Mar 2011 03:30:24 +0100 Subject: [PATCH 0341/1119] vf_scale: don't leak SWS context. Signed-off-by: Anton Khirnov (cherry picked from commit 52982dbe474663709033e1ad259f8ff7a5a2eefa) Signed-off-by: Anton Khirnov --- libavfilter/vf_scale.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 65fe01c9ae..5288d32116 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -205,6 +205,8 @@ static int config_props(AVFilterLink *outlink) scale->input_is_pal = av_pix_fmt_descriptors[inlink->format].flags & PIX_FMT_PAL; + if (scale->sws) + sws_freeContext(scale->sws); scale->sws = sws_getContext(inlink ->w, inlink ->h, inlink ->format, outlink->w, outlink->h, outlink->format, scale->flags, NULL, NULL, NULL); From 1cf3ba89711748b340c31fe018a3a72e8e9b75f1 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 25 Jul 2011 18:51:02 -0400 Subject: [PATCH 0342/1119] cpu detection: avoid a signed overflow 1<<31 overflows because 1 is signed, so force it to unsigned. Signed-off-by: Ronald S. Bultje (cherry picked from commit 5938e02185430ca711106aaec9b5622dbf588af3) Signed-off-by: Anton Khirnov --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 78aeadf0a1..f747e4dba8 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -113,7 +113,7 @@ int ff_get_cpu_flags_x86(void) if(max_ext_level >= 0x80000001){ cpuid(0x80000001, eax, ebx, ecx, ext_caps); - if (ext_caps & (1<<31)) + if (ext_caps & (1U<<31)) rval |= AV_CPU_FLAG_3DNOW; if (ext_caps & (1<<30)) rval |= AV_CPU_FLAG_3DNOWEXT; From 54f12d2889390293d59c2a9c36f1bf78fbca8dca Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 23 Aug 2011 07:46:51 +0200 Subject: [PATCH 0343/1119] AVOptions: fix av_set_string3() doxy to match reality. Fixes bug 28. (cherry picked from commit e955a682e125d44143415ff2b96a99a4dac78da2) Signed-off-by: Anton Khirnov --- libavutil/opt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.h b/libavutil/opt.h index 30aa54f5b6..ce65865069 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -134,7 +134,7 @@ const AVOption *av_find_opt(void *obj, const char *name, const char *unit, int m * when 0 then no av_free() nor av_strdup() will be used * @return 0 if the value has been set, or an AVERROR code in case of * error: - * AVERROR(ENOENT) if no matching option exists + * AVERROR_OPTION_NOT_FOUND if no matching option exists * AVERROR(ERANGE) if the value is out of range * AVERROR(EINVAL) if the value is not valid */ From a4f2973b2dfb2efe41d4e387eb9be404511da5e0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 4 Sep 2011 09:56:47 +0200 Subject: [PATCH 0344/1119] lavc: fix type for thread_type option It should be flags, not int. (cherry picked from commit fb47997edb9d8ff16fc380d005a08c0545624aa6) Signed-off-by: Anton Khirnov --- libavcodec/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index ae9e0c902d..6f25ebe6d4 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -446,7 +446,7 @@ static const AVOption options[]={ {"lpc_passes", "deprecated, use flac-specific options", OFFSET(lpc_passes), FF_OPT_TYPE_INT, {.dbl = -1 }, INT_MIN, INT_MAX, A|E}, #endif {"slices", "number of slices, used in parallelized decoding", OFFSET(slices), FF_OPT_TYPE_INT, {.dbl = 0 }, 0, INT_MAX, V|E}, -{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, +{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_FLAGS, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"}, {"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"}, {"vbv_delay", "initial buffer fill time in periods of 27Mhz clock", 0, FF_OPT_TYPE_INT64, {.dbl = 0 }, 0, INT64_MAX}, From aee461277a54736511fdcb6298f0e7f9d90e0672 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 23:12:32 +0200 Subject: [PATCH 0345/1119] Fixed invalid access in wavpack decoder on corrupted extra bits sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e4fe217f59..64725c72c0 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -385,7 +385,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in if(s->extra_bits){ S <<= s->extra_bits; - if(s->got_extra_bits){ + if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){ S |= get_bits(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16); } From 685940da4c843beb9283a21718cbd2fa4fa5d796 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:17:39 +0200 Subject: [PATCH 0346/1119] Fixed invalid writes in wavpack decoder on corrupted bitstreams. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 64725c72c0..5bd677e45e 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1113,7 +1113,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1122,7 +1122,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1131,7 +1131,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *dst = *src; src += channel_stride; dst += channel_stride; From 4b84e995ad88f3bfa533c38218f2791c14fd72f0 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:02:55 +0200 Subject: [PATCH 0347/1119] Fixed invalid access in wavpack decoder on corrupted bitstream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 5bd677e45e..343120f494 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } }else{ t = get_unary_0_33(gb); - if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1)); + if(t >= 2){ + if(get_bits_left(gb) < t-1) + goto error; + t = get_bits(gb, t - 1) | (1 << (t-1)); + }else{ + if(get_bits_left(gb) < 0) + goto error; + } ctx->zeroes = t; if(ctx->zeroes){ memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median)); @@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } } - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } - if(ctx->zero){ t = 0; ctx->zero = 0; }else{ t = get_unary_0_33(gb); - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } + if(get_bits_left(gb) < 0) + goto error; if(t == 16) { t2 = get_unary_0_33(gb); - if(t2 < 2) t += t2; - else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + if(t2 < 2){ + if(get_bits_left(gb) < 0) + goto error; + t += t2; + }else{ + if(get_bits_left(gb) < t2 - 1) + goto error; + t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + } } if(ctx->one){ @@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel } if(!c->error_limit){ ret = base + get_tail(gb, add); + if (get_bits_left(gb) <= 0) + goto error; }else{ int mid = (base*2 + add + 1) >> 1; while(add > c->error_limit){ + if(get_bits_left(gb) <= 0) + goto error; if(get_bits1(gb)){ add -= (mid - base); base = mid; @@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel if(ctx->hybrid_bitrate) c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level); return sign ? ~ret : ret; + +error: + *last = 1; + return 0; } static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S) @@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); @@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); From 5d4c065476da547fd1a8a604e3047e1b3a7a29d8 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 8 Sep 2011 11:02:43 -0700 Subject: [PATCH 0348/1119] wavpack: Check error codes rather than working around error conditions. (cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 343120f494..f614c7afec 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1119,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32); else samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + + if (samplecount < 0) + return -1; + samplecount >>= 1; }else{ const int channel_stride = avctx->channels; @@ -1130,11 +1134,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, else samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); + if (samplecount < 0) + return -1; + if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){ int16_t *dst = (int16_t*)samples + 1; int16_t *src = (int16_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1143,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, int32_t *dst = (int32_t*)samples + 1; int32_t *src = (int32_t*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; @@ -1152,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, float *dst = (float*)samples + 1; float *src = (float*)samples; int cnt = samplecount; - while(cnt-- > 0){ + while(cnt--){ *dst = *src; src += channel_stride; dst += channel_stride; From 07b3c4cde582a91377372d1dd2afe7c79230f56e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 22:04:09 +0200 Subject: [PATCH 0349/1119] ffv1: Fixed size given to init_get_bits() in decoder. init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Alex Converse (cherry picked from commit 46b004959bb7870a361a57272cd5fa7eea34250b) Signed-off-by: Anton Khirnov --- libavcodec/ffv1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 50f1062ad4..ab2cc6e7cd 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -1765,7 +1765,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac bytes_read = c->bytestream - c->bytestream_start - 1; if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME //printf("pos=%d\n", bytes_read); - init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read); + init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8); } else { bytes_read = 0; /* avoid warning */ } @@ -1782,7 +1782,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if(fs->ac){ ff_init_range_decoder(&fs->c, buf_p, v); }else{ - init_get_bits(&fs->gb, buf_p, v); + init_get_bits(&fs->gb, buf_p, v * 8); } } From af32fa929a81188c4c451f8648f2f650dcf5228a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:24:19 -0700 Subject: [PATCH 0350/1119] indeo2: init_get_bits size in bits instead of bytes (cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8) Signed-off-by: Anton Khirnov --- libavcodec/indeo2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 0e588c3966..6cf893b15e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -165,7 +165,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, #endif start = 48; /* hardcoded for now */ - init_get_bits(&s->gb, buf + start, buf_size - start); + init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); if (s->decode_delta) { /* intraframe */ ir2_decode_plane(s, avctx->width, avctx->height, From 6550e2b5c51cf7d3d40f666f6966b57f622ffffc Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:26:49 -0700 Subject: [PATCH 0351/1119] indeo2: fail if input buffer too small (cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055) Signed-off-by: Anton Khirnov --- libavcodec/indeo2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 6cf893b15e..544f476774 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -156,6 +156,13 @@ static int ir2_decode_frame(AVCodecContext *avctx, return -1; } + start = 48; /* hardcoded for now */ + + if (start >= buf_size) { + av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->decode_delta = buf[18]; /* decide whether frame uses deltas or not */ @@ -163,7 +170,6 @@ static int ir2_decode_frame(AVCodecContext *avctx, for (i = 0; i < buf_size; i++) buf[i] = av_reverse[buf[i]]; #endif - start = 48; /* hardcoded for now */ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); From 384ed15c2a81812757ecd182f01256f7426af290 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 14:50:33 -0700 Subject: [PATCH 0352/1119] cljr: init_get_bits size in bits instead of bytes (cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2) Signed-off-by: Anton Khirnov --- libavcodec/cljr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c index e2b01e2a6a..b83919e71d 100644 --- a/libavcodec/cljr.c +++ b/libavcodec/cljr.c @@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx, p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; - init_get_bits(&a->gb, buf, buf_size); + init_get_bits(&a->gb, buf, buf_size * 8); for(y=0; yheight; y++){ uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ]; From 9b30b7b9bfc83df9ba7c9a39fd0dcd74dfc063f3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 21:43:03 +0200 Subject: [PATCH 0353/1119] Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f614c7afec..155633f3ac 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -862,12 +862,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } switch(id & WP_IDF_MASK){ case WP_ID_DECTERMS: - s->terms = size; - if(s->terms > MAX_TERMS){ + if(size > MAX_TERMS){ av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n"); + s->terms = 0; buf += ssize; continue; } + s->terms = size; for(i = 0; i < s->terms; i++) { s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5; s->decorr[s->terms - i - 1].delta = *buf >> 5; From 0b9b3570a3e3f3eff088ee061dbab165ff3eff2f Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 12 Sep 2011 09:40:42 +0200 Subject: [PATCH 0354/1119] smacker demuxer: handle possible av_realloc() failure. Signed-off-by: Anton Khirnov (cherry picked from commit 47a8589f7bc69d1a29da1dfdfbd0dfa78a9e31fd) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index db9a02bb6c..135b4ae708 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -286,11 +286,16 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) for(i = 0; i < 7; i++) { if(flags & 1) { int size; + uint8_t *tmpbuf; + size = avio_rl32(s->pb) - 4; frame_size -= size; frame_size -= 4; smk->curstream++; - smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); + tmpbuf = av_realloc(smk->bufs[smk->curstream], size); + if (!tmpbuf) + return AVERROR(ENOMEM); + smk->bufs[smk->curstream] = tmpbuf; smk->buf_sizes[smk->curstream] = size; ret = avio_read(s->pb, smk->bufs[smk->curstream], size); if(ret != size) From e6694dce1cbaa1ecd2cbe547c9bf45745986e2c1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 10 Sep 2011 00:32:12 +0200 Subject: [PATCH 0355/1119] Fixed size given to init_get_bits() in xan decoder. (cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 876a9a5558..521764fd1c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -95,17 +95,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_huffman_decode(unsigned char *dest, const unsigned char *src, - int dest_len) +static int xan_huffman_decode(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char byte = *src++; unsigned char ival = byte + 0x16; const unsigned char * ptr = src + byte*2; + int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; GetBitContext gb; - init_get_bits(&gb, ptr, 0); // FIXME: no src size available + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { val = src[val - 0x17 + get_bits1(&gb) * byte]; @@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) { vector_segment = s->buf + AV_RL16(&s->buf[4]); imagedata_segment = s->buf + AV_RL16(&s->buf[6]); - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size); + xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - (huffman_segment - s->buf) ); if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); From 61ddc8271d61b0e4ebb3b6954fc32f10799da228 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 16:10:03 -0700 Subject: [PATCH 0356/1119] xan: Add some buffer checks (cherry picked from commit 0872bb23b4bd2d94a8ba91070f706d1bc1c3ced8) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 521764fd1c..88a9adbc30 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -106,6 +106,9 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, unsigned char *dest_end = dest + dest_len; GetBitContext gb; + if (ptr_len < 0) + return AVERROR_INVALIDDATA; + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { @@ -245,7 +248,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, } } -static void xan_wc3_decode_frame(XanContext *s) { +static int xan_wc3_decode_frame(XanContext *s) { int width = s->avctx->width; int height = s->avctx->height; @@ -265,14 +268,30 @@ static void xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; + int huffman_offset, size_offset, vector_offset, imagedata_offset; - huffman_segment = s->buf + AV_RL16(&s->buf[0]); - size_segment = s->buf + AV_RL16(&s->buf[2]); - vector_segment = s->buf + AV_RL16(&s->buf[4]); - imagedata_segment = s->buf + AV_RL16(&s->buf[6]); + if (s->size < 8) + return AVERROR_INVALIDDATA; - xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - (huffman_segment - s->buf) ); + huffman_offset = AV_RL16(&s->buf[0]); + size_offset = AV_RL16(&s->buf[2]); + vector_offset = AV_RL16(&s->buf[4]); + imagedata_offset = AV_RL16(&s->buf[6]); + + if (huffman_offset >= s->size || + size_offset >= s->size || + vector_offset >= s->size || + imagedata_offset >= s->size) + return AVERROR_INVALIDDATA; + + huffman_segment = s->buf + huffman_offset; + size_segment = s->buf + size_offset; + vector_segment = s->buf + vector_offset; + imagedata_segment = s->buf + imagedata_offset; + + if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset) < 0) + return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); @@ -358,6 +377,7 @@ static void xan_wc3_decode_frame(XanContext *s) { y += (x + size) / width; x = (x + size) % width; } + return 0; } #if RUNTIME_GAMMA @@ -519,7 +539,8 @@ static int xan_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; - xan_wc3_decode_frame(s); + if (xan_wc3_decode_frame(s) < 0) + return AVERROR_INVALIDDATA; /* release the last frame if it is allocated */ if (s->last_frame.data[0]) From 4ee014309c377f7cfaa9578a393864ae500136f6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:40 +0200 Subject: [PATCH 0357/1119] ape demuxer: fix segfault on memory allocation failure. Signed-off-by: Anton Khirnov (cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99) Signed-off-by: Anton Khirnov --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 90b02619e0..b0841002a2 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -270,6 +270,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) if (ape->seektablelength > 0) { ape->seektable = av_malloc(ape->seektablelength); + if (!ape->seektable) + return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = avio_rl32(pb); } From 4e7905fa9ee75eed404db4d2cca69f833452bf72 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:13 +0200 Subject: [PATCH 0358/1119] Check for invalid packet size in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 135b4ae708..87c59a3049 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -304,6 +304,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } flags >>= 1; } + if (frame_size < 0) + return AVERROR_INVALIDDATA; if (av_new_packet(pkt, frame_size + 768)) return AVERROR(ENOMEM); if(smk->frm_size[smk->cur_frame] & 1) From 9f391c4971d4ce2e849a6465a19d1f9da1488194 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:34 +0200 Subject: [PATCH 0359/1119] Fixed off by one packet size allocation in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573) Signed-off-by: Anton Khirnov --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 87c59a3049..a817c31355 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -306,7 +306,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } if (frame_size < 0) return AVERROR_INVALIDDATA; - if (av_new_packet(pkt, frame_size + 768)) + if (av_new_packet(pkt, frame_size + 769)) return AVERROR(ENOMEM); if(smk->frm_size[smk->cur_frame] & 1) palchange |= 2; From 5b1f79b092a4684c1e700ea21d5da77c68ca7d44 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:46:49 +0200 Subject: [PATCH 0360/1119] Check and propagate errors when VLC trees cannot be built in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 8060e1cee7..e8de0d89c5 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -134,10 +134,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return -1; } b1 = get_bits_count(gb); - i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3); + i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; b2 = get_bits_count(gb); - i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3); + i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { @@ -290,7 +290,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_tbl[0] = 0; smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); @@ -298,7 +299,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_tbl[0] = 0; smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); @@ -306,7 +308,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_tbl[0] = 0; smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size); + if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); @@ -314,7 +317,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_tbl[0] = 0; smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size); + if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size)) + return -1; } return 0; @@ -522,8 +526,8 @@ static av_cold int decode_init(AVCodecContext *avctx) return -1; } - decode_header_trees(c); - + if (decode_header_trees(c)) + return -1; return 0; } From 0d93b03e6861fafd3eddd9ee164cf56630c9d899 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:49:36 +0200 Subject: [PATCH 0361/1119] Check for invalid VLC value in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e8de0d89c5..9628b07492 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -139,6 +139,8 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx b2 = get_bits_count(gb); i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; + if (i1 < 0 || i2 < 0) + return -1; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { ctx->last[0] = hc->current; From 78cd2e18a4aa2835f6d04cf145121fc82099c1a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 23:24:56 +0200 Subject: [PATCH 0362/1119] smacker: fix a few off by 1 errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stereo & 16bit is untested due to lack of samples Signed-off-by: Martin Storsjö (cherry picked from commit 5166376f24545207607f61ed8ff4e1b0572ff320) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 8 +-- tests/ref/fate/smacker | 160 ++++++++++++++++++++--------------------- 2 files changed, 84 insertions(+), 84 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 9628b07492..1fa40def62 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -624,9 +624,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) pred[i] = av_bswap16(get_bits(&gb, 16)); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples++ = pred[i]; - for(i = 0; i < unp_size / 2; i++) { + for(; i < unp_size / 2; i++) { if(i & stereo) { if(vlc[2].table) res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); @@ -658,9 +658,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; - for(i = 0; i < unp_size; i++) { + for(; i < unp_size; i++) { if(i & stereo){ if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker index 85c4a9817c..df88a4ae8a 100644 --- a/tests/ref/fate/smacker +++ b/tests/ref/fate/smacker @@ -1,5 +1,5 @@ 0, 0, 192000, 0x8926d7fc -1, 0, 47240, 0xad778a78 +1, 0, 47240, 0x9974897c 0, 6390, 192000, 0x2506d384 0, 12780, 192000, 0x9a8dc93a 0, 19170, 192000, 0x4badb7f2 @@ -15,163 +15,163 @@ 0, 83070, 192000, 0x1a3d7971 0, 89460, 192000, 0xa1a65bd5 0, 95850, 192000, 0x344957b9 -1, 96408, 3128, 0x4c1564ae +1, 96408, 3128, 0x7e4064b4 0, 102240, 192000, 0xe23b5f4e -1, 102792, 3128, 0x34553309 +1, 102792, 3128, 0x80883301 0, 108630, 192000, 0xb5c2710b -1, 109176, 3136, 0xb474d246 +1, 109176, 3136, 0x2ad2d341 0, 115020, 192000, 0x7a25938f -1, 115576, 3128, 0x87b868ea +1, 115576, 3128, 0xda8468e3 0, 121410, 192000, 0x0a84e4c9 -1, 121959, 3136, 0xf1516dc3 +1, 121959, 3136, 0x9d6f6cdf 0, 127800, 192000, 0x94209b0d -1, 128359, 3128, 0x867563cb +1, 128359, 3128, 0x1aaa64b5 0, 134190, 192000, 0xf940e51f -1, 134743, 3128, 0x5200728c +1, 134743, 3128, 0x9182728b 0, 140580, 192000, 0xb9fdec42 -1, 141127, 3136, 0xeda118a0 +1, 141127, 3136, 0xfa8e17b3 0, 146970, 192000, 0x7b04a376 -1, 147527, 3128, 0x03e2c1d6 +1, 147527, 3128, 0x0dc3c1cf 0, 153360, 192000, 0x5fe0026b -1, 153910, 3136, 0xc3e862b6 +1, 153910, 3136, 0x0109639d 0, 159750, 192000, 0x775aca39 -1, 160310, 3128, 0x937a13be +1, 160310, 3128, 0x6d8a12d9 0, 166140, 192000, 0xae14fb32 -1, 166694, 3128, 0x7b1b9577 +1, 166694, 3128, 0x4b9a9597 0, 172530, 192000, 0x661106e5 -1, 173078, 3136, 0x042c7113 +1, 173078, 3136, 0x9112710e 0, 178920, 192000, 0xe8658dbf -1, 179478, 3128, 0xac48f451 +1, 179478, 3128, 0x8cccf522 0, 185310, 192000, 0x5359f0f9 -1, 185861, 3128, 0x018fbbe9 +1, 185861, 3128, 0x6594bbf3 0, 191700, 192000, 0xc1ec80f4 -1, 192245, 3136, 0xc62aa7ce +1, 192245, 3136, 0xd878a7d5 0, 198090, 192000, 0xca53806b -1, 198645, 3128, 0x106e3924 +1, 198645, 3128, 0xaa6e3905 0, 204480, 192000, 0xf0766b2e -1, 205029, 3136, 0xfeb82ecc +1, 205029, 3136, 0x2a062e04 0, 210870, 192000, 0x39962da8 -1, 211429, 3128, 0x7e7c005b +1, 211429, 3128, 0x84e4006a 0, 217260, 192000, 0x4171c37f -1, 217812, 3128, 0x949d3560 +1, 217812, 3128, 0x85183633 0, 223650, 192000, 0x3abf3b46 -1, 224196, 3136, 0x02bd4aff +1, 224196, 3136, 0xb62d4b02 0, 230040, 192000, 0xecc68313 -1, 230596, 3128, 0x4aaf4715 +1, 230596, 3128, 0xe209462a 0, 236430, 192000, 0xea339baf -1, 236980, 3136, 0x2958825f +1, 236980, 3136, 0x57c4824b 0, 242820, 192000, 0x616b8f16 -1, 243380, 3128, 0x99a5914d +1, 243380, 3128, 0x664a9163 0, 249210, 192000, 0xf77a8581 -1, 249763, 3128, 0xe67277a4 +1, 249763, 3128, 0xb4287874 0, 255600, 192000, 0xb315678b -1, 256147, 3136, 0x11296973 +1, 256147, 3136, 0xde626885 0, 261990, 192000, 0x0a4a5218 -1, 262547, 3128, 0x5cc362f7 +1, 262547, 3128, 0x919763c2 0, 268380, 192000, 0x98802be4 -1, 268931, 3128, 0x0c5e6586 +1, 268931, 3128, 0xa4f664e1 0, 274770, 192000, 0xa2f0fd94 -1, 275314, 3136, 0xe940b0f9 +1, 275314, 3136, 0xa0bab0d4 0, 281160, 192000, 0x6671c84f -1, 281714, 3128, 0x2c9292cc +1, 281714, 3128, 0xe938939c 0, 287550, 192000, 0x38327e31 -1, 288098, 3136, 0xa807c096 +1, 288098, 3136, 0x3679bfc7 0, 293940, 192000, 0xb85d3e08 -1, 294498, 3128, 0x9d2254d8 +1, 294498, 3128, 0xc96c55c3 0, 300330, 192000, 0xdc69eba9 -1, 300882, 3128, 0xe68015b0 +1, 300882, 3128, 0x119114d6 0, 306720, 192000, 0x8955a0b3 -1, 307265, 3136, 0x65d58029 +1, 307265, 3136, 0x42f3800f 0, 313110, 192000, 0x714a548b -1, 313665, 3128, 0xcffcc48c +1, 313665, 3128, 0x4250c4ad 0, 319500, 192000, 0xc0471de9 -1, 320049, 3136, 0x8c704944 +1, 320049, 3136, 0x5cdd4925 0, 325890, 192000, 0x2e16e039 -1, 326449, 3128, 0x1459231d +1, 326449, 3128, 0xa4c12360 0, 332280, 192000, 0x9fa4b033 -1, 332833, 3128, 0x7dde4839 +1, 332833, 3128, 0x849f48de 0, 338670, 192000, 0x4a0f9402 -1, 339216, 3136, 0xbb6890e2 +1, 339216, 3136, 0x6acd8ff9 0, 345060, 192000, 0x1f3e6843 -1, 345616, 3128, 0xcd9a8524 +1, 345616, 3128, 0xb2758556 0, 351450, 192000, 0x31774850 -1, 352000, 3128, 0xa244fc31 +1, 352000, 3128, 0x10f2fcb1 0, 357840, 192000, 0x9d5336a2 -1, 358384, 3136, 0x504e2bd9 +1, 358384, 3136, 0xf0f02b23 0, 364230, 192000, 0xf7de27a2 -1, 364784, 3128, 0x655858d8 +1, 364784, 3128, 0x64f759c6 0, 370620, 192000, 0x98c717ce -1, 371167, 3136, 0x46027610 +1, 371167, 3136, 0x7ec075e3 0, 377010, 192000, 0x615b10b8 -1, 377567, 3128, 0x4192d5e3 +1, 377567, 3128, 0xf981d51e 0, 383400, 192000, 0xd5bc0e7e -1, 383951, 3128, 0x21d2e7fe +1, 383951, 3128, 0xc622e8b9 0, 389790, 192000, 0xd5bc0e7e -1, 390335, 3136, 0x7c93e329 +1, 390335, 3136, 0xf632e2f8 0, 396180, 192000, 0xd5bc0e7e -1, 396735, 3128, 0xa67718c0 +1, 396735, 3128, 0xda561864 0, 402570, 192000, 0xd5bc0e7e -1, 403118, 3136, 0x9bb6e8a3 +1, 403118, 3136, 0x14d2e888 0, 408960, 192000, 0xd5bc0e7e -1, 409518, 3128, 0x0933b7a6 +1, 409518, 3128, 0x015bb869 0, 415350, 192000, 0xd5bc0e7e -1, 415902, 3128, 0x07f1fb57 +1, 415902, 3128, 0xedb1fb62 0, 421740, 192000, 0xd5bc0e7e -1, 422286, 3136, 0x8a050cfd +1, 422286, 3136, 0xe0560c41 0, 428130, 192000, 0xd5bc0e7e -1, 428686, 3128, 0xdb773c0b +1, 428686, 3128, 0x14773c9a 0, 434520, 192000, 0xd5bc0e7e -1, 435069, 3136, 0xd1281c53 +1, 435069, 3136, 0x850f1c82 0, 440910, 192000, 0xd5bc0e7e -1, 441469, 3128, 0x9f395324 +1, 441469, 3128, 0xb0bd5347 0, 447300, 192000, 0xd5bc0e7e -1, 447853, 3128, 0x5f13edec +1, 447853, 3128, 0x8f82edbf 0, 453690, 192000, 0xd5bc0e7e -1, 454237, 3136, 0x871cbecf +1, 454237, 3136, 0x493abee2 0, 460080, 192000, 0xd5bc0e7e -1, 460637, 3128, 0x799eff3e +1, 460637, 3128, 0xf5daff3f 0, 466470, 192000, 0xd5bc0e7e -1, 467020, 3128, 0x3f902762 +1, 467020, 3128, 0x78ad2690 0, 472860, 192000, 0xd5bc0e7e -1, 473404, 3136, 0x29f8bb04 +1, 473404, 3136, 0x490ebafc 0, 479250, 192000, 0xd5bc0e7e -1, 479804, 3128, 0xf3523ee9 +1, 479804, 3128, 0x70333fd2 0, 485640, 192000, 0xd5bc0e7e -1, 486188, 3136, 0x4405c435 +1, 486188, 3136, 0x8cb1c350 0, 492030, 192000, 0xd5bc0e7e -1, 492588, 3128, 0x892957cb +1, 492588, 3128, 0x8bd057cb 0, 498420, 192000, 0xd5bc0e7e -1, 498971, 3128, 0xdf483dbd +1, 498971, 3128, 0x161b3dbc 0, 504810, 192000, 0xd5bc0e7e -1, 505355, 3136, 0x5e8ab797 +1, 505355, 3136, 0xb47fb88a 0, 511200, 192000, 0xd5bc0e7e -1, 511755, 3128, 0x92e13820 +1, 511755, 3128, 0x474b381e 0, 517590, 192000, 0xd5bc0e7e -1, 518139, 3136, 0xfde719b6 +1, 518139, 3136, 0x07c519bb 0, 523980, 192000, 0xd5bc0e7e -1, 524539, 3128, 0x442f17ae +1, 524539, 3128, 0x15b916c8 0, 530370, 192000, 0xd5bc0e7e -1, 530922, 3128, 0x011af61f +1, 530922, 3128, 0x0ed7f6fb 0, 536760, 192000, 0xd5bc0e7e -1, 537306, 3136, 0x4e3e3a6d +1, 537306, 3136, 0x54d6397b 0, 543150, 192000, 0xd5bc0e7e -1, 543706, 3128, 0xc11242b9 +1, 543706, 3128, 0x437242bb 0, 549540, 192000, 0xd5bc0e7e -1, 550090, 3128, 0x01415b59 +1, 550090, 3128, 0x38f05c4d 0, 555930, 192000, 0xd5bc0e7e -1, 556473, 3136, 0x302e0e55 +1, 556473, 3136, 0x5d000e59 0, 562320, 192000, 0xd5bc0e7e -1, 562873, 3128, 0x20522d04 +1, 562873, 3128, 0xdeab2d04 0, 568710, 192000, 0xd5bc0e7e -1, 569257, 3136, 0x316a697d +1, 569257, 3136, 0x77de6880 0, 575100, 192000, 0xd5bc0e7e -1, 575657, 3128, 0x6d75ee27 +1, 575657, 3128, 0xbc87ef25 0, 581490, 192000, 0xd5bc0e7e -1, 582041, 3128, 0xcb008ae8 +1, 582041, 3128, 0xc1638ade 0, 587880, 192000, 0xd5bc0e7e -1, 588424, 3136, 0xd2664b51 +1, 588424, 3136, 0xcfb64a5f 0, 594270, 192000, 0xd5bc0e7e -1, 594824, 3128, 0xdfcab728 +1, 594824, 3128, 0x90b1b826 0, 600660, 192000, 0xd5bc0e7e 1, 601208, 3136, 0x00000000 0, 607050, 192000, 0xd5bc0e7e From 54a178f28ff5caf8cac5493cc3f1c22ac2323fcf Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 9 Sep 2011 23:46:00 +0200 Subject: [PATCH 0363/1119] Fixed size given to init_get_bits(). init_get_bits() takes a number of bits and not a number of bytes as its size argument. Signed-off-by: Alex Converse (cherry picked from commit b59efc94347ccf0cbc2ff14a5a9e99819c5bdc4d) Signed-off-by: Anton Khirnov --- libavcodec/aac_adtstoasc_bsf.c | 2 +- libavcodec/avs.c | 2 +- libavcodec/jvdec.c | 2 +- libavcodec/rv34.c | 2 +- libavcodec/tta.c | 2 +- libavformat/movenc.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c index fbb86f8af7..d1310c4149 100644 --- a/libavcodec/aac_adtstoasc_bsf.c +++ b/libavcodec/aac_adtstoasc_bsf.c @@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc, int pce_size = 0; uint8_t pce_data[MAX_PCE_SIZE]; if (!hdr.chan_config) { - init_get_bits(&gb, buf, buf_size); + init_get_bits(&gb, buf, buf_size * 8); if (get_bits(&gb, 3) != 5) { av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0); return -1; diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 1c2682b338..1a5e44401c 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -117,7 +117,7 @@ avs_decode_frame(AVCodecContext * avctx, table = buf + (256 * vect_w * vect_h); if (sub_type != AVS_I_FRAME) { int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h); - init_get_bits(&change_map, table, map_size); + init_get_bits(&change_map, table, map_size * 8); table += map_size; } diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 0c346486f5..5249764347 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx, if (video_type == 0 || video_type == 1) { GetBitContext gb; - init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf)); + init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8)); for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index c5dcfdcba4..910b933dd9 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,7 +1444,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); return -1; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0)); + init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return -1; diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 57f5818d7b..fd5aa46670 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -216,7 +216,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) if (avctx->extradata_size < 30) return -1; - init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size); + init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8); if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { /* signature */ diff --git a/libavformat/movenc.c b/libavformat/movenc.c index dcc5581443..0cf837c9b1 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -206,7 +206,7 @@ static int mov_write_ac3_tag(AVIOContext *pb, MOVTrack *track) avio_wb32(pb, 11); ffio_wfourcc(pb, "dac3"); - init_get_bits(&gbc, track->vosData+4, track->vosLen-4); + init_get_bits(&gbc, track->vosData+4, (track->vosLen-4) * 8); fscod = get_bits(&gbc, 2); frmsizecod = get_bits(&gbc, 6); bsid = get_bits(&gbc, 5); From a3d471e500674c31fa4f52a62ef789d5e7fdbd3c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 23:26:12 +0200 Subject: [PATCH 0364/1119] oggdec: fix out of bound write in the ogg demuxer Between ogg_save() and ogg_restore() calls, the number of streams could have been reduced. Signed-off-by: Luca Barbato (cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d) Signed-off-by: Anton Khirnov --- libavformat/oggdec.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 25f5cd8b2d..18201677b8 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -92,14 +92,24 @@ static int ogg_restore(AVFormatContext *s, int discard) ogg->state = ost->next; if (!discard){ + struct ogg_stream *old_streams = ogg->streams; + for (i = 0; i < ogg->nstreams; i++) av_free (ogg->streams[i].buf); avio_seek (bc, ost->pos, SEEK_SET); ogg->curidx = ost->curidx; ogg->nstreams = ost->nstreams; - memcpy(ogg->streams, ost->streams, - ost->nstreams * sizeof(*ogg->streams)); + ogg->streams = av_realloc (ogg->streams, + ogg->nstreams * sizeof (*ogg->streams)); + + if (ogg->streams) { + memcpy(ogg->streams, ost->streams, + ost->nstreams * sizeof(*ogg->streams)); + } else { + av_free(old_streams); + ogg->nstreams = 0; + } } av_free (ost); From 9973ca992e8499848b8d5b0b536e709109dc65e2 Mon Sep 17 00:00:00 2001 From: David Goldwich Date: Sat, 17 Sep 2011 13:50:35 +0200 Subject: [PATCH 0365/1119] lavf: Fix context pointer in av_open_input_stream when avformat_open_input fails Signed-off-by: David Goldwich Signed-off-by: Anton Khirnov (cherry picked from commit 63d64228a7f31d534e3bcae87cbd37f4a0ae2dd6) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2cb096e373..d9d154e3ab 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -469,8 +469,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr, goto fail; ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above - *ic_ptr = ic; fail: + *ic_ptr = ic; av_dict_free(&opts); return err; } From 28d948ac44e38e8bec2f6268ccf4747ff4d992a9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 18 Sep 2011 00:03:08 +0200 Subject: [PATCH 0366/1119] rv10: Reject slices that does not have the same type as the first one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents crashes with some corrupted bitstreams. Signed-off-by: Martin Storsjö (cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7) Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 78f97b16b1..223500c356 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -543,6 +543,11 @@ static int rv10_decode_packet(AVCodecContext *avctx, if(MPV_frame_start(s, avctx) < 0) return -1; ff_er_frame_start(s); + } else { + if (s->current_picture_ptr->pict_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); + return -1; + } } av_dlog(avctx, "qscale=%d\n", s->qscale); From f0bcba238a540793adc514fb84e74282b04d2418 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 23:43:58 +0200 Subject: [PATCH 0367/1119] rv34: Avoid NULL dereference on corrupted bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rv34_decode_slice() can return without allocating any pictures. Signed-off-by: Martin Storsjö (cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 910b933dd9..2383903625 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1486,7 +1486,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, break; } - if(last){ + if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); ff_er_frame_end(s); From b4a1bf0bbf53cc6a736a608732b2ac1de5c2447b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:30 +0200 Subject: [PATCH 0368/1119] rv34: Fix potential overreads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 2383903625..87fca5c23e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1436,6 +1436,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = (*buf++) + 1; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 1 + 8 * slice_count; }else slice_count = avctx->slice_count; @@ -1454,7 +1455,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) - return buf_size; + return avpkt->size; for(i=0; icurrent_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } av_cold int ff_rv34_decode_end(AVCodecContext *avctx) From 2bbb142a140173e1870017b66c439f4d430a6f67 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 19 Sep 2011 22:48:53 +0200 Subject: [PATCH 0369/1119] rv34: Check for invalid slice offsets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 87fca5c23e..70c35ef4ff 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1441,8 +1441,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(get_slice_offset(avctx, slices_hdr, 0) < 0 || + get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return -1; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); @@ -1465,8 +1466,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(offset < 0 || offset > buf_size || size < 0){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } From ecda54a640a7de55274ad2a86d58d0b483097aac Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 25 Sep 2011 12:53:44 +0100 Subject: [PATCH 0370/1119] ppc: fix 32-bit PIC build On 32-bit ppc, the GOT pointer must be loaded manually. This adds a "get_got" assembler macro to compute the GOT address. The "movrel" macro is updated to take an additional parameter containing the GOT address since no register is reserved for this purpose on ppc32. These changes have no effect on ppc64 builds. Signed-off-by: Mans Rullgard (cherry picked from commit 6e4a35ced96cdf31a9d3bd82fd147554750af839) Signed-off-by: Reinhard Tartler --- libavcodec/ppc/asm.S | 19 ++++++++++++++++--- libavcodec/ppc/fft_altivec_s.S | 7 ++++--- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/libavcodec/ppc/asm.S b/libavcodec/ppc/asm.S index 5cbbf97b64..4d4285b6d3 100644 --- a/libavcodec/ppc/asm.S +++ b/libavcodec/ppc/asm.S @@ -44,10 +44,13 @@ X(\name): L(\name): .endm -.macro movrel rd, sym +.macro movrel rd, sym, gp ld \rd, \sym@got(r2) .endm +.macro get_got rd +.endm + #else /* ARCH_PPC64 */ #define PTR .int @@ -65,15 +68,25 @@ X(\name): \name: .endm -.macro movrel rd, sym +.macro movrel rd, sym, gp #if CONFIG_PIC - lwz \rd, \sym@got(r2) + lwz \rd, \sym@got(\gp) #else lis \rd, \sym@ha la \rd, \sym@l(\rd) #endif .endm +.macro get_got rd +#if CONFIG_PIC + bcl 20, 31, .Lgot\@ +.Lgot\@: + mflr \rd + addis \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@ha + addi \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@l +#endif +.endm + #endif /* ARCH_PPC64 */ #if HAVE_IBM_ASM diff --git a/libavcodec/ppc/fft_altivec_s.S b/libavcodec/ppc/fft_altivec_s.S index ab33900582..958d7df0ee 100644 --- a/libavcodec/ppc/fft_altivec_s.S +++ b/libavcodec/ppc/fft_altivec_s.S @@ -353,6 +353,7 @@ extfunc ff_fft_calc\interleave\()_altivec mflr r0 stp r0, 2*PS(r1) stpu r1, -(160+16*PS)(r1) + get_got r11 addi r6, r1, 16*PS stvm r6, v20, v21, v22, v23, v24, v25, v26, v27, v28, v29 mfvrsave r0 @@ -360,14 +361,14 @@ extfunc ff_fft_calc\interleave\()_altivec li r6, 0xfffffffc mtvrsave r6 - movrel r6, fft_data + movrel r6, fft_data, r11 lvm r6, v14, v15, v16, v17, v18, v19, v20, v21 lvm r6, v22, v23, v24, v25, v26, v27, v28, v29 li r9, 16 - movrel r12, X(ff_cos_tabs) + movrel r12, X(ff_cos_tabs), r11 - movrel r6, fft_dispatch_tab\interleave\()_altivec + movrel r6, fft_dispatch_tab\interleave\()_altivec, r11 lwz r3, 0(r3) subi r3, r3, 2 slwi r3, r3, 2+ARCH_PPC64 From dde0fb4aeaf855fc38fb002c23dbbeba06407a09 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 25 Sep 2011 18:27:47 +0100 Subject: [PATCH 0371/1119] ppc: fix some pointer to integer casts Use uintptr_t instead of plain int. Without this change, the comparisons will come out wrong for pointers in certain ranges. Fixes random failures on ppc64. Also fixes some compiler warnings. Signed-off-by: Mans Rullgard (cherry picked from commit d853e571ad5e7e12c6a68cfde390daced7d85fbb) Signed-off-by: Reinhard Tartler --- libswscale/ppc/swscale_altivec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libswscale/ppc/swscale_altivec.c b/libswscale/ppc/swscale_altivec.c index 42e965de95..4476e1cf67 100644 --- a/libswscale/ppc/swscale_altivec.c +++ b/libswscale/ppc/swscale_altivec.c @@ -36,13 +36,13 @@ altivec_packIntArrayToCharArray(int *val, uint8_t* dest, int dstW) register int i; vector unsigned int altivec_vectorShiftInt19 = vec_add(vec_splat_u32(10), vec_splat_u32(9)); - if ((unsigned int)dest % 16) { + if ((uintptr_t)dest % 16) { /* badly aligned store, we force store alignment */ /* and will handle load misalignment on val w/ vec_perm */ vector unsigned char perm1; vector signed int v1; for (i = 0 ; (i < dstW) && - (((unsigned int)dest + i) % 16) ; i++) { + (((uintptr_t)dest + i) % 16) ; i++) { int t = val[i] >> 19; dest[i] = (t < 0) ? 0 : ((t > 255) ? 255 : t); } @@ -251,7 +251,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW, vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v; vector signed int val_vEven, val_s; - if ((((int)src + srcPos)% 16) > 12) { + if ((((uintptr_t)src + srcPos) % 16) > 12) { src_v1 = vec_ld(srcPos + 16, src); } src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src)); @@ -290,7 +290,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW, vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v; vector signed int val_v, val_s; - if ((((int)src + srcPos)% 16) > 8) { + if ((((uintptr_t)src + srcPos) % 16) > 8) { src_v1 = vec_ld(srcPos + 16, src); } src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src)); @@ -376,7 +376,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW, //vector unsigned char src_v0 = vec_ld(srcPos + j, src); vector unsigned char src_v1, src_vF; vector signed short src_v, filter_v1R, filter_v; - if ((((int)src + srcPos)% 16) > 8) { + if ((((uintptr_t)src + srcPos) % 16) > 8) { src_v1 = vec_ld(srcPos + j + 16, src); } src_vF = vec_perm(src_v0, src_v1, permS); From fed7f5b04f0ddde81fe1de1af725a63461a31f6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Sep 2011 18:57:31 +0300 Subject: [PATCH 0372/1119] flvdec: Check for overflow before allocating arrays MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On allocation, the array length is multiplied by sizeof(int64_t), this prevents the multiplication from overflowing. Signed-off-by: Martin Storsjö (cherry picked from commit a246cefa75aed2ade315d6d09068aacb6b0fe76b) Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c6b386e28f..5f442f7265 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -147,6 +147,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream break; arraylen = avio_rb32(ioc); + if (arraylen >> 28) + break; + /* * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata * for indexing From 42c8fdb943b210b2f79e2510a91ca0f542c9bad0 Mon Sep 17 00:00:00 2001 From: Sascha Sommer Date: Sat, 24 Sep 2011 20:56:41 +0200 Subject: [PATCH 0373/1119] Fix segfault in save_bits: use put_bits_count to get the buffer fill state instead of num_saved_bits as num_saved_bits is sometimes reset when frames are lost (Ticket 495) (cherry picked from commit 780d45473c32fa356c8ce385c3ea4692567c3228) Signed-off-by: Michael Niedermayer (cherry picked from commit 4f6187c7356111540024901932294e9807061dd0) --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index e1d942dca2..b0b98f1d98 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1436,7 +1436,7 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } - buflen = (s->num_saved_bits + len + 8) >> 3; + buflen = (put_bits_count(&s->pb) + len + 8) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { av_log_ask_for_sample(s->avctx, "input buffer too small\n"); From 9960710b872e2d1c7d9d8730c4b6ca2c2cdf183e Mon Sep 17 00:00:00 2001 From: Sascha Sommer Date: Sat, 24 Sep 2011 20:56:41 +0200 Subject: [PATCH 0374/1119] Fix segfault in save_bits: use put_bits_count to get the buffer fill state instead of num_saved_bits as num_saved_bits is sometimes reset when frames are lost (Ticket 495) (cherry picked from commit 780d45473c32fa356c8ce385c3ea4692567c3228) Signed-off-by: Michael Niedermayer (cherry picked from commit 4f6187c7356111540024901932294e9807061dd0) --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index e1d942dca2..b0b98f1d98 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1436,7 +1436,7 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); } - buflen = (s->num_saved_bits + len + 8) >> 3; + buflen = (put_bits_count(&s->pb) + len + 8) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { av_log_ask_for_sample(s->avctx, "input buffer too small\n"); From ad47a5ec854d2ec6e451690622a3484010094aa2 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 16 Sep 2011 16:06:45 +0200 Subject: [PATCH 0375/1119] movenc: create an alternate group for each media type Partially fixes bug 44. (cherry picked from commit 7574cacbd5343bc303ee8333956274716e2444d5) Signed-off-by: Reinhard Tartler --- libavformat/movenc.c | 3 ++- tests/ref/acodec/alac | 2 +- tests/ref/acodec/pcm | 8 ++++---- tests/ref/lavf/mov | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 0cf837c9b1..5d9d3d1bfe 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1214,7 +1214,8 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st) avio_wb32(pb, 0); /* reserved */ avio_wb32(pb, 0); /* reserved */ - avio_wb32(pb, 0x0); /* reserved (Layer & Alternate group) */ + avio_wb16(pb, 0); /* layer */ + avio_wb16(pb, st->codec->codec_type); /* alternate group) */ /* Volume, only for audio */ if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO) avio_wb16(pb, 0x0100); diff --git a/tests/ref/acodec/alac b/tests/ref/acodec/alac index 1f4b264b87..35a1d8e1bf 100644 --- a/tests/ref/acodec/alac +++ b/tests/ref/acodec/alac @@ -1,4 +1,4 @@ -c68f649777ab8e7c9a0f1f221451d3ad *./tests/data/acodec/alac.m4a +b25bcc7ec3f5c19cdfc01a6bbd32edb8 *./tests/data/acodec/alac.m4a 389386 ./tests/data/acodec/alac.m4a 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/alac.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 diff --git a/tests/ref/acodec/pcm b/tests/ref/acodec/pcm index 033f8bc8c6..fc9dd8f29d 100644 --- a/tests/ref/acodec/pcm +++ b/tests/ref/acodec/pcm @@ -6,7 +6,7 @@ f443a8eeb1647ec1eeb8370c939e52d4 *./tests/data/acodec/pcm_mulaw.wav 529256 ./tests/data/acodec/pcm_mulaw.wav 1c3eeaa8814ebd4916780dff80ed6dc5 *./tests/data/pcm.acodec.out.wav stddev: 103.38 PSNR: 56.04 MAXDIFF: 644 bytes: 1058400/ 1058400 -b7936d7170e0efefb379349d81aed360 *./tests/data/acodec/pcm_s8.mov +760f85fb9f4e8aba326fb44ae84c9507 *./tests/data/acodec/pcm_s8.mov 530837 ./tests/data/acodec/pcm_s8.mov 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 @@ -14,7 +14,7 @@ stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 529244 ./tests/data/acodec/pcm_u8.wav 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400 -c42b9c04305455250366c84e17c1023f *./tests/data/acodec/pcm_s16be.mov +a4e18d1ca9ef5b8132a84d43625ddc47 *./tests/data/acodec/pcm_s16be.mov 1060037 ./tests/data/acodec/pcm_s16be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 @@ -30,7 +30,7 @@ c4f51bf32fad2f7af8ea5beedb56168b *./tests/data/acodec/pcm_s16le.mkv 1060638 ./tests/data/acodec/pcm_s16le.mkv 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 -07ffe7ffb78f3648b6524debdde5aec1 *./tests/data/acodec/pcm_s24be.mov +971d2d2633e41a0326fe2d04a2d0350f *./tests/data/acodec/pcm_s24be.mov 1589237 ./tests/data/acodec/pcm_s24be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 @@ -38,7 +38,7 @@ a85380fb79b0d4fff38e24ac1e34bb94 *./tests/data/acodec/pcm_s24le.wav 1587668 ./tests/data/acodec/pcm_s24le.wav 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 -d7792f0343cd66fda8b50b569e2bcc48 *./tests/data/acodec/pcm_s32be.mov +fc4f4e3e195bbde037ed31021d229f12 *./tests/data/acodec/pcm_s32be.mov 2118437 ./tests/data/acodec/pcm_s32be.mov 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400 diff --git a/tests/ref/lavf/mov b/tests/ref/lavf/mov index 22aac3600e..07404aa862 100644 --- a/tests/ref/lavf/mov +++ b/tests/ref/lavf/mov @@ -1,3 +1,3 @@ -439684b82ccc1fdd24a23392c238ae53 *./tests/data/lavf/lavf.mov +4a3ad13f0355cb5d119109778d555207 *./tests/data/lavf/lavf.mov 357681 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0x2f6a9b26 From 9f9b731a3a2f873b3fb1e4f52e181a43fab6b89b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 19 Sep 2011 15:15:56 +0200 Subject: [PATCH 0376/1119] movenc: fix NULL reference in mov_write_tkhd_tag st may be NULL when there are more mov streams than AVStreams, e.g. when chapters are present. (cherry picked from commit c92a2a4eb8b883e82871c2415f757153d263b6b3) Signed-off-by: Reinhard Tartler --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 5d9d3d1bfe..b171c2dc14 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1215,7 +1215,7 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st) avio_wb32(pb, 0); /* reserved */ avio_wb32(pb, 0); /* reserved */ avio_wb16(pb, 0); /* layer */ - avio_wb16(pb, st->codec->codec_type); /* alternate group) */ + avio_wb16(pb, st ? st->codec->codec_type : 0); /* alternate group) */ /* Volume, only for audio */ if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO) avio_wb16(pb, 0x0100); From a2443e89d740204c960da0d29c979a9283071a65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Jul 2011 14:59:54 +0200 Subject: [PATCH 0377/1119] Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080. Whitespace of the patch cleaned up by Aurel Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer (cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8) Further suggestions from Kostya have been implemented by Reinhard Tartler (cherry picked from commit 77d2ef13a8fa630e5081f14bde3fd20f84c90aec) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f74f76cb8a..59dce4f59f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -798,11 +798,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, uint32_t id = syntax->id; uint64_t length; int res; + void *newelem; data = (char *)data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size); + if (!newelem) + return AVERROR(ENOMEM); + list->elem = newelem; data = (char*)list->elem + list->nb_elem*syntax->list_elem_size; memset(data, 0, syntax->list_elem_size); list->nb_elem++; @@ -932,6 +936,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, uint8_t* data = *buf; int isize = *buf_size; uint8_t* pkt_data = NULL; + uint8_t* newpktdata; int pkt_size = isize; int result = 0; int olen; @@ -961,7 +966,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, zstream.avail_in = isize; do { pkt_size *= 3; - pkt_data = av_realloc(pkt_data, pkt_size); + newpktdata = av_realloc(pkt_data, pkt_size); + if (!newpktdata) { + inflateEnd(&zstream); + goto failed; + } + pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; result = inflate(&zstream, Z_NO_FLUSH); @@ -982,7 +992,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, bzstream.avail_in = isize; do { pkt_size *= 3; - pkt_data = av_realloc(pkt_data, pkt_size); + newpktdata = av_realloc(pkt_data, pkt_size); + if (!newpktdata) { + BZ2_bzDecompressEnd(&bzstream); + goto failed; + } + pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; result = BZ2_bzDecompress(&bzstream); @@ -1037,13 +1052,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska, } } -static void matroska_merge_packets(AVPacket *out, AVPacket *in) +static int matroska_merge_packets(AVPacket *out, AVPacket *in) { - out->data = av_realloc(out->data, out->size+in->size); + void *newdata = av_realloc(out->data, out->size+in->size); + if (!newdata) + return AVERROR(ENOMEM); + out->data = newdata; memcpy(out->data+out->size, in->data, in->size); out->size += in->size; av_destruct_packet(in); av_free(in); + return 0; } static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, @@ -1568,11 +1587,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); av_free(matroska->packets[0]); if (matroska->num_packets > 1) { + void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], (matroska->num_packets - 1) * sizeof(AVPacket *)); - matroska->packets = - av_realloc(matroska->packets, (matroska->num_packets - 1) * - sizeof(AVPacket *)); + newpackets = av_realloc(matroska->packets, + (matroska->num_packets - 1) * sizeof(AVPacket *)); + if (newpackets) + matroska->packets = newpackets; } else { av_freep(&matroska->packets); } From be9183de2ec54aab2f3e613b53ead369b6cf22fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2011 22:22:56 +0200 Subject: [PATCH 0378/1119] h264: More correct ref_count check in decode_slice_header() Signed-off-by: Michael Niedermayer (cherry picked from commit dc9ce40069bde3d28f8d0b3e5bd733ae255fecb5) --- libavcodec/h264.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f227ddfedf..b844c38b56 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2872,6 +2872,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->ref_count[1]= h->pps.ref_count[1]; if(h->slice_type_nos != AV_PICTURE_TYPE_I){ + unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1; if(h->slice_type_nos == AV_PICTURE_TYPE_B){ h->direct_spatial_mv_pred= get_bits1(&s->gb); } @@ -2882,11 +2883,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(h->slice_type_nos==AV_PICTURE_TYPE_B) h->ref_count[1]= get_ue_golomb(&s->gb) + 1; - if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ - av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0]= h->ref_count[1]= 1; - return -1; - } + } + if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){ + av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); + h->ref_count[0]= h->ref_count[1]= 1; + return -1; } if(h->slice_type_nos == AV_PICTURE_TYPE_B) h->list_count= 2; From ceede3a802478b6cf0c1cd7d54b76b4af8d00d56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2011 22:24:05 +0200 Subject: [PATCH 0379/1119] h264: fix FIXME and use list_count in ff_h264_fill_mbaff_ref_list() Signed-off-by: Michael Niedermayer (cherry picked from commit 237d31e0b98b95eef687e612177ca3ea24b709fc) --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 83a5564e4c..063ac97955 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -301,7 +301,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h){ void ff_h264_fill_mbaff_ref_list(H264Context *h){ int list, i, j; - for(list=0; list<2; list++){ //FIXME try list_count + for(list=0; listlist_count; list++){ for(i=0; iref_count[list]; i++){ Picture *frame = &h->ref_list[list][i]; Picture *field = &h->ref_list[list][16+2*i]; From 783f45de4f3ee03a661c7d1479fe1b513bc0a863 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 17 Jul 2011 15:40:05 +0100 Subject: [PATCH 0380/1119] fate: separate lavf-mxf_d10 test from lavf-mxf Signed-off-by: Mans Rullgard (cherry picked from commit 0218808d4980b794c78f57931d671508aed500b5) required to unbreak fate with --disable-avfilter Signed-off-by: Reinhard Tartler --- configure | 2 +- tests/lavf-regression.sh | 3 +++ tests/ref/lavf/mxf | 3 --- tests/ref/lavf/mxf_d10 | 3 +++ 4 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 tests/ref/lavf/mxf_d10 diff --git a/configure b/configure index b6e2ff964b..981b0fdffb 100755 --- a/configure +++ b/configure @@ -1576,7 +1576,7 @@ test_deps _muxer _demuxer \ mmf \ mov \ pcm_mulaw=mulaw \ - mxf \ + mxf="mxf mxf_d10" \ nut \ ogg \ rawvideo=pixfmt \ diff --git a/tests/lavf-regression.sh b/tests/lavf-regression.sh index 39e752b3c6..07dedb2ef2 100755 --- a/tests/lavf-regression.sh +++ b/tests/lavf-regression.sh @@ -66,6 +66,9 @@ fi if [ -n "$do_mxf" ] ; then do_lavf mxf "-ar 48000 -bf 2 -timecode_frame_start 264363" +fi + +if [ -n "$do_mxf_d10" ]; then do_lavf mxf_d10 "-ar 48000 -ac 2 -r 25 -s 720x576 -vf pad=720:608:0:32 -vcodec mpeg2video -intra -flags +ildct+low_delay -dc 10 -flags2 +ivlc+non_linear_q -qscale 1 -ps 1 -qmin 1 -rc_max_vbv_use 1 -rc_min_vbv_use 1 -pix_fmt yuv422p -minrate 30000k -maxrate 30000k -b 30000k -bufsize 1200000 -top 1 -rc_init_occupancy 1200000 -qmax 12 -f mxf_d10" fi diff --git a/tests/ref/lavf/mxf b/tests/ref/lavf/mxf index d4bbe2f25e..b5aea3c17e 100644 --- a/tests/ref/lavf/mxf +++ b/tests/ref/lavf/mxf @@ -1,6 +1,3 @@ 6e9bd63c5cadd7550ad313553ebf665f *./tests/data/lavf/lavf.mxf 525881 ./tests/data/lavf/lavf.mxf ./tests/data/lavf/lavf.mxf CRC=0x4ace0849 -e7168856f2b54c6272685967e707fb21 *./tests/data/lavf/lavf.mxf_d10 -5330989 ./tests/data/lavf/lavf.mxf_d10 -./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e diff --git a/tests/ref/lavf/mxf_d10 b/tests/ref/lavf/mxf_d10 new file mode 100644 index 0000000000..f59a99ee0f --- /dev/null +++ b/tests/ref/lavf/mxf_d10 @@ -0,0 +1,3 @@ +e7168856f2b54c6272685967e707fb21 *./tests/data/lavf/lavf.mxf_d10 +5330989 ./tests/data/lavf/lavf.mxf_d10 +./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e From 9bb7a128a34fb5e4abcd265e5dfcb61787ad2f0f Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 28 Sep 2011 00:50:08 +0200 Subject: [PATCH 0381/1119] fate: allow testing with libavfilter disabled This declares dependencies to skip tests using libavfilter when it is disabled. Signed-off-by: Mans Rullgard (cherry picked from commit 908f12f342341785bf0458e88a06d97a1af90339) Conflicts: configure tests/Makefile tests/fate.mak Signed-off-by: Reinhard Tartler --- Makefile | 7 +++++-- configure | 5 ++++- tests/fate.mak | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index d6bae7680b..d29872f277 100644 --- a/Makefile +++ b/Makefile @@ -252,9 +252,12 @@ FATE_SEEK = $(SEEK_TESTS:seek_%=fate-seek-%) FATE = $(FATE_ACODEC) \ $(FATE_VCODEC) \ $(FATE_LAVF) \ - $(FATE_LAVFI) \ $(FATE_SEEK) \ +FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI) + +FATE += $(FATE-yes) + $(filter-out %-aref,$(FATE_ACODEC)): $(AREF) $(filter-out %-vref,$(FATE_VCODEC)): $(VREF) $(FATE_LAVF): $(REFS) @@ -276,7 +279,7 @@ fate-lavfi: $(FATE_LAVFI) fate-seek: $(FATE_SEEK) ifdef SAMPLES -FATE += $(FATE_TESTS) +FATE += $(FATE_TESTS) $(FATE_TESTS-yes) fate-rsync: rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES) else diff --git a/configure b/configure index 981b0fdffb..f4c327439a 100755 --- a/configure +++ b/configure @@ -1504,7 +1504,7 @@ test_deps(){ dep=${v%=*} tests=${v#*=} for name in ${tests}; do - eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'" + append ${name}_test_deps ${dep}$suf1 ${dep}$suf2 done done } @@ -1514,6 +1514,9 @@ set_ne_test_deps(){ eval ${1}_le_test_deps="!bigendian" } +mxf_d10_test_deps="avfilter" +seek_lavf_mxf_d10_test_deps="mxf_d10_test" + test_deps _encoder _decoder \ adpcm_g726=g726 \ adpcm_ima_qt \ diff --git a/tests/fate.mak b/tests/fate.mak index 0e3331178b..cf6c44e8e4 100644 --- a/tests/fate.mak +++ b/tests/fate.mak @@ -128,7 +128,7 @@ FATE_TESTS += fate-id-cin-video fate-id-cin-video: CMD = framecrc -i $(SAMPLES)/idcin/idlog-2MB.cin -pix_fmt rgb24 FATE_TESTS += fate-idroq-video-dpcm fate-idroq-video-dpcm: CMD = framecrc -i $(SAMPLES)/idroq/idlogo.roq -FATE_TESTS += fate-idroq-video-encode +FATE_TESTS-$(CONFIG_AVFILTER) += fate-idroq-video-encode fate-idroq-video-encode: CMD = md5 -t 0.2 -f image2 -vcodec pgmyuv -i $(SAMPLES)/ffmpeg-synthetic/vsynth1/%02d.pgm -sws_flags +bitexact -vf pad=512:512:80:112 -f RoQ FATE_TESTS += fate-iff-byterun1 fate-iff-byterun1: CMD = framecrc -i $(SAMPLES)/iff/ASH.LBM -pix_fmt rgb24 From e257eebd17fbb7e880cfdde8a80c089434b6cf1f Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 17 Jul 2011 16:02:33 +0100 Subject: [PATCH 0382/1119] lavf: do not set codec_tag for rawvideo If the demuxer did not set a codec_tag, there is none and inventing one makes no sense. This change stops the rawvideo "decoder" over-writing user-supplied pixfmt with one derived from the codec_tag. The pixfmt-codec_tag-pixfmt round-trip is lossy since several pixfmts map to the same codec_tag. This fixes fate-lavf-pixfmt with avfilter disabled. Signed-off-by: Mans Rullgard (cherry picked from commit bb416bd68ca46b4a3f1901533064d56a6b8ac95e) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d9d154e3ab..e3c7d4aa84 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2405,9 +2405,6 @@ int av_find_stream_info(AVFormatContext *ic) (st->codec_info_nb_frames-2)*(int64_t)st->time_base.den, st->info->codec_info_duration*(int64_t)st->time_base.num, 60000); if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) { - if(st->codec->codec_id == CODEC_ID_RAWVIDEO && !st->codec->codec_tag && !st->codec->bits_per_coded_sample) - st->codec->codec_tag= avcodec_pix_fmt_to_codec_tag(st->codec->pix_fmt); - // the check for tb_unreliable() is not completely correct, since this is not about handling // a unreliable/inexact time base, but a time base that is finer than necessary, as e.g. // ipmovie.c produces. From 35feff418aabd9964509e2c718c65314606545e3 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 30 Sep 2011 15:44:19 +0200 Subject: [PATCH 0383/1119] Update RELEASE file for 0.7.2 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 39e898a4f9..7486fdbc50 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.1 +0.7.2 From 58decdb639e8582063807b5ddfb86dada6731f74 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 30 Sep 2011 18:14:12 +0200 Subject: [PATCH 0384/1119] Update Changelog for 0.7.2 release --- Changelog | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/Changelog b/Changelog index 1598336e55..ab02a02bf5 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,48 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.2: + +- check buffer and input values in various parts of the code: + H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV, + cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf, + Matroska (CVE-2011-3504), RV10, RV30/RV40 +- memory leaks: vf_scale, eval + +- ARM: workaround for bug in GNU assembler +- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28) +- Reintroduce AVInputStream.nb_streams to avoid crashes +- aac: Only output configure if audio was found +- aac: Remove some suspicious illegal memcpy()s from LTP +- aacps: skip some memcpy() if src and dst would be equal +- adts: fix PCE copying +- alsa: fallback to buffer_size/4 for period_size +- alsa: limit buffer_size to 32768 frames +- cljr, indeo2: init_get_bits size in bits instead of bytes +- configure: add missing CFLAGS to fix building on the HURD +- dca: set AVCodecContext frame_size for DTS audio +- fate: allow testing with libavfilter disabled +- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps +- h264: correct implicit weight table computation for long ref pics +- h264: correct the check for invalid long term frame index in MMCO decode +- h264: fix PCM intra-coded blocks in monochrome case +- jpegdec: actually search for and parse RSTn +- lavc: fix type for thread_type option +- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails +- lavf: do not set codec_tag for rawvideo +- libx264: do not set pic quality if no frame is output +- movenc: create an alternate group for each media type +- mpegts: fix Continuity Counter error detection +- mxfenc: fix ignored drop flag in binary timecode representation +- fix crashes in 32-bit PIC builds (cf e.g. http://bugs.debian.org/639948) +- ppc64: fix cast related random failures +- riff: Add mpgv MPEG-2 fourcc +- swscale: don't use planar output functions to write to NV12/21 +- vc1: properly zero coded_block[] edges on new slice entry +- vp3/theora: flush after seek + +- various bug other fixes + version 0.7.1: @@ -16,6 +58,7 @@ version 0.7.1: - ffmpeg: fix operation with --disable-avfilter - fixed integer underflow in matroska decoder + version 0.7: - E-AC-3 audio encoder From e62ca1ab74a959584db80f42b49f708257abbdcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 00:58:01 +0200 Subject: [PATCH 0385/1119] mpegvideo: increase emu edge buffer size This fixes a crash with 422 H.264 Signed-off-by: Michael Niedermayer (cherry picked from commit 7322483d72d4abefae9f5c08c611f521de7236a5) --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index d819cc083f..a505b9071c 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){ int i; // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264) - FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance - s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21; + FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance + s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2; //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer() FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail) From 4d36f7cf88ccb869c2febb50c6f42d7a722a6d4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 01:29:30 +0200 Subject: [PATCH 0386/1119] avformat_free_context: favor av_freep() Signed-off-by: Michael Niedermayer (cherry picked from commit 2a93f28a4b6eef8b93046e0b4e3225f2ff1e7324) --- libavformat/utils.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6f108fb7dd..40f0089c77 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2659,13 +2659,13 @@ void avformat_free_context(AVFormatContext *s) av_free_packet(&st->cur_pkt); } av_dict_free(&st->metadata); - av_free(st->index_entries); - av_free(st->codec->extradata); - av_free(st->codec->subtitle_header); - av_free(st->codec); - av_free(st->priv_data); - av_free(st->info); - av_free(st); + av_freep(&st->index_entries); + av_freep(&st->codec->extradata); + av_freep(&st->codec->subtitle_header); + av_freep(&st->codec); + av_freep(&st->priv_data); + av_freep(&st->info); + av_freep(&st); } for(i=s->nb_programs-1; i>=0; i--) { av_dict_free(&s->programs[i]->metadata); @@ -2676,7 +2676,7 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->priv_data); while(s->nb_chapters--) { av_dict_free(&s->chapters[s->nb_chapters]->metadata); - av_free(s->chapters[s->nb_chapters]); + av_freep(&s->chapters[s->nb_chapters]); } av_freep(&s->chapters); av_dict_free(&s->metadata); From a0acc9eff642de0f3d247a728deb320fd4cbb75f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 14:08:39 +0200 Subject: [PATCH 0387/1119] mpeg4videoenc: guess a good aspect when we cant store the exact one. Signed-off-by: Michael Niedermayer (cherry picked from commit 394781a89706479aa56749a9d69c4e74b398dd71) --- libavcodec/mpegvideo_enc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index a6e9c7c7be..d13534d4f8 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -411,8 +411,10 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) if ((s->codec_id == CODEC_ID_MPEG4 || s->codec_id == CODEC_ID_H263 || s->codec_id == CODEC_ID_H263P) && (avctx->sample_aspect_ratio.num > 255 || avctx->sample_aspect_ratio.den > 255)) { - av_log(avctx, AV_LOG_ERROR, "Invalid pixel aspect ratio %i/%i, limit is 255/255\n", + av_log(avctx, AV_LOG_WARNING, "Invalid pixel aspect ratio %i/%i, limit is 255/255 reducing\n", avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den); + av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den, + avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255); return -1; } From 0d68a6f72d8c2ff02ad3f83522ad17123bf1c4e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 18:16:57 +0200 Subject: [PATCH 0388/1119] mpeg4videoenc: remove forgotten return -1 Signed-off-by: Michael Niedermayer (cherry picked from commit f9bb7395a10ae44eb0f0f3f070f23124dfaee06e) --- libavcodec/mpegvideo_enc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d13534d4f8..3c92aa93f4 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -415,7 +415,6 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den); av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255); - return -1; } if((s->flags & (CODEC_FLAG_INTERLACED_DCT|CODEC_FLAG_INTERLACED_ME|CODEC_FLAG_ALT_SCAN)) From 3aad92f3e649dcc4f92c805291afb128c663efd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2011 18:17:28 +0200 Subject: [PATCH 0389/1119] lavf/utils: only complain about aspect missmatch when the difference is "meassureable" Signed-off-by: Michael Niedermayer (cherry picked from commit e8d8517b160bd2dea1279d19ec0efd83e00c8c6c) --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 40f0089c77..eaa8bd901f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2958,7 +2958,9 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) ret = AVERROR(EINVAL); goto fail; } - if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)){ + if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001 + ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); goto fail; From e394f7984c6b921210e40f39868597f3627606b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Sep 2011 19:01:12 +0200 Subject: [PATCH 0390/1119] psxstr: improve probe to not misdetect so much. The score of 50 can probably be raised if needed Fixes Ticket490 Signed-off-by: Michael Niedermayer (cherry picked from commit 3f7dc480c1bf6abf4ac0f633a0c7e63d8eb29a55) --- libavformat/psxstr.c | 54 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 44 insertions(+), 10 deletions(-) diff --git a/libavformat/psxstr.c b/libavformat/psxstr.c index 744ae94459..b65bddd5c1 100644 --- a/libavformat/psxstr.c +++ b/libavformat/psxstr.c @@ -68,6 +68,8 @@ static const char sync_header[12] = {0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf static int str_probe(AVProbeData *p) { uint8_t *sector= p->buf; + uint8_t *end= sector + p->buf_size; + int aud=0, vid=0; if (p->buf_size < RAW_CD_SECTOR_SIZE) return 0; @@ -79,20 +81,52 @@ static int str_probe(AVProbeData *p) sector += RIFF_HEADER_SIZE; } - /* look for CD sync header (00, 0xFF x 10, 00) */ - if (memcmp(sector,sync_header,sizeof(sync_header))) - return 0; + while (end - sector >= RAW_CD_SECTOR_SIZE) { + /* look for CD sync header (00, 0xFF x 10, 00) */ + if (memcmp(sector,sync_header,sizeof(sync_header))) + return 0; - if(sector[0x11] >= 32) - return 0; - if( (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_VIDEO - && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_AUDIO - && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_DATA) - return 0; + if (sector[0x11] >= 32) + return 0; + switch (sector[0x12] & CDXA_TYPE_MASK) { + case CDXA_TYPE_DATA: + case CDXA_TYPE_VIDEO: { + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); + + if(!( frame_size>=0 + && current_sector < sector_count + && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ + return 0; + } + + /*st->codec->width = AV_RL16(§or[0x28]); + st->codec->height = AV_RL16(§or[0x2A]);*/ + +// if (current_sector == sector_count-1) { + vid++; +// } + + } + break; + case CDXA_TYPE_AUDIO: + if(sector[0x13]&0x2A) + return 0; + aud++; + break; + default: + if(sector[0x12] & CDXA_TYPE_MASK) + return 0; + } + sector += RAW_CD_SECTOR_SIZE; + } /* MPEG files (like those ripped from VCDs) can also look like this; * only return half certainty */ - return 50; + if(vid+aud > 3) return 50; + else if(vid+aud) return 1; + else return 0; } static int str_read_header(AVFormatContext *s, From 03e7314dd8662bdc20050c03d643b579c415a628 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Sep 2011 22:30:27 +0200 Subject: [PATCH 0391/1119] aacsbr: add a assert0 to check for a inconsistency that occurd during debug. I dont know if this can happen normally but if so it would be quite bad. Signed-off-by: Michael Niedermayer (cherry picked from commit abe0dbea2e228621e97184e39159d189b6085fe3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 82092b385d..10b8daf280 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -33,6 +33,7 @@ #include "fft.h" #include "aacps.h" #include "libavutil/libm.h" +#include "libavutil/avassert.h" #include #include @@ -1457,6 +1458,7 @@ static void sbr_mapping(AACContext *ac, SpectralBandReplication *sbr, uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow; int k; + av_assert0(sbr->kx[1] <= table[0]); for (i = 0; i < ilim; i++) for (m = table[i]; m < table[i + 1]; m++) sbr->e_origmapped[e][m - sbr->kx[1]] = ch_data->env_facs[e+1][i]; From 92566cf6eefe62d98d9e10e66c6e294e91d493b8 Mon Sep 17 00:00:00 2001 From: Jean First Date: Fri, 23 Sep 2011 23:39:26 +0200 Subject: [PATCH 0392/1119] tiffenc: Add forgotten avclass to context. (cherry picked from commit 43c481e56929789883f5b078e0e86d50fcc0025e) Signed-off-by: Michael Niedermayer --- libavcodec/tiffenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index f7228f128f..4a99a38831 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -42,6 +42,7 @@ static const uint8_t type_sizes2[6] = { }; typedef struct TiffEncoderContext { + AVClass *avclass; AVCodecContext *avctx; AVFrame picture; From 8c0a0f10df9bcb3494eb31cf42ab06371b68b195 Mon Sep 17 00:00:00 2001 From: Jean First Date: Fri, 23 Sep 2011 23:39:51 +0200 Subject: [PATCH 0393/1119] tiffenc: initialize forgotten avctx. (cherry picked from commit f7e797aa5c987c39b55666a2d41877ef2aec40bc) Signed-off-by: Michael Niedermayer --- libavcodec/tiffenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 4a99a38831..97e1dd38c4 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -217,6 +217,7 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, uint8_t *yuv_line = NULL; int shift_h, shift_v; + s->avctx = avctx; s->buf_start = buf; s->buf = &ptr; s->buf_size = buf_size; From 1cf6348cf7ef2bbdbd0020ebeb508c2de08a08c4 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 19 Sep 2011 21:32:09 -0400 Subject: [PATCH 0394/1119] fft: avoid a signed overflow As a signed integer, 1<<31 overflows, so force it to unsigned. Signed-off-by: Alex Converse (cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7) Signed-off-by: Michael Niedermayer --- libavcodec/x86/fft_3dn2.c | 4 ++-- libavcodec/x86/fft_sse.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/fft_3dn2.c b/libavcodec/x86/fft_3dn2.c index 2abb8cfbd7..7a6cac14c4 100644 --- a/libavcodec/x86/fft_3dn2.c +++ b/libavcodec/x86/fft_3dn2.c @@ -23,7 +23,7 @@ #include "libavcodec/dsputil.h" #include "fft.h" -DECLARE_ALIGNED(8, static const int, m1m1)[2] = { 1<<31, 1<<31 }; +DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 }; #ifdef EMULATE_3DNOWEXT #define PSWAPD(s,d)\ @@ -70,7 +70,7 @@ void ff_imdct_half_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input in1 = input; in2 = input + n2 - 1; #ifdef EMULATE_3DNOWEXT - __asm__ volatile("movd %0, %%mm7" ::"r"(1<<31)); + __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31)); #endif for(k = 0; k < n4; k++) { // FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it diff --git a/libavcodec/x86/fft_sse.c b/libavcodec/x86/fft_sse.c index 26b933c810..43f19fff3b 100644 --- a/libavcodec/x86/fft_sse.c +++ b/libavcodec/x86/fft_sse.c @@ -24,8 +24,8 @@ #include "fft.h" #include "config.h" -DECLARE_ASM_CONST(16, int, ff_m1m1m1m1)[4] = - { 1 << 31, 1 << 31, 1 << 31, 1 << 31 }; +DECLARE_ASM_CONST(16, unsigned int, ff_m1m1m1m1)[4] = + { 1U << 31, 1U << 31, 1U << 31, 1U << 31 }; void ff_fft_dispatch_sse(FFTComplex *z, int nbits); void ff_fft_dispatch_interleave_sse(FFTComplex *z, int nbits); From 101e38e08a0745a1b99d83d17358c6e81a464f8d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:44:14 +0200 Subject: [PATCH 0395/1119] h264: Check for out of bounds reads in ff_h264_decode_extradata(). Signed-off-by: Michael Niedermayer (cherry picked from commit 57764c699671b32f0c70795feafc0c6d7491f198) --- libavcodec/h264.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b844c38b56..8d44337b5b 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1040,6 +1040,8 @@ int ff_h264_decode_extradata(H264Context *h) p += 6; for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if(nalsize > size - (p-buf)) + return -1; if(decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i); return -1; @@ -1050,6 +1052,8 @@ int ff_h264_decode_extradata(H264Context *h) cnt = *(p++); // Number of pps for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if(nalsize > size - (p-buf)) + return -1; if (decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i); return -1; From f71c761a9e2e528b739e6c86f624ac66357d2327 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Sep 2011 05:42:45 +0200 Subject: [PATCH 0396/1119] h264: pass buffer & size to ff_h264_decode_extradata() Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 14 +++++++------- libavcodec/h264.h | 2 +- libavcodec/h264_parser.c | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8d44337b5b..4a2b0f0a92 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1018,17 +1018,17 @@ static av_cold void common_init(H264Context *h){ memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t)); } -int ff_h264_decode_extradata(H264Context *h) +int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) { AVCodecContext *avctx = h->s.avctx; - if(avctx->extradata[0] == 1){ + if(buf[0] == 1){ int i, cnt, nalsize; - unsigned char *p = avctx->extradata; + const unsigned char *p = buf; h->is_avc = 1; - if(avctx->extradata_size < 7) { + if(size < 7) { av_log(avctx, AV_LOG_ERROR, "avcC too short\n"); return -1; } @@ -1061,10 +1061,10 @@ int ff_h264_decode_extradata(H264Context *h) p += nalsize; } // Now store right nal length size, that will be use to parse all other nals - h->nal_length_size = (avctx->extradata[4] & 0x03) + 1; + h->nal_length_size = (buf[4] & 0x03) + 1; } else { h->is_avc = 0; - if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0) + if(decode_nal_units(h, buf, size) < 0) return -1; } return 0; @@ -1108,7 +1108,7 @@ av_cold int ff_h264_decode_init(AVCodecContext *avctx){ } if(avctx->extradata_size > 0 && avctx->extradata && - ff_h264_decode_extradata(h)) + ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size)) return -1; if(h->sps.bitstream_restriction_flag && s->avctx->has_b_frames < h->sps.num_reorder_frames){ diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 76e9832975..822ba0271a 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -663,7 +663,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode); void ff_h264_write_back_intra_pred_mode(H264Context *h); void ff_h264_hl_decode_mb(H264Context *h); int ff_h264_frame_start(H264Context *h); -int ff_h264_decode_extradata(H264Context *h); +int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size); av_cold int ff_h264_decode_init(AVCodecContext *avctx); av_cold int ff_h264_decode_end(AVCodecContext *avctx); av_cold void ff_h264_decode_init_vlc(void); diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 080b6a93b5..d560d3f86a 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -251,7 +251,7 @@ static int h264_parse(AVCodecParserContext *s, h->got_first = 1; if (avctx->extradata_size) { h->s.avctx = avctx; - ff_h264_decode_extradata(h); + ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size); } } From 35f8ad420a0b7ebcade81c2be3ca5968a5861ddc Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:19:25 +0200 Subject: [PATCH 0397/1119] vp6:Reset the internal state when aborting key frames header parsing in vp6 decoder. It prevents leaving the state only half initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 91f104496bb7632ed5ff03798e06dd8af014f0d9) --- libavcodec/vp6.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index d05a3618f7..3721d52192 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -137,8 +137,11 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (coeff_offset) { buf += coeff_offset; buf_size -= coeff_offset; - if (buf_size < 0) + if (buf_size < 0) { + if (s->framep[VP56_FRAME_CURRENT]->key_frame) + avcodec_set_dimensions(s->avctx, 0, 0); return 0; + } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); From be22dc60f55bb99dcb0a90ad2e8773612a63a288 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:16:40 +0200 Subject: [PATCH 0398/1119] vp56:Fix error recovery code on size changes in vp5/6 decoder Signed-off-by: Michael Niedermayer (cherry picked from commit 1aad9cd9d26adcca1d398a4cb3d67f89a6fa8967) --- libavcodec/vp56.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 30f3efbc46..5b787b6135 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -465,6 +465,7 @@ static int vp56_size_changed(AVCodecContext *avctx) s->mb_height = (avctx->coded_height+15) / 16; if (s->mb_width > 1000 || s->mb_height > 1000) { + avcodec_set_dimensions(avctx, 0, 0); av_log(avctx, AV_LOG_ERROR, "picture too big\n"); return -1; } @@ -519,8 +520,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (s->frames[i].data[0]) avctx->release_buffer(avctx, &s->frames[i]); } - if (is_alpha) + if (is_alpha) { + avcodec_set_dimensions(avctx, 0, 0); return -1; + } } if (!is_alpha) { From 21c9d92646f375f0c3ff9b2bc7b2f5f07a150e74 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:16:17 +0200 Subject: [PATCH 0399/1119] Fix potential overread in vmd audio decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 00cbe9e4053fd562b6f21e76aca6636ff926b637) --- libavcodec/vmdav.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index b9acfe921c..ebc8c7eb1d 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -523,7 +523,10 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, silent_chunks = 0; if (block_type == BLOCK_TYPE_INITIAL) { - uint32_t flags = AV_RB32(buf); + uint32_t flags; + if (buf_size < 4) + return -1; + flags = AV_RB32(buf); silent_chunks = av_popcount(flags); buf += 4; buf_size -= 4; From 1ed90c84f6ab75af91b08436cefb8ea464f8495b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:16:18 +0200 Subject: [PATCH 0400/1119] Check for invalid update parameters in vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e7aed1280ea14b60fceae04d71dfd03e1daf2d04) --- libavcodec/vmdav.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index ebc8c7eb1d..d7cd3bbb87 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -204,6 +204,16 @@ static void vmd_decode(VmdVideoContext *s) frame_y = AV_RL16(&s->buf[8]); frame_width = AV_RL16(&s->buf[10]) - frame_x + 1; frame_height = AV_RL16(&s->buf[12]) - frame_y + 1; + if (frame_x < 0 || frame_width < 0 || + frame_x >= s->avctx->width || + frame_width > s->avctx->width || + frame_x + frame_width > s->avctx->width) + return; + if (frame_y < 0 || frame_height < 0 || + frame_y >= s->avctx->height || + frame_height > s->avctx->height || + frame_y + frame_height > s->avctx->height) + return; if ((frame_width == s->avctx->width && frame_height == s->avctx->height) && (frame_x || frame_y)) { From d92bfc98f9f64fa891ee4a3640ba6c55e90540ef Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:16:19 +0200 Subject: [PATCH 0401/1119] Prevent NULL dereferences when the previous frame is missing in vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 6a6383bebcb03a785797007031ad1c9786a508a5) --- libavcodec/vmdav.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index d7cd3bbb87..f5f8598919 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -226,8 +226,9 @@ static void vmd_decode(VmdVideoContext *s) /* if only a certain region will be updated, copy the entire previous * frame before the decode */ - if (frame_x || frame_y || (frame_width != s->avctx->width) || - (frame_height != s->avctx->height)) { + if (s->prev_frame.data[0] && + (frame_x || frame_y || (frame_width != s->avctx->width) || + (frame_height != s->avctx->height))) { memcpy(s->frame.data[0], s->prev_frame.data[0], s->avctx->height * s->frame.linesize[0]); @@ -272,7 +273,7 @@ static void vmd_decode(VmdVideoContext *s) ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; @@ -312,7 +313,7 @@ static void vmd_decode(VmdVideoContext *s) ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; From f40b04e9178c0a5246271c857437c6745276479c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:52:23 +0200 Subject: [PATCH 0402/1119] Prevent out of bound read in lz_unpack in vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5127f465bd3e2cf9cbf66dea3cf7b481b522d266) --- libavcodec/vmdav.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index f5f8598919..d7cf18d62b 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -72,9 +72,11 @@ typedef struct VmdVideoContext { #define QUEUE_SIZE 0x1000 #define QUEUE_MASK 0x0FFF -static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len) +static void lz_unpack(const unsigned char *src, int src_len, + unsigned char *dest, int dest_len) { const unsigned char *s; + const unsigned char *s_end; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; @@ -87,8 +89,12 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le unsigned int i, j; s = src; + s_end = src + src_len; d = dest; d_end = d + dest_len; + + if (s_end - s < 8) + return; dataleft = AV_RL32(s); s += 4; memset(queue, 0x20, QUEUE_SIZE); @@ -101,10 +107,10 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le speclen = 100; /* no speclen */ } - while (dataleft > 0) { + while (s_end - s > 0 && dataleft > 0) { tag = *s++; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end) + if (d + 8 > d_end || s_end - s < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; @@ -116,17 +122,22 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end) + if (d + 1 > d_end || s_end - s < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; dataleft--; } else { + if (s_end - s < 2) + return; chainofs = *s++; chainofs |= ((*s & 0xF0) << 4); chainlen = (*s++ & 0x0F) + 3; - if (chainlen == speclen) + if (chainlen == speclen) { + if (s_end - s < 1) + return; chainlen = *s++ + 0xF + 3; + } if (d + chainlen > d_end) return; for (j = 0; j < chainlen; j++) { @@ -189,6 +200,7 @@ static void vmd_decode(VmdVideoContext *s) /* point to the start of the encoded data */ const unsigned char *p = s->buf + 16; + const unsigned char *p_end = s->buf + s->size; const unsigned char *pb; unsigned char meth; @@ -251,7 +263,7 @@ static void vmd_decode(VmdVideoContext *s) pb = p; meth = *pb++; if (meth & 0x80) { - lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size); + lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; } From 08657a2a8a5f7dc420c41ffe0e1c7eb4878741fb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 23:52:24 +0200 Subject: [PATCH 0403/1119] Fix potential pointer arithmetic overflows in lz_unpack of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 78cb39d2b2ad731dd3b984b0c0711b9f1d6de004) --- libavcodec/vmdav.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index d7cf18d62b..0a91d73ebe 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -110,7 +110,7 @@ static void lz_unpack(const unsigned char *src, int src_len, while (s_end - s > 0 && dataleft > 0) { tag = *s++; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end || s_end - s < 8) + if (d_end - d < 8 || s_end - s < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; @@ -122,7 +122,7 @@ static void lz_unpack(const unsigned char *src, int src_len, if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end || s_end - s < 1) + if (d_end - d < 1 || s_end - s < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; @@ -138,7 +138,7 @@ static void lz_unpack(const unsigned char *src, int src_len, return; chainlen = *s++ + 0xF + 3; } - if (d + chainlen > d_end) + if (d_end - d < chainlen) return; for (j = 0; j < chainlen; j++) { *d = queue[chainofs++ & QUEUE_MASK]; From 55efeba2b554f8f2ea134d3d82d01062e0343828 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 00:08:49 +0200 Subject: [PATCH 0404/1119] Check for out of bound reads in vmd_decode() of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e07377e7366d038d6f28792c46745463a0542650) --- libavcodec/vmdav.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 0a91d73ebe..eb2d208389 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -203,6 +203,7 @@ static void vmd_decode(VmdVideoContext *s) const unsigned char *p_end = s->buf + s->size; const unsigned char *pb; + const unsigned char *pb_end; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ @@ -248,6 +249,8 @@ static void vmd_decode(VmdVideoContext *s) /* check if there is a new palette */ if (s->buf[15] & 0x02) { + if (p_end - p < 2 + 3 * PALETTE_COUNT) + return; p += 2; palette32 = (unsigned int *)s->palette; for (i = 0; i < PALETTE_COUNT; i++) { @@ -256,16 +259,17 @@ static void vmd_decode(VmdVideoContext *s) b = *p++ * 4; palette32[i] = (r << 16) | (g << 8) | (b); } - s->size -= (256 * 3 + 2); } - if (s->size >= 0) { + if (p < p_end) { /* originally UnpackFrame in VAG's code */ pb = p; + pb_end = p_end; meth = *pb++; if (meth & 0x80) { lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; + pb_end = s->unpack_buffer + s->unpack_buffer_size; } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -275,10 +279,12 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_end - pb < 1) + return; len = *pb++; if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width) + if (ofs + len > frame_width || pb_end - pb < len) return; memcpy(&dp[ofs], pb, len); pb += len; @@ -303,6 +309,8 @@ static void vmd_decode(VmdVideoContext *s) case 2: for (i = 0; i < frame_height; i++) { + if (pb_end -pb < frame_width) + return; memcpy(dp, pb, frame_width); pb += frame_width; dp += s->frame.linesize[0]; @@ -314,13 +322,20 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_end - pb < 1) + return; len = *pb++; if (len & 0x80) { len = (len & 0x7F) + 1; + if (pb_end - pb < 1) + return; if (*pb++ == 0xFF) len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); - else + else { + if (pb_end - pb < len) + return; memcpy(&dp[ofs], pb, len); + } pb += len; ofs += len; } else { From 02bdeff1ef4915e1794a19184d567ef27e05c9c5 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 00:08:50 +0200 Subject: [PATCH 0405/1119] Fix out of bound reads in rle_unpack() of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 4749e074987d45cb98935a683a7ee8e1ee376d86) --- libavcodec/vmdav.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index eb2d208389..90cbab8b3d 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -153,32 +153,39 @@ static void lz_unpack(const unsigned char *src, int src_len, } } -static int rle_unpack(const unsigned char *src, unsigned char *dest, - int src_len, int dest_len) +static int rle_unpack(const unsigned char *src, int src_len, int src_count, + unsigned char *dest, int dest_len) { const unsigned char *ps; + const unsigned char *ps_end; unsigned char *pd; int i, l; unsigned char *dest_end = dest + dest_len; ps = src; + ps_end = src + src_len; pd = dest; - if (src_len & 1) + if (src_count & 1) { + if (ps_end - ps < 1) + return 0; *pd++ = *ps++; + } - src_len >>= 1; + src_count >>= 1; i = 0; do { + if (ps_end - ps < 1) + break; l = *ps++; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end) + if (pd + l > dest_end || ps_end - ps < l) return ps - src; memcpy(pd, ps, l); ps += l; pd += l; } else { - if (pd + i > dest_end) + if (pd + i > dest_end || ps_end - ps < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; @@ -187,7 +194,7 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest, ps += 2; } i += l; - } while (i < src_len); + } while (i < src_count); return ps - src; } @@ -330,7 +337,7 @@ static void vmd_decode(VmdVideoContext *s) if (pb_end - pb < 1) return; if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); + len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs); else { if (pb_end - pb < len) return; From 1b26a734b23829f0756500f9cec2ac47baa65cd7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 00:08:51 +0200 Subject: [PATCH 0406/1119] Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 35cb6854bb76b4a5b6f2aea2dce81e18d7ab61cd) --- libavcodec/vmdav.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 90cbab8b3d..1f9694ea29 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count, l = *ps++; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end || ps_end - ps < l) + if (dest_end - pd < l || ps_end - ps < l) return ps - src; memcpy(pd, ps, l); ps += l; pd += l; } else { - if (pd + i > dest_end || ps_end - ps < 2) + if (dest_end - pd < i || ps_end - ps < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; From 5681d74aaf7e241303aa8785dcdc9b6b437e1573 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 18:39:13 +0200 Subject: [PATCH 0407/1119] Add av_calloc() helper. Signed-off-by: Michael Niedermayer (cherry picked from commit ccecab4a0d7f3f4f296551c2e22bbf12af7d14e8) --- libavutil/mem.c | 7 +++++++ libavutil/mem.h | 12 ++++++++++++ 2 files changed, 19 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 87c2008a27..44bfc8c34d 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -168,6 +168,13 @@ void *av_mallocz(size_t size) return ptr; } +void *av_calloc(size_t nmemb, size_t size) +{ + if (size <= 0 || nmemb >= INT_MAX / size) + return NULL; + return av_mallocz(nmemb * size); +} + char *av_strdup(const char *s) { char *ptr= NULL; diff --git a/libavutil/mem.h b/libavutil/mem.h index 7c30e160fb..be8a8bf222 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -106,6 +106,18 @@ void av_free(void *ptr); */ void *av_mallocz(size_t size) av_malloc_attrib av_alloc_size(1); +/** + * Allocate a block of nmemb * size bytes with alignment suitable for all + * memory accesses (including vectors if available on the CPU) and + * zero all the bytes of the block. + * The allocation will fail if nmemb * size is greater than or equal + * to INT_MAX. + * @param nmemb + * @param size + * @return Pointer to the allocated block, NULL if it cannot be allocated. + */ +void *av_calloc(size_t nmemb, size_t size) av_malloc_attrib; + /** * Duplicate the string s. * @param s string to be duplicated From 6109974cd95cc75a72704029e5608beaaf6691d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Sep 2011 16:13:07 +0200 Subject: [PATCH 0408/1119] ffmpeg: increase bit_buffer_size, the header size is clearly too small for rgb48 raw based formats Signed-off-by: Michael Niedermayer (cherry picked from commit d8289ff9a9a3d0af416e70a1c864e1c6ce095656) --- ffmpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 29060cf025..29a337ac2d 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2379,9 +2379,9 @@ static int transcode(AVFormatContext **output_files, } } if(codec->codec_type == AVMEDIA_TYPE_VIDEO){ - /* maximum video buffer size is 6-bytes per pixel, plus DPX header size */ + /* maximum video buffer size is 6-bytes per pixel, plus DPX header size (1664)*/ int size= codec->width * codec->height; - bit_buffer_size= FFMAX(bit_buffer_size, 6*size + 1664); + bit_buffer_size= FFMAX(bit_buffer_size, 7*size + 10000); } } From 02affe2f0e8603533a80be9a1864cce0039e9c63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 21 Sep 2011 19:10:58 +0200 Subject: [PATCH 0409/1119] Compile x86/swscale_template with -mno-red-zone. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces a very hackish hack to fix the same issue (call instruction overwriting stack variables). Signed-off-by: Reimar Döffinger (cherry picked from commit 424bcc46b5fb0d662e0fb9ad6319c5b9ef3d770f) --- configure | 5 +++++ libswscale/Makefile | 2 ++ libswscale/x86/swscale_template.c | 10 ---------- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/configure b/configure index ef3697e3c4..b9badcafc6 100755 --- a/configure +++ b/configure @@ -3073,6 +3073,10 @@ else fi check_cflags -fno-math-errno check_cflags -fno-signed-zeros +check_cc -mno-red-zone < Date: Sat, 24 Sep 2011 18:00:16 +0200 Subject: [PATCH 0410/1119] h264: ff_h264_decode_extradata: check buffer args The buffer size and pointer were not checked prior to testing the first byte of the buffer. These were sometimes checked before calling, but it is better to add it inside the function as it takes buf and size arguments. Signed-off-by: Alexander Strasser (cherry picked from commit 715f259bf949b06df1b5ed0307606dc258754c99) --- libavcodec/h264.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 4a2b0f0a92..9c7bf24b5f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1022,6 +1022,9 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) { AVCodecContext *avctx = h->s.avctx; + if(!buf || size <= 0) + return -1; + if(buf[0] == 1){ int i, cnt, nalsize; const unsigned char *p = buf; From 521dbccc1137fdf3c7ebdd75afe64a4d2567ba22 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 13:43:37 +0200 Subject: [PATCH 0411/1119] Fix return value on EOF in mpc v8 demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec5ea437fc88ca58d7ac3cd12dfa2f0fbd4011f) --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index b18726c6db..db23781613 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -264,7 +264,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR(EIO); mpc8_handle_chunk(s, tag, pos, size); } - return 0; + return AVERROR_EOF; } static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) From cdb72c827c4fc3d8a2dfe939654fa885aaedbbd1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 13:43:38 +0200 Subject: [PATCH 0412/1119] Check for out of bound bands limit in mpc v8 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 508e47a5751b063e5b3d1d6aceda8a19ad8b1d37) --- libavcodec/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 2864b1a010..bca57451ca 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -127,6 +127,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx) skip_bits(&gb, 3);//sample rate c->maxbands = get_bits(&gb, 5) + 1; + if (c->maxbands >= BANDS) + return AVERROR_INVALIDDATA; channels = get_bits(&gb, 4) + 1; if (channels > 2) { av_log_missing_feature(avctx, "Multichannel MPC SV8", 1); @@ -260,6 +262,8 @@ static int mpc8_decode_frame(AVCodecContext * avctx, maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2); if(maxband > 32) maxband -= 33; } + if(maxband > c->maxbands) + return AVERROR_INVALIDDATA; c->last_max_band = maxband; /* read subband indexes */ From be1ae17ec0e03b494e0ab9f1eedefe83cebd7f4e Mon Sep 17 00:00:00 2001 From: tipok Date: Mon, 26 Sep 2011 02:28:21 +0200 Subject: [PATCH 0413/1119] libaac+ support Signed-off-by: Michael Niedermayer --- Changelog | 1 + LICENSE | 6 +- configure | 7 +++ doc/general.texi | 4 +- libavcodec/Makefile | 1 + libavcodec/allcodecs.c | 1 + libavcodec/libaacplus.c | 136 ++++++++++++++++++++++++++++++++++++++++ 7 files changed, 152 insertions(+), 4 deletions(-) create mode 100644 libavcodec/libaacplus.c diff --git a/Changelog b/Changelog index 0b38b880f6..2a2089d98a 100644 --- a/Changelog +++ b/Changelog @@ -61,6 +61,7 @@ version 0.7_beta1: - Demuxer for On2's IVF format - Pictor/PC Paint decoder - HE-AAC v2 decoder +- HE-AAC v2 encoding with libaacplus - libfaad2 wrapper removed - DTS-ES extension (XCh) decoding support - native VP8 decoder diff --git a/LICENSE b/LICENSE index 8d4d6515b0..7272b90f8d 100644 --- a/LICENSE +++ b/LICENSE @@ -41,6 +41,6 @@ is incompatible with the LGPL v2.1 and the GPL v2, but not with version 3 of those licenses. So to combine the OpenCORE libraries with FFmpeg, the license version needs to be upgraded by passing --enable-version3 to configure. -The nonfree external library libfaac can be hooked up in FFmpeg. You need to -pass --enable-nonfree to configure to enable it. Employ this option with care -as FFmpeg then becomes nonfree and unredistributable. +The nonfree external libraries libfaac and libaacplus can be hooked up in FFmpeg. +You need to pass --enable-nonfree to configure to enable it. Employ this option +with care as FFmpeg then becomes nonfree and unredistributable. diff --git a/configure b/configure index b9badcafc6..d1169d4863 100755 --- a/configure +++ b/configure @@ -162,6 +162,7 @@ External library support: --enable-bzlib enable bzlib [autodetect] --enable-libcelt enable CELT/Opus decoding via libcelt [no] --enable-frei0r enable frei0r video filtering + --enable-libaacplus enable AAC+ encoding via libaacplus [no] --enable-libopencore-amrnb enable AMR-NB de/encoding via libopencore-amrnb [no] --enable-libopencore-amrwb enable AMR-WB decoding via libopencore-amrwb [no] --enable-libopencv enable video filtering via libopencv [no] @@ -927,6 +928,8 @@ CONFIG_LIST=" h264pred hardcoded_tables huffman + libaacplus + libcdio libcelt libdc1394 libdirac @@ -1401,6 +1404,7 @@ vdpau_deps="vdpau_vdpau_h vdpau_vdpau_x11_h" h264_parser_select="golomb h264dsp h264pred" # external libraries +libaacplus_encoder_deps="libaacplus" libcelt_decoder_deps="libcelt" libdirac_decoder_deps="libdirac !libschroedinger" libdirac_encoder_deps="libdirac" @@ -2584,6 +2588,7 @@ die_license_disabled gpl libxavs die_license_disabled gpl libxvid die_license_disabled gpl x11grab +die_license_disabled nonfree libaacplus die_license_disabled nonfree libfaac die_license_disabled version3 libopencore_amrnb @@ -2916,6 +2921,7 @@ check_mathfunc truncf enabled avisynth && require2 vfw32 "windows.h vfw.h" AVIFileInit -lavifil32 enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0 enabled frei0r && { check_header frei0r.h || die "ERROR: frei0r.h header not found"; } +enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus enabled libdc1394 && require_pkg_config libdc1394-2 dc1394/dc1394.h dc1394_new enabled libdirac && require_pkg_config dirac \ "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h" \ @@ -3227,6 +3233,7 @@ echo "frei0r enabled ${frei0r-no}" echo "libdc1394 support ${libdc1394-no}" echo "libdirac enabled ${libdirac-no}" echo "libfaac enabled ${libfaac-no}" +echo "libaacplus enabled ${libaacplus-no}" echo "libgsm enabled ${libgsm-no}" echo "libmp3lame enabled ${libmp3lame-no}" echo "libnut enabled ${libnut-no}" diff --git a/doc/general.texi b/doc/general.texi index b193240b01..db78efef78 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -542,6 +542,8 @@ following image formats are supported: @multitable @columnfractions .4 .1 .1 .4 @item Name @tab Encoding @tab Decoding @tab Comments @item 8SVX audio @tab @tab X +@item AAC+ @tab E @tab X + @tab encoding supported through external library libaacplus @item AAC @tab E @tab X @tab encoding supported through external library libfaac and libvo-aacenc @item AC-3 @tab IX @tab X @@ -1060,7 +1062,7 @@ These library packages are only available from Cygwin Ports (@url{http://sourceware.org/cygwinports/}) : @example -yasm, libSDL-devel, libdirac-devel, libfaac-devel, libgsm-devel, +yasm, libSDL-devel, libdirac-devel, libfaac-devel, libaacplus-devel, libgsm-devel, libmp3lame-devel, libschroedinger1.0-devel, speex-devel, libtheora-devel, libxvidcore-devel @end example diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 738fb264c0..5c6bedc27c 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -567,6 +567,7 @@ OBJS-$(CONFIG_WEBM_MUXER) += xiph.o mpeg4audio.o \ OBJS-$(CONFIG_WTV_DEMUXER) += mpeg4audio.o mpegaudiodata.o # external codec libraries +OBJS-$(CONFIG_LIBAACPLUS_ENCODER) += libaacplus.o OBJS-$(CONFIG_LIBCELT_DECODER) += libcelt_dec.o OBJS-$(CONFIG_LIBDIRAC_DECODER) += libdiracdec.o OBJS-$(CONFIG_LIBDIRAC_ENCODER) += libdiracenc.o libdirac_libschro.o diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c index f1c664f5d1..c038524f75 100644 --- a/libavcodec/allcodecs.c +++ b/libavcodec/allcodecs.c @@ -370,6 +370,7 @@ void avcodec_register_all(void) REGISTER_ENCDEC (XSUB, xsub); /* external libraries */ + REGISTER_ENCODER (LIBAACPLUS, libaacplus); REGISTER_DECODER (LIBCELT, libcelt); REGISTER_ENCDEC (LIBDIRAC, libdirac); REGISTER_ENCODER (LIBFAAC, libfaac); diff --git a/libavcodec/libaacplus.c b/libavcodec/libaacplus.c new file mode 100644 index 0000000000..c8c87be549 --- /dev/null +++ b/libavcodec/libaacplus.c @@ -0,0 +1,136 @@ +/* + * Interface to libaacplus for aac+ (sbr+ps) encoding + * Copyright (c) 2010 tipok + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/** + * @file + * Interface to libaacplus for aac+ (sbr+ps) encoding. + */ + +#include "avcodec.h" +#include + +typedef struct aacPlusAudioContext { + aacplusEncHandle aacplus_handle; +} aacPlusAudioContext; + +static av_cold int aacPlus_encode_init(AVCodecContext *avctx) +{ + aacPlusAudioContext *s = avctx->priv_data; + aacplusEncConfiguration *aacplus_cfg; + unsigned long samples_input, max_bytes_output; + + /* number of channels */ + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "encoding %d channel(s) is not allowed\n", avctx->channels); + return -1; + } + + s->aacplus_handle = aacplusEncOpen(avctx->sample_rate, + avctx->channels, + &samples_input, &max_bytes_output); + if(!s->aacplus_handle) { + av_log(avctx, AV_LOG_ERROR, "can't open encoder\n"); + return -1; + } + + /* check aacplus version */ + aacplus_cfg = aacplusEncGetCurrentConfiguration(s->aacplus_handle); + + /* put the options in the configuration struct */ + if(avctx->profile != FF_PROFILE_AAC_LOW && avctx->profile != FF_PROFILE_UNKNOWN) { + av_log(avctx, AV_LOG_ERROR, "invalid AAC profile: %d, only LC supported\n", avctx->profile); + aacplusEncClose(s->aacplus_handle); + return -1; + } + + aacplus_cfg->bitRate = avctx->bit_rate; + aacplus_cfg->bandWidth = avctx->cutoff; + if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { + aacplus_cfg->outputFormat = 0; //raw aac + } + aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT; + if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) { + av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n"); + return -1; + } + + avctx->frame_size = samples_input / avctx->channels; + + avctx->coded_frame= avcodec_alloc_frame(); + avctx->coded_frame->key_frame= 1; + + /* Set decoder specific info */ + avctx->extradata_size = 0; + if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { + + unsigned char *buffer = NULL; + unsigned long decoder_specific_info_size; + + if (aacplusEncGetDecoderSpecificInfo(s->aacplus_handle, &buffer, + &decoder_specific_info_size) == 1) { + avctx->extradata = av_malloc(decoder_specific_info_size + FF_INPUT_BUFFER_PADDING_SIZE); + avctx->extradata_size = decoder_specific_info_size; + memcpy(avctx->extradata, buffer, avctx->extradata_size); + } +#undef free + free(buffer); +#define free please_use_av_free + } + return 0; +} + +static int aacPlus_encode_frame(AVCodecContext *avctx, + unsigned char *frame, int buf_size, void *data) +{ + aacPlusAudioContext *s = avctx->priv_data; + int bytes_written; + + bytes_written = aacplusEncEncode(s->aacplus_handle, + data, + avctx->frame_size * avctx->channels, + frame, + buf_size); + + return bytes_written; +} + +static av_cold int aacPlus_encode_close(AVCodecContext *avctx) +{ + aacPlusAudioContext *s = avctx->priv_data; + + av_freep(&avctx->coded_frame); + av_freep(&avctx->extradata); + + aacplusEncClose(s->aacplus_handle); + return 0; +} + +AVCodec ff_libaacplus_encoder = { + "libaacplus", + AVMEDIA_TYPE_AUDIO, + CODEC_ID_AAC, + sizeof(aacPlusAudioContext), + aacPlus_encode_init, + aacPlus_encode_frame, + aacPlus_encode_close, + .sample_fmts = (const enum SampleFormat[]){SAMPLE_FMT_S16,SAMPLE_FMT_NONE}, + .long_name = NULL_IF_CONFIG_SMALL("libaacplus AAC+ (Advanced Audio Codec with SBR+PS)"), +}; From 7e362df304121003fda7705917d5e797b48a0920 Mon Sep 17 00:00:00 2001 From: Mike Scheutzow Date: Mon, 26 Sep 2011 10:57:53 -0400 Subject: [PATCH 0414/1119] Fix a buffer overflow in libx264 interface to x264 encoder. Previous code ignored the compressed buffer size passed in. This change returns as many complete NALs as can fit in the buffer, and logs an error message. Signed-off-by: Mike Scheutzow Signed-off-by: Michael Niedermayer (cherry picked from commit e2dae1faa84ada5746ac2114de7eb68abd824131) --- libavcodec/libx264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index cc5b9837f8..bf542accdf 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -70,9 +70,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size, /* Write the SEI as part of the first frame. */ if (x4->sei_size > 0 && nnal > 0) { + if (x4->sei_size > size) { + av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n"); + return -1; + } memcpy(p, x4->sei, x4->sei_size); p += x4->sei_size; x4->sei_size = 0; + // why is x4->sei not freed? } for (i = 0; i < nnal; i++){ @@ -83,6 +88,11 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size, memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload); continue; } + if (nals[i].i_payload > (size - (p - buf))) { + // return only complete nals which fit in buf + av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n"); + break; + } memcpy(p, nals[i].p_payload, nals[i].i_payload); p += nals[i].i_payload; } From 20047f77b9592da17e8bc56e54d3b2e2ca6959a9 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 13 Sep 2011 15:13:44 -0400 Subject: [PATCH 0415/1119] flacdec: fix buffer size checking in get_metadata_size() Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. (cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158) --- libavcodec/flacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index ece095cf09..011c75faae 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -228,9 +228,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { + if (buf_end - buf < 4) + return 0; ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; - if (buf + metadata_size > buf_end) { + if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ return 0; } From 4db466db9703fc348cc976387312afd6c283debe Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 08:55:43 -0400 Subject: [PATCH 0416/1119] ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16. 8-bit unsigned is the native sample format. (cherry picked from commit 2322ced8da990835717a176b8d2c32961cfecd3e) --- libavcodec/ws-snd1.c | 47 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index d6a60d441f..1fb294d753 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -37,13 +37,11 @@ static const int8_t ws_adpcm_4bit[] = { -9, -8, -6, -5, -4, -3, -2, -1, 0, 1, 2, 3, 4, 5, 6, 8 }; -#define CLIP8(a) if(a>127)a=127;if(a<-128)a=-128; - static av_cold int ws_snd_decode_init(AVCodecContext * avctx) { // WSSNDContext *c = avctx->priv_data; - avctx->sample_fmt = AV_SAMPLE_FMT_S16; + avctx->sample_fmt = AV_SAMPLE_FMT_U8; return 0; } @@ -56,15 +54,14 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, // WSSNDContext *c = avctx->priv_data; int in_size, out_size; - int sample = 0; + int sample = 128; int i; - short *samples = data; + uint8_t *samples = data; if (!buf_size) return 0; out_size = AV_RL16(&buf[0]); - *data_size = out_size * 2; in_size = AV_RL16(&buf[2]); buf += 4; @@ -76,9 +73,12 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n"); return -1; } + + *data_size = out_size; + if (in_size == out_size) { for (i = 0; i < out_size; i++) - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; return buf_size; } @@ -93,17 +93,17 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_2bit[code & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 2) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 4) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 6) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 4; } break; @@ -111,11 +111,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_4bit[code & 0xF]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_4bit[code >> 4]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 2; } break; @@ -125,19 +125,20 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, t = count; t <<= 3; sample += t >> 3; - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size--; } else { /* copy */ for (count++; count > 0; count--) { - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; out_size--; } - sample = buf[-1] - 0x80; + sample = buf[-1]; } break; default: /* run */ for(count++; count > 0; count--) { - *samples++ = sample << 8; + *samples++ = sample; out_size--; } } From 915b905a1b7ee9bd1a1526387abf009a755a8df2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 09:41:06 -0400 Subject: [PATCH 0417/1119] ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4) --- libavcodec/ws-snd1.c | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 1fb294d753..48414c7201 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -61,6 +61,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, if (!buf_size) return 0; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + out_size = AV_RL16(&buf[0]); in_size = AV_RL16(&buf[2]); buf += 4; @@ -74,20 +79,37 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, return -1; } - *data_size = out_size; - if (in_size == out_size) { for (i = 0; i < out_size; i++) *samples++ = *buf++; + *data_size = out_size; return buf_size; } - while (out_size > 0) { - int code; + while (out_size > 0 && buf - avpkt->data < buf_size) { + int code, smp, size; uint8_t count; code = (*buf) >> 6; count = (*buf) & 0x3F; buf++; + + /* make sure we don't write more than out_size samples */ + switch (code) { + case 0: smp = 4; break; + case 1: smp = 2; break; + case 2: smp = (count & 0x20) ? 1 : count + 1; break; + default: smp = count + 1; break; + } + if (out_size < smp) { + out_size = 0; + break; + } + + /* make sure we don't read past the input buffer */ + size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1; + if ((buf - avpkt->data) + size > buf_size) + break; + switch(code) { case 0: /* ADPCM 2-bit */ for (count++; count > 0; count--) { @@ -144,6 +166,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, } } + *data_size = samples - (uint8_t *)data; + return buf_size; } From 857c7e122b102da5c635852a32ba067157575311 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 09:44:21 -0400 Subject: [PATCH 0418/1119] ws_snd: make sure number of channels is 1 (cherry picked from commit 6a818cb3ff2056d43361e5fd09e318cd2ca2a7b4) --- libavcodec/ws-snd1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 48414c7201..f92c3531e0 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -41,6 +41,11 @@ static av_cold int ws_snd_decode_init(AVCodecContext * avctx) { // WSSNDContext *c = avctx->priv_data; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR(EINVAL); + } + avctx->sample_fmt = AV_SAMPLE_FMT_U8; return 0; } From 9770127cd8b16053b23a3f9fa693f23e18f410c6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 26 Sep 2011 23:37:29 +0200 Subject: [PATCH 0419/1119] Validate the number of audio channels before using it in wmapro decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit fc64434030a8e214fed4179733e49026e7550da5) --- libavcodec/wmaprodec.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index b0b98f1d98..03fb4a67e1 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -309,10 +309,6 @@ static av_cold int decode_init(AVCodecContext *avctx) s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); - /** init previous block len */ - for (i = 0; i < avctx->channels; i++) - s->channel[i].prev_block_len = s->samples_per_frame; - /** subframe info */ log2_max_num_subframes = ((s->decode_flags & 0x38) >> 3); s->max_num_subframes = 1 << log2_max_num_subframes; @@ -332,6 +328,18 @@ static av_cold int decode_init(AVCodecContext *avctx) s->num_channels = avctx->channels; + if (s->num_channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); + return AVERROR_INVALIDDATA; + } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR_PATCHWELCOME; + } + + /** init previous block len */ + for (i = 0; i < s->num_channels; i++) + s->channel[i].prev_block_len = s->samples_per_frame; + /** extract lfe channel position */ s->lfe_channel = -1; @@ -343,14 +351,6 @@ static av_cold int decode_init(AVCodecContext *avctx) } } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { - av_log_ask_for_sample(avctx, "unsupported number of channels\n"); - return AVERROR_PATCHWELCOME; - } - INIT_VLC_STATIC(&sf_vlc, SCALEVLCBITS, HUFF_SCALE_SIZE, scale_huffbits, 1, 1, scale_huffcodes, 2, 2, 616); From 9851184d304c85b6863dd3a7553e81f4cba32cfa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 26 Sep 2011 23:37:30 +0200 Subject: [PATCH 0420/1119] Reset internal state on corrupted blocks in wavpack decoder. wavpack_decode_block() supposes that it is called back with the exact same buffer unless it has returned with an error. With multi-channels files, wavpack_decode_frame() was breaking this assumption. Signed-off-by: Michael Niedermayer (cherry picked from commit c2a016ad4d9c29285813ba5806189e63e063e0fb) --- libavcodec/wavpack.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a785b90046..28e866356d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1173,6 +1173,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, return samplecount * bpp; } +static void wavpack_decode_flush(AVCodecContext *avctx) +{ + WavpackContext *s = avctx->priv_data; + int i; + + for (i = 0; i < s->fdec_num; i++) + wv_reset_saved_context(s->fdec[i]); +} + static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) @@ -1205,11 +1214,14 @@ static int wavpack_decode_frame(AVCodecContext *avctx, if(frame_size < 0 || frame_size > buf_size){ av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d vs. %d bytes left)\n", s->block, frame_size, buf_size); + wavpack_decode_flush(avctx); return -1; } if((samplecount = wavpack_decode_block(avctx, s->block, data, - data_size, buf, frame_size)) < 0) + data_size, buf, frame_size)) < 0) { + wavpack_decode_flush(avctx); return -1; + } s->block++; buf += frame_size; buf_size -= frame_size; } From 184a156f7aac93cc0e354f526f9842f648c0b433 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 01:02:16 +0200 Subject: [PATCH 0421/1119] Check for various out of bound writes in the bink decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 36bf135d4c32973933000a819208df7da9dd3e16) --- libavcodec/bink.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 4328a43525..b3e53b8a32 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -343,14 +343,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle * memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v) { sign = -get_bits1(gb); v = (v ^ sign) - sign; } *b->cur_dec++ = v; - } while (b->cur_dec < dec_end); + } } return 0; } @@ -374,7 +374,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b) memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v < 12) { last = v; @@ -382,10 +382,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b) } else { int run = bink_rlelens[v - 12]; + if (dec_end - b->cur_dec < run) + return -1; memset(b->cur_dec, last, run); b->cur_dec += run; } - } while (b->cur_dec < dec_end); + } } return 0; } @@ -456,6 +458,7 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b, { int i, j, len, len2, bsize, sign, v, v2; int16_t *dst = (int16_t*)b->cur_dec; + int16_t *dst_end =( int16_t*)b->data_end; CHECK_READ_VAL(gb, b, len); v = get_bits(gb, start_bits - has_sign); @@ -463,10 +466,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b, sign = -get_bits1(gb); v = (v ^ sign) - sign; } + if (dst_end - dst < 1) + return -1; *dst++ = v; len--; for (i = 0; i < len; i += 8) { len2 = FFMIN(len - i, 8); + if (dst_end - dst < len2) + return -1; bsize = get_bits(gb, 4); if (bsize) { for (j = 0; j < len2; j++) { @@ -534,6 +541,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num) int i, len; CHECK_READ_VAL(gb, b, len); + if (b->data_end - b->cur_dec < len * (1 + (bits > 8))) + return -1; if (bits <= 8) { if (!issigned) { for (i = 0; i < len; i++) From 1860053820a4a3a9cefa5131dbd263645944bc77 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 01:02:17 +0200 Subject: [PATCH 0422/1119] Check for out of bound writes when building tree in bink decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 254af56dd101bc756194dd080bb99e8f123500dd) --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index b3e53b8a32..f4fa44b761 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -246,7 +246,7 @@ static void read_tree(GetBitContext *gb, Tree *tree) tree->syms[i] = get_bits(gb, 4); tmp1[tree->syms[i]] = 1; } - for (i = 0; i < 16; i++) + for (i = 0; i < 16 && len < 16 - 1; i++) if (!tmp1[i]) tree->syms[++len] = i; } else { From 08decaeb95f20821df993a7c3b1692ce654ad390 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 20:22:13 +0200 Subject: [PATCH 0423/1119] Prevent NULL dereferences when missing the reference frame in the bink decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 66aae97a60fcd8658f18c484b5af898a48d0e3f9) --- libavcodec/bink.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index f4fa44b761..63f17eb577 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -973,8 +973,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, for (i = 0; i < BINK_NB_SRC; i++) read_bundle(gb, c, i); - ref_start = c->last.data[plane_idx]; - ref_end = c->last.data[plane_idx] + ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]; + ref_end = ref_start + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8; for (i = 0; i < 64; i++) @@ -1003,7 +1004,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, if (by == bh) break; dst = c->pic.data[plane_idx] + 8*by*stride; - prev = c->last.data[plane_idx] + 8*by*stride; + prev = (c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]) + 8*by*stride; for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it From 70727e16ca6840873145332bc16c0cfab1a3cdd5 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:43:51 +0200 Subject: [PATCH 0424/1119] Check for out of bound writes in the wmavoice decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e09ae22ab7d9af7f1cbfd2445fa71ad9e7c28ee3) --- libavcodec/wmavoice.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 002c529a30..6cefb9a84d 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1880,6 +1880,8 @@ static void copy_bits(PutBitContext *pb, rmn_bits = rmn_bytes = get_bits_left(gb); if (rmn_bits < nbits) return; + if (nbits > pb->size_in_bits - put_bits_count(pb)) + return; rmn_bits &= 7; rmn_bytes >>= 3; if ((rmn_bits = FFMIN(rmn_bits, nbits)) > 0) put_bits(pb, rmn_bits, get_bits(gb, rmn_bits)); From 0a5e269f03cc812d0309ebe9c4ba5053a804635a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:43:52 +0200 Subject: [PATCH 0425/1119] Check for corrupted extra data in wmavoice decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 61930119cbff7572ebe7ade6cd9268becbec37f4) --- libavcodec/wmavoice.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 6cefb9a84d..c343080b36 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -401,6 +401,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; + if (pitch_range <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid pitch range; broken extradata?\n"); + return -1; + } s->pitch_nbits = av_ceil_log2(pitch_range); s->last_pitch_val = 40; s->last_acb_type = ACB_TYPE_NONE; @@ -422,6 +426,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) s->block_conv_table[2] = (pitch_range * 44) >> 6; s->block_conv_table[3] = s->max_pitch_val - 1; s->block_delta_pitch_hrange = (pitch_range >> 3) & ~0xF; + if (s->block_delta_pitch_hrange <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid delta pitch hrange; broken extradata?\n"); + return -1; + } s->block_delta_pitch_nbits = 1 + av_ceil_log2(s->block_delta_pitch_hrange); s->block_pitch_range = s->block_conv_table[2] + s->block_conv_table[3] + 1 + From 23197f546762e906837fb3293ce8243852b294dd Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:43:53 +0200 Subject: [PATCH 0426/1119] Check for out of bounds reads in sun rasterfile decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 039f3c33fffd2f4ae376b662ea4ec67c1d6a4c04) --- libavcodec/sunrast.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 558b0edd8f..7ab8e2c3f6 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -46,6 +46,7 @@ static av_cold int sunrast_init(AVCodecContext *avctx) { static int sunrast_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; SUNRASTContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -53,6 +54,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *ptr; const uint8_t *bufstart = buf; + if (avpkt->size < 32) + return AVERROR_INVALIDDATA; + if (AV_RB32(buf) != 0x59a66a95) { av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n"); return -1; @@ -109,6 +113,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, p->pict_type = AV_PICTURE_TYPE_I; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if (depth != 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); @@ -143,8 +150,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *end = ptr + h*stride; x = 0; - while (ptr != end) { + while (ptr != end && buf < buf_end) { run = 1; + if (buf_end - buf < 1) + return AVERROR_INVALIDDATA; + if ((value = *buf++) == 0x80) { run = *buf++ + 1; if (run != 1) @@ -163,6 +173,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y=0; y Date: Tue, 27 Sep 2011 23:43:57 +0200 Subject: [PATCH 0427/1119] Prevent NULL dereferences when missing the reference frame in the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 19e95b88459e879d3e67a66350d937c32ed762ca) --- libavcodec/xan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 357593bf2d..404f4d10c6 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -222,6 +222,8 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; + if (!prev_palette_plane) + prev_palette_plane = palette_plane; stride = s->current_frame.linesize[0]; line_inc = stride - width; curframe_index = y * stride + x; From df0d418ce0efd2d59c60518c4b09995948bd5faf Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 21:24:03 +0200 Subject: [PATCH 0428/1119] Check for invalid/corrupted bitstream in sun raster decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit b9596a503760ccbd82ca3c03d1c0d5b9449be12b) --- libavcodec/sunrast.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 7ab8e2c3f6..209d2c0ad3 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -68,13 +68,14 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, type = AV_RB32(buf+20); maptype = AV_RB32(buf+24); maplength = AV_RB32(buf+28); + buf += 32; - if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { - av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); + if (type < RT_OLD || type > RT_FORMAT_IFF) { + av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n"); return -1; } - if (type > RT_FORMAT_IFF) { - av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n"); + if (av_image_check_size(w, h, 0, avctx)) { + av_log(avctx, AV_LOG_ERROR, "invalid image size\n"); return -1; } if (maptype & ~1) { @@ -82,7 +83,10 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return -1; } - buf += 32; + if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { + av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); + return -1; + } switch (depth) { case 1: @@ -102,8 +106,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (p->data[0]) avctx->release_buffer(avctx, p); - if (av_image_check_size(w, h, 0, avctx)) - return -1; if (w != avctx->width || h != avctx->height) avcodec_set_dimensions(avctx, w, h); if (avctx->get_buffer(avctx, p) < 0) { From 03a4b489f10c2ed3cb004e1d0bbe9515ebf0e586 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 23:53:47 +0200 Subject: [PATCH 0429/1119] Prevent out of bound accesses in the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit feca3ba053499e0d38f48910cef9bc431036956f) --- libavcodec/xan.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 404f4d10c6..141fccae77 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -220,6 +220,10 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, int width = s->avctx->width; unsigned char *palette_plane, *prev_palette_plane; + if ( y + motion_y < 0 || y + motion_y >= s->avctx->height || + x + motion_x < 0 || x + motion_x >= s->avctx->width) + return; + palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; if (!prev_palette_plane) @@ -230,7 +234,9 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, curframe_x = x; prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - while(pixel_count && (curframe_index < s->frame_size)) { + while(pixel_count && + curframe_index < s->frame_size && + prevframe_index < s->frame_size) { int count = FFMIN3(pixel_count, width - curframe_x, width - prevframe_x); memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count); @@ -264,6 +270,7 @@ static int xan_wc3_decode_frame(XanContext *s) { int x, y; unsigned char *opcode_buffer = s->buffer1; + unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; int opcode_buffer_size = s->buffer1_size; const unsigned char *imagedata_buffer = s->buffer2; @@ -272,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; - int huffman_offset, size_offset, vector_offset, imagedata_offset; + int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; if (s->size < 8) return AVERROR_INVALIDDATA; @@ -297,14 +304,17 @@ static int xan_wc3_decode_frame(XanContext *s) { huffman_segment, s->size - huffman_offset) < 0) return AVERROR_INVALIDDATA; - if (imagedata_segment[0] == 2) + if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); - else + imagedata_size = s->buffer2_size; + } else { + imagedata_size = s->size - imagedata_offset - 1; imagedata_buffer = &imagedata_segment[1]; + } /* use the decoded data segments to build the frame */ x = y = 0; - while (total_pixels) { + while (total_pixels && opcode_buffer < opcode_buffer_end) { opcode = *opcode_buffer++; size = 0; @@ -353,6 +363,8 @@ static int xan_wc3_decode_frame(XanContext *s) { size_segment += 3; break; } + if (size > total_pixels) + break; if (opcode < 12) { flag ^= 1; @@ -361,8 +373,11 @@ static int xan_wc3_decode_frame(XanContext *s) { xan_wc3_copy_pixel_run(s, x, y, size, 0, 0); } else { /* output a run of pixels from imagedata_buffer */ + if (imagedata_size < size) + break; xan_wc3_output_pixel_run(s, imagedata_buffer, x, y, size); imagedata_buffer += size; + imagedata_size -= size; } } else { /* run-based motion compensation from last frame */ From fa816e01f401585bcd06e0c3785a8e2270cf37fd Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:05:15 +0200 Subject: [PATCH 0430/1119] Check for out of bound reads in the flic decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 1f024b882094b26c85e87698faa002b8713b5f88) --- libavcodec/flicvideo.c | 44 ++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 8cc72e241e..2055596503 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -132,7 +132,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, FlicDecodeContext *s = avctx->priv_data; int stream_ptr = 0; - int stream_ptr_after_color_chunk; int pixel_ptr; int palette_ptr; unsigned char palette_idx1; @@ -172,7 +171,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixels = s->frame.data[0]; pixel_limit = s->avctx->height * s->frame.linesize[0]; + if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE)) + return AVERROR_INVALIDDATA; frame_size = AV_RL32(&buf[stream_ptr]); + if (frame_size > buf_size) + frame_size = buf_size; stream_ptr += 6; /* skip the magic number */ num_chunks = AV_RL16(&buf[stream_ptr]); stream_ptr += 10; /* skip padding */ @@ -180,13 +183,16 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, frame_size -= 16; /* iterate through the chunks */ - while ((frame_size > 0) && (num_chunks > 0)) { + while ((frame_size >= 6) && (num_chunks > 0)) { + int stream_ptr_after_chunk; chunk_size = AV_RL32(&buf[stream_ptr]); if (chunk_size > frame_size) { av_log(avctx, AV_LOG_WARNING, "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); chunk_size = frame_size; } + stream_ptr_after_chunk = stream_ptr + chunk_size; + stream_ptr += 4; chunk_type = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; @@ -194,8 +200,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, switch (chunk_type) { case FLI_256_COLOR: case FLI_COLOR: - stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6; - /* check special case: If this file is from the Magic Carpet * game and uses 6-bit colors even though it reports 256-color * chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during @@ -219,6 +223,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, if (color_changes == 0) color_changes = 256; + if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk) + break; + for (j = 0; j < color_changes; j++) { unsigned int entry; @@ -235,13 +242,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, s->palette[palette_ptr++] = entry; } } - - /* color chunks sometimes have weird 16-bit alignment issues; - * therefore, take the hardline approach and set the stream_ptr - * to the value calculated w.r.t. the size specified by the color - * chunk header */ - stream_ptr = stream_ptr_after_color_chunk; - break; case FLI_DELTA: @@ -249,6 +249,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, compressed_lines = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; while (compressed_lines > 0) { + if (stream_ptr + 2 > stream_ptr_after_chunk) + break; line_packets = AV_RL16(&buf[stream_ptr]); stream_ptr += 2; if ((line_packets & 0xC000) == 0xC000) { @@ -268,6 +270,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; for (i = 0; i < line_packets; i++) { + if (stream_ptr + 2 > stream_ptr_after_chunk) + break; /* account for the skip bytes */ pixel_skip = buf[stream_ptr++]; pixel_ptr += pixel_skip; @@ -284,6 +288,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } } else { CHECK_PIXEL_PTR(byte_run * 2); + if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run * 2; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -310,6 +316,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, CHECK_PIXEL_PTR(0); pixel_countdown = s->avctx->width; line_packets = buf[stream_ptr++]; + if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk) + break; if (line_packets > 0) { for (i = 0; i < line_packets; i++) { /* account for the skip bytes */ @@ -319,6 +327,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { CHECK_PIXEL_PTR(byte_run); + if (stream_ptr + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++, pixel_countdown--) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -356,6 +366,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, stream_ptr++; pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { + if (stream_ptr + 1 > stream_ptr_after_chunk) + break; byte_run = (signed char)(buf[stream_ptr++]); if (byte_run > 0) { palette_idx1 = buf[stream_ptr++]; @@ -370,6 +382,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, } else { /* copy bytes if byte_run < 0 */ byte_run = -byte_run; CHECK_PIXEL_PTR(byte_run); + if (stream_ptr + byte_run > stream_ptr_after_chunk) + break; for (j = 0; j < byte_run; j++) { palette_idx1 = buf[stream_ptr++]; pixels[pixel_ptr++] = palette_idx1; @@ -387,10 +401,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_COPY: /* copy the chunk (uncompressed frame) */ - if (chunk_size - 6 > s->avctx->width * s->avctx->height) { + if (chunk_size - 6 != s->avctx->width * s->avctx->height) { av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \ - "bigger than image, skipping chunk\n", chunk_size - 6); - stream_ptr += chunk_size - 6; + "has incorrect size, skipping chunk\n", chunk_size - 6); } else { for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height; y_ptr += s->frame.linesize[0]) { @@ -403,7 +416,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_MINI: /* some sort of a thumbnail? disregard this chunk... */ - stream_ptr += chunk_size - 6; break; default: @@ -411,6 +423,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; } + stream_ptr = stream_ptr_after_chunk; + frame_size -= chunk_size; num_chunks--; } From 651e21f584d92709d58242dcad49b238e54dfdd5 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Sun, 20 Mar 2011 19:39:20 +0100 Subject: [PATCH 0431/1119] Introduce av_size_mult. av_size_mult helps checking for overflow when computing the size of a memory area. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit b2600509fef4d77645491f208b8113c372a32110) --- libavutil/mem.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavutil/mem.h b/libavutil/mem.h index be8a8bf222..241b453257 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -27,6 +27,7 @@ #define AVUTIL_MEM_H #include "attributes.h" +#include "error.h" #include "avutil.h" #if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 1110 || defined(__SUNPRO_C) @@ -144,4 +145,19 @@ void av_freep(void *ptr); */ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem); +/** + * Multiply two size_t values checking for overflow. + * @return 0 if success, AVERROR(EINVAL) if overflow. + */ +static inline int av_size_mult(size_t a, size_t b, size_t *r) +{ + size_t t = a * b; + /* Hack inspired from glibc: only try the division if nelem and elsize + * are both greater than sqrt(SIZE_MAX). */ + if ((a | b) >= ((size_t)1 << (sizeof(size_t) * 4)) && a && t / a != b) + return AVERROR(EINVAL); + *r = t; + return 0; +} + #endif /* AVUTIL_MEM_H */ From a75b5a89d11b80e89bb2ff723cfcc270480dc06d Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Sun, 20 Mar 2011 19:39:20 +0100 Subject: [PATCH 0432/1119] Introduce av_realloc_f. av_realloc_f helps avoiding memory-leaks in typical uses of realloc. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 5cd754bca290775ec2dbbf88597ab58e0482efca) --- libavutil/mem.c | 15 +++++++++++++++ libavutil/mem.h | 10 ++++++++++ 2 files changed, 25 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 44bfc8c34d..a58f432a2c 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -143,6 +143,21 @@ void *av_realloc(void *ptr, size_t size) #endif } +void *av_realloc_f(void *ptr, size_t nelem, size_t elsize) +{ + size_t size; + void *r; + + if (av_size_mult(elsize, nelem, &size)) { + av_free(ptr); + return NULL; + } + r = av_realloc(ptr, size); + if (!r && size) + av_free(ptr); + return r; +} + void av_free(void *ptr) { #if CONFIG_MEMALIGN_HACK diff --git a/libavutil/mem.h b/libavutil/mem.h index 241b453257..d3e82b2ace 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -87,6 +87,16 @@ void *av_malloc(size_t size) av_malloc_attrib av_alloc_size(1); */ void *av_realloc(void *ptr, size_t size) av_alloc_size(2); +/** + * Allocate or reallocate a block of memory. + * This function does the same thing as av_realloc, except: + * - It takes two arguments and checks the result of the multiplication for + * integer overflow. + * - It frees the input block in case of failure, thus avoiding the memory + * leak with the classic "buf = realloc(buf); if (!buf) return -1;". + */ +void *av_realloc_f(void *ptr, size_t nelem, size_t elsize); + /** * Free a memory block which has been allocated with av_malloc(z)() or * av_realloc(). From bbb191c721d7104e4fcc77b45856cc9d585b0636 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0433/1119] bitstream: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 198ed6474d603f930430067b8b56955d443e821c) --- libavcodec/bitstream.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index f0fa9652c6..e2a3d56d05 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -109,8 +109,8 @@ static int alloc_table(VLC *vlc, int size, int use_static) if(use_static) abort(); //cant do anything, init_vlc() is used with too little memory vlc->table_allocated += (1 << vlc->bits); - vlc->table = av_realloc(vlc->table, - sizeof(VLC_TYPE) * 2 * vlc->table_allocated); + vlc->table = av_realloc_f(vlc->table, + vlc->table_allocated, sizeof(VLC_TYPE) * 2); if (!vlc->table) return -1; } From acfe2c9154899b678c7638e3e247ba188cb18cfa Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0434/1119] libvpxenc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 769298a6869c3b16557280a63f6502409d1b5e49) --- libavcodec/libvpxenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index ac1b79fcc7..990badb87b 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -481,8 +481,8 @@ static int queue_frames(AVCodecContext *avctx, uint8_t *buf, int buf_size, break; case VPX_CODEC_STATS_PKT: { struct vpx_fixed_buf *stats = &ctx->twopass_stats; - stats->buf = av_realloc(stats->buf, - stats->sz + pkt->data.twopass_stats.sz); + stats->buf = av_realloc_f(stats->buf, 1, + stats->sz + pkt->data.twopass_stats.sz); if (!stats->buf) { av_log(avctx, AV_LOG_ERROR, "Stat buffer realloc failed\n"); return AVERROR(ENOMEM); From 2a934e87b18030ac0b94d1761048a5d5aa9d5ed9 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0435/1119] 4xm: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 0cc44facf17153454727c26f2f40ee2f77b90df5) --- libavformat/4xm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 0b79c761a5..0a314dc089 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -173,8 +173,9 @@ static int fourxm_read_header(AVFormatContext *s, } if (current_track + 1 > fourxm->track_count) { fourxm->track_count = current_track + 1; - fourxm->tracks = av_realloc(fourxm->tracks, - fourxm->track_count * sizeof(AudioTrack)); + fourxm->tracks = av_realloc_f(fourxm->tracks, + sizeof(AudioTrack), + fourxm->track_count); if (!fourxm->tracks) { ret= AVERROR(ENOMEM); goto fail; From 1537f86a9347ec7c17cb4be0d6657c583d316d40 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0436/1119] avidec: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 71e23d39a396f45bbdf258735b02a4bd5e25fd49) --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 6fedaf7f8e..7394bbc3a8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -639,7 +639,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) if(st->codec->codec_tag==0 && st->codec->height > 0 && st->codec->extradata_size < 1U<<30){ st->codec->extradata_size+= 9; - st->codec->extradata= av_realloc(st->codec->extradata, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); + st->codec->extradata= av_realloc_f(st->codec->extradata, 1, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); if(st->codec->extradata) memcpy(st->codec->extradata + st->codec->extradata_size - 9, "BottomUp", 9); } From 7bc9c32573ab482d44f62bc08f9e508c81adae33 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0437/1119] avienc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit e47cfe9e5c10eee3c8d0b6aff81792c0f10e66e1) --- libavformat/avienc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avienc.c b/libavformat/avienc.c index 8a53bb53d3..deff1c8d20 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -558,7 +558,7 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt) int cl = idx->entry / AVI_INDEX_CLUSTER_SIZE; int id = idx->entry % AVI_INDEX_CLUSTER_SIZE; if (idx->ents_allocated <= idx->entry) { - idx->cluster = av_realloc(idx->cluster, (cl+1)*sizeof(void*)); + idx->cluster = av_realloc_f(idx->cluster, sizeof(void*), cl+1); if (!idx->cluster) return -1; idx->cluster[cl] = av_malloc(AVI_INDEX_CLUSTER_SIZE*sizeof(AVIIentry)); From 431937883f5d10b461fd8c6ee5a11abc7af8c9b2 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0438/1119] aviobuf: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 247a1dc84716cb033b538a5bd5ba8b33de0e8260) --- libavformat/aviobuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index aad0240d53..c6a67c3acc 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -921,7 +921,7 @@ int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char *buf, int buf_size alloc_size = FFMAX(s->buffer_size, new_size); if (alloc_size > buf_size) - if (!(buf = av_realloc(buf, alloc_size))) + if (!(buf = av_realloc_f(buf, 1, alloc_size))) return AVERROR(ENOMEM); if (new_size > buf_size) { @@ -1090,7 +1090,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) } if (new_allocated_size > d->allocated_size) { - d->buffer = av_realloc(d->buffer, new_allocated_size); + d->buffer = av_realloc_f(d->buffer, 1, new_allocated_size); if(d->buffer == NULL) return AVERROR(ENOMEM); d->allocated_size = new_allocated_size; From cfff8db7298e31bc4322af1f1de6fe142d2abd90 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0439/1119] gxfenc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit af84d9bb9e8a69a715fc7596d6cbaa00ad00dc29) --- libavformat/gxfenc.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/gxfenc.c b/libavformat/gxfenc.c index 3f7d7851f7..36e2c91ef6 100644 --- a/libavformat/gxfenc.c +++ b/libavformat/gxfenc.c @@ -340,8 +340,9 @@ static int gxf_write_map_packet(AVFormatContext *s, int rewrite) if (!rewrite) { if (!(gxf->map_offsets_nb % 30)) { - gxf->map_offsets = av_realloc(gxf->map_offsets, - (gxf->map_offsets_nb+30)*sizeof(*gxf->map_offsets)); + gxf->map_offsets = av_realloc_f(gxf->map_offsets, + sizeof(*gxf->map_offsets), + gxf->map_offsets_nb+30); if (!gxf->map_offsets) { av_log(s, AV_LOG_ERROR, "could not realloc map offsets\n"); return -1; @@ -876,8 +877,9 @@ static int gxf_write_packet(AVFormatContext *s, AVPacket *pkt) if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) { if (!(gxf->flt_entries_nb % 500)) { - gxf->flt_entries = av_realloc(gxf->flt_entries, - (gxf->flt_entries_nb+500)*sizeof(*gxf->flt_entries)); + gxf->flt_entries = av_realloc_f(gxf->flt_entries, + sizeof(*gxf->flt_entries), + gxf->flt_entries_nb+500); if (!gxf->flt_entries) { av_log(s, AV_LOG_ERROR, "could not reallocate flt entries\n"); return -1; From 17b6abab50a42f1b81b8ae2207f86f2c76564380 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 28 Sep 2011 17:16:11 +0200 Subject: [PATCH 0440/1119] movenc: Replace av_realloc by av_realloc_f when relevant. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 194c2432eecd97c36914956f3bf7781ac4fc6f3d) --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 463dd5b601..076f2e3c69 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2058,7 +2058,7 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) } if (!(trk->entry % MOV_INDEX_CLUSTER_SIZE)) { - trk->cluster = av_realloc(trk->cluster, (trk->entry + MOV_INDEX_CLUSTER_SIZE) * sizeof(*trk->cluster)); + trk->cluster = av_realloc_f(trk->cluster, sizeof(*trk->cluster), (trk->entry + MOV_INDEX_CLUSTER_SIZE)); if (!trk->cluster) return -1; } From 485b4317bba908f58ffa62181000c6180c31f698 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:49 +0200 Subject: [PATCH 0441/1119] Fixed out of bound accesses in xan_unpack() of the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5279141c1d7a72c467b7e0666fc2275cbcec4668) --- libavcodec/xan.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 141fccae77..52f3a3f64a 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -132,13 +132,16 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, * * @param dest destination buffer of dest_len, must be padded with at least 130 bytes */ -static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_len) +static void xan_unpack(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char opcode; int size; + unsigned char *dest_org = dest; unsigned char *dest_end = dest + dest_len; + const unsigned char *src_end = src + src_len; - while (dest < dest_end) { + while (dest < dest_end && src < src_end) { opcode = *src++; if (opcode < 0xe0) { @@ -163,9 +166,11 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1; size2 = ((opcode & 0x0c) << 6) + *src++ + 5; - if (size + size2 > dest_end - dest) - return; } + if (dest_end - dest < size + size2 || + dest + size - dest_org < back || + src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; av_memcpy_backptr(dest, back, size2); dest += size2; @@ -173,6 +178,8 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l int finish = opcode >= 0xfc; size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4; + if (dest_end - dest < size || src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; if (finish) return; @@ -305,7 +312,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) { - xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); + xan_unpack(s->buffer2, s->buffer2_size, + &imagedata_segment[1], s->size - imagedata_offset - 1); imagedata_size = s->buffer2_size; } else { imagedata_size = s->size - imagedata_offset - 1; From 14617fa7b8e688f5688d3679c906c8cb75ff42ed Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:51 +0200 Subject: [PATCH 0442/1119] Prevent NULL dereference when the palette is missing in the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 56ee5a9ad1b385129c40ba4773f99bc5943ae8af) --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 52f3a3f64a..b90353967d 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -552,6 +552,9 @@ static int xan_decode_frame(AVCodecContext *avctx, } buf_size = buf_end - buf; } + if (s->palettes_count <= 0) + return AVERROR_INVALIDDATA; + if ((ret = avctx->get_buffer(avctx, &s->current_frame))) { av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; From f8eabfc16ed260ae33bd2c15c240eaf2129dba47 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:52 +0200 Subject: [PATCH 0443/1119] Prevent calling init_vlc() with invalid parameters in motionpixels decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 41b7389cade702383e59343561776f83bb26e17f) --- libavcodec/motionpixels.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index b18efa6b9c..4bd83cb2ae 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -279,6 +279,8 @@ static int mp_decode_frame(AVCodecContext *avctx, if (sz == 0) goto end; + if (mp->max_codes_bits <= 0) + goto end; if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) goto end; mp_decode_frame_helper(mp, &gb); From dc9b708f4d79162771d893532fe35159fad0c21d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:53 +0200 Subject: [PATCH 0444/1119] Check for out of bound reads in jpeg 2000 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 02660a871301adada14b0e0fe64c66f73c2e4541) --- libavcodec/j2kdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 73af6a73df..96b4f64098 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -961,18 +961,20 @@ static int decode_codestream(J2kDecoderContext *s) static int jp2_find_codestream(J2kDecoderContext *s) { - int32_t atom_size; + uint32_t atom_size; int found_codestream = 0, search_range = 10; // skip jpeg2k signature atom s->buf += 12; - while(!found_codestream && search_range) { + while(!found_codestream && search_range && s->buf_end - s->buf >= 8) { atom_size = AV_RB32(s->buf); if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) { found_codestream = 1; s->buf += 8; } else { + if (s->buf_end - s->buf < atom_size) + return 0; s->buf += atom_size; search_range--; } @@ -1005,7 +1007,8 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR(EINVAL); // check if the image is in jp2 format - if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && + if(s->buf_end - s->buf >= 12 && + (AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && (AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) { if(!jp2_find_codestream(s)) { av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n"); From d414c77ded5e8896e3a63dbdbd09bd96e70fbf6e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 01:04:54 +0200 Subject: [PATCH 0445/1119] Check for unsupported parameters in ff_j2k_dwt_init() Signed-off-by: Michael Niedermayer (cherry picked from commit b4483a531a139f304f4370f470325facb107202f) --- libavcodec/j2k_dwt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/j2k_dwt.c b/libavcodec/j2k_dwt.c index 9ba770ad83..ab7a1ab757 100644 --- a/libavcodec/j2k_dwt.c +++ b/libavcodec/j2k_dwt.c @@ -321,6 +321,8 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int int i, j, lev = decomp_levels, maxlen, b[2][2]; + if (decomp_levels >= FF_DWT_MAX_DECLVLS) + return AVERROR_INVALIDDATA; s->ndeclevels = decomp_levels; s->type = type; From d155fdefb88ac45d90600252cd2348d3d6d2cf36 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 12 Aug 2011 08:42:35 +0200 Subject: [PATCH 0446/1119] vf_unsharp: fix out-of-buffer read In apply_unsharp(), when y is >= height, prevent out-of-buffer reading from src, read from the last buffer line in src2 instead. The check was implemented in the original unsharp libmpcodecs code and lost in the port. This also fixes output discrepancy between the two filters. Signed-off-by: Anton Khirnov (cherry picked from commit 998e8519efbc772994c5ba19c0d39573998be9db) --- libavfilter/vf_unsharp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index 3542ca3eac..2bc090f26a 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -70,6 +70,7 @@ static void unsharpen(uint8_t *dst, const uint8_t *src, int dst_stride, int src_ int32_t res; int x, y, z; + const uint8_t *src2; if (!fp->amount) { if (dst_stride == src_stride) @@ -84,9 +85,12 @@ static void unsharpen(uint8_t *dst, const uint8_t *src, int dst_stride, int src_ memset(sc[y], 0, sizeof(sc[y][0]) * (width + 2 * fp->steps_x)); for (y = -fp->steps_y; y < height + fp->steps_y; y++) { + if (y < height) + src2 = src; + memset(sr, 0, sizeof(sr[0]) * (2 * fp->steps_x - 1)); for (x = -fp->steps_x; x < width + fp->steps_x; x++) { - tmp1 = x <= 0 ? src[0] : x >= width ? src[width-1] : src[x]; + tmp1 = x <= 0 ? src2[0] : x >= width ? src2[width-1] : src2[x]; for (z = 0; z < fp->steps_x * 2; z += 2) { tmp2 = sr[z + 0] + tmp1; sr[z + 0] = tmp1; tmp1 = sr[z + 1] + tmp2; sr[z + 1] = tmp2; From 8d61c684423c0b78d8ab076fef00d7095e339a97 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 13 Aug 2011 16:30:44 +0200 Subject: [PATCH 0447/1119] vf_unsharp: set default chroma size value to 5x5 The previous default value 0x0 was not good, since it is not even valid. Signed-off-by: Anton Khirnov (cherry picked from commit 1ee20141900c98f9dc25eca121c66c3ff468c1e4) --- doc/filters.texi | 6 +++--- libavfilter/vf_unsharp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index eb31714486..e4873fafb2 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -1683,7 +1683,7 @@ It accepts the following parameters: Negative values for the amount will blur the input video, while positive values will sharpen. All parameters are optional and default to the -equivalent of the string '5:5:1.0:0:0:0.0'. +equivalent of the string '5:5:1.0:5:5:0.0'. @table @option @@ -1701,11 +1701,11 @@ and 5.0, default value is 1.0. @item chroma_msize_x Set the chroma matrix horizontal size. It can be an integer between 3 -and 13, default value is 0. +and 13, default value is 5. @item chroma_msize_y Set the chroma matrix vertical size. It can be an integer between 3 -and 13, default value is 0. +and 13, default value is 5. @item luma_amount Set the chroma effect strength. It can be a float number between -2.0 diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index 2bc090f26a..3a58a480b9 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -129,8 +129,8 @@ static void set_filter_param(FilterParam *fp, int msize_x, int msize_y, double a static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque) { UnsharpContext *unsharp = ctx->priv; - int lmsize_x = 5, cmsize_x = 0; - int lmsize_y = 5, cmsize_y = 0; + int lmsize_x = 5, cmsize_x = 5; + int lmsize_y = 5, cmsize_y = 5; double lamount = 1.0f, camount = 0.0f; if (args) From 626f11b3bc92011896ae2502788adb423cbd74d9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 28 Sep 2011 21:00:35 +0100 Subject: [PATCH 0448/1119] dca: clear inactive subbands only once in qmf_32_subbands() Writing zeros to the high entries in the array need only be done once as the cutoff position is constant throughout the loop. Signed-off-by: Mans Rullgard (cherry picked from commit bf00a73ace9b1aba790b75dcb26d43adfceb769f) --- libavcodec/dca.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 5166fc5337..69df8f4597 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -898,6 +898,9 @@ static void qmf_32_subbands(DCAContext * s, int chans, else /* Perfect reconstruction */ prCoeff = fir_32bands_perfect; + for (i = sb_act; i < 32; i++) + s->raXin[i] = 0.0; + /* Reconstructed channel sample index */ for (subindex = 0; subindex < 8; subindex++) { /* Load in one sample from each subband and clear inactive subbands */ @@ -905,8 +908,6 @@ static void qmf_32_subbands(DCAContext * s, int chans, uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30; AV_WN32A(&s->raXin[i], v); } - for (; i < 32; i++) - s->raXin[i] = 0.0; s->synth.synth_filter_float(&s->imdct, s->subband_fir_hist[chans], &s->hist_index[chans], From f9efe1d76e2c7fc302337506c42c5fd50ea36b5a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 28 Sep 2011 00:45:54 +0200 Subject: [PATCH 0449/1119] Check for out of bound reads in xan_huffman_decode() of the xan decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit c8b835954ae4aef797112afda3b52f8dfe3c7b74) --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index b90353967d..fe9eece61a 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -114,7 +114,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { - val = src[val - 0x17 + get_bits1(&gb) * byte]; + unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + if (idx >= 2 * byte) + return -1; + val = src[idx]; if ( val < 0x16 ) { if (dest >= dest_end) From 2451228b0c2685ec4b09b7beeaa34c4bad6f37cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Wed, 28 Sep 2011 10:34:51 +0200 Subject: [PATCH 0450/1119] mov: Only touch extradata in mov_read_extradata() if codec_id is what we expect Extradata should only be parsed from the avss, fiel, jp2h and alac atoms for AVS, MJPEG, Motion JPEG 2000 and ALAC respectively. This also fixes the mov demuxer coming up with bogus extradata for some AVC-Intra samples due to the presence of fiel atoms. (cherry picked from commit e571305a71494af195891e314b05936f040f89d3) --- libavformat/mov.c | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 773760c98a..cdba33dcb0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -755,7 +755,8 @@ static int mov_read_enda(MOVContext *c, AVIOContext *pb, MOVAtom atom) } /* FIXME modify qdm2/svq3/h264 decoders to take full atom as extradata */ -static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) +static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom, + enum CodecID codec_id) { AVStream *st; uint64_t size; @@ -764,6 +765,10 @@ static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (c->fc->nb_streams < 1) // will happen with jp2 files return 0; st= c->fc->streams[c->fc->nb_streams-1]; + + if (st->codec->codec_id != codec_id) + return 0; /* unexpected codec_id - don't mess with extradata */ + size= (uint64_t)st->codec->extradata_size + atom.size + 8 + FF_INPUT_BUFFER_PADDING_SIZE; if(size > INT_MAX || (uint64_t)atom.size > INT_MAX) return -1; @@ -779,6 +784,27 @@ static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } +/* wrapper functions for reading ALAC/AVS/MJPEG/MJPEG2000 extradata atoms only for those codecs */ +static int mov_read_alac(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_ALAC); +} + +static int mov_read_avss(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_AVS); +} + +static int mov_read_fiel(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_MJPEG); +} + +static int mov_read_jp2h(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + return mov_read_extradata(c, pb, atom, CODEC_ID_JPEG2000); +} + static int mov_read_wave(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; @@ -2228,7 +2254,7 @@ static int mov_read_chan(MOVContext *c, AVIOContext *pb, MOVAtom atom) } static const MOVParseTableEntry mov_default_parse_table[] = { -{ MKTAG('a','v','s','s'), mov_read_extradata }, +{ MKTAG('a','v','s','s'), mov_read_avss }, { MKTAG('c','h','p','l'), mov_read_chpl }, { MKTAG('c','o','6','4'), mov_read_stco }, { MKTAG('c','t','t','s'), mov_read_ctts }, /* composition time to sample */ @@ -2237,12 +2263,12 @@ static const MOVParseTableEntry mov_default_parse_table[] = { { MKTAG('e','d','t','s'), mov_read_default }, { MKTAG('e','l','s','t'), mov_read_elst }, { MKTAG('e','n','d','a'), mov_read_enda }, -{ MKTAG('f','i','e','l'), mov_read_extradata }, +{ MKTAG('f','i','e','l'), mov_read_fiel }, { MKTAG('f','t','y','p'), mov_read_ftyp }, { MKTAG('g','l','b','l'), mov_read_glbl }, { MKTAG('h','d','l','r'), mov_read_hdlr }, { MKTAG('i','l','s','t'), mov_read_ilst }, -{ MKTAG('j','p','2','h'), mov_read_extradata }, +{ MKTAG('j','p','2','h'), mov_read_jp2h }, { MKTAG('m','d','a','t'), mov_read_mdat }, { MKTAG('m','d','h','d'), mov_read_mdhd }, { MKTAG('m','d','i','a'), mov_read_default }, @@ -2253,7 +2279,7 @@ static const MOVParseTableEntry mov_default_parse_table[] = { { MKTAG('m','v','e','x'), mov_read_default }, { MKTAG('m','v','h','d'), mov_read_mvhd }, { MKTAG('S','M','I',' '), mov_read_smi }, /* Sorenson extension ??? */ -{ MKTAG('a','l','a','c'), mov_read_extradata }, /* alac specific atom */ +{ MKTAG('a','l','a','c'), mov_read_alac }, /* alac specific atom */ { MKTAG('a','v','c','C'), mov_read_glbl }, { MKTAG('p','a','s','p'), mov_read_pasp }, { MKTAG('s','t','b','l'), mov_read_default }, From 603cb031f19bff898b99fca2234f4cebbcfd743c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:46 +0200 Subject: [PATCH 0451/1119] Check for out of bound reads in the QuickDraw decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 44e2f0c3cd2df68659e07ed3d5eab4974794eb33) --- libavcodec/qdrw.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index cd3146388e..6432728cb8 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -37,6 +37,7 @@ static int decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; QdrawContext * const a = avctx->priv_data; AVFrame * const p= (AVFrame*)&a->pic; @@ -59,6 +60,8 @@ static int decode_frame(AVCodecContext *avctx, outdata = a->pic.data[0]; + if (buf_end - buf < 0x68 + 4) + return AVERROR_INVALIDDATA; buf += 0x68; /* jump to palette */ colors = AV_RB32(buf); buf += 4; @@ -67,6 +70,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return -1; } + if (buf_end - buf < (colors + 1) * 8) + return AVERROR_INVALIDDATA; pal = (uint32_t*)p->data[1]; for (i = 0; i <= colors; i++) { @@ -89,6 +94,8 @@ static int decode_frame(AVCodecContext *avctx, } p->palette_has_changed = 1; + if (buf_end - buf < 18) + return AVERROR_INVALIDDATA; buf += 18; /* skip unneeded data */ for (i = 0; i < avctx->height; i++) { int size, left, code, pix; @@ -100,6 +107,9 @@ static int decode_frame(AVCodecContext *avctx, out = outdata; size = AV_RB16(buf); /* size of packed line */ buf += 2; + if (buf_end - buf < size) + return AVERROR_INVALIDDATA; + left = size; next = buf + size; while (left > 0) { @@ -115,6 +125,8 @@ static int decode_frame(AVCodecContext *avctx, } else { /* copy */ if ((out + code) > (outdata + a->pic.linesize[0])) break; + if (buf_end - buf < code + 1) + return AVERROR_INVALIDDATA; memcpy(out, buf, code + 1); out += code + 1; buf += code + 1; From 18cfe0238df259e4b541d28b465688bea4781b16 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:50 +0200 Subject: [PATCH 0452/1119] Check for out of bounds reads in the Delphine Software International CIN decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 8e5f093c2cf13eab3d68d893bf8f30c56ba4e733) --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index f12560714a..c33b3edc4c 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -217,6 +217,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, bitmap_frame_size = buf_size - 4; /* handle palette */ + if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) + return AVERROR_INVALIDDATA; if (palette_type == 0) { for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); From 6e774cf67e6f30feb9b3dec11713d6b6dc0b521c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:51 +0200 Subject: [PATCH 0453/1119] Check for out of bounds writes in the Delphine Software International CIN decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 3035c4034b6af3ad47f921e3385196e1b9d44ddf) --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index c33b3edc4c..faca821c7d 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -220,6 +220,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) return AVERROR_INVALIDDATA; if (palette_type == 0) { + if (palette_colors_count > 256) + return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; From 376b0994746cbb14438c2a58ea1bdb2c9b934610 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:48 +0200 Subject: [PATCH 0454/1119] Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer used in motion pixels decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e60619f9b4bdaf9af46887cdb2c86454567b4a61) --- libavcodec/motionpixels.c | 1 + tests/ref/fate/motionpixels | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 4bd83cb2ae..a3afc02582 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -253,6 +253,7 @@ static int mp_decode_frame(AVCodecContext *avctx, mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4); if (buf_size & 3) memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3); + memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&gb, mp->bswapbuf, buf_size * 8); memset(mp->changes_map, 0, avctx->width * avctx->height); diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index e588ed3e18..30651e92c6 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels @@ -109,4 +109,4 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x538a3db8 +0, 666003, 230400, 0x16f9aad8 From 9b1bf0852548bffde22b8f27f8eb32ab51559bf1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:49 +0200 Subject: [PATCH 0455/1119] Fix the size of workspace buffers in the motion pixels decoder. Some buffers must be mod 4 in width and/or height. Signed-off-by: Michael Niedermayer (cherry picked from commit 62234a4d3a30f3949694781ef8a941ef55b210fa) --- libavcodec/motionpixels.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index a3afc02582..635a7d14a1 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -52,14 +52,16 @@ typedef struct MotionPixelsContext { static av_cold int mp_decode_init(AVCodecContext *avctx) { MotionPixelsContext *mp = avctx->priv_data; + int w4 = (avctx->width + 3) & ~3; + int h4 = (avctx->height + 3) & ~3; motionpixels_tableinit(); mp->avctx = avctx; dsputil_init(&mp->dsp, avctx); - mp->changes_map = av_mallocz(avctx->width * avctx->height); + mp->changes_map = av_mallocz(avctx->width * h4); mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1; mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel)); - mp->hpt = av_mallocz(avctx->height * avctx->width / 16 * sizeof(YuvPixel)); + mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel)); avctx->pix_fmt = PIX_FMT_RGB555; avcodec_get_frame_defaults(&mp->frame); return 0; From 375bd0cfb3d7b86bd5f70d1bc2d15bbd44e3abfe Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:47 +0200 Subject: [PATCH 0456/1119] Check for out of bound reads in the Tiertex Limited SEQ decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5d7e3d71673d64a16b58430a0027afadb6b3a54e) --- libavcodec/tiertexseqv.c | 65 +++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 14 deletions(-) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index f3a044882e..160da8c630 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -35,15 +35,19 @@ typedef struct SeqVideoContext { } SeqVideoContext; -static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsigned char *dst, int dst_size) +static const unsigned char *seq_unpack_rle_block(const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst, int dst_size) { int i, len, sz; GetBitContext gb; int code_table[64]; - /* get the rle codes (at most 64 bytes) */ - init_get_bits(&gb, src, 64 * 8); + /* get the rle codes */ + init_get_bits(&gb, src, (src_end - src) * 8); for (i = 0, sz = 0; i < 64 && sz < dst_size; i++) { + if (get_bits_left(&gb) < 4) + return NULL; code_table[i] = get_sbits(&gb, 4); sz += FFABS(code_table[i]); } @@ -54,8 +58,12 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig len = code_table[i]; if (len < 0) { len = -len; + if (src_end - src < 1) + return NULL; memset(dst, *src++, FFMIN(len, dst_size)); } else { + if (src_end - src < len) + return NULL; memcpy(dst, src, FFMIN(len, dst_size)); src += len; } @@ -65,25 +73,30 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig return src; } -static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op1(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { const unsigned char *color_table; int b, i, len, bits; GetBitContext gb; unsigned char block[8 * 8]; + if (src_end - src < 1) + return NULL; len = *src++; if (len & 0x80) { switch (len & 3) { case 1: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (b = 0; b < 8; b++) { memcpy(dst, &block[b * 8], 8); dst += seq->frame.linesize[0]; } break; case 2: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (i = 0; i < 8; i++) { for (b = 0; b < 8; b++) dst[b * seq->frame.linesize[0]] = block[i * 8 + b]; @@ -92,9 +105,13 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned break; } } else { + if (len <= 0) + return NULL; + bits = ff_log2_tab[len - 1] + 1; + if (src_end - src < len + 8 * bits) + return NULL; color_table = src; src += len; - bits = ff_log2_tab[len - 1] + 1; init_get_bits(&gb, src, bits * 8 * 8); src += bits * 8; for (b = 0; b < 8; b++) { for (i = 0; i < 8; i++) @@ -106,10 +123,16 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned return src; } -static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op2(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int i; + if (src_end - src < 8 * 8) + return NULL; + for (i = 0; i < 8; i++) { memcpy(dst, src, 8); src += 8; @@ -119,11 +142,16 @@ static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned return src; } -static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op3(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int pos, offset; do { + if (src_end - src < 2) + return NULL; pos = *src++; offset = ((pos >> 3) & 7) * seq->frame.linesize[0] + (pos & 7); dst[offset] = *src++; @@ -132,8 +160,9 @@ static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned return src; } -static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) +static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) { + const unsigned char *data_end = data + data_size; GetBitContext gb; int flags, i, j, x, y, op; unsigned char c[3]; @@ -144,6 +173,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int if (flags & 1) { palette = (uint32_t *)seq->frame.data[1]; + if (data_end - data < 256 * 3) + return AVERROR_INVALIDDATA; for (i = 0; i < 256; i++) { for (j = 0; j < 3; j++, data++) c[j] = (*data << 2) | (*data >> 4); @@ -153,6 +184,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int } if (flags & 2) { + if (data_end - data < 128) + return AVERROR_INVALIDDATA; init_get_bits(&gb, data, 128 * 8); data += 128; for (y = 0; y < 128; y += 8) for (x = 0; x < 256; x += 8) { @@ -160,17 +193,20 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int op = get_bits(&gb, 2); switch (op) { case 1: - data = seq_decode_op1(seq, data, dst); + data = seq_decode_op1(seq, data, data_end, dst); break; case 2: - data = seq_decode_op2(seq, data, dst); + data = seq_decode_op2(seq, data, data_end, dst); break; case 3: - data = seq_decode_op3(seq, data, dst); + data = seq_decode_op3(seq, data, data_end, dst); break; } + if (!data) + return AVERROR_INVALIDDATA; } } + return 0; } static av_cold int seqvideo_decode_init(AVCodecContext *avctx) @@ -202,7 +238,8 @@ static int seqvideo_decode_frame(AVCodecContext *avctx, return -1; } - seqvideo_decode(seq, buf, buf_size); + if (seqvideo_decode(seq, buf, buf_size)) + return AVERROR_INVALIDDATA; *data_size = sizeof(AVFrame); *(AVFrame *)data = seq->frame; From 107ea3057eb8de8a38c45c2f7181c42ea694b187 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 00:05:53 +0200 Subject: [PATCH 0457/1119] Fix out of bound writes in fix_bitshift() of the shorten decoder. The data pointers s->decoded[*] already take into account s->nwrap. Signed-off-by: Michael Niedermayer (cherry picked from commit f42b3195d3f2692a4dfc0a8668bb4ac35301f2ed) --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index f593d0a164..5e599fd504 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -155,7 +155,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) if (s->bitshift != 0) for (i = 0; i < s->blocksize; i++) - buffer[s->nwrap + i] <<= s->bitshift; + buffer[i] <<= s->bitshift; } From b8ab1adfcdb1f87e3e26425b4499046352009f29 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 21:54:44 -0400 Subject: [PATCH 0458/1119] avcodec: reject audio packets with NULL data and non-zero size There is no valid reason the user should ever send such packets in the first place, but the documentation for CODEC_CAP_DELAY states that the codec is guaranteed not to get a NULL packet unless that capability is set. That isn't true without preventing this case. (cherry picked from commit 6326afd5e90cfed9df08b652a1cd6f6a948c239a) --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1aa14a3381..ac559d2197 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -785,6 +785,11 @@ int attribute_align_arg avcodec_decode_audio3(AVCodecContext *avctx, int16_t *sa avctx->pkt = avpkt; + if (!avpkt->data && avpkt->size) { + av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n"); + return AVERROR(EINVAL); + } + if((avctx->codec->capabilities & CODEC_CAP_DELAY) || avpkt->size){ //FIXME remove the check below _after_ ensuring that all audio check that the available space is enough if(*frame_size_ptr < AVCODEC_MAX_AUDIO_FRAME_SIZE){ From 932b5f3cbb22b9357d60914f85675020041299e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 30 Sep 2011 20:30:35 +0300 Subject: [PATCH 0459/1119] lavf: Avoid using av_malloc(0) in av_dump_format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On OS X, av_malloc(0) returns pointers that cause crashes when freed. Signed-off-by: Martin Storsjö (cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index eaa8bd901f..e79f98e62d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3437,7 +3437,7 @@ void av_dump_format(AVFormatContext *ic, int is_output) { int i; - uint8_t *printed = av_mallocz(ic->nb_streams); + uint8_t *printed = ic->nb_streams ? av_mallocz(ic->nb_streams) : NULL; if (ic->nb_streams && !printed) return; From c23d5261f79671a598f32be8bc403552891af24e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:54 +0200 Subject: [PATCH 0460/1119] Check for corrupted data in avs demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 1cce7def0a8eff2e7db294b7d195a0fb1a5043b0) --- libavformat/avs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 355ae31f35..83023790d6 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -163,6 +163,8 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt) sub_type = avio_r8(s->pb); type = avio_r8(s->pb); size = avio_rl16(s->pb); + if (size < 4) + return AVERROR_INVALIDDATA; avs->remaining_frame_size -= size; switch (type) { From fa79af68453b810af94ccb0260ab38ba7b9bb04c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:55 +0200 Subject: [PATCH 0461/1119] Check for out of bound writes in the avs demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit 5d44c061cf511d97be5fac8d76be2f3915c6e798) --- libavformat/avs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 83023790d6..127639e7ee 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -169,6 +169,8 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt) switch (type) { case AVS_PALETTE: + if (size - 4 > sizeof(palette)) + return AVERROR_INVALIDDATA; ret = avio_read(s->pb, palette, size - 4); if (ret < size - 4) return AVERROR(EIO); From 3b840fab902e596e2f45de9046253ef955bb1979 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:56 +0200 Subject: [PATCH 0462/1119] Check for out of bound reads in AVS decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 7afe9e5638242a3210a0fc378e34e3af41e29176) --- libavcodec/avs.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 354b53c241..c7dcf0e2dc 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; AvsContext *const avs = avctx->priv_data; AVFrame *picture = data; @@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx, out = avs->picture.data[0]; stride = avs->picture.linesize[0]; + if (buf_end - buf < 4) + return AVERROR_INVALIDDATA; sub_type = buf[0]; type = buf[1]; buf += 4; @@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx, first = AV_RL16(buf); last = first + AV_RL16(buf + 2); + if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first)) + return AVERROR_INVALIDDATA; buf += 4; for (i=first; i Date: Sat, 1 Oct 2011 00:44:57 +0200 Subject: [PATCH 0463/1119] Fix double free on error in Deluxe Paint Animation demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit d39d7122e34d2cf994d6dc474fe0c8bee2f7fcfd) --- libavformat/anm.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/libavformat/anm.c b/libavformat/anm.c index 269e325e42..1210e67dc7 100644 --- a/libavformat/anm.c +++ b/libavformat/anm.c @@ -134,18 +134,17 @@ static int read_header(AVFormatContext *s, /* color cycling and palette data */ st->codec->extradata_size = 16*8 + 4*256; st->codec->extradata = av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); - if (!st->codec->extradata) { - ret = AVERROR(ENOMEM); - goto close_and_return; - } + if (!st->codec->extradata) + return AVERROR(ENOMEM); + ret = avio_read(pb, st->codec->extradata, st->codec->extradata_size); if (ret < 0) - goto close_and_return; + return ret; /* read page table */ ret = avio_seek(pb, anm->page_table_offset, SEEK_SET); if (ret < 0) - goto close_and_return; + return ret; for (i = 0; i < MAX_PAGES; i++) { Page *p = &anm->pt[i]; @@ -156,21 +155,15 @@ static int read_header(AVFormatContext *s, /* find page of first frame */ anm->page = find_record(anm, 0); - if (anm->page < 0) { - ret = anm->page; - goto close_and_return; - } + if (anm->page < 0) + return anm->page; anm->record = -1; return 0; invalid: av_log_ask_for_sample(s, NULL); - ret = AVERROR_INVALIDDATA; - -close_and_return: - av_close_input_stream(s); - return ret; + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, From 1f2a93cf4b8f779da88a36e5c636db3dd481185e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:58 +0200 Subject: [PATCH 0464/1119] Prevent infinite loop in the ANM decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 39993860e1525ca5d1b07521865b7e9e1b294ed7) --- libavcodec/anm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/anm.c b/libavcodec/anm.c index 02244f70e1..8e40059576 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -79,6 +79,8 @@ static inline int op(uint8_t **dst, const uint8_t *dst_end, int striplen = FFMIN(count, remaining); if (buf) { striplen = FFMIN(striplen, buf_end - *buf); + if (*buf >= buf_end) + goto exhausted; memcpy(*dst, *buf, striplen); *buf += striplen; } else if (pixel >= 0) From df39708269f5c298dea08d63de37f701295a17d3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:44:59 +0200 Subject: [PATCH 0465/1119] Fix potential pointer arithmetic overflows in the Electronic Arts CMV decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit e9064c9ce8ed18c3a3aab61e58e663b8f5b0c551) --- libavcodec/eacmv.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 408d948812..35701caadd 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -56,7 +56,7 @@ static void cmv_decode_intra(CmvContext * s, const uint8_t *buf, const uint8_t * unsigned char *dst = s->frame.data[0]; int i; - for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) { + for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) { memcpy(dst, buf, s->avctx->width); dst += s->frame.linesize[0]; buf += s->avctx->width; @@ -88,7 +88,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * i = 0; for(y=0; yavctx->height/4; y++) - for(x=0; xavctx->width/4 && buf+iavctx->width/4 && buf_end - buf > i; x++) { if (buf[i]==0xFF) { unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4; if (raw+16=buf_end) { + if(buf_end - buf < 16) { av_log(s->avctx, AV_LOG_WARNING, "truncated header\n"); return; } @@ -139,7 +139,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t pal_count = AV_RL16(&buf[14]); buf += 16; - for (i=pal_start; i= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } From d950461f599241c770d29deea201d7438211dbbb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:00 +0200 Subject: [PATCH 0466/1119] Prevent NULL dereferences when missing the reference frame in the Electronic Arts CMV decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 113d7be62497c4e59db8f224fdb7f0a90cf17d03) --- libavcodec/eacmv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 35701caadd..6e3b51998a 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -110,9 +110,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } From e8fd4a43ba758adb9378afe2cde4a5b9d4bda357 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:01 +0200 Subject: [PATCH 0467/1119] Check for out of bound reads in the Electronic Arts CMV decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit a5d46235f3f70f0b620f8e54649ece45ecc5b170) --- libavcodec/eacmv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 6e3b51998a..4cd6a6fd1f 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -158,6 +158,9 @@ static int cmv_decode_frame(AVCodecContext *avctx, CmvContext *s = avctx->priv_data; const uint8_t *buf_end = buf + buf_size; + if (buf_end - buf < EA_PREAMBLE_SIZE) + return AVERROR_INVALIDDATA; + if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) { cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end); return buf_size; From 802045777afe0c04cc42ef11f59e273239faaa99 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:02 +0200 Subject: [PATCH 0468/1119] Fix out of bound reads due to integer overflow in the ADPCM IMA Electronic Arts EACS decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 346876ec168affe7c21be88d8f1acf1a75cc8409) --- libavcodec/adpcm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index ba312558b0..de7bc7a45b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1333,10 +1333,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, buf_size -= 128; } break; - case CODEC_ID_ADPCM_IMA_EA_EACS: + case CODEC_ID_ADPCM_IMA_EA_EACS: { + unsigned header_size = 4 + (8<> (1-st); - if (samples_in_chunk > buf_size-4-(8< buf_size - header_size) { src += buf_size - 4; break; } @@ -1351,6 +1352,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3); } break; + } case CODEC_ID_ADPCM_IMA_EA_SEAD: for (; src < buf+buf_size; src++) { *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6); From e0fb22cea9056afd30848d9d51e92f5ae24ea0f6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:04 +0200 Subject: [PATCH 0469/1119] Fix out of bound reads in the QDM2 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 491eaf35ae1f9b619441314bec33766e31580184) --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 6eb836456c..a6192e91c2 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1353,6 +1353,8 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * return; local_int_14 = (offset >> local_int_8); + if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table)) + return; if (q->nb_channels > 1) { channel = get_bits1(gb); From b08df314dca6946ed644caacb9d3a533a054c0f6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:05 +0200 Subject: [PATCH 0470/1119] Check for out of bound writes in the QDM2 decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7876c6e4e62e94d51e364ba99aae4da7671238) --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index a6192e91c2..1665c8daed 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1799,6 +1799,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); extradata += 4; + if (s->channels > MPA_MAX_CHANNELS) + return AVERROR_INVALIDDATA; avctx->sample_rate = AV_RB32(extradata); extradata += 4; @@ -1820,6 +1822,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2) + return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); From f144a70d6011a71fe6a48ce1b67791301be9b788 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:03 +0200 Subject: [PATCH 0471/1119] Fix out of bound reads/writes in the TIFF decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 5ca5d432e028ffdd4067b87aed6702168c3207b6) --- libavcodec/tiff.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c54eaee346..ed01b70147 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -170,6 +170,8 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin } switch(s->compr){ case TIFF_RAW: + if (ssrc + size - src < width) + return AVERROR_INVALIDDATA; if (!s->fill_order) { memcpy(dst, src, width); } else { @@ -277,6 +279,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * uint32_t *pal; const uint8_t *rp, *gp, *bp; + if (end_buf - buf < 12) + return -1; tag = tget_short(&buf, s->le); type = tget_short(&buf, s->le); count = tget_long(&buf, s->le); @@ -336,7 +340,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_SHORT: case TIFF_LONG: s->bpp = 0; - for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le); + for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le); break; default: s->bpp = -1; @@ -450,6 +454,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_PAL: pal = (uint32_t *) s->palette; off = type_sizes[type]; + if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3) + return -1; rp = buf; gp = buf + count / 3 * off; bp = buf + count / 3 * off * 2; @@ -493,12 +499,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p= (AVFrame*)&s->picture; const uint8_t *orig_buf = buf, *end_buf = buf + buf_size; - int id, le, off, ret; + unsigned off; + int id, le, ret; int i, j, entries; - int stride, soff, ssize; + int stride; + unsigned soff, ssize; uint8_t *dst; //parse image header + if (end_buf - buf < 8) + return AVERROR_INVALIDDATA; id = AV_RL16(buf); buf += 2; if(id == 0x4949) le = 1; else if(id == 0x4D4D) le = 0; @@ -518,9 +528,9 @@ static int decode_frame(AVCodecContext *avctx, } /* parse image file directory */ off = tget_long(&buf, le); - if(orig_buf + off + 14 >= end_buf){ + if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); - return -1; + return AVERROR_INVALIDDATA; } buf = orig_buf + off; entries = tget_short(&buf, le); @@ -544,23 +554,23 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[0]; dst = p->data[0]; for(i = 0; i < s->height; i += s->rps){ - if(s->stripsizes) + if(s->stripsizes) { + if (s->stripsizes >= end_buf) + return AVERROR_INVALIDDATA; ssize = tget(&s->stripsizes, s->sstype, s->le); - else + } else ssize = s->stripsize; - if (ssize > buf_size) { - av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n"); - return -1; - } - if(s->stripdata){ + if (s->stripdata >= end_buf) + return AVERROR_INVALIDDATA; soff = tget(&s->stripdata, s->sot, s->le); }else soff = s->stripoff; - if (soff < 0) { - av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff); - return AVERROR(EINVAL); + + if (soff > buf_size || ssize > buf_size - soff) { + av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n"); + return -1; } if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0) break; From 00f6cbb53df64a3a730d9c841dddb534ba562d53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 03:16:32 +0200 Subject: [PATCH 0472/1119] vf_scale.c: propagate error code Signed-off-by: Michael Niedermayer (cherry picked from commit 8447703c16b9e6fdc48ce92553ec1cfa2e359b84) --- libavfilter/vf_scale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index ba8f9e1e82..8f2f1d5f52 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -229,7 +229,7 @@ static int config_props(AVFilterLink *outlink) scale->isws[1] = sws_getContext(inlink ->w, inlink ->h/2, inlink ->format, outlink->w, outlink->h/2, outlink->format, scale->flags, NULL, NULL, NULL); - if (!scale->sws) + if (!scale->sws || !scale->isws[0] || !scale->isws[1]) return AVERROR(EINVAL); if (inlink->sample_aspect_ratio.num){ From 80331265cafe2e331fb47350e00b661eccbe6970 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 03:48:33 +0200 Subject: [PATCH 0473/1119] avienc: Add a limit on the number of skiped frames muxed in a row. Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb9e39c41959961bdb5a1fd51cdd25e10c050f3) --- libavformat/avienc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/avienc.c b/libavformat/avienc.c index deff1c8d20..1c8eedad09 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -523,6 +523,11 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt) while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count){ AVPacket empty_packet; + if(pkt->dts - avist->packet_count > 60000){ + av_log(s, AV_LOG_ERROR, "Too large number of skiped frames %Ld\n", pkt->dts - avist->packet_count); + return AVERROR(EINVAL); + } + av_init_packet(&empty_packet); empty_packet.size= 0; empty_packet.data= NULL; From 77a7092d1c22fc49a26514c1e7a36d6a971707d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 22:28:16 +0200 Subject: [PATCH 0474/1119] fate: fix motion pixels checksum change caused by backported bugfix Signed-off-by: Michael Niedermayer --- tests/ref/fate/motionpixels | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index 30651e92c6..70413880f8 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels @@ -109,4 +109,4 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x16f9aad8 +0, 666003, 230400, 0x009f4640 From 2cd7580ab51b6173f516d9658949ae3da8601039 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 22:12:01 +0200 Subject: [PATCH 0475/1119] Remove Chnagelog it has nothing to do with reality Signed-off-by: Michael Niedermayer --- Changelog | 764 ------------------------------------------------------ 1 file changed, 764 deletions(-) delete mode 100644 Changelog diff --git a/Changelog b/Changelog deleted file mode 100644 index 7360b67eed..0000000000 --- a/Changelog +++ /dev/null @@ -1,764 +0,0 @@ -Entries are sorted chronologically from oldest to youngest within each release, -releases are sorted from youngest to oldest. - -version 0.7.2: - -- check buffer and input values in various parts of the code: - H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV, - cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf, - Matroska (CVE-2011-3504), RV10, RV30/RV40 -- memory leaks: vf_scale, eval - -- ARM: workaround for bug in GNU assembler -- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28) -- Reintroduce AVInputStream.nb_streams to avoid crashes -- aac: Only output configure if audio was found -- aac: Remove some suspicious illegal memcpy()s from LTP -- aacps: skip some memcpy() if src and dst would be equal -- adts: fix PCE copying -- alsa: fallback to buffer_size/4 for period_size -- alsa: limit buffer_size to 32768 frames -- cljr, indeo2: init_get_bits size in bits instead of bytes -- configure: add missing CFLAGS to fix building on the HURD -- dca: set AVCodecContext frame_size for DTS audio -- fate: allow testing with libavfilter disabled -- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps -- h264: correct implicit weight table computation for long ref pics -- h264: correct the check for invalid long term frame index in MMCO decode -- h264: fix PCM intra-coded blocks in monochrome case -- jpegdec: actually search for and parse RSTn -- lavc: fix type for thread_type option -- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails -- lavf: do not set codec_tag for rawvideo -- libx264: do not set pic quality if no frame is output -- movenc: create an alternate group for each media type -- mpegts: fix Continuity Counter error detection -- mxfenc: fix ignored drop flag in binary timecode representation -- fix crashes in 32-bit PIC builds (cf e.g. http://bugs.debian.org/639948) -- ppc64: fix cast related random failures -- riff: Add mpgv MPEG-2 fourcc -- swscale: don't use planar output functions to write to NV12/21 -- vc1: properly zero coded_block[] edges on new slice entry -- vp3/theora: flush after seek - -- various bug other fixes - - -version 0.7.1: - -- added various additional FOURCC codec identifiers -- H.264 4:4:4 fixes -- build system and compilation fixes -- Doxygen and general documentation corrections and improvements -- fixed segfault in ffprobe -- behavioral fix in av_open_input_stream() -- Licensing clarification for LGPL'ed vf_gradfun -- bugfixes while seeking in multithreaded decoding -- support newer versions of OpenCV -- ffmpeg: fix operation with --disable-avfilter -- fixed integer underflow in matroska decoder - - -version 0.7: - -- many many things we forgot because we rather write code than changelogs -- libmpcodecs video filter support (3 times as many filters than before) -- mpeg2 aspect ratio dection fixed -- libxvid aspect pickiness fixed -- Frame multithreaded decoding -- E-AC-3 audio encoder -- ac3enc: add channel coupling support -- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders -- H.264/MPEG frame-level multithreading -- av_metadata_* functions renamed to av_dict_* and moved to libavutil -- 4:4:4 H.264 decoding support -- 10-bit H.264 optimizations for x86 -- lut, lutrgb, and lutyuv filters added -- buffersink libavfilter sink added -- bump libswscale for recently reported ABI break - - -version 0.7_beta2: - -- VP8 frame-level multithreading -- NEON optimizations for VP8 -- removed a lot of deprecated API cruft -- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors -- showinfo filter added -- DPX image encoder -- SMPTE 302M AES3 audio decoder -- Apple Core Audio Format muxer -- 9bit and 10bit per sample support in the H.264 decoder -- 9bit and 10bit FFV1 encoding / decoding -- split filter added -- select filter added -- sdl output device added - - -version 0.7_beta1: - -- WebM support in Matroska de/muxer -- low overhead Ogg muxing -- MMS-TCP support -- VP8 de/encoding via libvpx -- Demuxer for On2's IVF format -- Pictor/PC Paint decoder -- HE-AAC v2 decoder -- HE-AAC v2 encoding with libaacplus -- libfaad2 wrapper removed -- DTS-ES extension (XCh) decoding support -- native VP8 decoder -- RTSP tunneling over HTTP -- RTP depacketization of SVQ3 -- -strict inofficial replaced by -strict unofficial -- ffplay -exitonkeydown and -exitonmousedown options added -- native GSM / GSM MS decoder -- RTP depacketization of QDM2 -- ANSI/ASCII art playback system -- Lego Mindstorms RSO de/muxer -- libavcore added -- SubRip subtitle file muxer and demuxer -- Chinese AVS encoding via libxavs -- ffprobe -show_packets option added -- RTP packetization of Theora and Vorbis -- RTP depacketization of MP4A-LATM -- RTP packetization and depacketization of VP8 -- hflip filter -- Apple HTTP Live Streaming demuxer -- a64 codec -- MMS-HTTP support -- G.722 ADPCM audio encoder/decoder -- R10k video decoder -- ocv_smooth filter -- frei0r wrapper filter -- change crop filter syntax to width:height:x:y -- make the crop filter accept parametric expressions -- make ffprobe accept AVFormatContext options -- yadif filter -- blackframe filter -- Demuxer for Leitch/Harris' VR native stream format (LXF) -- RTP depacketization of the X-QT QuickTime format -- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer -- cropdetect filter -- ffmpeg -crop* options removed -- transpose filter added -- ffmpeg -force_key_frames option added -- demuxer for receiving raw rtp:// URLs without an SDP description -- single stream LATM/LOAS decoder -- setpts filter added -- Win64 support for optimized x86 assembly functions -- MJPEG/AVI1 to JPEG/JFIF bitstream filter -- ASS subtitle encoder and decoder -- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough) -- overlay filter added -- rename aspect filter to setdar, and pixelaspect to setsar -- IEC 61937 demuxer -- Mobotix .mxg demuxer -- frei0r source added -- hqdn3d filter added -- RTP depacketization of QCELP -- FLAC parser added -- gradfun filter added -- AMR-WB decoder -- replace the ocv_smooth filter with a more generic ocv filter -- Windows Televison (WTV) demuxer -- FFmpeg metadata format muxer and demuxer -- SubRip (srt) subtitle encoder and decoder -- floating-point AC-3 encoder added -- Lagarith decoder -- ffmpeg -copytb option added -- IVF muxer added -- Wing Commander IV movies decoder added -- movie source added -- Bink version 'b' audio and video decoder -- Bitmap Brothers JV playback system -- Apple HTTP Live Streaming protocol handler -- sndio support for playback and record -- Linux framebuffer input device added -- Chronomaster DFA decoder -- DPX image encoder -- MicroDVD subtitle file muxer and demuxer -- Playstation Portable PMP format demuxer -- fieldorder video filter added -- AAC encoding via libvo-aacenc -- AMR-WB encoding via libvo-amrwbenc -- xWMA demuxer -- Mobotix MxPEG decoder - - -version 0.6: - -- PB-frame decoding for H.263 -- deprecated vhook subsystem removed -- deprecated old scaler removed -- VQF demuxer -- Alpha channel scaler -- PCX encoder -- RTP packetization of H.263 -- RTP packetization of AMR -- RTP depacketization of Vorbis -- CorePNG decoding support -- Cook multichannel decoding support -- introduced avlanguage helpers in libavformat -- 8088flex TMV demuxer and decoder -- per-stream language-tags extraction in asfdec -- V210 decoder and encoder -- remaining GPL parts in AC-3 decoder converted to LGPL -- QCP demuxer -- SoX native format muxer and demuxer -- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries -- DPX image decoder -- Electronic Arts Madcow decoder -- DivX (XSUB) subtitle encoder -- nonfree libamr support for AMR-NB/WB decoding/encoding removed -- experimental AAC encoder -- RTP depacketization of ASF and RTSP from WMS servers -- RTMP support in libavformat -- noX handling for OPT_BOOL X options -- Wave64 demuxer -- IEC-61937 compatible Muxer -- TwinVQ decoder -- Bluray (PGS) subtitle decoder -- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks) -- WMA Pro decoder -- Core Audio Format demuxer -- Atrac1 decoder -- MD STUDIO audio demuxer -- RF64 support in WAV demuxer -- MPEG-4 Audio Lossless Coding (ALS) decoder -- -formats option split into -formats, -codecs, -bsfs, and -protocols -- IV8 demuxer -- CDG demuxer and decoder -- R210 decoder -- Auravision Aura 1 and 2 decoders -- Deluxe Paint Animation playback system -- SIPR decoder -- Adobe Filmstrip muxer and demuxer -- RTP depacketization of H.263 -- Bink demuxer and audio/video decoders -- enable symbol versioning by default for linkers that support it -- IFF PBM/ILBM bitmap decoder -- concat protocol -- Indeo 5 decoder -- RTP depacketization of AMR -- WMA Voice decoder -- ffprobe tool -- AMR-NB decoder -- RTSP muxer -- HE-AAC v1 decoder -- Kega Game Video (KGV1) decoder -- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files -- RTP depacketization of Theora -- HTTP Digest authentication -- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp -- Psygnosis YOP demuxer and video decoder -- spectral extension support in the E-AC-3 decoder -- unsharp video filter -- RTP hinting in the mov/3gp/mp4 muxer -- Dirac in Ogg demuxing -- seek to keyframes in Ogg -- 4:2:2 and 4:4:4 Theora decoding -- 35% faster VP3/Theora decoding -- faster AAC decoding -- faster H.264 decoding -- RealAudio 1.0 (14.4K) encoder - - -version 0.5: - -- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer -- TechSmith Camtasia (TSCC) video decoder -- IBM Ultimotion (ULTI) video decoder -- Sierra Online audio file demuxer and decoder -- Apple QuickDraw (qdrw) video decoder -- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes) -- Electronic Arts Multimedia (WVE/UV2/etc.) file demuxer -- Miro VideoXL (VIXL) video decoder -- H.261 video encoder -- QPEG video decoder -- Nullsoft Video (NSV) file demuxer -- Shorten audio decoder -- LOCO video decoder -- Apple Lossless Audio Codec (ALAC) decoder -- Winnov WNV1 video decoder -- Autodesk Animator Studio Codec (AASC) decoder -- Indeo 2 video decoder -- Fraps FPS1 video decoder -- Snow video encoder/decoder -- Sonic audio encoder/decoder -- Vorbis audio decoder -- Macromedia ADPCM decoder -- Duck TrueMotion 2 video decoder -- support for decoding FLX and DTA extensions in FLIC files -- H.264 custom quantization matrices support -- ffserver fixed, it should now be usable again -- QDM2 audio decoder -- Real Cooker audio decoder -- TrueSpeech audio decoder -- WMA2 audio decoder fixed, now all files should play correctly -- RealAudio 14.4 and 28.8 decoders fixed -- JPEG-LS decoder -- build system improvements -- tabs and trailing whitespace removed from the codebase -- CamStudio video decoder -- AIFF/AIFF-C audio format, encoding and decoding -- ADTS AAC file reading and writing -- Creative VOC file reading and writing -- American Laser Games multimedia (*.mm) playback system -- Zip Motion Blocks Video decoder -- improved Theora/VP3 decoder -- True Audio (TTA) decoder -- AVS demuxer and video decoder -- JPEG-LS encoder -- Smacker demuxer and decoder -- NuppelVideo/MythTV demuxer and RTjpeg decoder -- KMVC decoder -- MPEG-2 intra VLC support -- MPEG-2 4:2:2 encoder -- Flash Screen Video decoder -- GXF demuxer -- Chinese AVS decoder -- GXF muxer -- MXF demuxer -- VC-1/WMV3/WMV9 video decoder -- MacIntel support -- AVISynth support -- VMware video decoder -- VP5 video decoder -- VP6 video decoder -- WavPack lossless audio decoder -- Targa (.TGA) picture decoder -- Vorbis audio encoder -- Delphine Software .cin demuxer/audio and video decoder -- Tiertex .seq demuxer/video decoder -- MTV demuxer -- TIFF picture encoder and decoder -- GIF picture decoder -- Intel Music Coder decoder -- Zip Motion Blocks Video encoder -- Musepack decoder -- Flash Screen Video encoder -- Theora encoding via libtheora -- BMP encoder -- WMA encoder -- GSM-MS encoder and decoder -- DCA decoder -- DXA demuxer and decoder -- DNxHD decoder -- Gamecube movie (.THP) playback system -- Blackfin optimizations -- Interplay C93 demuxer and video decoder -- Bethsoft VID demuxer and video decoder -- CRYO APC demuxer -- Atrac3 decoder -- V.Flash PTX decoder -- RoQ muxer, RoQ audio encoder -- Renderware TXD demuxer and decoder -- extern C declarations for C++ removed from headers -- sws_flags command line option -- codebook generator -- RoQ video encoder -- QTRLE encoder -- OS/2 support removed and restored again -- AC-3 decoder -- NUT muxer -- additional SPARC (VIS) optimizations -- Matroska muxer -- slice-based parallel H.264 decoding -- Monkey's Audio demuxer and decoder -- AMV audio and video decoder -- DNxHD encoder -- H.264 PAFF decoding -- Nellymoser ASAO decoder -- Beam Software SIFF demuxer and decoder -- libvorbis Vorbis decoding removed in favor of native decoder -- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1 -- Ogg (Theora, Vorbis and FLAC) muxer -- The "device" muxers and demuxers are now in a new libavdevice library -- PC Paintbrush PCX decoder -- Sun Rasterfile decoder -- TechnoTrend PVA demuxer -- Linux Media Labs MPEG-4 (LMLM4) demuxer -- AVM2 (Flash 9) SWF muxer -- QT variant of IMA ADPCM encoder -- VFW grabber -- iPod/iPhone compatible mp4 muxer -- Mimic decoder -- MSN TCP Webcam stream demuxer -- RL2 demuxer / decoder -- IFF demuxer -- 8SVX audio decoder -- non-recursive Makefiles -- BFI demuxer -- MAXIS EA XA (.xa) demuxer / decoder -- BFI video decoder -- OMA demuxer -- MLP/TrueHD decoder -- Electronic Arts CMV decoder -- Motion Pixels Video decoder -- Motion Pixels MVI demuxer -- removed animated GIF decoder/demuxer -- D-Cinema audio muxer -- Electronic Arts TGV decoder -- Apple Lossless Audio Codec (ALAC) encoder -- AAC decoder -- floating point PCM encoder/decoder -- MXF muxer -- DV100 AKA DVCPRO HD decoder and demuxer -- E-AC-3 support added to AC-3 decoder -- Nellymoser ASAO encoder -- ASS and SSA demuxer and muxer -- liba52 wrapper removed -- SVQ3 watermark decoding support -- Speex decoding via libspeex -- Electronic Arts TGQ decoder -- RV40 decoder -- QCELP / PureVoice decoder -- RV30 decoder -- hybrid WavPack support -- R3D REDCODE demuxer -- ALSA support for playback and record -- Electronic Arts TQI decoder -- OpenJPEG based JPEG 2000 decoder -- NC (NC4600) camera file demuxer -- Gopher client support -- MXF D-10 muxer -- generic metadata API -- flash ScreenVideo2 encoder - - -version 0.4.9-pre1: - -- DV encoder, DV muxer -- Microsoft RLE video decoder -- Microsoft Video-1 decoder -- Apple Animation (RLE) decoder -- Apple Graphics (SMC) decoder -- Apple Video (RPZA) decoder -- Cinepak decoder -- Sega FILM (CPK) file demuxer -- Westwood multimedia support (VQA & AUD files) -- Id Quake II CIN playback support -- 8BPS video decoder -- FLIC playback support -- RealVideo 2.0 (RV20) decoder -- Duck TrueMotion v1 (DUCK) video decoder -- Sierra VMD demuxer and video decoder -- MSZH and ZLIB decoder support -- SVQ1 video encoder -- AMR-WB support -- PPC optimizations -- rate distortion optimal cbp support -- rate distorted optimal ac prediction for MPEG-4 -- rate distorted optimal lambda->qp support -- AAC encoding with libfaac -- Sunplus JPEG codec (SP5X) support -- use Lagrange multipler instead of QP for ratecontrol -- Theora/VP3 decoding support -- XA and ADX ADPCM codecs -- export MPEG-2 active display area / pan scan -- Add support for configuring with IBM XLC -- floating point AAN DCT -- initial support for zygo video (not complete) -- RGB ffv1 support -- new audio/video parser API -- av_log() system -- av_read_frame() and av_seek_frame() support -- missing last frame fixes -- seek by mouse in ffplay -- noise reduction of DCT coefficients -- H.263 OBMC & 4MV support -- H.263 alternative inter vlc support -- H.263 loop filter -- H.263 slice structured mode -- interlaced DCT support for MPEG-2 encoding -- stuffing to stay above min_bitrate -- MB type & QP visualization -- frame stepping for ffplay -- interlaced motion estimation -- alternate scantable support -- SVCD scan offset support -- closed GOP support -- SSE2 FDCT -- quantizer noise shaping -- G.726 ADPCM audio codec -- MS ADPCM encoding -- multithreaded/SMP motion estimation -- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263 -- multithreaded/SMP decoding for MPEG-2 -- FLAC decoder -- Metrowerks CodeWarrior suppport -- H.263+ custom pcf support -- nicer output for 'ffmpeg -formats' -- Matroska demuxer -- SGI image format, encoding and decoding -- H.264 loop filter support -- H.264 CABAC support -- nicer looking arrows for the motion vector visualization -- improved VCD support -- audio timestamp drift compensation -- MPEG-2 YUV 422/444 support -- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample -- better image scaling -- H.261 support -- correctly interleave packets during encoding -- VIS optimized motion compensation -- intra_dc_precision>0 encoding support -- support reuse of motion vectors/MB types/field select values of the source video -- more accurate deblock filter -- padding support -- many optimizations and bugfixes -- FunCom ISS audio file demuxer and according ADPCM decoding - - -version 0.4.8: - -- MPEG-2 video encoding (Michael) -- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson) -- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson - and Mario Brito) -- Xan DPCM audio decoder (Mario Brito) -- Interplay MVE playback subsystem (Mike Melanson) -- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson) - - -version 0.4.7: - -- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. Author unknown, code from mplayerhq - (originally from public domain player for Amiga at http://www.honeypot.net/audio) -- current version now also compiles with older GCC (Fabrice) -- 4X multimedia playback system including 4xm file demuxer (Mike - Melanson), and 4X video and audio codecs (Michael) -- Creative YUV (CYUV) decoder (Mike Melanson) -- FFV1 codec (our very simple lossless intra only codec, compresses much better - than HuffYUV) (Michael) -- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various) -- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with - alpha support), JPEG YUV colorspace support. (Fabrice Bellard) -- ffplay has been replaced with a newer version which uses SDL (optionally) - for multiplatform support (Fabrice) -- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated - by anonymous -- AMR format has been added (Johannes Carlsson) -- 3GP support has been added (Johannes Carlsson) -- VP3 codec has been added (Mike Melanson) -- more MPEG-1/2 fixes -- better multiplatform support, MS Visual Studio fixes (various) -- AltiVec optimizations (Magnus Damn and others) -- SH4 processor support has been added (BERO) -- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick) -- VOB streaming support (Brian Foley) -- better MP3 autodetection (Andriy Rysin) -- qpel encoding (Michael) -- 4mv+b frames encoding finally fixed (Michael) -- chroma ME (Michael) -- 5 comparison functions for ME (Michael) -- B-frame encoding speedup (Michael) -- WMV2 codec (unfinished - Michael) -- user specified diamond size for EPZS (Michael) -- Playstation STR playback subsystem, still experimental (Mike and Michael) -- ASV2 codec (Michael) -- CLJR decoder (Alex) - -.. And lots more new enhancements and fixes. - - -version 0.4.6: - -- completely new integer only MPEG audio layer 1/2/3 decoder rewritten - from scratch -- Recoded DCT and motion vector search with gcc (no longer depends on nasm) -- fix quantization bug in AC3 encoder -- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues -- added prototype ffplay program -- added GOB header parsing on H.263/H.263+ decoder (Juanjo) -- bug fix on MCBPC tables of H.263 (Juanjo) -- bug fix on DC coefficients of H.263 (Juanjo) -- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo) -- now we can decode H.263 streams found in QuickTime files (Juanjo) -- now we can decode H.263 streams found in VIVO v1 files(Juanjo) -- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo) -- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo) -- now H.263 picture size is returned on the first decoded frame (Juanjo) -- added first regression tests -- added MPEG-2 TS demuxer -- new demux API for libav -- more accurate and faster IDCT (Michael) -- faster and entropy-controlled motion search (Michael) -- two pass video encoding (Michael) -- new video rate control (Michael) -- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael) -- great performance improvement of video encoders and decoders (Michael) -- new and faster bit readers and vlc parsers (Michael) -- high quality encoding mode: tries all macroblock/VLC types (Michael) -- added DV video decoder -- preliminary RTP/RTSP support in ffserver and libavformat -- H.263+ AIC decoding/encoding support (Juanjo) -- VCD MPEG-PS mode (Juanjo) -- PSNR stuff (Juanjo) -- simple stats output (Juanjo) -- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit) - - -version 0.4.5: - -- some header fixes (Zdenek Kabelac ) -- many MMX optimizations (Nick Kurshev ) -- added configure system (actually a small shell script) -- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by - Michael Hipp (temporary solution - waiting for integer only - decoder) -- fixed VIDIOCSYNC interrupt -- added Intel H.263 decoding support ('I263' AVI fourCC) -- added Real Video 1.0 decoding (needs further testing) -- simplified image formats again. Added PGM format (=grey - pgm). Renamed old PGM to PGMYUV. -- fixed msmpeg4 slice issues (tell me if you still find problems) -- fixed OpenDivX bugs with newer versions (added VOL header decoding) -- added support for MPlayer interface -- added macroblock skip optimization -- added MJPEG decoder -- added mmx/mmxext IDCT from libmpeg2 -- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer - ) -- added pixel format conversion layer (e.g. for MJPEG or PPM) -- added deinterlacing option -- MPEG-1/2 fixes -- MPEG-4 vol header fixes (Jonathan Marsden ) -- ARM optimizations (Lionel Ulmer ). -- Windows porting of file converter -- added MJPEG raw format (input/ouput) -- added JPEG image format support (input/output) - - -version 0.4.4: - -- fixed some std header definitions (Bjorn Lindgren - ). -- added MPEG demuxer (MPEG-1 and 2 compatible). -- added ASF demuxer -- added prototype RM demuxer -- added AC3 decoding (done with libac3 by Aaron Holtzman) -- added decoding codec parameter guessing (.e.g. for MPEG, because the - header does not include them) -- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now - play them (only tested video) -- fixed H.263 white bug -- fixed phase rounding in img resample filter -- add MMX code for polyphase img resample filter -- added CPU autodetection -- added generic title/author/copyright/comment string handling (ASF and RM - use them) -- added SWF demux to extract MP3 track (not usable yet because no MP3 - decoder) -- added fractional frame rate support -- codecs are no longer searched by read_header() (should fix ffserver - segfault) - - -version 0.4.3: - -- BGR24 patch (initial patch by Jeroen Vreeken ) -- fixed raw yuv output -- added motion rounding support in MPEG-4 -- fixed motion bug rounding in MSMPEG4 -- added B-frame handling in video core -- added full MPEG-1 decoding support -- added partial (frame only) MPEG-2 support -- changed the FOURCC code for H.263 to "U263" to be able to see the - +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with - this +codec ;) (JuanJo). -- Halfpel motion estimation after MB type selection (JuanJo) -- added pgm and .Y.U.V output format -- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or - output. -- added pgmpipe I/O format (original patch from Martin Aumueller - , but changed completely since we use a format - instead of a protocol) - - -version 0.4.2: - -- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support - (for OpenDivX) is almost complete: 8x8 MVs and rounding are - missing. MSMPEG4 support is complete. -- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it - can decode ffmpeg MPEGs :-)). -- added libavcodec API documentation (see apiexample.c). -- fixed image polyphase bug (the bottom of some images could be - greenish) -- added support for non clipped motion vectors (decoding only) - and image sizes non-multiple of 16 -- added support for AC prediction (decoding only) -- added file overwrite confirmation (can be disabled with -y) -- added custom size picture to H.263 using H.263+ (Juanjo) - - -version 0.4.1: - -- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec - of AVI and ASF to DIV3. -- added -me option to set motion estimation method - (default=log). suppressed redundant -hq option. -- added options -acodec and -vcodec to force a given codec (useful for - AVI for example) -- fixed -an option -- improved dct_quantize speed -- factorized some motion estimation code - - -version 0.4.0: - -- removing grab code from ffserver and moved it to ffmpeg. Added - multistream support to ffmpeg. -- added timeshifting support for live feeds (option ?date=xxx in the - URL) -- added high quality image resize code with polyphase filter (need - mmx/see optimization). Enable multiple image size support in ffserver. -- added multi live feed support in ffserver -- suppressed master feature from ffserver (it should be done with an - external program which opens the .ffm url and writes it to another - ffserver) -- added preliminary support for video stream parsing (WAV and AVI half - done). Added proper support for audio/video file conversion in - ffmpeg. -- added preliminary support for video file sending from ffserver -- redesigning I/O subsystem: now using URL based input and output - (see avio.h) -- added WAV format support -- added "tty user interface" to ffmpeg to stop grabbing gracefully -- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences) - (Juan J. Sierralta P. a.k.a. "Juanjo" ) -- added MMX DCT from mpeg2_movie 1.5 (Juanjo) -- added new motion estimation algorithms, log and phods (Juanjo) -- changed directories: libav for format handling, libavcodec for - codecs - - -version 0.3.4: - -- added stereo in MPEG audio encoder - - -version 0.3.3: - -- added 'high quality' mode which use motion vectors. It can be used in - real time at low resolution. -- fixed rounding problems which caused quality problems at high - bitrates and large GOP size - - -version 0.3.2: small fixes - -- ASF fixes -- put_seek bug fix - - -version 0.3.1: added avi/divx support - -- added AVI support -- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec -- added sound for flash format (not tested) - - -version 0.3: initial public release From 3e0dbb8a7ed118308cdddac803063b2cd09de37b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 00:45:41 +0200 Subject: [PATCH 0476/1119] h264: set unused ref_counts to 0 as a precautionary meassure. Signed-off-by: Michael Niedermayer (cherry picked from commit 3af2de76ac8b7aa762e4ee129ec29140e6247d81) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9c7bf24b5f..a889f422e1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2901,7 +2901,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else h->list_count= 1; }else - h->list_count= 0; + h->ref_count[1]= h->ref_count[0]= h->list_count= 0; if(!default_ref_list_done){ ff_h264_fill_default_ref_list(h); From 86491c5dbc160a10926aa1cf4fa36864b09dfb31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 00:47:54 +0200 Subject: [PATCH 0477/1119] h264: increase ref_poc size to 32 as it can be per field. Signed-off-by: Michael Niedermayer (cherry picked from commit 8c851ef5a81fb0429453c43fdcfc974ce1b6e447) --- libavcodec/mpegvideo.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 0b233d0a20..1b8483f9d5 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -123,7 +123,7 @@ typedef struct Picture{ int pic_id; /**< h264 pic_num (short -> no wrap version of pic_num, pic_num & max_pic_num; long -> long_pic_num) */ int long_ref; ///< 1->long term reference 0->short term reference - int ref_poc[2][2][16]; ///< h264 POCs of the frames used as reference (FIXME need per slice) + int ref_poc[2][2][32]; ///< h264 POCs of the frames/fields used as reference (FIXME need per slice) int ref_count[2][2]; ///< number of entries in ref_poc (FIXME need per slice) int mbaff; ///< h264 1 -> MBAFF frame 0-> not MBAFF int field_picture; ///< whether or not the picture was encoded in seperate fields From 2e342df4a266f903084a5f705c7f2932e79067de Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:26 +0200 Subject: [PATCH 0478/1119] Fix use of uninitialized memory in 4X Technologies demuxer. Signed-off-by: Michael Niedermayer (cherry picked from commit a1876e0072aa0c69f037e0cafaca1a54bf2e189b) --- libavformat/4xm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 0a314dc089..e3b696d57b 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -172,14 +172,16 @@ static int fourxm_read_header(AVFormatContext *s, goto fail; } if (current_track + 1 > fourxm->track_count) { - fourxm->track_count = current_track + 1; fourxm->tracks = av_realloc_f(fourxm->tracks, sizeof(AudioTrack), - fourxm->track_count); + current_track + 1); if (!fourxm->tracks) { ret= AVERROR(ENOMEM); goto fail; } + memset(&fourxm->tracks[fourxm->track_count], 0, + sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count)); + fourxm->track_count = current_track + 1; } fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); From 535112b3658c21d1f9c4d2b44689342a32ff6eea Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:28 +0200 Subject: [PATCH 0479/1119] Prevent NULL dereference when the huffman table is invalid in the 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 4a8ff0636d67c6df059f2ae2df49ad1181de14ca) --- libavcodec/4xm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index d89b494b09..1ec64ae3e0 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -601,9 +601,10 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const len_tab[j]= len; } - init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, - len_tab , 1, 1, - bits_tab, 4, 4, 0); + if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, + len_tab , 1, 1, + bits_tab, 4, 4, 0)) + return NULL; return ptr; } From d2a276a3fd7b34583ee7e8e7ec4c8fb85791c674 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:31 +0200 Subject: [PATCH 0480/1119] Fix the check for missing references in ff_er_frame_end() for H264. Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index d6ac81f009..0e410f96e8 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -660,7 +660,7 @@ static int is_intra_more_likely(MpegEncContext *s){ if(s->codec_id == CODEC_ID_H264){ H264Context *h= (void*)s; - if(h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0]) + if (h->list_count <= 0 || h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0]) return 1; } From f421b534007ad791df593208d7998d07500a666e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:30 +0200 Subject: [PATCH 0481/1119] Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffers used in 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 90a69b2f61cbd2d58723d712bdf283e5e56b2ea2) --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 1ec64ae3e0..29cab37ada 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -399,6 +399,7 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4); + memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); @@ -680,6 +681,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4); + memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size); f->last_dc= 0*128*8*8; From 64a9004d0771473b10655a3779b63e4e64505aa7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:32 +0200 Subject: [PATCH 0482/1119] Check for out of bound reads in PTX decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 581898ae882dc37967b689b6ea5f2b2a9acd257a) --- libavcodec/ptx.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index 3273fd2f8e..756dbcd58b 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c @@ -39,12 +39,15 @@ static av_cold int ptx_init(AVCodecContext *avctx) { static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; PTXContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; unsigned int offset, w, h, y, stride, bytes_per_pixel; uint8_t *ptr; + if (buf_end - buf < 14) + return AVERROR_INVALIDDATA; offset = AV_RL16(buf); w = AV_RL16(buf+8); h = AV_RL16(buf+10); @@ -57,6 +60,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->pix_fmt = PIX_FMT_RGB555; + + if (buf_end - buf < offset) + return AVERROR_INVALIDDATA; if (offset != 0x2c) av_log_ask_for_sample(avctx, "offset != 0x2c\n"); @@ -80,6 +86,8 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, stride = p->linesize[0]; for (y=0; y Date: Sat, 1 Oct 2011 00:43:05 +0200 Subject: [PATCH 0483/1119] Prevent block size from inreasing in the shorten decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit b399cbfba5d901608c18e1a2d48a24c30541a634) --- libavcodec/shorten.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5e599fd504..4c1abe8e4c 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -483,9 +483,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, case FN_BITSHIFT: s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; - case FN_BLOCKSIZE: - s->blocksize = get_uint(s, av_log2(s->blocksize)); + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; + } + s->blocksize = blocksize; break; + } case FN_QUIT: *data_size = 0; return buf_size; From 2c282e96796039b73f0a4b42c97a4432ec51fcd4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:38:27 +0200 Subject: [PATCH 0484/1119] Check for out of bound accesses in the 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit 9c661e952fbcbf044709f9a7031c68cc4860336b) --- libavcodec/4xm.c | 59 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 29cab37ada..7b5df62a43 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -133,7 +133,9 @@ typedef struct FourXContext{ GetBitContext pre_gb; ///< ac/dc prefix GetBitContext gb; const uint8_t *bytestream; + const uint8_t *bytestream_end; const uint16_t *wordstream; + const uint16_t *wordstream_end; int mv[256]; VLC pre_vlc; int last_dc; @@ -328,6 +330,8 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo assert(code>=0 && code<=6); if(code == 0){ + if (f->bytestream_end - f->bytestream < 1) + return; src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); @@ -345,15 +349,23 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo }else if(code == 3 && f->version<2){ mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ + if (f->bytestream_end - f->bytestream < 1) + return; src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; } + if (f->wordstream_end - f->wordstream < 1) + return; mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++)); }else if(code == 5){ + if (f->wordstream_end - f->wordstream < 1) + return; mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++)); }else if(code == 6){ + if (f->wordstream_end - f->wordstream < 2) + return; if(log2w){ dst[0] = av_le2ne16(*f->wordstream++); dst[1] = av_le2ne16(*f->wordstream++); @@ -375,6 +387,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ if(f->version>1){ extra=20; + if (length < extra) + return -1; bitstream_size= AV_RL32(buf+8); wordstream_size= AV_RL32(buf+12); bytestream_size= AV_RL32(buf+16); @@ -385,11 +399,10 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0); } - if(bitstream_size+ bytestream_size+ wordstream_size + extra != length - || bitstream_size > (1<<26) - || bytestream_size > (1<<26) - || wordstream_size > (1<<26) - ){ + if (bitstream_size > length || + bytestream_size > length - bitstream_size || + wordstream_size > length - bytestream_size - bitstream_size || + extra > length - bytestream_size - bitstream_size - wordstream_size){ av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size, bitstream_size+ bytestream_size+ wordstream_size - length); return -1; @@ -403,7 +416,9 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); + f->wordstream_end= f->wordstream + wordstream_size/2; f->bytestream= buf + extra + bitstream_size + wordstream_size; + f->bytestream_end = f->bytestream + bytestream_size; init_mv(f); @@ -532,7 +547,7 @@ static int decode_i_mb(FourXContext *f){ return 0; } -static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){ +static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){ int frequency[512]; uint8_t flag[512]; int up[512]; @@ -540,6 +555,7 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const int bits_tab[257]; int start, end; const uint8_t *ptr= buf; + const uint8_t *ptr_end = buf + buf_size; int j; memset(frequency, 0, sizeof(frequency)); @@ -550,6 +566,8 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const for(;;){ int i; + if (start <= end && ptr_end - ptr < end - start + 1 + 1) + return NULL; for(i=start; i<=end; i++){ frequency[i]= *ptr++; } @@ -623,10 +641,13 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ const int height= f->avctx->height; uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; + const uint8_t *buf_end = buf + length; for(y=0; ycurrent_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; const unsigned int bitstream_size= AV_RL32(buf); - const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); - unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); - const uint8_t *prestream= buf + bitstream_size + 12; + unsigned int prestream_size; + const uint8_t *prestream; - if(prestream_size + bitstream_size + 12 != length - || bitstream_size > (1<<26) - || prestream_size > (1<<26)){ + if (bitstream_size > (1<<26) || length < bitstream_size + 12) + return -1; + prestream_size = 4*AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; + + if (prestream_size > (1<<26) || + prestream_size != length - (bitstream_size + 12)){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); return -1; } - prestream= read_huffman_tables(f, prestream); + prestream= read_huffman_tables(f, prestream, buf + length - prestream); + if (!prestream) + return -1; init_get_bits(&f->gb, buf + 4, 8*bitstream_size); @@ -713,6 +739,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, temp; int i, frame_4cc, frame_size; + if (buf_size < 12) + return AVERROR_INVALIDDATA; frame_4cc= AV_RL32(buf); if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4)); @@ -725,6 +753,9 @@ static int decode_frame(AVCodecContext *avctx, const int whole_size= AV_RL32(buf+16); CFrameBuffer *cfrm; + if (data_size < 0 || whole_size < 0) + return AVERROR_INVALIDDATA; + for(i=0; icfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id); @@ -741,6 +772,8 @@ static int decode_frame(AVCodecContext *avctx, } cfrm= &f->cfrm[i]; + if (data_size > UINT_MAX - cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE); if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL av_log(f->avctx, AV_LOG_ERROR, "realloc falure"); From 54a1e7b0f28ad4d5d9d50969df2cf786a9aa7e27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 03:39:59 +0200 Subject: [PATCH 0485/1119] 4xm decoder: print some error messages in case of errors. Signed-off-by: Michael Niedermayer (cherry picked from commit 1008f639e2ebaa2b3d48ac765ca49c8869042d75) --- libavcodec/4xm.c | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 7b5df62a43..92717d0fef 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -330,8 +330,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo assert(code>=0 && code<=6); if(code == 0){ - if (f->bytestream_end - f->bytestream < 1) + if (f->bytestream_end - f->bytestream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); return; + } src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); @@ -349,23 +351,31 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo }else if(code == 3 && f->version<2){ mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ - if (f->bytestream_end - f->bytestream < 1) + if (f->bytestream_end - f->bytestream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n"); return; + } src += f->mv[ *f->bytestream++ ]; if(start > src || src > end){ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); return; } - if (f->wordstream_end - f->wordstream < 1) + if (f->wordstream_end - f->wordstream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); return; + } mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++)); }else if(code == 5){ - if (f->wordstream_end - f->wordstream < 1) + if (f->wordstream_end - f->wordstream < 1){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); return; + } mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++)); }else if(code == 6){ - if (f->wordstream_end - f->wordstream < 2) + if (f->wordstream_end - f->wordstream < 2){ + av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n"); return; + } if(log2w){ dst[0] = av_le2ne16(*f->wordstream++); dst[1] = av_le2ne16(*f->wordstream++); @@ -753,8 +763,10 @@ static int decode_frame(AVCodecContext *avctx, const int whole_size= AV_RL32(buf+16); CFrameBuffer *cfrm; - if (data_size < 0 || whole_size < 0) + if (data_size < 0 || whole_size < 0){ + av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); return AVERROR_INVALIDDATA; + } for(i=0; icfrm[i].id && f->cfrm[i].id < avctx->frame_number) @@ -817,12 +829,16 @@ static int decode_frame(AVCodecContext *avctx, if(frame_4cc == AV_RL32("ifr2")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i2_frame(f, buf-4, frame_size) < 0) + if(decode_i2_frame(f, buf-4, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("ifrm")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i_frame(f, buf, frame_size) < 0) + if(decode_i_frame(f, buf, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode i frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){ if(!f->last_picture.data[0]){ f->last_picture.reference= 1; @@ -833,8 +849,10 @@ static int decode_frame(AVCodecContext *avctx, } p->pict_type= AV_PICTURE_TYPE_P; - if(decode_p_frame(f, buf, frame_size) < 0) + if(decode_p_frame(f, buf, frame_size) < 0){ + av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n"); return -1; + } }else if(frame_4cc == AV_RL32("snd_")){ av_log(avctx, AV_LOG_ERROR, "ignoring snd_ chunk length:%d\n", buf_size); }else{ From 55a070870facd6bc72f9b943baba2833ce24f075 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 03:40:26 +0200 Subject: [PATCH 0486/1119] 4xm decoder: fix data size for i2 frames. Signed-off-by: Michael Niedermayer (cherry picked from commit 0a19b4b0bae772cac7f8341e94c319c96356ee69) --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 92717d0fef..98169fd8ab 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -829,7 +829,7 @@ static int decode_frame(AVCodecContext *avctx, if(frame_4cc == AV_RL32("ifr2")){ p->pict_type= AV_PICTURE_TYPE_I; - if(decode_i2_frame(f, buf-4, frame_size) < 0){ + if(decode_i2_frame(f, buf-4, frame_size+4) < 0){ av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n"); return -1; } From 6b998720b29b5fd1c94b01903b0d05c1141fb0c2 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 02:04:45 +0200 Subject: [PATCH 0487/1119] Reject video with non multiple of 16 width/height in the 4xm decoder. Signed-off-by: Michael Niedermayer (cherry picked from commit db5b4875514eb7740844f514dbf236c9179a6a93) --- libavcodec/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 98169fd8ab..7344f4cd1f 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -885,6 +885,10 @@ static av_cold int decode_init(AVCodecContext *avctx){ av_log(avctx, AV_LOG_ERROR, "extradata wrong or missing\n"); return 1; } + if((avctx->width % 16) || (avctx->height % 16)) { + av_log(avctx, AV_LOG_ERROR, "unsupported width/height\n"); + return AVERROR_INVALIDDATA; + } avcodec_get_frame_defaults(&f->current_picture); avcodec_get_frame_defaults(&f->last_picture); From cf0052931d5776eafacd7771bc9c40da86e31b09 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 16:06:37 +0200 Subject: [PATCH 0488/1119] h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors. Signed-off-by: Michael Niedermayer (cherry picked from commit 2428b53f6d306d8d71dec34fa7b0af733d76cfac) --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index a889f422e1..dcca6bd73c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2907,8 +2907,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ff_h264_fill_default_ref_list(h); } - if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) + if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) { + h->ref_count[1]= h->ref_count[0]= 0; return -1; + } if(h->slice_type_nos!=AV_PICTURE_TYPE_I){ s->last_picture_ptr= &h->ref_list[0][0]; From bfd7238adbec83981ddd259e26e9e8f90d78f472 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 16:06:38 +0200 Subject: [PATCH 0489/1119] h264: fix the check for invalid SPS:num_ref_frames. This patch set the limit to 16. For information, thoses previous commits: 41f7e2d11d2dca23842ee89d530ca9fa15cec9d8 5cbb0e70a0a2ee99eb3cb09e837b9a1f7355b9bc assumed it was either 30 or 32. Signed-off-by: Michael Niedermayer (cherry picked from commit bcf881a6858760ecbd9ff4352a38813dc4232dd6) --- libavcodec/h264_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 61fb12ce0c..4bb02e0948 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -365,7 +365,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->ref_frame_count= get_ue_golomb_31(&s->gb); - if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){ + if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){ av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n"); goto fail; } From 46edabac3c97669d491016903d0f9014692dfcaa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 18:29:30 +0200 Subject: [PATCH 0490/1119] h264: add entries for 11 and 12 bits in ff_h264_chroma_qp[][] Signed-off-by: Michael Niedermayer (cherry picked from commit 27d3361e34cf19ad5c0bfb7cfacae0db99b26064) --- libavcodec/h264.h | 4 ++-- libavcodec/h264_ps.c | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 822ba0271a..5b07f3775d 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -101,7 +101,7 @@ */ #define DELAYED_PIC_REF 4 -#define QP_MAX_NUM (51 + 2*6) // The maximum supported qp +#define QP_MAX_NUM (51 + 4*6) // The maximum supported qp /* NAL unit types */ enum { @@ -584,7 +584,7 @@ typedef struct H264Context{ }H264Context; -extern const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1]; ///< One chroma qp table for each supported bit depth (8, 9, 10). +extern const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1]; ///< One chroma qp table for each possible bit depth (8-12). /** * Decode SEI diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4bb02e0948..4342c4b1ec 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -70,7 +70,7 @@ static const AVRational pixel_aspect[17]={ QP(37,d), QP(37,d), QP(37,d), QP(38,d), QP(38,d), QP(38,d),\ QP(39,d), QP(39,d), QP(39,d), QP(39,d) -const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = { +const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1] = { { CHROMA_QP_TABLE_END(8) }, @@ -83,6 +83,19 @@ const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = { 6, 7, 8, 9, 10, 11, CHROMA_QP_TABLE_END(10) }, + { + 0, 1, 2, 3, 4, 5, + 6, 7, 8, 9, 10, 11, + 12,13,14,15, 16, 17, + CHROMA_QP_TABLE_END(11) + }, + { + 0, 1, 2, 3, 4, 5, + 6, 7, 8, 9, 10, 11, + 12,13,14,15, 16, 17, + 18,19,20,21, 22, 23, + CHROMA_QP_TABLE_END(12) + }, }; static const uint8_t default_scaling4[2][16]={ From efedf09378e82cc75d56e881842c5bf14b2c9d05 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 18:29:31 +0200 Subject: [PATCH 0491/1119] h264: check for invalid bit depth value. Signed-off-by: Michael Niedermayer (cherry picked from commit c2b7f7748be447e1446f63b13da472ba7e00f329) --- libavcodec/h264_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4342c4b1ec..423f54b324 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -346,6 +346,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->residual_color_transform_flag = get_bits1(&s->gb); sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; + if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) { + av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", + sps->bit_depth_luma, sps->bit_depth_chroma); + goto fail; + } sps->transform_bypass = get_bits1(&s->gb); decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8); }else{ From b89a0c9d7f4c4a23d709761033ad5e2f9c2881fa Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 21:07:41 +0200 Subject: [PATCH 0492/1119] h264: fix intra 16x16 mode check when using mbaff and constrained_intra_pred. Signed-off-by: Michael Niedermayer (cherry picked from commit a4fd95b5d511384ed3ce388d8d20a16b1c4c0530) --- libavcodec/h264.c | 26 ++++++++++++++++++++------ libavcodec/h264.h | 7 ++++++- libavcodec/h264_cabac.c | 4 ++-- libavcodec/h264_cavlc.c | 4 ++-- libavcodec/svq3.c | 4 ++-- 5 files changed, 32 insertions(+), 13 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index dcca6bd73c..bab032b300 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -106,12 +106,9 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){ } return 0; -} //FIXME cleanup like ff_h264_check_intra_pred_mode +} //FIXME cleanup like check_intra_pred_mode -/** - * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. - */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ +static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){ MpegEncContext * const s = &h->s; static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1}; static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8}; @@ -131,7 +128,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ if((h->left_samples_available&0x8080) != 0x8080){ mode= left[ mode ]; - if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred + if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8); } if(mode<0){ @@ -143,6 +140,23 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ return mode; } +/** + * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode) +{ + return check_intra_pred_mode(h, mode, 0); +} + +/** + * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode) +{ + return check_intra_pred_mode(h, mode, 1); +} + + const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){ int i, si, di; uint8_t *dst; diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 5b07f3775d..0a380e03c1 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -658,7 +658,12 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h); /** * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode); +int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode); + +/** + * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. + */ +int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode); void ff_h264_write_back_intra_pred_mode(H264Context *h); void ff_h264_hl_decode_mb(H264Context *h); diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 3975a61699..7aaecf3c2e 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2003,14 +2003,14 @@ decode_intra_mb: ff_h264_write_back_intra_pred_mode(h); if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1; } else { - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode ); + h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode ); if( h->intra16x16_pred_mode < 0 ) return -1; } if(decode_chroma){ h->chroma_pred_mode_table[mb_xy] = pred_mode = decode_cabac_mb_chroma_pre_mode( h ); - pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode ); + pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode ); if( pred_mode < 0 ) return -1; h->chroma_pred_mode= pred_mode; } else { diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 0ddc430661..92cae7fa93 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -735,12 +735,12 @@ decode_intra_mb: if( ff_h264_check_intra4x4_pred_mode(h) < 0) return -1; }else{ - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode); + h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode); if(h->intra16x16_pred_mode < 0) return -1; } if(decode_chroma){ - pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb)); + pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb)); if(pred_mode < 0) return -1; h->chroma_pred_mode= pred_mode; diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index e5c18c59c2..812ac962f2 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3*(dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){ + if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){ av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); return -1; } @@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) s->current_picture.mb_type[mb_xy] = mb_type; if (IS_INTRA(mb_type)) { - h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8); + h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8); } return 0; From b38b6b27981aa13b5fad9b540b1ff6a7b3e8d04a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 22:01:44 +0200 Subject: [PATCH 0493/1119] Update for 0.7.6 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index bcb13563a5..24ceb58ecd 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.5 +PROJECT_NUMBER = 0.7.6 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 8bd6ba8c5c..c006218557 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.5 +0.7.6 diff --git a/VERSION b/VERSION index 8bd6ba8c5c..c006218557 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.5 +0.7.6 From 09d8f515b90d8acd71b4b897622927287e863346 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Oct 2011 22:02:45 +0200 Subject: [PATCH 0494/1119] Update for 0.8.5 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 4f45f3417e..7b5b0df3c2 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.4 +PROJECT_NUMBER = 0.8.5 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index b60d71966a..7ada0d303f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.4 +0.8.5 diff --git a/VERSION b/VERSION index b60d71966a..7ada0d303f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.4 +0.8.5 From 57f51e843e55815da5bb75ed32a81f60b7b45212 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Oct 2011 16:32:17 +0200 Subject: [PATCH 0495/1119] lavf/utils: fix overestimation of the rational number density. Fixes Ticket498 Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3490270395..591a121ec2 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3049,7 +3049,7 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) goto fail; } if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) - && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001 + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.004*av_q2d(st->sample_aspect_ratio) ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); From a39b603bf6d8c6f47c1864100bcd4d656445194c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Oct 2011 16:32:17 +0200 Subject: [PATCH 0496/1119] lavf/utils: fix overestimation of the rational number density. Fixes Ticket498 Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e79f98e62d..b15582acb1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2959,7 +2959,7 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) goto fail; } if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio) - && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001 + && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.004*av_q2d(st->sample_aspect_ratio) ){ av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n"); ret = AVERROR(EINVAL); From 60171d8fa68e90bd623daba970a65c4171cac502 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 28 Aug 2011 23:13:17 +0200 Subject: [PATCH 0497/1119] Do not set codec_tag property for matroska muxers. Fixes ticket #8, #537. --- libavformat/matroskaenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e9c977a59f..986373c4cd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1209,7 +1209,6 @@ AVOutputFormat ff_matroska_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS, - .codec_tag = (const AVCodecTag* const []){ff_codec_bmp_tags, ff_codec_wav_tags, 0}, .subtitle_codec = CODEC_ID_TEXT, }; #endif @@ -1243,6 +1242,5 @@ AVOutputFormat ff_matroska_audio_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER, - .codec_tag = (const AVCodecTag* const []){ff_codec_wav_tags, 0}, }; #endif From 638e183d11367f0ccc46bee6228e5b271fda5a8e Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 28 Aug 2011 23:13:17 +0200 Subject: [PATCH 0498/1119] Do not set codec_tag property for matroska muxers. Fixes ticket #8, #537. (cherry picked from commit 60171d8fa68e90bd623daba970a65c4171cac502) --- libavformat/matroskaenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e9c977a59f..986373c4cd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1209,7 +1209,6 @@ AVOutputFormat ff_matroska_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS, - .codec_tag = (const AVCodecTag* const []){ff_codec_bmp_tags, ff_codec_wav_tags, 0}, .subtitle_codec = CODEC_ID_TEXT, }; #endif @@ -1243,6 +1242,5 @@ AVOutputFormat ff_matroska_audio_muxer = { mkv_write_packet, mkv_write_trailer, .flags = AVFMT_GLOBALHEADER, - .codec_tag = (const AVCodecTag* const []){ff_codec_wav_tags, 0}, }; #endif From b981c5d4e0f0dd26fd1c03d70a38aef85d6131bc Mon Sep 17 00:00:00 2001 From: Loren Osborn Date: Mon, 3 Oct 2011 16:03:29 +0200 Subject: [PATCH 0499/1119] mpegtsenc: Lift limit on PMT PID Fixes Ticket518 (cherry picked from commit bf5c3bac51e422580aad011fcd927c818542f054) --- libavformat/mpegtsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 7e9647257f..32dedfbae6 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -84,7 +84,7 @@ static const AVOption options[] = { { "mpegts_service_id", "Set service_id field.", offsetof(MpegTSWrite, service_id), FF_OPT_TYPE_INT, {.dbl = 0x0001 }, 0x0001, 0xffff, AV_OPT_FLAG_ENCODING_PARAM}, { "mpegts_pmt_start_pid", "Set the first pid of the PMT.", - offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x1000, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM}, + offsetof(MpegTSWrite, pmt_start_pid), FF_OPT_TYPE_INT, {.dbl = 0x1000 }, 0x0010, 0x1f00, AV_OPT_FLAG_ENCODING_PARAM}, { "mpegts_start_pid", "Set the first pid.", offsetof(MpegTSWrite, start_pid), FF_OPT_TYPE_INT, {.dbl = 0x0100 }, 0x0100, 0x0f00, AV_OPT_FLAG_ENCODING_PARAM}, { NULL }, From 09a288476fecb855b77c2b13f939310467735af0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Oct 2011 00:14:48 +0200 Subject: [PATCH 0500/1119] H264: hotfix for speedloss on frame threading and h264 files with slices. This fix is not ideal as it still limits the multithreading on field pictures to the 2nd field only. Ill try to fix it properly to allow both fields to decode concurrently but this needs more work. This bug exists since and was caused by: commit ea6331f8bbaf3343faec6ffe77a6218a016a3af5 Author: Ronald S. Bultje Date: Mon Jun 20 10:24:33 2011 -0400 h264-mt: fix deadlock in packets with multiple slices (e.g. MP4). (cherry picked from commit eaa21b6870ba8bba4b0370e91f1941307c1c9681) --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index bab032b300..f6e93bd58d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3753,9 +3753,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ switch (hx->nal_unit_type) { case NAL_SPS: case NAL_PPS: + nals_needed = nal_index; + break; case NAL_IDR_SLICE: case NAL_SLICE: - nals_needed = nal_index; + init_get_bits(&hx->s.gb, ptr, bit_length); + if(!get_ue_golomb(&hx->s.gb)) + nals_needed = nal_index; } continue; } From 414409e6c5260ff8a409a05b34f72ba3d44c61a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Tue, 4 Oct 2011 21:34:55 +0200 Subject: [PATCH 0501/1119] configure: remove bashism equality check for target_os. (cherry picked from commit e39be59b85de63e036bd6db9b79a9a9f29a838f7) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 576daf045b..be2f721f7a 100755 --- a/configure +++ b/configure @@ -3164,7 +3164,7 @@ check_deps $CONFIG_LIST \ enabled asm || { arch=c; disable $ARCH_LIST $ARCH_EXT_LIST; } -if test $target_os == "haiku"; then +if test $target_os = "haiku"; then disable memalign disable posix_memalign fi From e49abd1d92f4ef2258c82f233e138901839eee0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Oct 2011 23:21:52 +0200 Subject: [PATCH 0502/1119] libx264: Fix loop failure due to bufsize becoming 0 Signed-off-by: Michael Niedermayer (cherry picked from commit 751a4efd4d754b15ebc6027b09051f27860bb1e8) --- libavcodec/libx264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index bf542accdf..6477f3fbe0 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -101,13 +101,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size, } static int X264_frame(AVCodecContext *ctx, uint8_t *buf, - int bufsize, void *data) + int orig_bufsize, void *data) { X264Context *x4 = ctx->priv_data; AVFrame *frame = data; x264_nal_t *nal; int nnal, i; x264_picture_t pic_out; + int bufsize; x264_picture_init( &x4->pic ); x4->pic.img.i_csp = X264_CSP_I420; @@ -138,6 +139,7 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, } do { + bufsize = orig_bufsize; if (x264_encoder_encode(x4->enc, &nal, &nnal, frame? &x4->pic: NULL, &pic_out) < 0) return -1; From f74d1c6de7ef810544edae947db1eb1e2c7b6361 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 4 Oct 2011 22:13:58 +0200 Subject: [PATCH 0503/1119] h264: do not let invalid values in h->ref_count after a decoder reset. Signed-off-by: Michael Niedermayer (cherry picked from commit 0333d234b0355b375762447e93674e3fe3c5bff1) --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f6e93bd58d..96d8ecf77a 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2633,6 +2633,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ free_tables(h, 0); flush_dpb(s->avctx); MPV_common_end(s); + h->list_count = 0; } if (!s->context_initialized) { if (h != h0) { From 7275dc28f6eec4168dbef79275b605bc73dbc0e4 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Thu, 6 Oct 2011 15:19:33 +0200 Subject: [PATCH 0504/1119] vaapi: fix VC-1 decoding (reconstruct bitstream TTFRM correctly). (cherry picked from commit 825dd135d829d85778e6c37f685a6088fef01b2e) --- libavcodec/vaapi_vc1.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_vc1.c b/libavcodec/vaapi_vc1.c index d4d76c815f..09bef4a5f9 100644 --- a/libavcodec/vaapi_vc1.c +++ b/libavcodec/vaapi_vc1.c @@ -116,6 +116,18 @@ static inline VAMvModeVC1 vc1_get_MVMODE2(VC1Context *v) return 0; } +/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */ +static inline int vc1_get_TTFRM(VC1Context *v) +{ + switch (v->ttfrm) { + case TT_8X8: return 0; + case TT_8X4: return 1; + case TT_4X8: return 2; + case TT_4X4: return 3; + } + return 0; +} + /** Pack FFmpeg bitplanes into a VABitPlaneBuffer element */ static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride) { @@ -239,7 +251,7 @@ static int vaapi_vc1_start_frame(AVCodecContext *avctx, av_unused const uint8_t pic_param->transform_fields.value = 0; /* reset all bits */ pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform; pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf; - pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm; + pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v); pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index; pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index; pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index; From 7d52ed686b2ccbb2e72d3930cfba69448c346204 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Thu, 6 Oct 2011 15:19:33 +0200 Subject: [PATCH 0505/1119] vaapi: fix VC-1 decoding (reconstruct bitstream TTFRM correctly). (cherry picked from commit 825dd135d829d85778e6c37f685a6088fef01b2e) --- libavcodec/vaapi_vc1.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_vc1.c b/libavcodec/vaapi_vc1.c index d4d76c815f..09bef4a5f9 100644 --- a/libavcodec/vaapi_vc1.c +++ b/libavcodec/vaapi_vc1.c @@ -116,6 +116,18 @@ static inline VAMvModeVC1 vc1_get_MVMODE2(VC1Context *v) return 0; } +/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */ +static inline int vc1_get_TTFRM(VC1Context *v) +{ + switch (v->ttfrm) { + case TT_8X8: return 0; + case TT_8X4: return 1; + case TT_4X8: return 2; + case TT_4X4: return 3; + } + return 0; +} + /** Pack FFmpeg bitplanes into a VABitPlaneBuffer element */ static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride) { @@ -239,7 +251,7 @@ static int vaapi_vc1_start_frame(AVCodecContext *avctx, av_unused const uint8_t pic_param->transform_fields.value = 0; /* reset all bits */ pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform; pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf; - pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm; + pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v); pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index; pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index; pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index; From b833859daa4eb8fe0ec9117859b21a734905b895 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 13 Sep 2011 18:53:18 -0400 Subject: [PATCH 0506/1119] mpc7: check output buffer size before decoding (cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b) Signed-off-by: Michael Niedermayer --- libavcodec/mpc7.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index bb21469356..515bbf60a7 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -197,7 +197,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, int i, ch; int mb = -1; Band *bands = c->bands; - int off; + int off, out_size; int bits_used, bits_avail; memset(bands, 0, sizeof(bands)); @@ -205,6 +205,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); } + out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2); init_get_bits(&gb, bits, (buf_size - 4)* 8); @@ -277,7 +283,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, *data_size = 0; return buf_size; } - *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + *data_size = out_size; return buf_size; } From 490617b6ffa13f8e49a196a752f927d5ebad6e2b Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 11:16:42 -0400 Subject: [PATCH 0507/1119] mpc7: return error if packet is too small. (cherry picked from commit 8290d1f38b438f1b070de67645c8b4a42014c7ac) Signed-off-by: Michael Niedermayer --- libavcodec/mpc7.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 515bbf60a7..6477edcf28 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -203,6 +203,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, memset(bands, 0, sizeof(bands)); if(buf_size <= 4){ av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); + return AVERROR(EINVAL); } out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; From fc8c0ee09f8eb8eab6373e1b4946cb503caa9884 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 11:39:21 -0400 Subject: [PATCH 0508/1119] mpc8: check output buffer size before decoding (cherry picked from commit 5674d4b0a35a34b75e3533a8580e0b5a0a8895a7) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index bca57451ca..90bc8c8b96 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -243,10 +243,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx, GetBitContext gb2, *gb = &gb2; int i, j, k, ch, cnt, res, t; Band *bands = c->bands; - int off; + int off, out_size; int maxband, keyframe; int last[2]; + out_size = MPC_FRAME_SIZE * 2 * avctx->channels; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + keyframe = c->cur_frame == 0; if(keyframe){ @@ -404,7 +410,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx, c->last_bits_used = get_bits_count(gb); if(c->cur_frame >= c->frames) c->cur_frame = 0; - *data_size = MPC_FRAME_SIZE * 2 * avctx->channels; + *data_size = out_size; return c->cur_frame ? c->last_bits_used >> 3 : buf_size; } From d33a1d650742b579c86df1b77fd9ee5a3dc99b87 Mon Sep 17 00:00:00 2001 From: Compn Date: Sun, 2 Oct 2011 17:39:03 -0400 Subject: [PATCH 0509/1119] riff: map 0x0038 to amrnb, works on http://video.mopoto.com/4/40/407/40709.avi (cherry picked from commit 3ebab62fc67591fd9313fad32892d7d32e805422) Signed-off-by: Michael Niedermayer --- libavformat/riff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 1ccd9091be..a834084b71 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -287,6 +287,7 @@ const AVCodecTag ff_codec_wav_tags[] = { { CODEC_ID_ADPCM_YAMAHA, 0x0020 }, { CODEC_ID_TRUESPEECH, 0x0022 }, { CODEC_ID_GSM_MS, 0x0031 }, + { CODEC_ID_AMR_NB, 0x0038 }, /* rogue format number */ { CODEC_ID_ADPCM_G726, 0x0045 }, { CODEC_ID_MP2, 0x0050 }, { CODEC_ID_MP3, 0x0055 }, From 902e9595e3ac5afdedf273a4e69fb43e32d518af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Oct 2011 00:38:50 +0200 Subject: [PATCH 0510/1119] MAINTAINERS: new ffplay maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit cffd20b90ee6f35e37cdb51dd94e6b2174fd31b6) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index fb28a4e822..8409cd1930 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19,7 +19,7 @@ ffmpeg: ffmpeg.c Michael Niedermayer ffplay: - ffplay.c Michael Niedermayer + ffplay.c Marton Balint ffprobe: ffprobe.c Stefano Sabatini From 78eab18740b457bc482845d5f4ec8fe484e0afb3 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 13:57:04 -0400 Subject: [PATCH 0511/1119] qdm2: check output buffer size before decoding (cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1665c8daed..144ce98042 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1958,13 +1958,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx, int buf_size = avpkt->size; QDM2Context *s = avctx->priv_data; int16_t *out = data; - int i; + int i, out_size; if(!buf) return 0; if(buf_size < s->checksum_size) return -1; + out_size = 16 * s->channels * s->frame_size * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n", buf_size, buf, s->checksum_size, data, *data_size); @@ -1974,7 +1981,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx, out += s->channels * s->frame_size; } - *data_size = (uint8_t*)out - (uint8_t*)data; + *data_size = out_size; return s->checksum_size; } From 4f45967cf5138fb2c7567c5b3d0fb697998b2aeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Oct 2011 04:21:19 +0200 Subject: [PATCH 0512/1119] ff_dv_frame_profile2: Check input buffer size. Based on code by DivX, Inc. / drffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51b0694bc051cda2bfed048a35e694d1047c6ef0) Signed-off-by: Michael Niedermayer --- libavcodec/dvdata.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c index 05993d874f..db6ed2b871 100644 --- a/libavcodec/dvdata.c +++ b/libavcodec/dvdata.c @@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = { const DVprofile* ff_dv_frame_profile(const DVprofile *sys, const uint8_t* frame, unsigned buf_size) { - int i; + int i, dsf, stype; - int dsf = (frame[3] & 0x80) >> 7; + if(buf_size < DV_PROFILE_BYTES) + return NULL; - int stype = frame[80*5 + 48 + 3] & 0x1f; + dsf = (frame[3] & 0x80) >> 7; + stype = frame[80*5 + 48 + 3] & 0x1f; /* 576i50 25Mbps 4:1:1 is a special case */ if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) { From c2d017e88ff6bb0f557dabfe795d0907c2d11849 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 20 Sep 2011 15:27:44 -0400 Subject: [PATCH 0513/1119] sipr: fix the output data size check and only calculate it once. (cherry picked from commit 1b5a189f06879338088809b3049ea7620f4e7e78) Signed-off-by: Michael Niedermayer --- libavcodec/sipr.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index 9befe8a158..db5ded740f 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c @@ -509,7 +509,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, GetBitContext gb; float *data = datap; int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE; - int i; + int i, out_size; ctx->avctx = avctx; if (avpkt->size < (mode_par->bits_per_frame >> 3)) { @@ -520,7 +520,11 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, *data_size = 0; return -1; } - if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) { + + out_size = mode_par->frames_per_packet * subframe_size * + mode_par->subframe_count * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { av_log(avctx, AV_LOG_ERROR, "Error processing packet: output buffer (%d) too small\n", *data_size); @@ -542,8 +546,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, data += subframe_size * mode_par->subframe_count; } - *data_size = mode_par->frames_per_packet * subframe_size * - mode_par->subframe_count * sizeof(float); + *data_size = out_size; return mode_par->bits_per_frame >> 3; } From 2809f4ab934ca94b32e64f3a70e6008cd3876420 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 13:38:07 -0400 Subject: [PATCH 0514/1119] qcelp: check output buffer size before decoding (cherry picked from commit e43dd3d2a8e106169e707484090a2d973ece2184) Signed-off-by: Michael Niedermayer --- libavcodec/qcelpdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c index e83704d801..61c812c85d 100644 --- a/libavcodec/qcelpdec.c +++ b/libavcodec/qcelpdec.c @@ -738,11 +738,17 @@ static int qcelp_decode_frame(AVCodecContext *avctx, void *data, int *data_size, int buf_size = avpkt->size; QCELPContext *q = avctx->priv_data; float *outbuffer = data; - int i; + int i, out_size; float quantized_lspf[10], lpc[10]; float gain[16]; float *formant_mem; + out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q) { warn_insufficient_frame_quality(avctx, "bitrate cannot be determined."); @@ -837,7 +843,7 @@ erasure: memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf)); q->prev_bitrate = q->bitrate; - *data_size = 160 * sizeof(*outbuffer); + *data_size = out_size; return buf_size; } From b491c15c8530fafdf5fcef25b1918339f196fbad Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 4 Oct 2011 22:13:56 +0200 Subject: [PATCH 0515/1119] h254: explicitly initialize bit depth/chroma idc Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 96d8ecf77a..fd33aeff3e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1019,8 +1019,12 @@ static av_cold void common_init(H264Context *h){ s->height = s->avctx->height; s->codec_id= s->avctx->codec->id; - ff_h264dsp_init(&h->h264dsp, 8); - ff_h264_pred_init(&h->hpc, s->codec_id, 8); + s->avctx->bits_per_raw_sample = 8; + + ff_h264dsp_init(&h->h264dsp, + s->avctx->bits_per_raw_sample); + ff_h264_pred_init(&h->hpc, s->codec_id, + s->avctx->bits_per_raw_sample); h->dequant_coeff_pps= -1; s->unrestricted_mv=1; From 5d2b6006f0567629324613ee73b779acbaf8f039 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Oct 2011 07:37:24 -0700 Subject: [PATCH 0516/1119] mpegvideo: fix position of bottom edge. It was wrong in colorspaces where horizontal and vertical chroma subsampling are not the same, e.g. 422. Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index a505b9071c..9c47c15a51 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -2302,12 +2302,15 @@ void ff_draw_horiz_band(MpegEncContext *s, int y, int h){ edge_h= FFMIN(h, s->v_edge_pos - y); - s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize, - s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides); - s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); - s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize, + s->linesize, s->h_edge_pos, edge_h, + EDGE_WIDTH, EDGE_WIDTH, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); } h= FFMIN(h, s->avctx->height - y); From 614ef0dc0d9f2d6ec7e2e41a00d285b7a6a2eea1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2011 22:54:00 +0200 Subject: [PATCH 0517/1119] h264: fix fill_colmap() to not store entries mbaff style when the reference is not mbaff at all Signed-off-by: Michael Niedermayer (cherry picked from commit a3ba542af39ba4425cbb44d2a0ae09c212b40001) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 34a4ff727f..0b19353656 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -89,7 +89,8 @@ static void fill_colmap(H264Context *h, int map[2][16+32], int list, int field, for(j=start; jref_list[0][j].frame_num + (h->ref_list[0][j].reference&3) == poc){ int cur_ref= mbafi ? (j-16)^field : j; - map[list][2*old_ref + (rfield^field) + 16] = cur_ref; + if(ref1->mbaff) + map[list][2*old_ref + (rfield^field) + 16] = cur_ref; if(rfield == field || !interl) map[list][old_ref] = cur_ref; break; From 06b15b371539cb2f05f717b228d9173d4aee991d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 6 Oct 2011 21:55:44 +0200 Subject: [PATCH 0518/1119] h264: fix the size of PPS::chroma_qp_table Signed-off-by: Michael Niedermayer (cherry picked from commit e588a5c2d418fdcf08ece076a2642de44f444d55) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 0a380e03c1..a6f39730ff 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -227,7 +227,7 @@ typedef struct PPS{ int transform_8x8_mode; ///< transform_8x8_mode_flag uint8_t scaling_matrix4[6][16]; uint8_t scaling_matrix8[6][64]; - uint8_t chroma_qp_table[2][64]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table + uint8_t chroma_qp_table[2][QP_MAX_NUM+1]; ///< pre-scaled (with chroma_qp_index_offset) version of qp_table int chroma_qp_diff; }PPS; From 4c5cdb493c25a0ffb05022e7afa001725e0adc62 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 02:09:42 +0100 Subject: [PATCH 0519/1119] put_bits: fix invalid shift by 32 in flush_put_bits() If flush_put_bits() is called when the 32-bit buffer is empty, e.g. after writing a multiple of 32 bits, and invalid shift by 32 is performed. Since flush_put_bits() is called infrequently, this additional check should have negligible performance impact. Signed-off-by: Mans Rullgard (cherry picked from commit ac6eab1496aad6f8b09deabbef4fe5fd829e142d) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 79016912d5..ccd2565920 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -100,7 +100,8 @@ static inline void flush_put_bits(PutBitContext *s) align_put_bits(s); #else #ifndef BITSTREAM_WRITER_LE - s->bit_buf<<= s->bit_left; + if (s->bit_left < 32) + s->bit_buf<<= s->bit_left; #endif while (s->bit_left < 32) { /* XXX: should test end of buffer */ From c2c83dcb322504807388f804d73d75a45fab004b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:41:23 +0100 Subject: [PATCH 0520/1119] aacdec: fix undefined shifts Since nnz can be zero, this is needed to avoid a shift by 32. Signed-off-by: Mans Rullgard (cherry picked from commit d12294304acd82cb219e3f66ca9cd6efb2194fa4) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 6cc0cec0f0..e9f2cc53e9 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1090,7 +1090,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - bits = SHOW_UBITS(re, gb, nnz) << (32-nnz); + bits = nnz ? GET_CACHE(re, gb) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx); } while (len -= 4); @@ -1130,7 +1130,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12); + sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx); } while (len -= 2); From 37ce6ba425d70718b646ba49ec23761abd511d9e Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:49:42 +0100 Subject: [PATCH 0521/1119] dca: fix signed overflow in shift Signed-off-by: Mans Rullgard (cherry picked from commit 559c244d42be7a02c23976216b47fd63b80d6c7f) Signed-off-by: Michael Niedermayer --- libavcodec/dca.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 69df8f4597..24153ebdd2 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -905,7 +905,8 @@ static void qmf_32_subbands(DCAContext * s, int chans, for (subindex = 0; subindex < 8; subindex++) { /* Load in one sample from each subband and clear inactive subbands */ for (i = 0; i < sb_act; i++){ - uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30; + unsigned sign = (i - 1) & 2; + uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30; AV_WN32A(&s->raXin[i], v); } From 4ba0e0375961fcb05d0d4258e75c807c1ed577f5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:52:44 +0100 Subject: [PATCH 0522/1119] motion_est: fix some signed overflows Signed-off-by: Mans Rullgard (cherry picked from commit e708afd3c026a9eb547dab07781320a7e2564312) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index c12ebf4c7c..02e804d88f 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1040,7 +1040,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, /* intra / predictive decision */ pix = c->src[0][0]; sum = s->dsp.pix_sum(pix, s->linesize); - varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500; + varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500; pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8; @@ -1202,7 +1202,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){ intra_score= varc - 500; }else{ - int mean= (sum+128)>>8; + unsigned mean = (sum+128)>>8; mean*= 0x01010101; for(i=0; i<16; i++){ From f7be632cbde8aa094535edf0af3a30a7556acbac Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 15:03:51 +0100 Subject: [PATCH 0523/1119] vp8: fix signed overflows In addition to avoiding undefined behaviour, an unsigned type makes more sense for packing multiple 8-bit values. Signed-off-by: Mans Rullgard (cherry picked from commit bb59156606e00057a706ed30165bc7329db3823f) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 3e93653085..a417ae3672 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -919,7 +919,8 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb, int mb_x, int mb_y) { AVCodecContext *avctx = s->avctx; - int x, y, mode, nnz, tr; + int x, y, mode, nnz; + uint32_t tr; // for the first row, we need to run xchg_mb_border to init the top edge to 127 // otherwise, skip it if we aren't going to deblock @@ -948,7 +949,7 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb, // from the top macroblock if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) && mb_x == s->mb_width-1) { - tr = tr_right[-1]*0x01010101; + tr = tr_right[-1]*0x01010101u; tr_right = (uint8_t *)&tr; } From edc942202b577946c265fe9fdff236fac2b2cc2f Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 02:06:26 +0100 Subject: [PATCH 0524/1119] lavf: fix signed overflow in avformat_find_stream_info() On the first iteration through this code, last_dts is always INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in an invalid manner. Although the result is only used if the input values are valid, performing the subtraction is still not allowed in a strict environment. Signed-off-by: Mans Rullgard (cherry picked from commit a31e9f68a426f634e002282885c6c2eb1bfbea44) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b15582acb1..400d96826d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2396,9 +2396,9 @@ int av_find_stream_info(AVFormatContext *ic) } { int64_t last = st->info->last_dts; - int64_t duration= pkt->dts - last; - if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){ + if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){ + int64_t duration= pkt->dts - last; double dur= duration * av_q2d(st->time_base); // if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO) From 1646d2d2ae20c32b075cf271c7b276a1d587ebe4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:30 +0200 Subject: [PATCH 0525/1119] eamad: clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer Signed-off-by: Michael Niedermayer (cherry picked from commit 74b9c598396f76407c6b3841c10bc67ddddb2a98) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index d4881ab843..ee8158174a 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -280,6 +280,7 @@ static int decode_frame(AVCodecContext *avctx, if (!t->bitstream_buf) return AVERROR(ENOMEM); bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2); + memset((uint8_t*)t->bitstream_buf + (buf_end-buf), 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf)); for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++) From 44740513709cb326667fc8b7d24abb6e16aacee6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:27 +0200 Subject: [PATCH 0526/1119] eatgv: fix out of bound reads on corrupted motions vectors. Signed-off-by: Michael Niedermayer (cherry picked from commit 09302a897d1990b1338f049fcd29638d736b8823) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 0855f10417..f50a308467 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; + unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + x*4 + s->mv_codebook[vector][0]; src_stride = s->last_frame.linesize[0]; - if (src+3*src_stride+3>=frame0_end) + if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) continue; }else{ int offset = vector - num_mvs; From 1b6e6439faafb8de96ce01f008918ea36eaff8c2 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:28 +0200 Subject: [PATCH 0527/1119] eatgv: fix pointer arithmetic overflows. Signed-off-by: Michael Niedermayer (cherry picked from commit 6bfe0d4c3d7de11e859ea6720b011cf5fdf5ef03) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index f50a308467..fb88dce5d3 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -74,7 +74,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst else src += 2; - if (src+3>src_end) + if (src_end - src < 3) return -1; size = AV_RB24(src); src += 3; @@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; + unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -148,7 +148,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b int mvbits; const unsigned char *blocks_raw; - if(buf+12>buf_end) + if(buf_end - buf < 12) return -1; num_mvs = AV_RL16(&buf[0]); @@ -171,7 +171,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b /* read motion vectors */ mvbits = (num_mvs*2*10+31) & ~31; - if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end) + if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed) return -1; init_get_bits(&gb, buf, mvbits); @@ -207,12 +207,14 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b int src_stride; if (vector < num_mvs) { - src = s->last_frame.data[0] + - (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + - x*4 + s->mv_codebook[vector][0]; + unsigned offset = + (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + + x*4 + s->mv_codebook[vector][0]; + src_stride = s->last_frame.linesize[0]; - if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) + if (offset >= last_frame_size - (3*src_stride+3)) continue; + src = s->last_frame.data[0] + offset; }else{ int offset = vector - num_mvs; if (offsetbuf_end) { + if(buf_end - buf < 12) { av_log(avctx, AV_LOG_WARNING, "truncated header\n"); return -1; } @@ -272,7 +277,7 @@ static int tgv_decode_frame(AVCodecContext *avctx, pal_count = AV_RL16(&buf[6]); buf += 12; - for(i=0; i= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } From 7b3c851526740cb77fe5af0e48c50b7ead1e0143 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:32 +0200 Subject: [PATCH 0528/1119] eamad: avoid NULL derefence when missing the reference frame. Signed-off-by: Michael Niedermayer (cherry picked from commit 6e20554a6d33e92b81dc3cfed6082e03bff2a7f8) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index ee8158174a..f5b25354f1 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -205,7 +205,8 @@ static void decode_mb(MadContext *t, int inter) for (j=0; j<6; j++) { if (mv_map & (1<gb); - comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add); + if (t->last_frame.data[0]) + comp_block(t, s->mb_x, s->mb_y, j, mv_x, mv_y, add); } else { s->dsp.clear_block(t->block); decode_block_intra(t, t->block); From 79bafbb0dd6af48eae51eb69c472208f97eff11d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:31 +0200 Subject: [PATCH 0529/1119] eamad: check for out of bound reads when doing MC Signed-off-by: Michael Niedermayer (cherry picked from commit da35797359cec148f3fe59894c62727b0422d75a) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index f5b25354f1..150bd08108 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -85,15 +85,21 @@ static inline void comp_block(MadContext *t, int mb_x, int mb_y, { MpegEncContext *s = &t->s; if (j < 4) { + unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x; + if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7) + return; comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3), t->frame.linesize[0], - t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x, + t->last_frame.data[0] + offset, t->last_frame.linesize[0], add); } else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) { int index = j - 3; + unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2); + if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7) + return; comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8, t->frame.linesize[index], - t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2), + t->last_frame.data[index] + offset, t->last_frame.linesize[index], add); } } From 5415c488f9c6103df06ccfdc77dd50d1f030d271 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:33 +0200 Subject: [PATCH 0530/1119] eamad: release the reference frame on video size changes Signed-off-by: Michael Niedermayer (cherry picked from commit 6c1fb3e7631178c2a45c6c41b9b8d9ee3a5298fc) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 150bd08108..602bbfcf93 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -273,6 +273,8 @@ static int decode_frame(AVCodecContext *avctx, avcodec_set_dimensions(avctx, s->width, s->height); if (t->frame.data[0]) avctx->release_buffer(avctx, &t->frame); + if (t->last_frame.data[0]) + avctx->release_buffer(avctx, &t->last_frame); } t->frame.reference = 1; From 2fdbc1d5533ce596bc7e4872dd801c5cdda58aeb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:39 +0200 Subject: [PATCH 0531/1119] vqavideo: check for invalid/unsupported version Signed-off-by: Michael Niedermayer (cherry picked from commit b226af39107f09cd650875388250f4968eea54db) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index ca4fd94d75..6d7f65a051 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -138,6 +138,10 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) /* load up the VQA parameters from the header */ vqa_header = (unsigned char *)s->avctx->extradata; s->vqa_version = vqa_header[0]; + if (s->vqa_version < 1 || s->vqa_version > 3) { + av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version); + return -1; + } s->width = AV_RL16(&vqa_header[6]); s->height = AV_RL16(&vqa_header[8]); if(av_image_check_size(s->width, s->height, 0, avctx)){ From b832e539c0dceb2108c8b7f824d9eff9d751853a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:37 +0200 Subject: [PATCH 0532/1119] vqa: fix double free on corrupted streams Signed-off-by: Michael Niedermayer (cherry picked from commit e3123856c79c36507772ada1bcda6cfe36a1e297) Signed-off-by: Michael Niedermayer --- libavformat/westwood.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavformat/westwood.c b/libavformat/westwood.c index 818fe2d8d3..dd6ddef905 100644 --- a/libavformat/westwood.c +++ b/libavformat/westwood.c @@ -277,10 +277,8 @@ static int wsvqa_read_header(AVFormatContext *s, /* there are 0 or more chunks before the FINF chunk; iterate until * FINF has been skipped and the file will be ready to be demuxed */ do { - if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) { - av_free(st->codec->extradata); + if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) return AVERROR(EIO); - } chunk_tag = AV_RB32(&scratch[0]); chunk_size = AV_RB32(&scratch[4]); From 7ab0b6b7eda60e235b7db07a6895fa8bdade01c8 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 9 Oct 2011 01:54:41 +0200 Subject: [PATCH 0533/1119] vqavideo: check for out of bound reads. Signed-off-by: Michael Niedermayer (cherry picked from commit 6d45702f7f257c1cfcd3ce3287bf258854528a4a) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 6d7f65a051..64a68e1ca1 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -230,6 +230,8 @@ static void decode_format80(const unsigned char *src, int src_size, src_index += 2; av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + if (src_pos + count > dest_size) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; @@ -252,6 +254,8 @@ static void decode_format80(const unsigned char *src, int src_size, src_index += 2; av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + if (src_pos + count > dest_size) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; @@ -272,6 +276,8 @@ static void decode_format80(const unsigned char *src, int src_size, src_index += 2; av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos); CHECK_COUNT(); + if (dest_index < src_pos) + return; for (i = 0; i < count; i++) dest[dest_index + i] = dest[dest_index - src_pos + i]; dest_index += count; From 67c46b9b3027fdd9fd737e21a80d3326748b1c15 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:01:33 +0200 Subject: [PATCH 0534/1119] qtrle: check for invalid line offset Signed-off-by: Michael Niedermayer (cherry picked from commit a4ed7c3fe9f99b89f86b65710d8855dc572f1a25) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 2cc2de2e23..0f280f5829 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -464,6 +464,8 @@ static int qtrle_decode_frame(AVCodecContext *avctx, stream_ptr += 4; height = AV_RB16(&s->buf[stream_ptr]); stream_ptr += 4; + if (height > s->avctx->height - start_line) + goto done; } else { start_line = 0; height = s->avctx->height; From ca58b215ab2c4d593b8be04420dfa6c1720a409c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 21:57:27 +0200 Subject: [PATCH 0535/1119] txd: check for out of bound reads. Signed-off-by: Michael Niedermayer (cherry picked from commit e182de9a98272fbe4f368000911191aaeb0d6fb3) Signed-off-by: Michael Niedermayer --- libavcodec/txd.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/libavcodec/txd.c b/libavcodec/txd.c index 0e25458c86..219c337534 100644 --- a/libavcodec/txd.c +++ b/libavcodec/txd.c @@ -23,6 +23,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" +#include "bytestream.h" #include "avcodec.h" #include "s3tc.h" @@ -42,6 +43,7 @@ static av_cold int txd_init(AVCodecContext *avctx) { static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; TXDContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -52,6 +54,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, const uint32_t *palette = (const uint32_t *)(cur + 88); uint32_t *pal; + if (buf_end - cur < 92) + return AVERROR_INVALIDDATA; version = AV_RL32(cur); d3d_format = AV_RL32(cur+76); w = AV_RL16(cur+80); @@ -69,6 +73,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (depth == 8) { avctx->pix_fmt = PIX_FMT_PAL8; + if (buf_end - cur < 1024) + return AVERROR_INVALIDDATA; cur += 1024; } else if (depth == 16 || depth == 32) avctx->pix_fmt = PIX_FMT_RGB32; @@ -100,6 +106,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, v = AV_RB32(palette+y); pal[y] = (v>>8) + (v<<24); } + if (buf_end - cur < w * h) + return AVERROR_INVALIDDATA; for (y=0; y 1; mipmap_count--) - cur += AV_RL32(cur) + 4; + for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) { + uint32_t length = bytestream_get_le32(&cur); + if (buf_end - cur < length) + break; + cur += length; + } *picture = s->picture; *data_size = sizeof(AVPicture); From adb12c4deb7685037439ecaea5cac890a6e1f9c3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:34 +0200 Subject: [PATCH 0536/1119] xxan: check for out of bound accesses Signed-off-by: Michael Niedermayer (cherry picked from commit a68a6a4fb19caecc91d5f7fe3ef4f83f6d3c4586) Signed-off-by: Michael Niedermayer --- libavcodec/xxan.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 10ec53f467..c93ff43663 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -129,7 +129,9 @@ static int xan_unpack(uint8_t *dest, const int dest_len, if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end) + if (src + size > src_end || + dest + size + size2 > dest_end || + dest + size - orig_dest < back ) return -1; bytestream_get_buffer(&src, dest, size); dest += size; @@ -194,6 +196,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) if (mode) { for (j = 0; j < avctx->height >> 1; j++) { for (i = 0; i < avctx->width >> 1; i++) { + if (src_end - src < 1) + return 0; val = *src++; if (val) { val = AV_RL16(table + (val << 1)); @@ -202,8 +206,6 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) U[i] = uval | (uval >> 5); V[i] = vval | (vval >> 5); } - if (src == src_end) - return 0; } U += s->pic.linesize[1]; V += s->pic.linesize[2]; @@ -214,6 +216,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) for (j = 0; j < avctx->height >> 2; j++) { for (i = 0; i < avctx->width >> 1; i += 2) { + if (src_end - src < 1) + return 0; val = *src++; if (val) { val = AV_RL16(table + (val << 1)); @@ -302,6 +306,9 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) corr_end - corr_off); if (dec_size < 0) dec_size = 0; + else + dec_size = FFMIN(dec_size, s->buffer_size/2 - 1); + for (i = 0; i < dec_size; i++) s->y_buffer[i*2+1] = (s->y_buffer[i*2+1] + (s->scratch_buffer[i] << 1)) & 0x3F; } From a65045915f5b4ec6da73df54d1914b320a861223 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:36 +0200 Subject: [PATCH 0537/1119] qtrle: check for out of bound writes. Signed-off-by: Michael Niedermayer (cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 0f280f5829..124106fc16 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -127,6 +127,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int stream_ptr, while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -183,6 +184,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -236,6 +238,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -285,6 +288,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -336,6 +340,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { From 115d88c4b218a2659a5ed9437407ddeda0a7e32e Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 21:22:06 +0100 Subject: [PATCH 0538/1119] h264pred: use unsigned types for pixel values, fix signed overflows Signed-off-by: Mans Rullgard (cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a) Signed-off-by: Michael Niedermayer --- libavcodec/h264pred.c | 10 +++++----- libavcodec/h264pred_template.c | 32 ++++++++++++++++---------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c index f6533cf9ba..4917e0d3a0 100644 --- a/libavcodec/h264pred.c +++ b/libavcodec/h264pred.c @@ -40,7 +40,7 @@ #undef BIT_DEPTH static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_TOP_EDGE LOAD_TOP_RIGHT_EDGE uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2, @@ -55,7 +55,7 @@ static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int st } static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_LEFT_EDGE AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101); @@ -292,7 +292,7 @@ static void pred16x16_tm_vp8_c(uint8_t *src, int stride){ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -307,7 +307,7 @@ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -322,7 +322,7 @@ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ static void pred8x8_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0=0; + unsigned dc0 = 0; for(i=0;i<4; i++){ dc0+= src[-1+i*stride] + src[i-stride]; diff --git a/libavcodec/h264pred_template.c b/libavcodec/h264pred_template.c index 3cd4463d76..153aabc5f2 100644 --- a/libavcodec/h264pred_template.c +++ b/libavcodec/h264pred_template.c @@ -120,28 +120,28 @@ static void FUNCC(pred4x4_129_dc)(uint8_t *_src, const uint8_t *topright, int _s #define LOAD_TOP_RIGHT_EDGE\ - const int av_unused t4= topright[0];\ - const int av_unused t5= topright[1];\ - const int av_unused t6= topright[2];\ - const int av_unused t7= topright[3];\ + const unsigned av_unused t4 = topright[0];\ + const unsigned av_unused t5 = topright[1];\ + const unsigned av_unused t6 = topright[2];\ + const unsigned av_unused t7 = topright[3];\ #define LOAD_DOWN_LEFT_EDGE\ - const int av_unused l4= src[-1+4*stride];\ - const int av_unused l5= src[-1+5*stride];\ - const int av_unused l6= src[-1+6*stride];\ - const int av_unused l7= src[-1+7*stride];\ + const unsigned av_unused l4 = src[-1+4*stride];\ + const unsigned av_unused l5 = src[-1+5*stride];\ + const unsigned av_unused l6 = src[-1+6*stride];\ + const unsigned av_unused l7 = src[-1+7*stride];\ #define LOAD_LEFT_EDGE\ - const int av_unused l0= src[-1+0*stride];\ - const int av_unused l1= src[-1+1*stride];\ - const int av_unused l2= src[-1+2*stride];\ - const int av_unused l3= src[-1+3*stride];\ + const unsigned av_unused l0 = src[-1+0*stride];\ + const unsigned av_unused l1 = src[-1+1*stride];\ + const unsigned av_unused l2 = src[-1+2*stride];\ + const unsigned av_unused l3 = src[-1+3*stride];\ #define LOAD_TOP_EDGE\ - const int av_unused t0= src[ 0-1*stride];\ - const int av_unused t1= src[ 1-1*stride];\ - const int av_unused t2= src[ 2-1*stride];\ - const int av_unused t3= src[ 3-1*stride];\ + const unsigned av_unused t0 = src[ 0-1*stride];\ + const unsigned av_unused t1 = src[ 1-1*stride];\ + const unsigned av_unused t2 = src[ 2-1*stride];\ + const unsigned av_unused t3 = src[ 3-1*stride];\ static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){ pixel *src = (pixel*)_src; From f65e396aa13925f125c320895d4b9eda241fbba6 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 01:59:51 +0100 Subject: [PATCH 0539/1119] crc: fix signed overflow This fixes a signed overflow from i << 24 when i == 255 by making i unsigned. The result of the shift is already assigned to an variable of unsigned type. Signed-off-by: Mans Rullgard (cherry picked from commit 8b19ae07616bbd18969b94cbf5d74308a8f2bbdf) Signed-off-by: Michael Niedermayer --- libavutil/crc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/crc.c b/libavutil/crc.c index c3d74a2ce9..d0e736ed4d 100644 --- a/libavutil/crc.c +++ b/libavutil/crc.c @@ -57,7 +57,7 @@ static AVCRC av_crc_table[AV_CRC_MAX][257]; * @return <0 on failure */ int av_crc_init(AVCRC *ctx, int le, int bits, uint32_t poly, int ctx_size){ - int i, j; + unsigned i, j; uint32_t c; if (bits < 8 || bits > 32 || poly >= (1LL< Date: Sun, 9 Oct 2011 20:32:58 +0100 Subject: [PATCH 0540/1119] mpegvideo_enc: fix a signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit 05795f35be4b479bfa8d60ed3eb13e0f89e439c0) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 3c92aa93f4..b9e141d4cd 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2007,7 +2007,7 @@ static int mb_var_thread(AVCodecContext *c, void *arg){ int varc; int sum = s->dsp.pix_sum(pix, s->linesize); - varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8; + varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8; s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc; s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; From 33029d7353b2d005357ff7ef4d6968a9f70acb69 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:46:22 +0100 Subject: [PATCH 0541/1119] wmavoice: fix a signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit ba3f07d0611d9a6c10eaa90b3c058ecdffe76676) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index c343080b36..22273527af 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1085,7 +1085,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, int excl_range = s->aw_pulse_range; // always 16 or 24 uint16_t *use_mask_ptr = &use_mask[idx >> 4]; int first_sh = 16 - (idx & 15); - *use_mask_ptr++ &= 0xFFFF << first_sh; + *use_mask_ptr++ &= 0xFFFFu << first_sh; excl_range -= first_sh; if (excl_range >= 16) { *use_mask_ptr++ = 0; From 190807a56c88231d26c9f66f0dc19cb32db3afb4 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:38:01 +0100 Subject: [PATCH 0542/1119] 4xm: fix signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit 84dda407628e298f33d610e9e04a8b2945d24665) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 7344f4cd1f..3f8061f942 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -279,7 +279,7 @@ static void init_mv(FourXContext *f){ } #endif -static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){ +static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){ int i; dc*= 0x10001; From 9b6080f68523353122e1727a10999bb3bab38e15 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 7 Oct 2011 18:41:06 -0700 Subject: [PATCH 0543/1119] mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions. (cherry picked from commit 0c46e958d1fd3817b8e9fa048d0450d509c80378) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a69944d8d2..953d3b0002 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -223,12 +223,13 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, if (length > 61444) /* worst case PAL 1920 samples 8 channels */ return -1; - av_new_packet(pkt, length); - avio_read(pb, pkt->data, length); + length = av_get_packet(pb, pkt, length); + if (length < 0) + return length; data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ - for (; buf_ptr < end_ptr; ) { + for (; buf_ptr + st->codec->channels*4 < end_ptr; ) { for (i = 0; i < st->codec->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); if (st->codec->bits_per_coded_sample == 24) @@ -238,7 +239,7 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, } buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M } - pkt->size = data_ptr - pkt->data; + av_shrink_packet(pkt, data_ptr - pkt->data); return 0; } @@ -290,12 +291,16 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (memcmp(tmpbuf, checkv, 16)) av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n"); size -= 32; - av_get_packet(pb, pkt, size); + size = av_get_packet(pb, pkt, size); + if (size < 0) + return size; + else if (size < plaintext_size) + return AVERROR_INVALIDDATA; size -= plaintext_size; if (mxf->aesc) av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size], &pkt->data[plaintext_size], size >> 4, ivec, 1); - pkt->size = orig_size; + av_shrink_packet(pkt, orig_size); pkt->stream_index = index; avio_skip(pb, end - avio_tell(pb)); return 0; @@ -332,8 +337,11 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n"); return -1; } - } else - av_get_packet(s->pb, pkt, klv.length); + } else { + int ret = av_get_packet(s->pb, pkt, klv.length); + if (ret < 0) + return ret; + } pkt->stream_index = index; pkt->pos = klv.offset; return 0; From 73f85eae68b6d40cad1cd53b04a6ed1a31cced1b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 10 Oct 2011 20:41:31 +0100 Subject: [PATCH 0544/1119] sipr: fix get_bits(0) calls Zero-length get_bits() is undefined, must check before calling. Signed-off-by: Mans Rullgard (cherry picked from commit c79d2a20bad59298188171f1316a830d563a41ee) Signed-off-by: Michael Niedermayer --- libavcodec/sipr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index db5ded740f..bd7d22388a 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c @@ -194,14 +194,16 @@ static void decode_parameters(SiprParameters* parms, GetBitContext *pgb, { int i, j; - parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); + if (p->ma_predictor_bits) + parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); for (i = 0; i < 5; i++) parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]); for (i = 0; i < p->subframe_count; i++) { parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]); - parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); + if (p->gp_index_bits) + parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); for (j = 0; j < p->number_of_fc_indexes; j++) parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]); From 7f7b2e89e270801ea5918afa1432d3bb32f6ebc7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:37:51 -0400 Subject: [PATCH 0545/1119] smacker: validate number of channels (cherry picked from commit e190e453bd1e4d4b409ed3556b3a50d1087c15d7) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index be4bc2336f..30dbaa7dae 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -560,6 +560,10 @@ static av_cold int decode_end(AVCodecContext *avctx) static av_cold int smka_decode_init(AVCodecContext *avctx) { + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); + return AVERROR(EINVAL); + } avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16; return 0; From e6b225532933655d95266ce772b8a45b14aa27ec Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:42:55 -0400 Subject: [PATCH 0546/1119] smacker: check buffer size before reading output size (cherry picked from commit cf044f8bff0d28dbc34492f18b0d18b3ba8bad9d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 30dbaa7dae..0c1aa16224 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -587,6 +587,11 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, int bits, stereo; int pred[2] = {0, 0}; + if (buf_size <= 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + unp_size = AV_RL32(buf); init_get_bits(&gb, buf + 4, (buf_size - 4) * 8); From 800ab099e332c93c90634b14309c5d56659223a8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:49:33 -0400 Subject: [PATCH 0547/1119] smacker: validate channels and sample format. (cherry picked from commit ff1f89de2da3472d133e2c95bf7c9ad2d88df33d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 0c1aa16224..0b7a19aa32 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -607,6 +607,14 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n"); return -1; } + if (stereo ^ (avctx->channels != 1)) { + av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); + return AVERROR(EINVAL); + } + if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) { + av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); + return AVERROR(EINVAL); + } memset(vlc, 0, sizeof(VLC) * 4); memset(h, 0, sizeof(HuffContext) * 4); From 1c3d46a9246af544f3e9b3b81fe8589e58756484 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 11 Oct 2011 16:00:21 +0100 Subject: [PATCH 0548/1119] h264: fix HRD parameters parsing The bit_rate_value_minus1 and cpb_size_value_minus1 elements allow a wider range than get_ue_golomb() supports. This adds a get_ue_golomb_long() function supporting up to 31 leading zeros, which is the maximum for these syntax elements, and uses it in decode_hrd_parameters(). Signed-off-by: Mans Rullgard (cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 14 ++++++++++++++ libavcodec/h264_ps.c | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 90eeb30b54..8dff0322a7 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -75,6 +75,20 @@ static inline int get_ue_golomb(GetBitContext *gb){ } } +/** + * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1. + */ +static inline unsigned get_ue_golomb_long(GetBitContext *gb) +{ + unsigned buf, log; + + buf = show_bits_long(gb, 32); + log = 31 - av_log2(buf); + skip_bits_long(gb, log); + + return get_bits_long(gb, log + 1) - 1; +} + /** * read unsigned exp golomb code, constraint to a max of 31. * the return value is undefined if the stored value exceeds 31. diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 423f54b324..89e2502e0d 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -143,8 +143,8 @@ static inline int decode_hrd_parameters(H264Context *h, SPS *sps){ get_bits(&s->gb, 4); /* bit_rate_scale */ get_bits(&s->gb, 4); /* cpb_size_scale */ for(i=0; igb); /* bit_rate_value_minus1 */ - get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */ + get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */ + get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */ get_bits1(&s->gb); /* cbr_flag */ } sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1; From 7d02df7036d4efef1410a840b3e5ffb7a8c42cf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Oct 2011 20:09:53 +0200 Subject: [PATCH 0549/1119] arm: fix av_clipl_int32() asm Note, the other arm asm code is likely affected too and should be changed as well. Signed-off-by: Michael Niedermayer (cherry picked from commit 96bc6485bc929741827fc0f08ef06bea662a3eea) Signed-off-by: Michael Niedermayer --- libavutil/arm/intmath.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/arm/intmath.h b/libavutil/arm/intmath.h index 4130177549..1e9d3e8b15 100644 --- a/libavutil/arm/intmath.h +++ b/libavutil/arm/intmath.h @@ -104,7 +104,7 @@ static av_always_inline av_const int32_t av_clipl_int32_arm(int64_t a) "mvnne %1, #1<<31 \n\t" "moveq %0, %Q2 \n\t" "eorne %0, %1, %R2, asr #31 \n\t" - : "=r"(x), "=&r"(y) : "r"(a)); + : "=r"(x), "=&r"(y) : "r"(a):"cc"); return x; } From 5ae87280e219e843c71201c580780e8e30083559 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Oct 2011 22:03:19 +0200 Subject: [PATCH 0550/1119] mem: fix memalign hack av_realloc() Signed-off-by: Michael Niedermayer (cherry picked from commit fc11927890f38445a950b453d24928525da0e61a) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/mem.c b/libavutil/mem.c index a58f432a2c..a53676c553 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -137,7 +137,9 @@ void *av_realloc(void *ptr, size_t size) //FIXME this isn't aligned correctly, though it probably isn't needed if(!ptr) return av_malloc(size); diff= ((char*)ptr)[-1]; - return (char*)realloc((char*)ptr - diff, size + diff) + diff; + ptr= realloc((char*)ptr - diff, size + diff); + if(ptr) ptr = (char*)ptr + diff; + return ptr; #else return realloc(ptr, size + !size); #endif From d398d042c1b141277b81a24ba800db2832c5fe9c Mon Sep 17 00:00:00 2001 From: John Brooks Date: Wed, 12 Oct 2011 11:06:26 +0300 Subject: [PATCH 0551/1119] rtpdec: Fix the minimum packet length for RTCP SR packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We actually read 20 bytes of these packets. Signed-off-by: Martin Storsjö (cherry picked from commit 5d6ecf5345c0913e2b66427ea062e7989201a139) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index 9fc30d7b66..bc0aea6100 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -114,7 +114,7 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l while (len >= 2) { switch (buf[1]) { case RTCP_SR: - if (len < 16) { + if (len < 20) { av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n"); return AVERROR_INVALIDDATA; } From 2c0cddf25517b2fbe208637e599d517832ebc0e3 Mon Sep 17 00:00:00 2001 From: John Brooks Date: Wed, 12 Oct 2011 00:53:12 -0600 Subject: [PATCH 0552/1119] rtpdec: Read the packet length for all RTCP packet types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows skipping past unsupported RTCP packet types, as RFC 3550 section 6.1 mandates. Currently this only has any practical effect if a sender puts an unrecognized type before RTCP_BYE in a compounded packet, or (incorrectly) does not put RTCP_SR first. Signed-off-by: Martin Storsjö (cherry picked from commit 07b77fe3871f86b87e35876d38f1969da5ece4b2) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index bc0aea6100..130a78d0d1 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -111,14 +111,15 @@ RTPDynamicProtocolHandler *ff_rtp_handler_find_by_id(int id, static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len) { int payload_len; - while (len >= 2) { + while (len >= 4) { + payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4); + switch (buf[1]) { case RTCP_SR: - if (len < 20) { + if (payload_len < 20) { av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n"); return AVERROR_INVALIDDATA; } - payload_len = (AV_RB16(buf + 2) + 1) * 4; s->last_rtcp_ntp_time = AV_RB64(buf + 8); s->last_rtcp_timestamp = AV_RB32(buf + 16); @@ -129,14 +130,13 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp; } - buf += payload_len; - len -= payload_len; break; case RTCP_BYE: return -RTCP_BYE; - default: - return -1; } + + buf += payload_len; + len -= payload_len; } return -1; } From 7e95a12d51ffc5369f66ab46ce32f8c126678bbc Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 12 Oct 2011 22:30:44 -0400 Subject: [PATCH 0553/1119] mlpdec: validate that the reported channel count matches the actual output channel count (cherry picked from commit caa845851d790f894a2ccbe12580934f75545f92) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index b13d0795cd..baae9a321d 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -950,7 +950,12 @@ static int output_data_internal(MLPDecodeContext *m, unsigned int substr, int32_t *data_32 = (int32_t*) data; int16_t *data_16 = (int16_t*) data; - if (*data_size < (s->max_channel + 1) * s->blockpos * (is32 ? 4 : 2)) + if (m->avctx->channels != s->max_matrix_channel + 1) { + av_log(m->avctx, AV_LOG_ERROR, "channel count mismatch\n"); + return AVERROR_INVALIDDATA; + } + + if (*data_size < m->avctx->channels * s->blockpos * (is32 ? 4 : 2)) return -1; for (i = 0; i < s->blockpos; i++) { From 62cf52c8602efe8cf8c4713a8f44d5f76a908bb8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 12 Oct 2011 23:23:18 -0400 Subject: [PATCH 0554/1119] truespeech: check to make sure channels == 1 (cherry picked from commit 3e7a176759e8a8e66d65c779b47b5bba793dfd4e) Signed-off-by: Michael Niedermayer --- libavcodec/truespeech.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c index d903a0119e..b5f74662ba 100644 --- a/libavcodec/truespeech.c +++ b/libavcodec/truespeech.c @@ -56,6 +56,11 @@ static av_cold int truespeech_decode_init(AVCodecContext * avctx) { // TSContext *c = avctx->priv_data; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Unsupported channel count: %d\n", avctx->channels); + return AVERROR(EINVAL); + } + avctx->sample_fmt = AV_SAMPLE_FMT_S16; return 0; } From 5c18bcfd9cb6b4bbb40d487b52226ed5cf79320e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 13 Oct 2011 14:47:06 -0700 Subject: [PATCH 0555/1119] mov: Prevent illegal writes when chapter titles are very short. Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index cdba33dcb0..553abc246a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2402,14 +2402,21 @@ static void mov_read_chapters(AVFormatContext *s) // The samples could theoretically be in any encoding if there's an encd // atom following, but in practice are only utf-8 or utf-16, distinguished // instead by the presence of a BOM - ch = avio_rb16(sc->pb); - if (ch == 0xfeff) - avio_get_str16be(sc->pb, len, title, title_len); - else if (ch == 0xfffe) - avio_get_str16le(sc->pb, len, title, title_len); - else { - AV_WB16(title, ch); - get_strz(sc->pb, title + 2, len - 1); + if (!len) { + title[0] = 0; + } else { + ch = avio_rb16(sc->pb); + if (ch == 0xfeff) + avio_get_str16be(sc->pb, len, title, title_len); + else if (ch == 0xfffe) + avio_get_str16le(sc->pb, len, title, title_len); + else { + AV_WB16(title, ch); + if (len == 1 || len == 2) + title[len] = '0'; + else + get_strz(sc->pb, title + 2, len - 1); + } } ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title); From e58870a58749eb3266e16166d8370a5f2e960311 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 14 Oct 2011 10:38:42 -0700 Subject: [PATCH 0556/1119] mov: 10l: Terminate string with 0 not '0' (cherry picked from commit 7ad06beb2cf31d8a96f475361425d6cc95e8f176) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 553abc246a..a1aaf4a963 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2413,7 +2413,7 @@ static void mov_read_chapters(AVFormatContext *s) else { AV_WB16(title, ch); if (len == 1 || len == 2) - title[len] = '0'; + title[len] = 0; else get_strz(sc->pb, title + 2, len - 1); } From d51c7b4cbe022f6b3b026735dc7e29eb50bbf129 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 15 Oct 2011 00:03:55 +0200 Subject: [PATCH 0557/1119] matroskadec: fix out of bounds write Signed-off-by: Janne Grunau (cherry picked from commit 723229c11f1400e6a09c8a1c9c27193f376eb1d1) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 66d3e46b08..f5894124bc 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1811,7 +1811,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, lace_size[n] = lace_size[n - 1] + snum; total += lace_size[n]; } - lace_size[n] = size - total; + lace_size[laces - 1] = size - total; break; } } From d1166f03bea9da2f14fbbfcc6987e6cef0132da1 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:21:46 +0200 Subject: [PATCH 0558/1119] vp8: fix return value if update_dimensions fails Signed-off-by: Janne Grunau (cherry picked from commit f05c2fb6eb1f9ddaec3c07d1874ba62ec0891269) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a417ae3672..6e25876b01 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -273,7 +273,7 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size) if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height) { - if ((ret = update_dimensions(s, width, height) < 0)) + if ((ret = update_dimensions(s, width, height)) < 0) return ret; } From 5f5f36b52e21d9aed347aef73aefe473e7d31409 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:27:52 +0200 Subject: [PATCH 0559/1119] vp8: force reallocation in update_thread_context after frame size change Signed-off-by: Janne Grunau (cherry picked from commit 56535793810584f5b3ae59e62cea66fe22d0307d) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 6e25876b01..daaee83f2d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -33,6 +33,19 @@ # include "arm/vp8.h" #endif +static void free_buffers(VP8Context *s) +{ + av_freep(&s->macroblocks_base); + av_freep(&s->filter_strength); + av_freep(&s->intra4x4_pred_mode_top); + av_freep(&s->top_nnz); + av_freep(&s->edge_emu_buffer); + av_freep(&s->top_border); + av_freep(&s->segmentation_map); + + s->macroblocks = NULL; +} + static void vp8_decode_flush(AVCodecContext *avctx) { VP8Context *s = avctx->priv_data; @@ -45,15 +58,7 @@ static void vp8_decode_flush(AVCodecContext *avctx) } memset(s->framep, 0, sizeof(s->framep)); - av_freep(&s->macroblocks_base); - av_freep(&s->filter_strength); - av_freep(&s->intra4x4_pred_mode_top); - av_freep(&s->top_nnz); - av_freep(&s->edge_emu_buffer); - av_freep(&s->top_border); - av_freep(&s->segmentation_map); - - s->macroblocks = NULL; + free_buffers(s); } static int update_dimensions(VP8Context *s, int width, int height) @@ -1750,6 +1755,11 @@ static int vp8_decode_update_thread_context(AVCodecContext *dst, const AVCodecCo { VP8Context *s = dst->priv_data, *s_src = src->priv_data; + if (s->macroblocks_base && + (s_src->mb_width != s->mb_width || s_src->mb_height != s->mb_height)) { + free_buffers(s); + } + s->prob[0] = s_src->prob[!s_src->update_probabilities]; s->segmentation = s_src->segmentation; s->lf_delta = s_src->lf_delta; From d32f509de1c6bbd2b441cf1ce9fda08504bfae6f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:43:29 +0200 Subject: [PATCH 0560/1119] vp8: prevent read from uninitialized memory in decode_mvs Signed-off-by: Janne Grunau (cherry picked from commit 0f0b5d643401d4d83322eeee0e57eb5a226ef9ab) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index daaee83f2d..3217605e58 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -492,6 +492,7 @@ void decode_mvs(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y) AV_ZERO32(&near_mv[0]); AV_ZERO32(&near_mv[1]); + AV_ZERO32(&near_mv[2]); /* Process MB on top, left and top-left */ #define MV_EDGE_CHECK(n)\ From 15a7fe106cb4ae57cf9d36bb1ed2006b5a59ba16 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2011 23:46:06 +0200 Subject: [PATCH 0561/1119] pthread: copy coded frame dimensions in update_context_from_thread Signed-off-by: Janne Grunau (cherry picked from commit feadcd1bdcbb4601f4ff01878027264fde985ee1) Signed-off-by: Michael Niedermayer --- libavcodec/pthread.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index fb5c2f1e1e..4feecbaaed 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -332,6 +332,9 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, dst->height = src->height; dst->pix_fmt = src->pix_fmt; + dst->coded_width = src->coded_width; + dst->coded_height = src->coded_height; + dst->has_b_frames = src->has_b_frames; dst->idct_algo = src->idct_algo; dst->slice_count = src->slice_count; From e86e9f8b7acd8c68a3d4fefc803756d7ee8737eb Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 14 Oct 2011 18:27:59 -0700 Subject: [PATCH 0562/1119] avio: Check for invalid buffer length. (cherry picked from commit ab2940691ba76e1a9b0ce608db0dfc45021d741e) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index c6a67c3acc..1f79531559 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -778,13 +778,14 @@ int avio_get_str(AVIOContext *s, int maxlen, char *buf, int buflen) { int i; + if (buflen <= 0) + return AVERROR(EINVAL); // reserve 1 byte for terminating 0 buflen = FFMIN(buflen - 1, maxlen); for (i = 0; i < buflen; i++) if (!(buf[i] = avio_r8(s))) return i + 1; - if (buflen) - buf[i] = 0; + buf[i] = 0; for (; i < maxlen; i++) if (!avio_r8(s)) return i + 1; @@ -796,6 +797,8 @@ int avio_get_str(AVIOContext *s, int maxlen, char *buf, int buflen) {\ char* q = buf;\ int ret = 0;\ + if (buflen <= 0) \ + return AVERROR(EINVAL); \ while (ret + 1 < maxlen) {\ uint8_t tmp;\ uint32_t ch;\ From f531193690d91399dd99ae1bf61af311d9734f32 Mon Sep 17 00:00:00 2001 From: Matthew Einhorn Date: Wed, 24 Aug 2011 20:14:03 -0400 Subject: [PATCH 0563/1119] Fixes avpicture_layout to not write past buffer end. avpicture_get_size() returns the size of buffer required for avpicture_layout. For pseudo-paletted formats (gray8...) this size does not include the palette. However, avpicture_layout doesn't know this and still writes the palette. Consequently, avpicture_layout writes passed the length of the buffer. This fixes it by fixing avpicture_layout so that it doesn't write the palette for these formats. Signed-off-by: Matthew Einhorn Signed-off-by: Michael Niedermayer (cherry picked from commit e662b263d9c500270a8f1dc7e1b81b51d5bdfd4e) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 9aa584fa5c..04c58ca278 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -470,6 +470,16 @@ int avpicture_layout(const AVPicture* src, enum PixelFormat pix_fmt, int width, } } + switch (pix_fmt) { + case PIX_FMT_RGB8: + case PIX_FMT_BGR8: + case PIX_FMT_RGB4_BYTE: + case PIX_FMT_BGR4_BYTE: + case PIX_FMT_GRAY8: + // do not include palette for these pseudo-paletted formats + return size; + } + if (desc->flags & PIX_FMT_PAL) memcpy((unsigned char *)(((size_t)dest + 3) & ~3), src->data[1], 256 * 4); From feef77ec3a88baa830cfe71a17fe857339cc3ea3 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:40 +0200 Subject: [PATCH 0564/1119] mpegts: fix return value when enough ts packets have been parsed or when the first PMT has been seen. Signed-off-by: Michael Niedermayer (cherry picked from commit 49ec0c818dc3c1c293a582b57fb58ba611a10b32) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 82f422161e..da8f228426 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1083,7 +1083,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len // stop parsing after pmt, we found header if (!ts->stream->nb_streams) - ts->stop_parse = 1; + ts->stop_parse = 2; for(;;) { st = 0; @@ -1403,11 +1403,15 @@ static int handle_packets(MpegTSContext *ts, int nb_packets) ts->stop_parse = 0; packet_num = 0; for(;;) { - if (ts->stop_parse>0) - break; packet_num++; - if (nb_packets != 0 && packet_num >= nb_packets) + if (nb_packets != 0 && packet_num >= nb_packets || + ts->stop_parse > 1) { + ret = AVERROR(EAGAIN); break; + } + if (ts->stop_parse > 0) + break; + ret = read_packet(s, packet, ts->raw_packet_size); if (ret != 0) return ret; From cbfd34246cdddc58a627dd10fc563245601b2162 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 8 Oct 2011 23:40:41 +0200 Subject: [PATCH 0565/1119] mpegts: do not return from ff_mpegts_parse_packet() after having seen the first PMT It prevents leaving the AVPacket uninitialized. Signed-off-by: Michael Niedermayer (cherry picked from commit bc38e83793be5f7a184c88be55e556453a25224b) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index da8f228426..618bd8f1b4 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1862,10 +1862,8 @@ int ff_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, len1 = len; ts->pkt = pkt; - ts->stop_parse = 0; for(;;) { - if (ts->stop_parse>0) - break; + ts->stop_parse = 0; if (len < TS_PACKET_SIZE) return -1; if (buf[0] != 0x47) { @@ -1875,6 +1873,8 @@ int ff_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, handle_packet(ts, buf); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; + if (ts->stop_parse == 1) + break; } } return len1 - len; From e1ea35fb52d0ad2466c9c0565d99210df3f97237 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 15 Sep 2011 18:08:52 -0400 Subject: [PATCH 0566/1119] shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4c1abe8e4c..8ebe033454 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -113,6 +113,7 @@ static int allocate_buffers(ShortenContext *s) { int i, chan; int *coeffs; + void *tmp_ptr; for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ @@ -124,9 +125,15 @@ static int allocate_buffers(ShortenContext *s) return -1; } - s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->offset[chan] = tmp_ptr; - s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->decoded[chan] = tmp_ptr; for (i=0; inwrap; i++) s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; @@ -284,8 +291,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, int i, input_buf_size = 0; int16_t *samples = data; if(s->max_framesize == 0){ + void *tmp_ptr; s->max_framesize= 1024; // should hopefully be enough for the first header - s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); + tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, + s->max_framesize); + if (!tmp_ptr) { + av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); + return AVERROR(ENOMEM); + } + s->bitstream = tmp_ptr; } if(1 && s->max_framesize){//FIXME truncated From b08001e00ac4be3dd586825d135b30bdf389d7b0 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 16 Sep 2011 18:01:28 -0400 Subject: [PATCH 0567/1119] shorten: check output buffer size before decoding Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 8ebe033454..0b9d420d86 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -481,6 +481,12 @@ static int shorten_decode_frame(AVCodecContext *avctx, s->cur_chan++; if (s->cur_chan == s->channels) { + int out_size = s->blocksize * s->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded); s->cur_chan = 0; goto frame_done; From 93f1159af5221e23c749be8fa0d3df3ef7a93fd0 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 3 Nov 2011 15:55:52 -0700 Subject: [PATCH 0568/1119] vp6: Fix illegal read. (cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 3721d52192..c66d2e74ff 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -374,7 +374,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) if (b > 3) pt = 1; vlc_coeff = &s->dccv_vlc[pt]; - for (coeff_idx=0; coeff_idx<64; ) { + for (coeff_idx = 0;;) { int run = 1; if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) { s->nb_null[coeff_idx][pt]--; @@ -411,6 +411,8 @@ static void vp6_parse_coeff_huffman(VP56Context *s) } } coeff_idx+=run; + if (coeff_idx >= 64) + break; cg = FFMIN(vp6_coeff_groups[coeff_idx], 3); vlc_coeff = &s->ract_vlc[pt][ct][cg]; } From e9de2d98a904aa6f13fd07cb776850569e110f22 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 19:50:41 -0400 Subject: [PATCH 0569/1119] twinvq: check output buffer size before decoding (cherry picked from commit e53eecd0e7211973a1a9757f559bdd93a1848901) Signed-off-by: Michael Niedermayer --- libavcodec/twinvq.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index f8e75bb933..7be13bcf0c 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, const ModeTab *mtab = tctx->mtab; float *out = data; enum FrameType ftype; - int window_type; + int window_type, out_size; static const enum FrameType wtype_to_ftype_table[] = { FT_LONG, FT_LONG, FT_SHORT, FT_LONG, FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM @@ -835,6 +835,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } + out_size = mtab->size * avctx->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + init_get_bits(&gb, buf, buf_size * 8); skip_bits(&gb, get_bits(&gb, 8)); window_type = get_bits(&gb, WINDOW_TYPE_BITS); @@ -857,7 +864,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } - *data_size = mtab->size*avctx->channels*4; + *data_size = out_size; return buf_size; } From 2137d99086b36b95f589ec19ab3f906d32d31b4a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 19:56:58 -0400 Subject: [PATCH 0570/1119] vorbisdec: check output buffer size before writing output (cherry picked from commit 60aa1a358d9c1c8f891e72246d5dcd897857eca8) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 024c8fd3cf..8f16d3a5a5 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1605,7 +1605,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vorbis_context *vc = avccontext->priv_data ; GetBitContext *gb = &(vc->gb); const float *channel_ptrs[255]; - int i, len; + int i, len, out_size; if (!buf_size) return 0; @@ -1630,6 +1630,13 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n", get_bits_count(gb) / 8, get_bits_count(gb) % 8, len); + out_size = len * vc->audio_channels * + av_get_bytes_per_sample(avccontext->sample_fmt); + if (*data_size < out_size) { + av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + if (vc->audio_channels > 8) { for (i = 0; i < vc->audio_channels; i++) channel_ptrs[i] = vc->channel_floors + i * len; @@ -1645,8 +1652,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len, vc->audio_channels); - *data_size = len * vc->audio_channels * - av_get_bytes_per_sample(avccontext->sample_fmt); + *data_size = out_size; return buf_size ; } From 241f15f1c93f5bd661a187e42644220fd89ea7de Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 19:22:06 -0400 Subject: [PATCH 0571/1119] tta: check for extradata allocation failure in tta demuxer (cherry picked from commit f540ca22c5fb4504d959c295f55591a9ec2a8859) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/tta.c b/libavformat/tta.c index c37039d0da..9df9763c74 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -107,6 +107,10 @@ static int tta_read_header(AVFormatContext *s, AVFormatParameters *ap) return -1; } st->codec->extradata = av_mallocz(st->codec->extradata_size+FF_INPUT_BUFFER_PADDING_SIZE); + if (!st->codec->extradata) { + st->codec->extradata_size = 0; + return AVERROR(ENOMEM); + } avio_seek(s->pb, start_offset, SEEK_SET); avio_read(s->pb, st->codec->extradata, st->codec->extradata_size); From 6ae93d030476ddd7fa2ab4d9d2dd25df85725390 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Oct 2011 14:31:53 +0200 Subject: [PATCH 0572/1119] resample: Fix overflow Found-by: Jim Radford Signed-off-by: Michael Niedermayer --- libavcodec/resample2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c index b940059d84..fc8ffea466 100644 --- a/libavcodec/resample2.c +++ b/libavcodec/resample2.c @@ -207,8 +207,10 @@ AVResampleContext *av_resample_init(int out_rate, int in_rate, int filter_size, memcpy(&c->filter_bank[c->filter_length*phase_count+1], c->filter_bank, (c->filter_length-1)*sizeof(FELEM)); c->filter_bank[c->filter_length*phase_count]= c->filter_bank[c->filter_length - 1]; - c->src_incr= out_rate; - c->ideal_dst_incr= c->dst_incr= in_rate * phase_count; + if(!av_reduce(&c->src_incr, &c->dst_incr, out_rate, in_rate * (int64_t)phase_count, INT32_MAX/2)) + goto error; + c->ideal_dst_incr= c->dst_incr; + c->index= -phase_count*((c->filter_length-1)/2); return c; From a39b5e8b323785695fb0e3c0f30bd9e24287db87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Oct 2011 14:34:45 +0200 Subject: [PATCH 0573/1119] resample2: fix potential overflow Signed-off-by: Michael Niedermayer --- libavcodec/resample2.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/resample2.c b/libavcodec/resample2.c index fc8ffea466..5c425587ab 100644 --- a/libavcodec/resample2.c +++ b/libavcodec/resample2.c @@ -248,10 +248,9 @@ int av_resample(AVResampleContext *c, short *dst, short *src, int *consumed, int dst[dst_index] = src[index2>>32]; index2 += incr; } - frac += dst_index * dst_incr_frac; index += dst_index * dst_incr; - index += frac / c->src_incr; - frac %= c->src_incr; + index += (frac + dst_index * (int64_t)dst_incr_frac) / c->src_incr; + frac = (frac + dst_index * (int64_t)dst_incr_frac) % c->src_incr; }else{ for(dst_index=0; dst_index < dst_size; dst_index++){ FELEM *filter= c->filter_bank + c->filter_length*(index & c->phase_mask); From edf3c5a3ebeee8df55c6a05f88a682091f10a364 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Oct 2011 15:26:45 +0200 Subject: [PATCH 0574/1119] resample: Fix array size Found-by: Jim Radford Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7db0a9ee758bf0570a141be1fea64f8d9c03db) Signed-off-by: Michael Niedermayer --- libavcodec/resample.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index 33413dbeaf..68e604ee92 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -326,9 +326,9 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl if (s->sample_fmt[1] != AV_SAMPLE_FMT_S16) { output_bak = output; - if (!s->buffer_size[1] || s->buffer_size[1] < lenout) { + if (!s->buffer_size[1] || s->buffer_size[1] < 2*lenout) { av_free(s->buffer[1]); - s->buffer_size[1] = lenout; + s->buffer_size[1] = 2*lenout; s->buffer[1] = av_malloc(s->buffer_size[1]); if (!s->buffer[1]) { av_log(s->resample_context, AV_LOG_ERROR, "Could not allocate buffer\n"); From 4a66fe21073e87079720b961c209ea55fc9234a3 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 27 Sep 2011 14:27:43 -0400 Subject: [PATCH 0575/1119] mpegaudiodec: check output data size based on avctx->frame_size Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 9fbae0c316..32dfd23bc1 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1801,8 +1801,8 @@ static int decode_frame(AVCodecContext * avctx, avctx->bit_rate = s->bit_rate; avctx->sub_id = s->layer; - if(*data_size < 1152*avctx->channels*sizeof(OUT_INT)) - return -1; + if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT)) + return AVERROR(EINVAL); *data_size = 0; if(s->frame_size<=0 || s->frame_size > buf_size){ @@ -1870,6 +1870,9 @@ static int decode_frame_adu(AVCodecContext * avctx, avctx->bit_rate = s->bit_rate; avctx->sub_id = s->layer; + if (*data_size < avctx->frame_size * avctx->channels * sizeof(OUT_INT)) + return AVERROR(EINVAL); + s->frame_size = len; if (avctx->parse_only) { From f19b8d95335a9fb616c7c1d806d3dd3abda031c9 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 11:47:15 -0400 Subject: [PATCH 0576/1119] apedec: check for filter buffer allocation failure (cherry picked from commit 7500781313d11b37772c05a28da20fbc112db478) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index f036c4a1d7..7cf72a00bd 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -163,6 +163,18 @@ typedef struct APEContext { // TODO: dsputilize +static av_cold int ape_decode_close(AVCodecContext * avctx) +{ + APEContext *s = avctx->priv_data; + int i; + + for (i = 0; i < APE_FILTER_LEVELS; i++) + av_freep(&s->filterbuf[i]); + + av_freep(&s->data); + return 0; +} + static av_cold int ape_decode_init(AVCodecContext * avctx) { APEContext *s = avctx->priv_data; @@ -195,25 +207,18 @@ static av_cold int ape_decode_init(AVCodecContext * avctx) for (i = 0; i < APE_FILTER_LEVELS; i++) { if (!ape_filter_orders[s->fset][i]) break; - s->filterbuf[i] = av_malloc((ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4); + FF_ALLOC_OR_GOTO(avctx, s->filterbuf[i], + (ape_filter_orders[s->fset][i] * 3 + HISTORY_SIZE) * 4, + filter_alloc_fail); } dsputil_init(&s->dsp, avctx); avctx->sample_fmt = AV_SAMPLE_FMT_S16; avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; return 0; -} - -static av_cold int ape_decode_close(AVCodecContext * avctx) -{ - APEContext *s = avctx->priv_data; - int i; - - for (i = 0; i < APE_FILTER_LEVELS; i++) - av_freep(&s->filterbuf[i]); - - av_freep(&s->data); - return 0; +filter_alloc_fail: + ape_decode_close(avctx); + return AVERROR(ENOMEM); } /** From 43fa5bf55ed5e1a26fff6d0cd434fb911250ee9a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 12:47:11 -0400 Subject: [PATCH 0577/1119] apedec: check for data buffer realloc failure (cherry picked from commit 11ca8b2d7486e879926488404b3b79af774f0f2d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7cf72a00bd..4c2d238b16 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -819,7 +819,10 @@ static int ape_decode_frame(AVCodecContext * avctx, } if(!s->samples){ - s->data = av_realloc(s->data, (buf_size + 3) & ~3); + void *tmp_data = av_realloc(s->data, (buf_size + 3) & ~3); + if (!tmp_data) + return AVERROR(ENOMEM); + s->data = tmp_data; s->dsp.bswap_buf((uint32_t*)s->data, (const uint32_t*)buf, buf_size >> 2); s->ptr = s->last_ptr = s->data; s->data_end = s->data + buf_size; From 998fc04bcfeeaa2b0885ee84e37bcd345797981a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 13:17:44 -0400 Subject: [PATCH 0578/1119] apedec: use unsigned int for 'nblocks' and make sure that it's within int range Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 4c2d238b16..260ef2efa0 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -802,7 +802,7 @@ static int ape_decode_frame(AVCodecContext * avctx, int buf_size = avpkt->size; APEContext *s = avctx->priv_data; int16_t *samples = data; - int nblocks; + uint32_t nblocks; int i, n; int blockstodecode; int bytes_used; @@ -838,9 +838,10 @@ static int ape_decode_frame(AVCodecContext * avctx, s->currentframeblocks = nblocks; buf += 4; - if (s->samples <= 0) { + if (!nblocks || nblocks > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks); *data_size = 0; - return buf_size; + return AVERROR_INVALIDDATA; } memset(s->decoded0, 0, sizeof(s->decoded0)); From ae2d3d6be01a520b1b3f71510359a99c82631751 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 11 Oct 2011 13:25:27 -0400 Subject: [PATCH 0579/1119] apedec: set s->currentframeblocks after validating nblocks --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 260ef2efa0..4d8a9401c1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -827,7 +827,7 @@ static int ape_decode_frame(AVCodecContext * avctx, s->ptr = s->last_ptr = s->data; s->data_end = s->data + buf_size; - nblocks = s->samples = bytestream_get_be32(&s->ptr); + nblocks = bytestream_get_be32(&s->ptr); n = bytestream_get_be32(&s->ptr); if(n < 0 || n > 3){ av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); @@ -836,13 +836,13 @@ static int ape_decode_frame(AVCodecContext * avctx, } s->ptr += n; - s->currentframeblocks = nblocks; buf += 4; if (!nblocks || nblocks > INT_MAX) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks); *data_size = 0; return AVERROR_INVALIDDATA; } + s->currentframeblocks = s->samples = nblocks; memset(s->decoded0, 0, sizeof(s->decoded0)); memset(s->decoded1, 0, sizeof(s->decoded1)); From 0ac6777a34f4e53b36dc6665826f94798d1e195f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 28 Oct 2011 23:50:04 -0700 Subject: [PATCH 0580/1119] vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 59 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index b9af998bc5..549f494ff6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -45,6 +45,7 @@ #define FRAGMENT_PIXELS 8 static av_cold int vp3_decode_end(AVCodecContext *avctx); +static void vp3_decode_flush(AVCodecContext *avctx); //FIXME split things out into their own arrays typedef struct Vp3Fragment { @@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, /* decode a VLC into a token */ token = get_vlc2(gb, vlc_table, 11, 3); /* use the token to get a zero run, a coefficient, and an eob run */ - if (token <= 6) { + if ((unsigned) token <= 6U) { eob_run = eob_run_base[token]; if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); @@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, coeff_i += eob_run; eob_run = 0; } - } else { + } else if (token >= 0) { bits_to_get = coeff_get_bits[token]; if (bits_to_get) bits_to_get = get_bits(gb, bits_to_get); @@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, for (i = coeff_index+1; i <= coeff_index+zero_run; i++) s->num_coded_frags[plane][i]--; coeff_i++; + } else { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid token %d\n", token); + return -1; } } @@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) /* unpack the Y plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) /* unpack the C plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the C-plane DC coefficients */ if (!(s->avctx->flags & CODEC_FLAG_GRAY)) @@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) for (i = 1; i <= 63; i++) { residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; } return 0; @@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; int qps_changed = 0, i, err; +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) + if (!s1->current_frame.data[0] ||s->width != s1->width - ||s->height!= s1->height) + ||s->height!= s1->height) { + if (s != s1) + copy_fields(s, s1, golden_frame, current_frame); return -1; + } if (s != s1) { // init tables if the first frame hasn't been decoded @@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1])); } -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) - // copy previous frame data copy_fields(s, s1, golden_frame, dsp); @@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) Vp3DecodeContext *s = avctx->priv_data; int i; - if (avctx->is_copy && !s->current_frame.data[0]) - return 0; - av_free(s->superblock_coding); av_free(s->all_fragments); av_free(s->coded_fragment_list[0]); @@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) free_vlc(&s->motion_vector_vlc); /* release all frames */ - if (s->golden_frame.data[0]) - ff_thread_release_buffer(avctx, &s->golden_frame); - if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY) - ff_thread_release_buffer(avctx, &s->last_frame); - /* no need to release the current_frame since it will always be pointing - * to the same frame as either the golden or last frame */ + vp3_decode_flush(avctx); return 0; } @@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->current_frame); } +static int vp3_init_thread_copy(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + s->superblock_coding = NULL; + s->all_fragments = NULL; + s->coded_fragment_list[0] = NULL; + s->dct_tokens_base = NULL; + s->superblock_fragments = NULL; + s->macroblock_coding = NULL; + s->motion_val[0] = NULL; + s->motion_val[1] = NULL; + s->edge_emu_buffer = NULL; + + return 0; +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2354,6 +2383,7 @@ AVCodec ff_theora_decoder = { NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; #endif @@ -2371,5 +2401,6 @@ AVCodec ff_vp3_decoder = { NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; From 346e089d25ba5f1f7509a7fbff6843471b7ccf6b Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 14 Oct 2011 00:16:31 -0400 Subject: [PATCH 0581/1119] atrac1: check output buffer size before decoding (cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e) Signed-off-by: Michael Niedermayer --- libavcodec/atrac1.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c index 1f4c36c141..9d37e4c866 100644 --- a/libavcodec/atrac1.c +++ b/libavcodec/atrac1.c @@ -276,7 +276,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AT1Ctx *q = avctx->priv_data; - int ch, ret, i; + int ch, ret, i, out_size; GetBitContext gb; float* samples = data; @@ -286,6 +286,13 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, return -1; } + out_size = q->channels * AT1_SU_SAMPLES * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + for (ch = 0; ch < q->channels; ch++) { AT1SUCtx* su = &q->SUs[ch]; @@ -318,7 +325,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, } } - *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples); + *data_size = out_size; return avctx->block_align; } From f98bb0d3ec73b047121bcdf172cc809ac3c47013 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 14 Oct 2011 00:24:50 -0400 Subject: [PATCH 0582/1119] atrac1: validate number of channels (cherry picked from commit bff5b2c1ca1290ea30587ff2f76171f9e3854872) Signed-off-by: Michael Niedermayer --- libavcodec/atrac1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c index 9d37e4c866..6897790307 100644 --- a/libavcodec/atrac1.c +++ b/libavcodec/atrac1.c @@ -336,6 +336,11 @@ static av_cold int atrac1_decode_init(AVCodecContext *avctx) avctx->sample_fmt = AV_SAMPLE_FMT_FLT; + if (avctx->channels < 1 || avctx->channels > AT1_MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Unsupported number of channels: %d\n", + avctx->channels); + return AVERROR(EINVAL); + } q->channels = avctx->channels; /* Init the mdct transforms */ From 8491677ab632f89f31bb26e48c8d1c429be07928 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 25 Oct 2011 13:47:50 -0400 Subject: [PATCH 0583/1119] binkaudio: add some buffer overread checks. This stops decoding before overreads instead of after. (cherry picked from commit 101ef19ef4dc9f5c3d536aee8fcc10fff2af4d9e) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 47 +++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index ff36458c7e..3b65a19261 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -153,11 +153,18 @@ static const uint8_t rle_length_tab[16] = { 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 64 }; +#define GET_BITS_SAFE(out, nbits) do { \ + if (get_bits_left(gb) < nbits) \ + return AVERROR_INVALIDDATA; \ + out = get_bits(gb, nbits); \ +} while (0) + /** * Decode Bink Audio block * @param[out] out Output buffer (must contain s->block_size elements) + * @return 0 on success, negative error code on failure */ -static void decode_block(BinkAudioContext *s, short *out, int use_dct) +static int decode_block(BinkAudioContext *s, short *out, int use_dct) { int ch, i, j, k; float q, quant[25]; @@ -170,13 +177,19 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) for (ch = 0; ch < s->channels; ch++) { FFTSample *coeffs = s->coeffs_ptr[ch]; if (s->version_b) { + if (get_bits_left(gb) < 64) + return AVERROR_INVALIDDATA; coeffs[0] = av_int2flt(get_bits(gb, 32)) * s->root; coeffs[1] = av_int2flt(get_bits(gb, 32)) * s->root; } else { + if (get_bits_left(gb) < 58) + return AVERROR_INVALIDDATA; coeffs[0] = get_float(gb) * s->root; coeffs[1] = get_float(gb) * s->root; } + if (get_bits_left(gb) < s->num_bands * 8) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_bands; i++) { /* constant is result of 0.066399999/log10(M_E) */ int value = get_bits(gb, 8); @@ -191,15 +204,20 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) while (i < s->frame_len) { if (s->version_b) { j = i + 16; - } else if (get_bits1(gb)) { - j = i + rle_length_tab[get_bits(gb, 4)] * 8; } else { - j = i + 8; + int v; + GET_BITS_SAFE(v, 1); + if (v) { + GET_BITS_SAFE(v, 4); + j = i + rle_length_tab[v] * 8; + } else { + j = i + 8; + } } j = FFMIN(j, s->frame_len); - width = get_bits(gb, 4); + GET_BITS_SAFE(width, 4); if (width == 0) { memset(coeffs + i, 0, (j - i) * sizeof(*coeffs)); i = j; @@ -209,9 +227,11 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) while (i < j) { if (s->bands[k] == i) q = quant[k++]; - coeff = get_bits(gb, width); + GET_BITS_SAFE(coeff, width); if (coeff) { - if (get_bits1(gb)) + int v; + GET_BITS_SAFE(v, 1); + if (v) coeffs[i] = -q * coeff; else coeffs[i] = q * coeff; @@ -247,6 +267,8 @@ static void decode_block(BinkAudioContext *s, short *out, int use_dct) s->overlap_len * s->channels * sizeof(*out)); s->first = 0; + + return 0; } static av_cold int decode_end(AVCodecContext *avctx) @@ -278,12 +300,17 @@ static int decode_frame(AVCodecContext *avctx, int reported_size; GetBitContext *gb = &s->gb; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + init_get_bits(gb, buf, buf_size * 8); reported_size = get_bits_long(gb, 32); - while (get_bits_count(gb) / 8 < buf_size && - samples + s->block_size <= samples_end) { - decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT); + while (samples + s->block_size <= samples_end) { + if (decode_block(s, samples, avctx->codec->id == CODEC_ID_BINKAUDIO_DCT)) + break; samples += s->block_size; get_bits_align32(gb); } From 711e6c947b728b23e84f15152fa59ef8ae20de63 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 27 Oct 2011 13:33:57 -0400 Subject: [PATCH 0584/1119] cin audio: validate the channel count Signed-off-by: Michael Niedermayer --- libavcodec/dsicinav.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index faca821c7d..d4dbb35472 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -310,6 +310,11 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx) CinAudioContext *cin = avctx->priv_data; cin->avctx = avctx; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Number of channels is not supported\n"); + return AVERROR_PATCHWELCOME; + } + cin->initial_decode_frame = 1; cin->delta = 0; avctx->sample_fmt = AV_SAMPLE_FMT_S16; From 0e3dec6b08b16307c2bc276d1b4f8b96ab52414e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 Oct 2011 22:42:45 +0100 Subject: [PATCH 0585/1119] asfdec: Check packet_replic_size earlier Signed-off-by: Michael Niedermayer (cherry picked from commit 60fcc19bff49e0b1972eae014afc087afd94a415) Signed-off-by: Michael Niedermayer --- libavformat/asfdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 033bdede13..be8885d904 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -808,6 +808,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0); DO_2BITS(asf->packet_property, asf->packet_replic_size, 0); //printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size); + if (rsize+asf->packet_replic_size > asf->packet_size_left) { + av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size); + return -1; + } if (asf->packet_replic_size >= 8) { asf->packet_obj_size = avio_rl32(pb); if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){ @@ -842,10 +846,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size); return -1; } - if (rsize > asf->packet_size_left) { - av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); - return -1; - } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal if (rsize > asf->packet_size_left) { From d8acee792f9d3b2c271d480e4d72ff7e558e0c66 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Mon, 31 Oct 2011 15:11:37 +0100 Subject: [PATCH 0586/1119] mp3enc: avoid truncating id3v1 tags by one byte Avoid writing the trailing null-byte for id3v1 tags if length reaches max length. Signed-off-by: Michael Niedermayer (cherry picked from commit 0f39fa0279e12c7a174d1da9294bffd95cb15c4c) Signed-off-by: Michael Niedermayer --- libavformat/mp3enc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index 50342bb950..76d1813172 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -51,11 +51,12 @@ static int id3v1_create_tag(AVFormatContext *s, uint8_t *buf) buf[0] = 'T'; buf[1] = 'A'; buf[2] = 'G'; - count += id3v1_set_string(s, "TIT2", buf + 3, 30); //title - count += id3v1_set_string(s, "TPE1", buf + 33, 30); //author|artist - count += id3v1_set_string(s, "TALB", buf + 63, 30); //album - count += id3v1_set_string(s, "TDRL", buf + 93, 4); //date - count += id3v1_set_string(s, "comment", buf + 97, 30); + /* we knowingly overspecify each tag length by one byte to compensate for the mandatory null byte added by av_strlcpy */ + count += id3v1_set_string(s, "TIT2", buf + 3, 30 + 1); //title + count += id3v1_set_string(s, "TPE1", buf + 33, 30 + 1); //author|artist + count += id3v1_set_string(s, "TALB", buf + 63, 30 + 1); //album + count += id3v1_set_string(s, "TDRL", buf + 93, 4 + 1); //date + count += id3v1_set_string(s, "comment", buf + 97, 30 + 1); if ((tag = av_dict_get(s->metadata, "TRCK", NULL, 0))) { //track buf[125] = 0; buf[126] = atoi(tag->value); From 864581fea3afb40f1d40cee000da30be54ec049d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Nov 2011 14:46:18 +0100 Subject: [PATCH 0587/1119] configure: fix arch x86_32 Signed-off-by: Michael Niedermayer (cherry picked from commit 078811d9e484892e3ad49819148fe6ae65a1954b) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index be2f721f7a..822c500eab 100755 --- a/configure +++ b/configure @@ -2203,7 +2203,7 @@ case "$arch" in arch="sparc" subarch="sparc64" ;; - i[3-6]86|i86pc|BePC|x86pc|x86_64|amd64) + i[3-6]86|i86pc|BePC|x86pc|x86_64|x86_32|amd64) arch="x86" ;; esac From 112431705d82eea875635641185a8aee27bcd86e Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 28 Oct 2011 00:52:36 -0400 Subject: [PATCH 0588/1119] libgsmdec: check output buffer size before decoding (cherry picked from commit b03761b1309293bbf30edef767503875277b01cf) Signed-off-by: Michael Niedermayer --- libavcodec/libgsm.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/libgsm.c b/libavcodec/libgsm.c index 1f76f82d55..073cf4498d 100644 --- a/libavcodec/libgsm.c +++ b/libavcodec/libgsm.c @@ -141,18 +141,25 @@ static int libgsm_decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; + int out_size = avctx->frame_size * av_get_bytes_per_sample(avctx->sample_fmt); + + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + *data_size = 0; /* In case of error */ if(buf_size < avctx->block_align) return -1; switch(avctx->codec_id) { case CODEC_ID_GSM: if(gsm_decode(avctx->priv_data,buf,data)) return -1; - *data_size = GSM_FRAME_SIZE*sizeof(int16_t); break; case CODEC_ID_GSM_MS: if(gsm_decode(avctx->priv_data,buf,data) || gsm_decode(avctx->priv_data,buf+33,((int16_t*)data)+GSM_FRAME_SIZE)) return -1; - *data_size = GSM_FRAME_SIZE*sizeof(int16_t)*2; } + + *data_size = out_size; return avctx->block_align; } From 5a3f494466afb9eb9c20e69fa92dfdbae386573a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 28 Oct 2011 18:25:49 -0400 Subject: [PATCH 0589/1119] imc: check for ff_fft_init() failure (cherry picked from commit 95fee70d6773fde1c34ff6422f48e5e66f37f263) Signed-off-by: Michael Niedermayer --- libavcodec/imc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index f08efe46ec..ea0318c371 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -104,7 +104,7 @@ static VLC_TYPE vlc_tables[VLC_TABLES_SIZE][2]; static av_cold int imc_decode_init(AVCodecContext * avctx) { - int i, j; + int i, j, ret; IMCContext *q = avctx->priv_data; double r1, r2; @@ -156,7 +156,10 @@ static av_cold int imc_decode_init(AVCodecContext * avctx) } q->one_div_log2 = 1/log(2); - ff_fft_init(&q->fft, 7, 1); + if ((ret = ff_fft_init(&q->fft, 7, 1))) { + av_log(avctx, AV_LOG_INFO, "FFT init failed\n"); + return ret; + } dsputil_init(&q->dsp, avctx); avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; From cba03dc66730cab43a4257bc027d35f09c393f62 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 28 Oct 2011 18:31:21 -0400 Subject: [PATCH 0590/1119] imc: validate channel count ask for a sample if not mono (cherry picked from commit 7b7f47e73356d113cace74b922eee0b6ff5ffe0b) Signed-off-by: Michael Niedermayer --- libavcodec/imc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index ea0318c371..bc1a6a9f3c 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -108,6 +108,11 @@ static av_cold int imc_decode_init(AVCodecContext * avctx) IMCContext *q = avctx->priv_data; double r1, r2; + if (avctx->channels != 1) { + av_log_ask_for_sample(avctx, "Number of channels is not supported\n"); + return AVERROR_PATCHWELCOME; + } + q->decoder_reset = 1; for(i = 0; i < BANDS; i++) From c4a34f402528502a857e134a670421048c388c93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2011 15:47:14 +0200 Subject: [PATCH 0591/1119] snow: emu edge support Fixes Ticket592 Signed-off-by: Michael Niedermayer (cherry picked from commit 4416931fc069332e267ab6df037a1227c051d7b1) Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 43a71904eb..86ab710f80 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -1917,8 +1917,6 @@ static void dwt_quantize(SnowContext *s, Plane *p, DWTELEM *buffer, int width, i static void halfpel_interpol(SnowContext *s, uint8_t *halfpel[4][4], AVFrame *frame){ int p,x,y; - assert(!(s->avctx->flags & CODEC_FLAG_EMU_EDGE)); - for(p=0; p<3; p++){ int is_chroma= !!p; int w= s->avctx->width >>is_chroma; @@ -1975,7 +1973,7 @@ static int frame_start(SnowContext *s){ int w= s->avctx->width; //FIXME round up to x16 ? int h= s->avctx->height; - if(s->current_picture.data[0]){ + if(s->current_picture.data[0] && !(s->avctx->flags&CODEC_FLAG_EMU_EDGE)){ s->dsp.draw_edges(s->current_picture.data[0], s->current_picture.linesize[0], w , h , EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM); From 1e1015fd223ff33a88585db13047ce766369c21b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Nov 2011 13:37:27 +0100 Subject: [PATCH 0592/1119] Version numbers for 0.8.6 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 7b5b0df3c2..b52216e198 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.5 +PROJECT_NUMBER = 0.8.6 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 7ada0d303f..7fc2521fd7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.5 +0.8.6 diff --git a/VERSION b/VERSION index 7ada0d303f..7fc2521fd7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.5 +0.8.6 From 8045254bacca54bc5bb242f43b72564037b8a50d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Nov 2011 22:05:34 +0100 Subject: [PATCH 0593/1119] update versions for 0.7 branch Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 24ceb58ecd..61156c4f62 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.6 +PROJECT_NUMBER = 0.7.7 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index c006218557..879be8a98f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.6 +0.7.7 diff --git a/VERSION b/VERSION index c006218557..879be8a98f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.6 +0.7.7 From 54e4bf32968546cee1b3842ada696763ee0d4a48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 19 Oct 2011 18:41:02 +0200 Subject: [PATCH 0594/1119] Do not call parse_keyframes_index with NULL stream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Seems to fix trac issue #569. Sample is unfortunately not available, but it might be caused by an index existing for non-existing audio stream (?). Signed-off-by: Reimar Döffinger (cherry picked from commit 6ea6ff053af2aff8a9a898292f9640efa9290c9f) --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a2a3c5c493..c48224b445 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -210,7 +210,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst case AMF_DATA_TYPE_OBJECT: { unsigned int keylen; - if (ioc->seekable && key && !strcmp(KEYFRAMES_TAG, key) && depth == 1) + if (vstream && ioc->seekable && key && !strcmp(KEYFRAMES_TAG, key) && depth == 1) if (parse_keyframes_index(s, ioc, vstream, max_pos) < 0) av_log(s, AV_LOG_ERROR, "Keyframe index parsing failed\n"); From d484a07f1cb2fd416dd4e733ee793a1603c507bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 19 Oct 2011 18:41:02 +0200 Subject: [PATCH 0595/1119] Do not call parse_keyframes_index with NULL stream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Seems to fix trac issue #569. Sample is unfortunately not available, but it might be caused by an index existing for non-existing audio stream (?). Signed-off-by: Reimar Döffinger (cherry picked from commit 6ea6ff053af2aff8a9a898292f9640efa9290c9f) --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a2a3c5c493..c48224b445 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -210,7 +210,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst case AMF_DATA_TYPE_OBJECT: { unsigned int keylen; - if (ioc->seekable && key && !strcmp(KEYFRAMES_TAG, key) && depth == 1) + if (vstream && ioc->seekable && key && !strcmp(KEYFRAMES_TAG, key) && depth == 1) if (parse_keyframes_index(s, ioc, vstream, max_pos) < 0) av_log(s, AV_LOG_ERROR, "Keyframe index parsing failed\n"); From fd30240e98eb7e4ebdae26c17f9e7e49c99de709 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Sluge=C5=88?= Date: Mon, 7 Nov 2011 12:13:55 +0100 Subject: [PATCH 0596/1119] libavformat: add support for G726 audio decoder in RTP and RTSP streams Fixes Ticket611 Signed-off-by: Michael Niedermayer (cherry picked from commit df9c1cfb48c2d8ddb3c11b4d1e8c4c33c6b0d8a2) --- libavformat/Makefile | 1 + libavformat/rtpdec.c | 5 ++ libavformat/rtpdec_formats.h | 4 ++ libavformat/rtpdec_g726.c | 94 ++++++++++++++++++++++++++++++++++++ 4 files changed, 104 insertions(+) create mode 100644 libavformat/rtpdec_g726.c diff --git a/libavformat/Makefile b/libavformat/Makefile index e5ec44bfb6..b84bb581e5 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -247,6 +247,7 @@ OBJS-$(CONFIG_RTPDEC) += rdt.o \ rtpdec.o \ rtpdec_amr.o \ rtpdec_asf.o \ + rtpdec_g726.o \ rtpdec_h263.o \ rtpdec_h264.o \ rtpdec_latm.o \ diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index 130a78d0d1..db96a46849 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -82,6 +82,11 @@ void av_register_rtp_dynamic_payload_handlers(void) ff_register_dynamic_payload_handler(&ff_qt_rtp_vid_handler); ff_register_dynamic_payload_handler(&ff_quicktime_rtp_aud_handler); ff_register_dynamic_payload_handler(&ff_quicktime_rtp_vid_handler); + + ff_register_dynamic_payload_handler(&ff_g726_16_dynamic_handler); + ff_register_dynamic_payload_handler(&ff_g726_24_dynamic_handler); + ff_register_dynamic_payload_handler(&ff_g726_32_dynamic_handler); + ff_register_dynamic_payload_handler(&ff_g726_40_dynamic_handler); } RTPDynamicProtocolHandler *ff_rtp_handler_find_by_name(const char *name, diff --git a/libavformat/rtpdec_formats.h b/libavformat/rtpdec_formats.h index 16f5a9d3e4..afd047be21 100644 --- a/libavformat/rtpdec_formats.h +++ b/libavformat/rtpdec_formats.h @@ -33,6 +33,10 @@ int ff_wms_parse_sdp_a_line(AVFormatContext *s, const char *p); extern RTPDynamicProtocolHandler ff_amr_nb_dynamic_handler; extern RTPDynamicProtocolHandler ff_amr_wb_dynamic_handler; +extern RTPDynamicProtocolHandler ff_g726_16_dynamic_handler; +extern RTPDynamicProtocolHandler ff_g726_24_dynamic_handler; +extern RTPDynamicProtocolHandler ff_g726_32_dynamic_handler; +extern RTPDynamicProtocolHandler ff_g726_40_dynamic_handler; extern RTPDynamicProtocolHandler ff_h263_1998_dynamic_handler; extern RTPDynamicProtocolHandler ff_h263_2000_dynamic_handler; extern RTPDynamicProtocolHandler ff_h264_dynamic_handler; diff --git a/libavformat/rtpdec_g726.c b/libavformat/rtpdec_g726.c new file mode 100644 index 0000000000..cde832b21a --- /dev/null +++ b/libavformat/rtpdec_g726.c @@ -0,0 +1,94 @@ +/* + * Copyright (c) 2011 Miroslav Slugeň + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "avformat.h" +#include "rtpdec_formats.h" + +static int g726_16_parse_sdp_line(AVFormatContext *s, int st_index, + PayloadContext *data, const char *line) +{ + AVStream *stream = s->streams[st_index]; + AVCodecContext *codec = stream->codec; + + codec->bit_rate = 16000; + + return 0; +} + +static int g726_24_parse_sdp_line(AVFormatContext *s, int st_index, + PayloadContext *data, const char *line) +{ + AVStream *stream = s->streams[st_index]; + AVCodecContext *codec = stream->codec; + + codec->bit_rate = 24000; + + return 0; +} + +static int g726_32_parse_sdp_line(AVFormatContext *s, int st_index, + PayloadContext *data, const char *line) +{ + AVStream *stream = s->streams[st_index]; + AVCodecContext *codec = stream->codec; + + codec->bit_rate = 32000; + + return 0; +} + +static int g726_40_parse_sdp_line(AVFormatContext *s, int st_index, + PayloadContext *data, const char *line) +{ + AVStream *stream = s->streams[st_index]; + AVCodecContext *codec = stream->codec; + + codec->bit_rate = 40000; + + return 0; +} + +RTPDynamicProtocolHandler ff_g726_16_dynamic_handler = { + .enc_name = "G726-16", + .codec_type = AVMEDIA_TYPE_AUDIO, + .codec_id = CODEC_ID_ADPCM_G726, + .parse_sdp_a_line = g726_16_parse_sdp_line, +}; + +RTPDynamicProtocolHandler ff_g726_24_dynamic_handler = { + .enc_name = "G726-24", + .codec_type = AVMEDIA_TYPE_AUDIO, + .codec_id = CODEC_ID_ADPCM_G726, + .parse_sdp_a_line = g726_24_parse_sdp_line, +}; + +RTPDynamicProtocolHandler ff_g726_32_dynamic_handler = { + .enc_name = "G726-32", + .codec_type = AVMEDIA_TYPE_AUDIO, + .codec_id = CODEC_ID_ADPCM_G726, + .parse_sdp_a_line = g726_32_parse_sdp_line, +}; + +RTPDynamicProtocolHandler ff_g726_40_dynamic_handler = { + .enc_name = "G726-40", + .codec_type = AVMEDIA_TYPE_AUDIO, + .codec_id = CODEC_ID_ADPCM_G726, + .parse_sdp_a_line = g726_40_parse_sdp_line, +}; From 0411b1928965050a940155984a16ad82fe462fc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 5 Nov 2011 21:45:31 +0100 Subject: [PATCH 0597/1119] av_lzo1x_decode: properly handle negative buffer length. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treating them like 0 is safest, current code would invoke undefined pointer arithmetic behaviour in this case. Signed-off-by: Reimar Döffinger (cherry picked from commit b9242fd12f4be4a79e31fd0aa125ab8a48226896) --- libavutil/lzo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 40a41a424d..8407d7d376 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -175,11 +175,11 @@ int av_lzo1x_decode(void *out, int *outlen, const void *in, int *inlen) { int state= 0; int x; LZOContext c; - if (!*outlen || !*inlen) { + if (*outlen <= 0 || *inlen <= 0) { int res = 0; - if (!*outlen) + if (*outlen <= 0) res |= AV_LZO_OUTPUT_FULL; - if (!*inlen) + if (*inlen <= 0) res |= AV_LZO_INPUT_DEPLETED; return res; } From d58c5586eca69dcfbce299dfb2e622dfc3319faa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 5 Nov 2011 22:34:09 +0100 Subject: [PATCH 0598/1119] nuv: Fix combination of size changes and LZO compression. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There were multiple issues, for example might we have to re-run the decompression when the size of the buffer increased, we should always use a decompression buffer large enough for the header (so we do not get stuck when the size is too small). Signed-off-by: Reimar Döffinger --- libavcodec/nuv.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 6eb6de3101..3381e275b1 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -20,6 +20,7 @@ */ #include #include +#include #include "libavutil/bswap.h" #include "libavutil/lzo.h" @@ -112,19 +113,23 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { - if (av_image_check_size(height, width, 0, avctx) < 0) - return 0; + // also reserve space for a possible additional header + int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING; + if (av_image_check_size(height, width, 0, avctx) < 0 || + buf_size > INT_MAX/8) + return -1; avctx->width = c->width = width; avctx->height = c->height = height; - av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2); + av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 0; + return AVERROR(ENOMEM); } rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); + return 1; } else if (quality != c->quality) rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); - return 1; + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, @@ -135,6 +140,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVFrame *picture = data; int orig_size = buf_size; int keyframe; + int size_change = 0; int result; enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1', NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3', @@ -172,18 +178,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, default: keyframe = 1; break; } +retry: // skip rest of the frameheader. buf = &buf[12]; buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { - int outlen = c->decomp_size, inlen = buf_size; + int outlen = c->decomp_size - AV_LZO_OUTPUT_PADDING, inlen = buf_size; if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); buf = c->decomp_buf; - buf_size = c->decomp_size; + buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING; } if (c->codec_frameheader) { - int w, h, q; + int w, h, q, res; if (buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); return -1; @@ -191,13 +198,20 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; - if (!codec_reinit(avctx, w, h, q)) - return -1; + res = codec_reinit(avctx, w, h, q); + if (res < 0) + return res; + if (res) { + buf = avpkt->data; + buf_size = avpkt->size; + size_change = 1; + goto retry; + } buf = &buf[12]; buf_size -= 12; } - if (keyframe && c->pic.data[0]) + if ((size_change || keyframe) && c->pic.data[0]) avctx->release_buffer(avctx, &c->pic); c->pic.reference = 3; c->pic.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_READABLE | @@ -259,7 +273,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { if (avctx->extradata_size) get_quant(avctx, c, avctx->extradata, avctx->extradata_size); dsputil_init(&c->dsp, avctx); - if (!codec_reinit(avctx, avctx->width, avctx->height, -1)) + if (codec_reinit(avctx, avctx->width, avctx->height, -1) < 0) return 1; return 0; } From 80a173a33b8abe961397834843881d90a1ddb2a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 5 Nov 2011 21:45:31 +0100 Subject: [PATCH 0599/1119] av_lzo1x_decode: properly handle negative buffer length. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treating them like 0 is safest, current code would invoke undefined pointer arithmetic behaviour in this case. Signed-off-by: Reimar Döffinger (cherry picked from commit b9242fd12f4be4a79e31fd0aa125ab8a48226896) (cherry picked from commit 0411b1928965050a940155984a16ad82fe462fc1) --- libavutil/lzo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 40a41a424d..8407d7d376 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -175,11 +175,11 @@ int av_lzo1x_decode(void *out, int *outlen, const void *in, int *inlen) { int state= 0; int x; LZOContext c; - if (!*outlen || !*inlen) { + if (*outlen <= 0 || *inlen <= 0) { int res = 0; - if (!*outlen) + if (*outlen <= 0) res |= AV_LZO_OUTPUT_FULL; - if (!*inlen) + if (*inlen <= 0) res |= AV_LZO_INPUT_DEPLETED; return res; } From 3970d4e72809d9c9bf4c463ba1a6ab2650e3252b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 5 Nov 2011 22:34:09 +0100 Subject: [PATCH 0600/1119] nuv: Fix combination of size changes and LZO compression. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There were multiple issues, for example might we have to re-run the decompression when the size of the buffer increased, we should always use a decompression buffer large enough for the header (so we do not get stuck when the size is too small). Signed-off-by: Reimar Döffinger --- libavcodec/nuv.c | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 6eb6de3101..3381e275b1 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -20,6 +20,7 @@ */ #include #include +#include #include "libavutil/bswap.h" #include "libavutil/lzo.h" @@ -112,19 +113,23 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { - if (av_image_check_size(height, width, 0, avctx) < 0) - return 0; + // also reserve space for a possible additional header + int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING; + if (av_image_check_size(height, width, 0, avctx) < 0 || + buf_size > INT_MAX/8) + return -1; avctx->width = c->width = width; avctx->height = c->height = height; - av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2); + av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 0; + return AVERROR(ENOMEM); } rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); + return 1; } else if (quality != c->quality) rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); - return 1; + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, @@ -135,6 +140,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVFrame *picture = data; int orig_size = buf_size; int keyframe; + int size_change = 0; int result; enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1', NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3', @@ -172,18 +178,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, default: keyframe = 1; break; } +retry: // skip rest of the frameheader. buf = &buf[12]; buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { - int outlen = c->decomp_size, inlen = buf_size; + int outlen = c->decomp_size - AV_LZO_OUTPUT_PADDING, inlen = buf_size; if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); buf = c->decomp_buf; - buf_size = c->decomp_size; + buf_size = c->decomp_size - AV_LZO_OUTPUT_PADDING; } if (c->codec_frameheader) { - int w, h, q; + int w, h, q, res; if (buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); return -1; @@ -191,13 +198,20 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; - if (!codec_reinit(avctx, w, h, q)) - return -1; + res = codec_reinit(avctx, w, h, q); + if (res < 0) + return res; + if (res) { + buf = avpkt->data; + buf_size = avpkt->size; + size_change = 1; + goto retry; + } buf = &buf[12]; buf_size -= 12; } - if (keyframe && c->pic.data[0]) + if ((size_change || keyframe) && c->pic.data[0]) avctx->release_buffer(avctx, &c->pic); c->pic.reference = 3; c->pic.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_READABLE | @@ -259,7 +273,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { if (avctx->extradata_size) get_quant(avctx, c, avctx->extradata, avctx->extradata_size); dsputil_init(&c->dsp, avctx); - if (!codec_reinit(avctx, avctx->width, avctx->height, -1)) + if (codec_reinit(avctx, avctx->width, avctx->height, -1) < 0) return 1; return 0; } From fe06305b0dc50835c39722629a685aee0e184af6 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 29 Jul 2011 20:19:04 +0200 Subject: [PATCH 0601/1119] vf_transpose: avoid multiple calls to avfilter_draw_slice() avfilter_draw_slice() is already called in the end_frame() callback, this avoids multiple calls. This is done by adding a null draw_slice() callback. In particular fix crash occurring with -vf transpose=3,hflip, fix trac issue #371. (cherry picked from commit d9c23a0d5a56488b146eef17a19a9b47643be333) --- libavfilter/vf_transpose.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 8b11ae8d53..f4f72b9c64 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -195,6 +195,8 @@ static void end_frame(AVFilterLink *inlink) avfilter_unref_buffer(outpic); } +static void null_draw_slice(AVFilterLink *link, int y, int h, int slice_dir) { } + AVFilter avfilter_vf_transpose = { .name = "transpose", .description = NULL_IF_CONFIG_SMALL("Transpose input video."), @@ -207,6 +209,7 @@ AVFilter avfilter_vf_transpose = { .inputs = (AVFilterPad[]) {{ .name = "default", .type = AVMEDIA_TYPE_VIDEO, .start_frame = start_frame, + .draw_slice = null_draw_slice, .end_frame = end_frame, .min_perms = AV_PERM_READ, }, { .name = NULL}}, From 87ae12009ea489c5c34e953b2b0194a8ba669fb2 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 29 Jul 2011 20:19:04 +0200 Subject: [PATCH 0602/1119] vf_transpose: avoid multiple calls to avfilter_draw_slice() avfilter_draw_slice() is already called in the end_frame() callback, this avoids multiple calls. This is done by adding a null draw_slice() callback. In particular fix crash occurring with -vf transpose=3,hflip, fix trac issue #371. (cherry picked from commit d9c23a0d5a56488b146eef17a19a9b47643be333) --- libavfilter/vf_transpose.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 8b11ae8d53..f4f72b9c64 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -195,6 +195,8 @@ static void end_frame(AVFilterLink *inlink) avfilter_unref_buffer(outpic); } +static void null_draw_slice(AVFilterLink *link, int y, int h, int slice_dir) { } + AVFilter avfilter_vf_transpose = { .name = "transpose", .description = NULL_IF_CONFIG_SMALL("Transpose input video."), @@ -207,6 +209,7 @@ AVFilter avfilter_vf_transpose = { .inputs = (AVFilterPad[]) {{ .name = "default", .type = AVMEDIA_TYPE_VIDEO, .start_frame = start_frame, + .draw_slice = null_draw_slice, .end_frame = end_frame, .min_perms = AV_PERM_READ, }, { .name = NULL}}, From 8a63deab15ef41fd439be1b46d8dcb73669ccfc1 Mon Sep 17 00:00:00 2001 From: Thierry Foucu Date: Thu, 17 Nov 2011 09:39:52 -0800 Subject: [PATCH 0603/1119] vp6: Fix illegal read. Found with Address Sanitizer Signed-off-by: Alex Converse (cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index c66d2e74ff..bcb437db57 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -440,7 +440,8 @@ static void vp6_parse_coeff(VP56Context *s) model1 = model->coeff_dccv[pt]; model2 = model->coeff_dcct[pt][ctx]; - for (coeff_idx=0; coeff_idx<64; ) { + coeff_idx = 0; + for (;;) { if ((coeff_idx>1 && ct==0) || vp56_rac_get_prob(c, model2[0])) { /* parse a coeff */ if (vp56_rac_get_prob(c, model2[2])) { @@ -481,8 +482,10 @@ static void vp6_parse_coeff(VP56Context *s) run += vp56_rac_get_prob(c, model3[i+8]) << i; } } - - cg = vp6_coeff_groups[coeff_idx+=run]; + coeff_idx += run; + if (coeff_idx >= 64) + break; + cg = vp6_coeff_groups[coeff_idx]; model1 = model2 = model->coeff_ract[pt][ct][cg]; } From f62fa1ce9f12e4a43b41401a7416c6fa8da579c9 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 17 Nov 2011 10:06:14 -0800 Subject: [PATCH 0604/1119] vp5: Fix illegal read. Found with Address Sanitizer (cherry picked from commit bb4b0ad83b13c3af57675e80163f3f333adef96f) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index f1b0169ae1..47a82e0253 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -183,7 +183,8 @@ static void vp5_parse_coeff(VP56Context *s) model1 = model->coeff_dccv[pt]; model2 = model->coeff_dcct[pt][ctx]; - for (coeff_idx=0; coeff_idx<64; ) { + coeff_idx = 0; + for (;;) { if (vp56_rac_get_prob(c, model2[0])) { if (vp56_rac_get_prob(c, model2[2])) { if (vp56_rac_get_prob(c, model2[3])) { @@ -220,8 +221,11 @@ static void vp5_parse_coeff(VP56Context *s) ct = 0; s->coeff_ctx[vp56_b6to4[b]][coeff_idx] = 0; } + coeff_idx++; + if (coeff_idx >= 64) + break; - cg = vp5_coeff_groups[++coeff_idx]; + cg = vp5_coeff_groups[coeff_idx]; ctx = s->coeff_ctx[vp56_b6to4[b]][coeff_idx]; model1 = model->coeff_ract[pt][ct][cg]; model2 = cg > 2 ? model1 : model->coeff_acct[pt][ct][cg][ctx]; From 4e0fae982e5317b3fbaae5e506c75237dbe77214 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Nov 2011 23:45:28 +0100 Subject: [PATCH 0605/1119] vf_transpose: remove pix_fmts which can currently not be supported. Signed-off-by: Michael Niedermayer (cherry picked from commit 3fd0f6ed252e51ffaec7765a2637794366a513ba) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index f4f72b9c64..64e1ab5e3e 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -69,16 +69,13 @@ static int query_formats(AVFilterContext *ctx) PIX_FMT_BGR555BE, PIX_FMT_BGR555LE, PIX_FMT_GRAY16BE, PIX_FMT_GRAY16LE, PIX_FMT_YUV420P16LE, PIX_FMT_YUV420P16BE, - PIX_FMT_YUV422P16LE, PIX_FMT_YUV422P16BE, PIX_FMT_YUV444P16LE, PIX_FMT_YUV444P16BE, PIX_FMT_NV12, PIX_FMT_NV21, PIX_FMT_RGB8, PIX_FMT_BGR8, PIX_FMT_RGB4_BYTE, PIX_FMT_BGR4_BYTE, - PIX_FMT_YUV444P, PIX_FMT_YUV422P, + PIX_FMT_YUV444P, PIX_FMT_YUVJ444P, PIX_FMT_YUV420P, PIX_FMT_YUVJ420P, - PIX_FMT_YUV411P, PIX_FMT_YUV410P, - PIX_FMT_YUVJ444P, PIX_FMT_YUVJ422P, - PIX_FMT_YUV440P, PIX_FMT_YUVJ440P, + PIX_FMT_YUV410P, PIX_FMT_YUVA420P, PIX_FMT_GRAY8, PIX_FMT_NONE }; From e5578ad3cd96211f48d3d3ed4894f15f82045c1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Nov 2011 01:20:35 +0100 Subject: [PATCH 0606/1119] v4l2: fix uninitialized variable Signed-off-by: Michael Niedermayer --- libavdevice/v4l2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 7223654891..163a4cdc03 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -439,7 +439,7 @@ static int v4l2_set_parameters(AVFormatContext *s1, AVFormatParameters *ap) struct v4l2_streamparm streamparm = {0}; struct v4l2_fract *tpf = &streamparm.parm.capture.timeperframe; int i, ret; - AVRational fps; + AVRational fps={0}; streamparm.type = V4L2_BUF_TYPE_VIDEO_CAPTURE; From abaf8c386e6bc5080f5349b66ba31b42110ad84f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Nov 2011 03:14:13 +0100 Subject: [PATCH 0607/1119] ffplay: limit lowres to the maximum supported. Fixes Ticket591 Signed-off-by: Michael Niedermayer Signed-off-by: Marton Balint (cherry picked from commit d8407ee2b1e9f62763a2f47d55f80f7993718c99) Signed-off-by: Michael Niedermayer --- ffplay.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ffplay.c b/ffplay.c index 6ac8f34fa0..cf7962aa89 100644 --- a/ffplay.c +++ b/ffplay.c @@ -2135,7 +2135,12 @@ static int stream_component_open(VideoState *is, int stream_index) avctx->workaround_bugs = workaround_bugs; avctx->lowres = lowres; - if(lowres) avctx->flags |= CODEC_FLAG_EMU_EDGE; + if(avctx->lowres > codec->max_lowres){ + av_log(avctx, AV_LOG_WARNING, "The maximum value for lowres supported by the decoder is %d\n", + codec->max_lowres); + avctx->lowres= codec->max_lowres; + } + if(avctx->lowres) avctx->flags |= CODEC_FLAG_EMU_EDGE; avctx->idct_algo= idct; if(fast) avctx->flags2 |= CODEC_FLAG2_FAST; avctx->skip_frame= skip_frame; From 807342e1cfe8a33dbe929d896d56725f88514324 Mon Sep 17 00:00:00 2001 From: "K.Y.H" Date: Fri, 11 Nov 2011 00:30:39 +0100 Subject: [PATCH 0608/1119] cook: fix apparent typo in extradata parsing Signed-off-by: Michael Niedermayer (cherry picked from commit 554caed2d397e137286f2cc71c6bac477b41fa96) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 192ec5bdf1..96b889380a 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1079,7 +1079,7 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->subpacket[s].subbands = bytestream_get_be16(&edata_ptr); extradata_size -= 8; } - if (avctx->extradata_size >= 8){ + if (extradata_size >= 8){ bytestream_get_be32(&edata_ptr); //Unknown unused q->subpacket[s].js_subband_start = bytestream_get_be16(&edata_ptr); q->subpacket[s].js_vlc_bits = bytestream_get_be16(&edata_ptr); From 00d35e82b2500f69db9d482db76e8c2f53521f2d Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 12 Nov 2011 19:30:27 +0100 Subject: [PATCH 0609/1119] Do not try to read 16bit gray png files with alpha channel. FFmpeg does not support gray16a. Fixes the crash in ticket #644. (cherry picked from commit 0c5fd6372e6c257912d7ae64cbfc4d8541f0452f) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 05ba027802..f8ebb1b02d 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -471,7 +471,8 @@ static int decode_frame(AVCodecContext *avctx, avctx->pix_fmt = PIX_FMT_MONOBLACK; } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = PIX_FMT_PAL8; - } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { avctx->pix_fmt = PIX_FMT_GRAY8A; } else { goto fail; From fdd09e5d7b2b0fff9458e287c41aea2e89359b23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Nov 2011 03:31:25 +0100 Subject: [PATCH 0610/1119] wma: Check channel number before init. Fixes Ticket240 Based on patch by ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 20431a9982b9bd2c475042d919890a941ad70c71) Signed-off-by: Michael Niedermayer --- libavcodec/wmadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 9eaf230b01..11895a3996 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -109,6 +109,11 @@ static int wma_decode_init(AVCodecContext * avctx) } } + if(avctx->channels > MAX_CHANNELS){ + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels (%d)\n", avctx->channels); + return -1; + } + if(ff_wma_init(avctx, flags2)<0) return -1; From 211a107208ee636da81d2a89592181e2d78a0c8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Nov 2011 17:21:42 +0100 Subject: [PATCH 0611/1119] cinepak: check strip_size Signed-off-by: Michael Niedermayer (cherry picked from commit cea0c82d9b9771dfa2ac729c13c0d9e03ea352a7) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 0b822d2b7a..6d1061b558 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -366,6 +366,8 @@ static int cinepak_decode (CinepakContext *s) s->strips[i].x2 = s->avctx->width; strip_size = AV_RB24 (&s->data[1]) - 12; + if(strip_size < 0) + return -1; s->data += 12; strip_size = ((s->data + strip_size) > eod) ? (eod - s->data) : strip_size; From 8120a1d9bd4bcc4434b4f588f50c9d81aa8ad0e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 17:56:24 +0100 Subject: [PATCH 0612/1119] qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones() This is neccessary but likely not sufficient to prevent out of array reads. Signed-off-by: Michael Niedermayer (cherry picked from commit 14db3af4f26dad8e6ddf2147e96ccc710952ad4d) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 144ce98042..3aa9e5b6c3 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1327,7 +1327,7 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * local_int_10 = 1 << (q->group_order - duration - 1); offset = 1; - while (1) { + while (get_bits_left(gb)>0) { if (q->superblocktype_2_3) { while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) { offset = 1; From 91805f06a39ca82e1463ebce578452d0e2f22bf6 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 27 Oct 2011 01:38:21 +0200 Subject: [PATCH 0613/1119] rawdec: add check on sample_rate Prevent error condition in case sample_rate is unset or set to a negative value. In particular, fix divide-by-zero error occurring in ffmpeg due to sample_rate set to 0 in output_packet(), in code: ist->next_pts += ((int64_t)AV_TIME_BASE * ist->st->codec->frame_size) / ist->st->codec->sample_rate; Fix trac ticket #324. Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index a4e009b7e0..02e335ad1b 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -59,6 +59,12 @@ int ff_raw_read_header(AVFormatContext *s, AVFormatParameters *ap) if (s1->sample_rate) st->codec->sample_rate = s1->sample_rate; + if (st->codec->sample_rate <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid sample rate %d specified\n", + st->codec->sample_rate); + return AVERROR(EINVAL); + } + if (s1->channels) st->codec->channels = s1->channels; From 64a854d06bb36bd417bdd1ea16567732dc890ad3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 22:34:41 +0100 Subject: [PATCH 0614/1119] rawdec: use a default sample rate if none is specified. Fixes "ffmpeg -f s16le -i /dev/zero" Signed-off-by: Michael Niedermayer (cherry picked from commit fca85ce5ecc8acba6a5cf10c5f99e932b26c6367) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index 02e335ad1b..d4383d5b49 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -60,9 +60,9 @@ int ff_raw_read_header(AVFormatContext *s, AVFormatParameters *ap) if (s1->sample_rate) st->codec->sample_rate = s1->sample_rate; if (st->codec->sample_rate <= 0) { - av_log(s, AV_LOG_ERROR, "Invalid sample rate %d specified\n", + av_log(s, AV_LOG_WARNING, "Invalid sample rate %d specified using default of 44100\n", st->codec->sample_rate); - return AVERROR(EINVAL); + st->codec->sample_rate= 44100; } if (s1->channels) From 47953c33ea8dc3b5da1903b0c5055043b82db3e7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 22 May 2011 14:10:49 +0200 Subject: [PATCH 0615/1119] lavc: introduce avcodec_open2() as a replacement for avcodec_open(). Adds support for decoder-private options and makes setting other options simpler. (cherry picked from commit 0b950fe240936fa48fd41204bcfd04f35bbf39c3) Conflicts: libavcodec/avcodec.h Signed-off-by: Anton Khirnov --- ffprobe.c | 2 +- ffserver.c | 2 +- libavcodec/avcodec.h | 39 ++++++++++++++++++++++++++++++++++++++ libavcodec/mpegvideo_enc.c | 2 +- libavcodec/utils.c | 24 ++++++++++++++++++++++- libavcodec/version.h | 3 +++ libavfilter/vsrc_movie.c | 2 +- 7 files changed, 69 insertions(+), 5 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index edda454cde..cb4a4c3106 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -291,7 +291,7 @@ static int open_input_file(AVFormatContext **fmt_ctx_ptr, const char *filename) if (!(codec = avcodec_find_decoder(stream->codec->codec_id))) { fprintf(stderr, "Unsupported codec with id %d for input stream %d\n", stream->codec->codec_id, stream->index); - } else if (avcodec_open(stream->codec, codec) < 0) { + } else if (avcodec_open2(stream->codec, codec, NULL) < 0) { fprintf(stderr, "Error while opening codec for input stream %d\n", stream->index); } diff --git a/ffserver.c b/ffserver.c index 65a97b20cc..179cac4d96 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2116,7 +2116,7 @@ static void open_parser(AVFormatContext *s, int i) codec = avcodec_find_decoder(st->codec->codec_id); if (codec && (codec->capabilities & CODEC_CAP_PARSE_ONLY)) { st->codec->parse_only = 1; - if (avcodec_open(st->codec, codec) < 0) + if (avcodec_open2(st->codec, codec, NULL) < 0) st->codec->parse_only = 0; } } diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 0269892028..2dbdc86e6a 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -30,6 +30,7 @@ #include "libavutil/samplefmt.h" #include "libavutil/avutil.h" #include "libavutil/cpu.h" +#include "libavutil/dict.h" #include "libavcodec/version.h" @@ -3615,6 +3616,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, void *arg2, int, int),void *arg, int *ret, int count); //FIXME func typedef +#if FF_API_AVCODEC_OPEN /** * Initialize the AVCodecContext to use the given AVCodec. Prior to using this * function the context has to be allocated. @@ -3641,8 +3643,45 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, * @param codec The codec to use within the context. * @return zero on success, a negative value on error * @see avcodec_alloc_context, avcodec_find_decoder, avcodec_find_encoder, avcodec_close + * + * @deprecated use avcodec_open2 */ +attribute_deprecated int avcodec_open(AVCodecContext *avctx, AVCodec *codec); +#endif + +/** + * Initialize the AVCodecContext to use the given AVCodec. Prior to using this + * function the context has to be allocated with avcodec_alloc_context(). + * + * The functions avcodec_find_decoder_by_name(), avcodec_find_encoder_by_name(), + * avcodec_find_decoder() and avcodec_find_encoder() provide an easy way for + * retrieving a codec. + * + * @warning This function is not thread safe! + * + * @code + * avcodec_register_all(); + * av_dict_set(&opts, "b", "2.5M", 0); + * codec = avcodec_find_decoder(CODEC_ID_H264); + * if (!codec) + * exit(1); + * + * context = avcodec_alloc_context(); + * + * if (avcodec_open(context, codec, opts) < 0) + * exit(1); + * @endcode + * + * @param avctx The context to initialize. + * @param options A dictionary filled with AVCodecContext and codec-private options. + * On return this object will be filled with options that were not found. + * + * @return zero on success, a negative value on error + * @see avcodec_alloc_context3(), avcodec_find_decoder(), avcodec_find_encoder(), + * av_dict_set(), av_opt_find(). + */ +int avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVDictionary **options); /** * Decode the audio frame of size avpkt->size from avpkt->data into samples. diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index b5a1872eb1..51713a223f 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -972,7 +972,7 @@ static int estimate_best_b_count(MpegEncContext *s){ c->time_base= s->avctx->time_base; c->max_b_frames= s->max_b_frames; - if (avcodec_open(c, codec) < 0) + if (avcodec_open2(c, codec, NULL) < 0) return -1; for(i=0; imax_b_frames+2; i++){ diff --git a/libavcodec/utils.c b/libavcodec/utils.c index bbed7263ab..b264fe422e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -32,6 +32,7 @@ #include "libavutil/audioconvert.h" #include "libavutil/imgutils.h" #include "libavutil/samplefmt.h" +#include "libavutil/dict.h" #include "avcodec.h" #include "dsputil.h" #include "libavutil/opt.h" @@ -467,9 +468,20 @@ AVFrame *avcodec_alloc_frame(void){ return pic; } +#if FF_API_AVCODEC_OPEN int attribute_align_arg avcodec_open(AVCodecContext *avctx, AVCodec *codec) +{ + return avcodec_open2(avctx, codec, NULL); +} +#endif + +int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVDictionary **options) { int ret = 0; + AVDictionary *tmp = NULL; + + if (options) + av_dict_copy(&tmp, *options, 0); /* If there is a user-supplied mutex locking routine, call it. */ if (ff_lockmgr_cb) { @@ -496,14 +508,18 @@ int attribute_align_arg avcodec_open(AVCodecContext *avctx, AVCodec *codec) ret = AVERROR(ENOMEM); goto end; } - if(codec->priv_class){ //this can be droped once all user apps use avcodec_get_context_defaults3() + if (codec->priv_class) { *(AVClass**)avctx->priv_data= codec->priv_class; av_opt_set_defaults(avctx->priv_data); } } + if (codec->priv_class && (ret = av_opt_set_dict(avctx->priv_data, &tmp) < 0)) + goto free_and_end; } else { avctx->priv_data = NULL; } + if ((ret = av_opt_set_dict(avctx, &tmp)) < 0) + goto free_and_end; if(avctx->coded_width && avctx->coded_height) avcodec_set_dimensions(avctx, avctx->coded_width, avctx->coded_height); @@ -615,8 +631,14 @@ end: if (ff_lockmgr_cb) { (*ff_lockmgr_cb)(&codec_mutex, AV_LOCK_RELEASE); } + if (options) { + av_dict_free(options); + *options = tmp; + } + return ret; free_and_end: + av_dict_free(&tmp); av_freep(&avctx->priv_data); avctx->codec= NULL; goto end; diff --git a/libavcodec/version.h b/libavcodec/version.h index aded68e83e..f4a0ecd868 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -68,5 +68,8 @@ #ifndef FF_API_GET_PIX_FMT_NAME #define FF_API_GET_PIX_FMT_NAME (LIBAVCODEC_VERSION_MAJOR < 54) #endif +#ifndef FF_API_AVCODEC_OPEN +#define FF_API_AVCODEC_OPEN (LIBAVCODEC_VERSION_MAJOR < 54) +#endif #endif /* AVCODEC_VERSION_H */ diff --git a/libavfilter/vsrc_movie.c b/libavfilter/vsrc_movie.c index 7556fa2e9e..bd74f95545 100644 --- a/libavfilter/vsrc_movie.c +++ b/libavfilter/vsrc_movie.c @@ -139,7 +139,7 @@ static int movie_init(AVFilterContext *ctx) return AVERROR(EINVAL); } - if ((ret = avcodec_open(movie->codec_ctx, codec)) < 0) { + if ((ret = avcodec_open2(movie->codec_ctx, codec, NULL)) < 0) { av_log(ctx, AV_LOG_ERROR, "Failed to open codec\n"); return ret; } From 23f0d0f16bb2accc661ab8c135362ee75987c549 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Mon, 8 Aug 2011 23:41:50 -0700 Subject: [PATCH 0616/1119] lavc: fix parentheses placement in avcodec_open2(). Signed-off-by: Anton Khirnov (cherry picked from commit 1d36fb13b088f55ece155153fb6ca8ea278fc837) Signed-off-by: Anton Khirnov --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b264fe422e..5c19dd7d35 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -513,7 +513,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD av_opt_set_defaults(avctx->priv_data); } } - if (codec->priv_class && (ret = av_opt_set_dict(avctx->priv_data, &tmp) < 0)) + if (codec->priv_class && (ret = av_opt_set_dict(avctx->priv_data, &tmp)) < 0) goto free_and_end; } else { avctx->priv_data = NULL; From afe2726089a9f45d89e81217cd69505c14b94445 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 22 May 2011 19:24:59 +0200 Subject: [PATCH 0617/1119] lavf: add avformat_find_stream_info() It supports passing options to codecs. (cherry picked from commit a67c061e0f3b55ffcc96f336fc0998e44b86c8e4) Conflicts: libavformat/utils.c Signed-off-by: Anton Khirnov --- libavfilter/vsrc_movie.c | 2 +- libavformat/avformat.h | 27 +++++++++++++++++++++++++++ libavformat/utils.c | 18 +++++++++++++----- 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/libavfilter/vsrc_movie.c b/libavfilter/vsrc_movie.c index bd74f95545..b018ba7418 100644 --- a/libavfilter/vsrc_movie.c +++ b/libavfilter/vsrc_movie.c @@ -96,7 +96,7 @@ static int movie_init(AVFilterContext *ctx) "Failed to avformat_open_input '%s'\n", movie->file_name); return ret; } - if ((ret = av_find_stream_info(movie->format_ctx)) < 0) + if ((ret = avformat_find_stream_info(movie->format_ctx, NULL)) < 0) av_log(ctx, AV_LOG_WARNING, "Failed to find stream info\n"); // if seeking requested, we execute it diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 8561a50c01..c11d650e85 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -1081,6 +1081,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma */ AVFormatContext *avformat_alloc_context(void); +#if FF_API_FORMAT_PARAMETERS /** * Read packets of a media file to get stream information. This * is useful for file formats with no headers such as MPEG. This @@ -1093,8 +1094,34 @@ AVFormatContext *avformat_alloc_context(void); * @return >=0 if OK, AVERROR_xxx on error * @todo Let the user decide somehow what information is needed so that * we do not waste time getting stuff the user does not need. + * + * @deprecated use avformat_find_stream_info. */ int av_find_stream_info(AVFormatContext *ic); +#endif + +/** + * Read packets of a media file to get stream information. This + * is useful for file formats with no headers such as MPEG. This + * function also computes the real framerate in case of MPEG-2 repeat + * frame mode. + * The logical file position is not changed by this function; + * examined packets may be buffered for later processing. + * + * @param ic media file handle + * @param options If non-NULL, an ic.nb_streams long array of pointers to + * dictionaries, where i-th member contains options for + * codec corresponding to i-th stream. + * On return each dictionary will be filled with options that were not found. + * @return >=0 if OK, AVERROR_xxx on error + * + * @note this function isn't guaranteed to open all the codecs, so + * options being non-empty at return is a perfectly normal behavior. + * + * @todo Let the user decide somehow what information is needed so that + * we do not waste time getting stuff the user does not need. + */ +int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options); /** * Find the "best" stream in the file. diff --git a/libavformat/utils.c b/libavformat/utils.c index e3c7d4aa84..15fed3287a 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2074,7 +2074,7 @@ static int has_decode_delay_been_guessed(AVStream *st) st->codec_info_nb_frames >= 6 + st->codec->has_b_frames; } -static int try_decode_frame(AVStream *st, AVPacket *avpkt) +static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **options) { int16_t *samples; AVCodec *codec; @@ -2085,7 +2085,7 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt) codec = avcodec_find_decoder(st->codec->codec_id); if (!codec) return -1; - ret = avcodec_open(st->codec, codec); + ret = avcodec_open2(st->codec, codec, options); if (ret < 0) return ret; } @@ -2204,12 +2204,20 @@ static int tb_unreliable(AVCodecContext *c){ return 0; } +#if FF_API_FORMAT_PARAMETERS int av_find_stream_info(AVFormatContext *ic) +{ + return avformat_find_stream_info(ic, NULL); +} +#endif + +int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) { int i, count, ret, read_size, j; AVStream *st; AVPacket pkt1, *pkt; int64_t old_offset = avio_tell(ic->pb); + int orig_nb_streams = ic->nb_streams; // new streams might appear, no options for those for(i=0;inb_streams;i++) { AVCodec *codec; @@ -2246,12 +2254,12 @@ int av_find_stream_info(AVFormatContext *ic) /* Ensure that subtitle_header is properly set. */ if (st->codec->codec_type == AVMEDIA_TYPE_SUBTITLE && codec && !st->codec->codec) - avcodec_open(st->codec, codec); + avcodec_open2(st->codec, codec, options ? &options[i] : NULL); //try to just open decoders, in case this is enough to get parameters if(!has_codec_parameters(st->codec)){ if (codec && !st->codec->codec) - avcodec_open(st->codec, codec); + avcodec_open2(st->codec, codec, options ? &options[i] : NULL); } } @@ -2386,7 +2394,7 @@ int av_find_stream_info(AVFormatContext *ic) it takes longer and uses more memory. For MPEG-4, we need to decompress for QuickTime. */ if (!has_codec_parameters(st->codec) || !has_decode_delay_been_guessed(st)) - try_decode_frame(st, pkt); + try_decode_frame(st, pkt, (options && i <= orig_nb_streams )? &options[i] : NULL); st->codec_info_nb_frames++; count++; From e297459eb694490c25acc65bcf75ee1630bd34b6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Jul 2011 03:08:53 +0200 Subject: [PATCH 0618/1119] lavf: fix invalid reads in avformat_find_stream_info() (cherry picked from commit e358f7ee90fec591348ca05dff94ebaf4c1a098b) Conflicts: libavformat/utils.c Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 15fed3287a..d155599058 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2394,7 +2394,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) it takes longer and uses more memory. For MPEG-4, we need to decompress for QuickTime. */ if (!has_codec_parameters(st->codec) || !has_decode_delay_been_guessed(st)) - try_decode_frame(st, pkt, (options && i <= orig_nb_streams )? &options[i] : NULL); + try_decode_frame(st, pkt, (options && i < orig_nb_streams )? &options[i] : NULL); st->codec_info_nb_frames++; count++; From d6f763659c6115e91d2fa981faffdb041d93f7a4 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 15 Nov 2011 22:33:49 +0000 Subject: [PATCH 0619/1119] lavf: fix multiplication overflow in avformat_find_stream_info() Converting to double before the multiplication rather than after avoids an integer overflow in some cases. Signed-off-by: Mans Rullgard (cherry picked from commit 52767d891c665ab1124fe4ce82d99b59673de7d2) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d155599058..aa3ca5990b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2368,7 +2368,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) for (i=1; iinfo->duration_error); i++) { int framerate= get_std_framerate(i); int ticks= lrintf(dur*framerate/(1001*12)); - double error= dur - ticks*1001*12/(double)framerate; + double error = dur - (double)ticks*1001*12 / framerate; st->info->duration_error[i] += error*error; } st->info->duration_count++; From 07624cfeaa8ea11d213032135fb56ffd5022b73a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 19 Nov 2011 08:51:26 +0100 Subject: [PATCH 0620/1119] Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info. --- doc/APIchanges | 6 ++++++ libavcodec/version.h | 2 +- libavformat/version.h | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 79d9749373..165ea98392 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,6 +13,12 @@ libavutil: 2011-04-18 API changes, most recent first: +2011-07-10 - xxxxxxx - lavf 53.3.0 + Add avformat_find_stream_info(), deprecate av_find_stream_info(). + +2011-07-10 - xxxxxxx - lavc 53.6.0 + Add avcodec_open2(), deprecate avcodec_open(). + 2011-06-xx - xxxxxxx - lavf 53.2.0 - avformat.h Add avformat_open_input and avformat_write_header(). Deprecate av_open_input_stream, av_open_input_file, diff --git a/libavcodec/version.h b/libavcodec/version.h index f4a0ecd868..44c9198125 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -21,7 +21,7 @@ #define AVCODEC_VERSION_H #define LIBAVCODEC_VERSION_MAJOR 53 -#define LIBAVCODEC_VERSION_MINOR 5 +#define LIBAVCODEC_VERSION_MINOR 6 #define LIBAVCODEC_VERSION_MICRO 0 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \ diff --git a/libavformat/version.h b/libavformat/version.h index 3cc1718f2b..635b582e87 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -24,7 +24,7 @@ #include "libavutil/avutil.h" #define LIBAVFORMAT_VERSION_MAJOR 53 -#define LIBAVFORMAT_VERSION_MINOR 2 +#define LIBAVFORMAT_VERSION_MINOR 3 #define LIBAVFORMAT_VERSION_MICRO 0 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ From 17c54e93176b8d1b39de3d4e892df9befeb07b73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Nov 2011 03:13:50 +0100 Subject: [PATCH 0621/1119] mjpeg: support mpo Fixes stereoscopic_photo.mpo Signed-off-by: Michael Niedermayer (cherry picked from commit 1d23e5246c67f765dd5d119c9f3197bdae07330c) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index d4383d5b49..76e05237ca 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -252,7 +252,7 @@ AVInputFormat ff_gsm_demuxer = { #endif #if CONFIG_MJPEG_DEMUXER -FF_DEF_RAWVIDEO_DEMUXER(mjpeg, "raw MJPEG video", NULL, "mjpg,mjpeg", CODEC_ID_MJPEG) +FF_DEF_RAWVIDEO_DEMUXER(mjpeg, "raw MJPEG video", NULL, "mjpg,mjpeg,mpo", CODEC_ID_MJPEG) #endif #if CONFIG_MLP_DEMUXER From 5c6a2d9878f12da2730e06fbcc79f35d82f906cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Nov 2011 19:38:47 +0100 Subject: [PATCH 0622/1119] ac3probe: Detect Sonic Foundry Soft Encode AC3 as raw AC3. Our ac3 code chain can handle it fine. More ideal would be to write a demuxer that actually extracts what can be from the additional headers and uses it for whatever it can be used for. Signed-off-by: Michael Niedermayer (cherry picked from commit 30ca700ba17b9ba46f4648afa30559ad890f0221) Signed-off-by: Michael Niedermayer --- libavformat/ac3dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ac3dec.c b/libavformat/ac3dec.c index fcf99363ee..92e468da43 100644 --- a/libavformat/ac3dec.c +++ b/libavformat/ac3dec.c @@ -40,6 +40,8 @@ static int ac3_eac3_probe(AVProbeData *p, enum CodecID expected_codec_id) buf2 = buf; for(frames = 0; buf2 < end; frames++) { + if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8)) + buf2+=16; init_get_bits(&gbc, buf2, 54); if(ff_ac3_parse_header(&gbc, &hdr) < 0) break; From 4007352bd054936fe06cb8b726db008b47101d91 Mon Sep 17 00:00:00 2001 From: Thierry Foucu Date: Fri, 18 Nov 2011 17:36:50 -0800 Subject: [PATCH 0623/1119] imgutils: Fix illegal read. Found with address sanitizer. Signed-off-by: Alex Converse (cherry picked from commit c693aa6f71b4f539cf9df67ba42f4b1932981687) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index e04c307f62..5033d0d4c1 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -125,7 +125,7 @@ int av_image_fill_pointers(uint8_t *data[4], enum PixelFormat pix_fmt, int heigh has_plane[desc->comp[i].plane] = 1; total_size = size[0]; - for (i = 1; has_plane[i] && i < 4; i++) { + for (i = 1; i < 4 && has_plane[i]; i++) { int h, s = (i == 1 || i == 2) ? desc->log2_chroma_h : 0; data[i] = data[i-1] + size[i-1]; h = (height + (1 << s) - 1) >> s; From 9b667da05d43063f602715feca037a999dee8000 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Nov 2011 17:19:25 +0100 Subject: [PATCH 0624/1119] mpegvideo: dont use ff_mspel_motion() for vc1 Fixes Ticket655 Signed-off-by: Michael Niedermayer (cherry picked from commit 50d6f8195658d529c57bb42dfd8d7a71d60a9f1d) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index 18e49a63c3..50cd851654 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -725,7 +725,7 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s, 0, 0, 0, ref_picture, pix_op, qpix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); - }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel){ + }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel && s->codec_id == CODEC_ID_WMV2){ ff_mspel_motion(s, dest_y, dest_cb, dest_cr, ref_picture, pix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); From b8fc3017690f89748948b861e09971a5e1a7bd07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Nov 2011 02:03:13 +0100 Subject: [PATCH 0625/1119] h264: Fix invalid interlaced progressive MB combinations for direct mode prediction. Fixes Ticket312 Signed-off-by: Michael Niedermayer (cherry picked from commit 833a195905405fc9646c7544ce9d0f3279608977) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 0b19353656..4ebb60e41c 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -253,6 +253,10 @@ static void pred_spatial_direct_motion(H264Context * const h, int *mb_type){ mb_type_col[1] = h->ref_list[1][0].mb_type[mb_xy + s->mb_stride]; b8_stride = 2+4*s->mb_stride; b4_stride *= 6; + if(IS_INTERLACED(mb_type_col[0]) != IS_INTERLACED(mb_type_col[1])){ + mb_type_col[0] &= ~MB_TYPE_INTERLACED; + mb_type_col[1] &= ~MB_TYPE_INTERLACED; + } sub_mb_type |= MB_TYPE_16x16|MB_TYPE_DIRECT2; /* B_SUB_8x8 */ if( (mb_type_col[0] & MB_TYPE_16x16_OR_INTRA) From a6a61a6d1d4da219a6fe29250e2a6b28f9d05524 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 17:48:31 +0100 Subject: [PATCH 0626/1119] qdm2dec: fix buffer overflow. Fixes NGS00144 This also adds a few lines of code from master that are needed for this fix. Thanks to Phillip for suggestions to improve the patch. Found-by: Phillip Langlois Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 3aa9e5b6c3..e000df8efd 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -76,6 +76,7 @@ do { \ #define SAMPLES_NEEDED_2(why) \ av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why); +#define QDM2_MAX_FRAME_SIZE 512 typedef int8_t sb_int8_array[2][30][64]; @@ -168,7 +169,7 @@ typedef struct { /// I/O data const uint8_t *compressed_data; int compressed_size; - float output_buffer[1024]; + float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2]; /// Synthesis filter MPADSPContext mpadsp; @@ -1822,7 +1823,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block - if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2) + + if (s->frame_size > QDM2_MAX_FRAME_SIZE) return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; @@ -1893,6 +1895,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) int ch, i; const int frame_size = (q->frame_size * q->channels); + if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2) + return -1; + /* select input buffer */ q->compressed_data = in; q->compressed_size = q->checksum_size; From fa5292d9d42f10841e3a889bca4ebd878c965268 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 18:08:31 +0100 Subject: [PATCH 0627/1119] vp3dec: Check coefficient index in vp3_dequant() Fixes NGS00145 Found-by: Phillip Langlois Signed-off-by: Michael Niedermayer (cherry picked from commit eef5c35b4352ec49ca41f6198bee8a976b1f81e5) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 549f494ff6..2f07af8c4b 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1308,6 +1308,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, case 1: // zero run s->dct_tokens[plane][i]++; i += (token >> 2) & 0x7f; + if(i>63){ + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); + return -1; + } block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; i++; break; From 661ee45f8881bb551eb403472e60c38a7c2818aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 19:10:21 +0100 Subject: [PATCH 0628/1119] svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148 Found-by: Phillip Langlois Signed-off-by: Michael Niedermayer (cherry picked from commit 4931c8f0f10bf8dedcf626104a6b85bfefadc6f2) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index f2690fbf33..9553979d45 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -658,6 +658,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, av_dlog(s->avctx, "Error in svq1_decode_frame_header %i\n",result); return result; } + avcodec_set_dimensions(avctx, s->width, s->height); //FIXME this avoids some confusion for "B frames" without 2 references //this should be removed after libavcodec can handle more flexible picture types & ordering From 4e9b2c57326fe254d0251fbf268b3481705b4c65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Nov 2011 20:00:13 +0100 Subject: [PATCH 0629/1119] Update for 0.7.8 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 61156c4f62..bb2f7e730f 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.7 +PROJECT_NUMBER = 0.7.8 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 879be8a98f..e7c7d3cc3c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.7 +0.7.8 diff --git a/VERSION b/VERSION index 879be8a98f..e7c7d3cc3c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.7 +0.7.8 From e66860a66b7237c744d269d60dc49153410b28d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Nov 2011 20:00:52 +0100 Subject: [PATCH 0630/1119] Update for 0.8.7 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index b52216e198..890f7737d0 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.6 +PROJECT_NUMBER = 0.8.7 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 7fc2521fd7..1e9b46b229 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.6 +0.8.7 diff --git a/VERSION b/VERSION index 7fc2521fd7..1e9b46b229 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.6 +0.8.7 From 47b5fabd6a4227cb4e978fa8a19ef43d4d9bbec0 Mon Sep 17 00:00:00 2001 From: Sergiy Gur'yev Date: Thu, 24 Nov 2011 14:53:19 +0200 Subject: [PATCH 0631/1119] Fix adts format creation in aac+ encoder modified: libavcodec/libaacplus.c Signed-off-by: Michael Niedermayer (cherry picked from commit 32ed7da1350e551ec005b75e482da74f2e93fbb9) --- libavcodec/libaacplus.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/libaacplus.c b/libavcodec/libaacplus.c index c8c87be549..a5ededbf39 100644 --- a/libavcodec/libaacplus.c +++ b/libavcodec/libaacplus.c @@ -63,9 +63,7 @@ static av_cold int aacPlus_encode_init(AVCodecContext *avctx) aacplus_cfg->bitRate = avctx->bit_rate; aacplus_cfg->bandWidth = avctx->cutoff; - if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { - aacplus_cfg->outputFormat = 0; //raw aac - } + aacplus_cfg->outputFormat = !(avctx->flags & CODEC_FLAG_GLOBAL_HEADER); aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT; if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) { av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n"); From 4f58d8ebc1a75f85495e846941d3893508449f16 Mon Sep 17 00:00:00 2001 From: Sergiy Gur'yev Date: Thu, 24 Nov 2011 14:53:19 +0200 Subject: [PATCH 0632/1119] Fix adts format creation in aac+ encoder modified: libavcodec/libaacplus.c Signed-off-by: Michael Niedermayer (cherry picked from commit 32ed7da1350e551ec005b75e482da74f2e93fbb9) --- libavcodec/libaacplus.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/libaacplus.c b/libavcodec/libaacplus.c index c8c87be549..a5ededbf39 100644 --- a/libavcodec/libaacplus.c +++ b/libavcodec/libaacplus.c @@ -63,9 +63,7 @@ static av_cold int aacPlus_encode_init(AVCodecContext *avctx) aacplus_cfg->bitRate = avctx->bit_rate; aacplus_cfg->bandWidth = avctx->cutoff; - if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) { - aacplus_cfg->outputFormat = 0; //raw aac - } + aacplus_cfg->outputFormat = !(avctx->flags & CODEC_FLAG_GLOBAL_HEADER); aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT; if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) { av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n"); From 494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:45 +0200 Subject: [PATCH 0633/1119] vmd: fix segfaults on corruped streams Signed-off-by: Janne Grunau Signed-off-by: Reinhard Tartler --- libavcodec/vmdav.c | 104 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 80 insertions(+), 24 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index d258252d95..500adcb354 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -72,9 +72,11 @@ typedef struct VmdVideoContext { #define QUEUE_SIZE 0x1000 #define QUEUE_MASK 0x0FFF -static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len) +static void lz_unpack(const unsigned char *src, int src_len, + unsigned char *dest, int dest_len) { const unsigned char *s; + unsigned int s_len; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; @@ -87,13 +89,16 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le unsigned int i, j; s = src; + s_len = src_len; d = dest; d_end = d + dest_len; dataleft = AV_RL32(s); - s += 4; + s += 4; s_len -= 4; memset(queue, 0x20, QUEUE_SIZE); + if (s_len < 4) + return; if (AV_RL32(s) == 0x56781234) { - s += 4; + s += 4; s_len -= 4; qpos = 0x111; speclen = 0xF + 3; } else { @@ -101,32 +106,41 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le speclen = 100; /* no speclen */ } - while (dataleft > 0) { - tag = *s++; + while (dataleft > 0 && s_len > 0) { + tag = *s++; s_len--; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end) + if (d + 8 > d_end || s_len < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; } + s_len -= 8; dataleft -= 8; } else { for (i = 0; i < 8; i++) { if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end) + if (d + 1 > d_end || s_len < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; dataleft--; + s_len--; } else { + if (s_len < 2) + return; chainofs = *s++; chainofs |= ((*s & 0xF0) << 4); chainlen = (*s++ & 0x0F) + 3; - if (chainlen == speclen) + s_len -= 2; + if (chainlen == speclen) { + if (s_len < 1) + return; chainlen = *s++ + 0xF + 3; + s_len--; + } if (d + chainlen > d_end) return; for (j = 0; j < chainlen; j++) { @@ -143,7 +157,7 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le } static int rle_unpack(const unsigned char *src, unsigned char *dest, - int src_len, int dest_len) + int src_count, int src_size, int dest_len) { const unsigned char *ps; unsigned char *pd; @@ -152,31 +166,40 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest, ps = src; pd = dest; - if (src_len & 1) + if (src_count & 1) { + if (src_size < 1) + return 0; *pd++ = *ps++; + src_size--; + } - src_len >>= 1; + src_count >>= 1; i = 0; do { + if (src_size < 1) + break; l = *ps++; + src_size--; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end) + if (pd + l > dest_end || src_size < l) return ps - src; memcpy(pd, ps, l); ps += l; + src_size -= l; pd += l; } else { - if (pd + i > dest_end) + if (pd + i > dest_end || src_size < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; *pd++ = ps[1]; } ps += 2; + src_size -= 2; } i += l; - } while (i < src_len); + } while (i < src_count); return ps - src; } @@ -191,6 +214,7 @@ static void vmd_decode(VmdVideoContext *s) const unsigned char *p = s->buf + 16; const unsigned char *pb; + unsigned int pb_size; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ @@ -204,6 +228,16 @@ static void vmd_decode(VmdVideoContext *s) frame_y = AV_RL16(&s->buf[8]); frame_width = AV_RL16(&s->buf[10]) - frame_x + 1; frame_height = AV_RL16(&s->buf[12]) - frame_y + 1; + if (frame_x < 0 || frame_width < 0 || + frame_x >= s->avctx->width || + frame_width > s->avctx->width || + frame_x + frame_width > s->avctx->width) + return; + if (frame_y < 0 || frame_height < 0 || + frame_y >= s->avctx->height || + frame_height > s->avctx->height || + frame_y + frame_height > s->avctx->height) + return; if ((frame_width == s->avctx->width && frame_height == s->avctx->height) && (frame_x || frame_y)) { @@ -216,8 +250,9 @@ static void vmd_decode(VmdVideoContext *s) /* if only a certain region will be updated, copy the entire previous * frame before the decode */ - if (frame_x || frame_y || (frame_width != s->avctx->width) || - (frame_height != s->avctx->height)) { + if (s->prev_frame.data[0] && + (frame_x || frame_y || (frame_width != s->avctx->width) || + (frame_height != s->avctx->height))) { memcpy(s->frame.data[0], s->prev_frame.data[0], s->avctx->height * s->frame.linesize[0]); @@ -235,14 +270,19 @@ static void vmd_decode(VmdVideoContext *s) } s->size -= (256 * 3 + 2); } - if (s->size >= 0) { + if (s->size > 0) { /* originally UnpackFrame in VAG's code */ pb = p; - meth = *pb++; + pb_size = s->buf + s->size - pb; + if (pb_size < 1) + return; + meth = *pb++; pb_size--; if (meth & 0x80) { - lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size); + lz_unpack(pb, pb_size, + s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; + pb_size = s->unpack_buffer_size; } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -252,17 +292,21 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_size < 1) + return; len = *pb++; + pb_size--; if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width) + if (ofs + len > frame_width || pb_size < len) return; memcpy(&dp[ofs], pb, len); pb += len; + pb_size -= len; ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; @@ -280,8 +324,11 @@ static void vmd_decode(VmdVideoContext *s) case 2: for (i = 0; i < frame_height; i++) { + if (pb_size < frame_width) + return; memcpy(dp, pb, frame_width); pb += frame_width; + pb_size -= frame_width; dp += s->frame.linesize[0]; pp += s->prev_frame.linesize[0]; } @@ -291,18 +338,27 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_size < 1) + return; len = *pb++; + pb_size--; if (len & 0x80) { len = (len & 0x7F) + 1; + if (pb_size < 1) + return; if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); - else + len = rle_unpack(pb, &dp[ofs], len, pb_size, frame_width - ofs); + else { + if (pb_size < len) + return; memcpy(&dp[ofs], pb, len); + } pb += len; + pb_size -= 1 + len; ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; From a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:05 +0200 Subject: [PATCH 0634/1119] Check for out of bound writes in the QDM2 decoder. Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 291d74a46d32183653db07818c7b3407fd50a288) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 86847adc10..eeb7fa3528 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -76,6 +76,7 @@ do { \ #define SAMPLES_NEEDED_2(why) \ av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why); +#define QDM2_MAX_FRAME_SIZE 512 typedef int8_t sb_int8_array[2][30][64]; @@ -168,7 +169,7 @@ typedef struct { /// I/O data const uint8_t *compressed_data; int compressed_size; - float output_buffer[1024]; + float output_buffer[QDM2_MAX_FRAME_SIZE * 2]; /// Synthesis filter MPADSPContext mpadsp; @@ -1797,6 +1798,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); extradata += 4; + if (s->channels > MPA_MAX_CHANNELS) + return AVERROR_INVALIDDATA; avctx->sample_rate = AV_RB32(extradata); extradata += 4; @@ -1818,6 +1821,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > QDM2_MAX_FRAME_SIZE) + return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); From 0d93d5c4614fafea74bdac681673f5b32eb49063 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:04 +0200 Subject: [PATCH 0635/1119] Fix out of bound reads in the QDM2 decoder. Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 5a19acb17ceb71657b0eec51dac651953520e5c8) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index eeb7fa3528..d1619ef131 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1354,6 +1354,8 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * return; local_int_14 = (offset >> local_int_8); + if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table)) + return; if (q->nb_channels > 1) { channel = get_bits1(gb); From 73472053516f82b7d273a3d42c583f894077a191 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 13:57:04 -0400 Subject: [PATCH 0636/1119] qdm2: check output buffer size before decoding (cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index d1619ef131..7e7051fc6d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1959,13 +1959,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx, int buf_size = avpkt->size; QDM2Context *s = avctx->priv_data; int16_t *out = data; - int i; + int i, out_size; if(!buf) return 0; if(buf_size < s->checksum_size) return -1; + out_size = 16 * s->channels * s->frame_size * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n", buf_size, buf, s->checksum_size, data, *data_size); @@ -1975,7 +1982,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx, out += s->channels * s->frame_size; } - *data_size = (uint8_t*)out - (uint8_t*)data; + *data_size = out_size; return s->checksum_size; } From 28acce2861a07b6b78204a2cbc90bbdeed285405 Mon Sep 17 00:00:00 2001 From: Thierry Foucu Date: Fri, 18 Nov 2011 17:36:50 -0800 Subject: [PATCH 0637/1119] imgutils: Fix illegal read. Found with address sanitizer. Signed-off-by: Alex Converse (cherry picked from commit c693aa6f71b4f539cf9df67ba42f4b1932981687) Signed-off-by: Reinhard Tartler --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 46853cafcb..9dc4f01078 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -117,7 +117,7 @@ int av_image_fill_pointers(uint8_t *data[4], enum PixelFormat pix_fmt, int heigh has_plane[desc->comp[i].plane] = 1; total_size = size[0]; - for (i = 1; has_plane[i] && i < 4; i++) { + for (i = 1; i < 4 && has_plane[i]; i++) { int h, s = (i == 1 || i == 2) ? desc->log2_chroma_h : 0; data[i] = data[i-1] + size[i-1]; h = (height + (1 << s) - 1) >> s; From 7367cbec1b8cf0cbb49707fb0fdfded8ec397b0d Mon Sep 17 00:00:00 2001 From: Dustin Brody Date: Tue, 16 Aug 2011 16:46:34 -0400 Subject: [PATCH 0638/1119] vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling Signed-off-by: Ronald S. Bultje (cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 4f3f402c70..99e2dbfa56 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -213,8 +213,8 @@ static int vp6_huff_cmp(const void *va, const void *vb) return (a->count - b->count)*16 + (b->sym - a->sym); } -static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], - const uint8_t *map, unsigned size, VLC *vlc) +static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], + const uint8_t *map, unsigned size, VLC *vlc) { Node nodes[2*VP6_MAX_HUFF_SIZE], *tmp = &nodes[size]; int a, b, i; @@ -229,9 +229,9 @@ static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], } free_vlc(vlc); - /* then build the huffman tree accodring to probabilities */ - ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, - FF_HUFFMAN_FLAG_HNODE_FIRST); + /* then build the huffman tree according to probabilities */ + return ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, + FF_HUFFMAN_FLAG_HNODE_FIRST); } static void vp6_parse_coeff_models(VP56Context *s) From 30c08e226156e5a36a835c008c67114f22c8da8f Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:32 +0200 Subject: [PATCH 0639/1119] vp6: Check for huffman tree build errors Signed-off-by: Janne Grunau (cherry picked from commit 066fff755a5d8edc660c010ddb08474d208eeade) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 3 ++- libavcodec/vp56.c | 4 +++- libavcodec/vp56.h | 2 +- libavcodec/vp6.c | 20 ++++++++++++-------- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 807309f603..d61163e64c 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -116,7 +116,7 @@ static void vp5_parse_vector_models(VP56Context *s) model->vector_pdv[comp][node] = vp56_rac_gets_nn(c, 7); } -static void vp5_parse_coeff_models(VP56Context *s) +static int vp5_parse_coeff_models(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -160,6 +160,7 @@ static void vp5_parse_coeff_models(VP56Context *s) for (ctx=0; ctx<6; ctx++) for (node=0; node<5; node++) model->coeff_acct[pt][ct][cg][ctx][node] = av_clip(((model->coeff_ract[pt][ct][cg][node] * vp5_ract_lc[ct][cg][node][ctx][0] + 128) >> 8) + vp5_ract_lc[ct][cg][node][ctx][1], 1, 254); + return 0; } static void vp5_parse_coeff(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index a181978334..a6b201478e 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -537,7 +537,8 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->mb_type = VP56_MB_INTER_NOVEC_PF; } - s->parse_coeff_models(s); + if (s->parse_coeff_models(s)) + goto next; memset(s->prev_dc, 0, sizeof(s->prev_dc)); s->prev_dc[1][VP56_FRAME_CURRENT] = 128; @@ -601,6 +602,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } + next: if (p->key_frame || golden_frame) { if (s->framep[VP56_FRAME_GOLDEN]->data[0] && s->framep[VP56_FRAME_GOLDEN] != s->framep[VP56_FRAME_GOLDEN2]) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 5a55f7d6a1..0c34438c8f 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -46,7 +46,7 @@ typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, typedef void (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); -typedef void (*VP56ParseCoeffModels)(VP56Context *s); +typedef int (*VP56ParseCoeffModels)(VP56Context *s); typedef int (*VP56ParseHeader)(VP56Context *s, const uint8_t *buf, int buf_size, int *golden_frame); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 99e2dbfa56..3da2e2cbfa 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -234,7 +234,7 @@ static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], FF_HUFFMAN_FLAG_HNODE_FIRST); } -static void vp6_parse_coeff_models(VP56Context *s) +static int vp6_parse_coeff_models(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -279,15 +279,18 @@ static void vp6_parse_coeff_models(VP56Context *s) if (s->use_huffman) { for (pt=0; pt<2; pt++) { - vp6_build_huff_tree(s, model->coeff_dccv[pt], - vp6_huff_coeff_map, 12, &s->dccv_vlc[pt]); - vp6_build_huff_tree(s, model->coeff_runv[pt], - vp6_huff_run_map, 9, &s->runv_vlc[pt]); + if (vp6_build_huff_tree(s, model->coeff_dccv[pt], + vp6_huff_coeff_map, 12, &s->dccv_vlc[pt])) + return -1; + if (vp6_build_huff_tree(s, model->coeff_runv[pt], + vp6_huff_run_map, 9, &s->runv_vlc[pt])) + return -1; for (ct=0; ct<3; ct++) for (cg = 0; cg < 6; cg++) - vp6_build_huff_tree(s, model->coeff_ract[pt][ct][cg], - vp6_huff_coeff_map, 12, - &s->ract_vlc[pt][ct][cg]); + if (vp6_build_huff_tree(s, model->coeff_ract[pt][ct][cg], + vp6_huff_coeff_map, 12, + &s->ract_vlc[pt][ct][cg])) + return -1; } memset(s->nb_null, 0, sizeof(s->nb_null)); } else { @@ -297,6 +300,7 @@ static void vp6_parse_coeff_models(VP56Context *s) for (node=0; node<5; node++) model->coeff_dcct[pt][ctx][node] = av_clip(((model->coeff_dccv[pt][node] * vp6_dccv_lc[ctx][node][0] + 128) >> 8) + vp6_dccv_lc[ctx][node][1], 1, 255); } + return 0; } static void vp6_parse_vector_adjustment(VP56Context *s, VP56mv *vect) From c76505e0dee0890e39636ddebd2707ab3ea5b8de Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 23 Sep 2011 22:36:11 +0200 Subject: [PATCH 0640/1119] vp6: Reset the internal state when aborting key frames header parsing It prevents leaving the state only half initialized. Signed-off-by: Janne Grunau (cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 3da2e2cbfa..48d7e7bf5b 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -137,8 +137,11 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (coeff_offset) { buf += coeff_offset; buf_size -= coeff_offset; - if (buf_size < 0) + if (buf_size < 0) { + if (s->framep[VP56_FRAME_CURRENT]->key_frame) + avcodec_set_dimensions(s->avctx, 0, 0); return 0; + } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); From 67a7ed623b678a84c992dd7bf3e3d0329f83621b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 3 Nov 2011 15:55:52 -0700 Subject: [PATCH 0641/1119] vp6: Fix illegal read. (cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 48d7e7bf5b..ecfc81f048 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -374,7 +374,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) if (b > 3) pt = 1; vlc_coeff = &s->dccv_vlc[pt]; - for (coeff_idx=0; coeff_idx<64; ) { + for (coeff_idx = 0;;) { int run = 1; if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) { s->nb_null[coeff_idx][pt]--; @@ -411,6 +411,8 @@ static void vp6_parse_coeff_huffman(VP56Context *s) } } coeff_idx+=run; + if (coeff_idx >= 64) + break; cg = FFMIN(vp6_coeff_groups[coeff_idx], 3); vlc_coeff = &s->ract_vlc[pt][ct][cg]; } From ba4b08b78918f399f9c9524750b26e904d146078 Mon Sep 17 00:00:00 2001 From: Thierry Foucu Date: Thu, 17 Nov 2011 09:39:52 -0800 Subject: [PATCH 0642/1119] vp6: Fix illegal read. Found with Address Sanitizer Signed-off-by: Alex Converse (cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index ecfc81f048..02fe70bf7f 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -440,7 +440,8 @@ static void vp6_parse_coeff(VP56Context *s) model1 = model->coeff_dccv[pt]; model2 = model->coeff_dcct[pt][ctx]; - for (coeff_idx=0; coeff_idx<64; ) { + coeff_idx = 0; + for (;;) { if ((coeff_idx>1 && ct==0) || vp56_rac_get_prob(c, model2[0])) { /* parse a coeff */ if (vp56_rac_get_prob(c, model2[2])) { @@ -481,8 +482,10 @@ static void vp6_parse_coeff(VP56Context *s) run += vp56_rac_get_prob(c, model3[i+8]) << i; } } - - cg = vp6_coeff_groups[coeff_idx+=run]; + coeff_idx += run; + if (coeff_idx >= 64) + break; + cg = vp6_coeff_groups[coeff_idx]; model1 = model2 = model->coeff_ract[pt][ct][cg]; } From 38a511e84cb776ec16cb7edcf8ed5e878af0a374 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 25 Nov 2011 00:45:16 +0200 Subject: [PATCH 0643/1119] swscale: Readd #define _SVID_SOURCE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was removed erroneously in 046f081b46c8479820409cf8f530b988221bd15b. This define still is necessary for getting MAP_ANONYMOUS defined on linux/glibc, despite the define reshuffling done in that commit. Without MAP_ANONYMOUS defined, the mprotect calls for setting the generated mmx2 scaler code pages executable are left out, causing crashes if that codepath is chosen. This patch fixes scaling from 192x144 to 320x240 with -sws_flags fast_bilinear, which crashes on linux at the moment. Signed-off-by: Martin Storsjö (cherry picked from commit f32dfad9dc64acf0fd1bb867e127a9efe6380676) Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index d048b22e24..43efa0ce0e 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#define _SVID_SOURCE //needed for MAP_ANONYMOUS #include #include #include From 1550c0885db601fadc1190b14cb40e870787e150 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Nov 2011 21:10:15 +0100 Subject: [PATCH 0644/1119] h264: Use mismatching frame numbers in fields to synchronize the first/second field state independant of them being reference or not. Fixes Ticket354 Signed-off-by: Michael Niedermayer (cherry picked from commit 545ec935a4b4e0f032ebd975907b41f6fe4465c9) --- libavcodec/h264.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index fd33aeff3e..c93c0ecec2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2810,11 +2810,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s0->first_field = FIELD_PICTURE; } else { - if (h->nal_ref_idc && - s0->current_picture_ptr->reference && - s0->current_picture_ptr->frame_num != h->frame_num) { + if (s0->current_picture_ptr->frame_num != h->frame_num) { /* - * This and previous field were reference, but had + * This and previous field had * different frame_nums. Consider this field first in * pair. Throw away previous field except for reference * purposes. From ba5bb0562b37313540845ae7fa069134aad6e0c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Nov 2011 21:10:15 +0100 Subject: [PATCH 0645/1119] h264: Use mismatching frame numbers in fields to synchronize the first/second field state independant of them being reference or not. Fixes Ticket354 Signed-off-by: Michael Niedermayer (cherry picked from commit 545ec935a4b4e0f032ebd975907b41f6fe4465c9) --- libavcodec/h264.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ff38bd7db7..27833f554a 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2810,11 +2810,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s0->first_field = FIELD_PICTURE; } else { - if (h->nal_ref_idc && - s0->current_picture_ptr->reference && - s0->current_picture_ptr->frame_num != h->frame_num) { + if (s0->current_picture_ptr->frame_num != h->frame_num) { /* - * This and previous field were reference, but had + * This and previous field had * different frame_nums. Consider this field first in * pair. Throw away previous field except for reference * purposes. From d38580a7bb811028b5d3bac4924fd486c06b816f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Oct 2011 22:57:36 +0200 Subject: [PATCH 0646/1119] mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report) Signed-off-by: Michael Niedermayer (cherry picked from commit e31c5ebe1146d98d17a5121312c5444432c81904) Conflicts: libavformat/mpegtsenc.c Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 32dedfbae6..45a6f2213b 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -23,6 +23,7 @@ #include "libavutil/crc.h" #include "libavutil/dict.h" #include "libavutil/opt.h" +#include "libavutil/avassert.h" #include "libavcodec/mpegvideo.h" #include "avformat.h" #include "internal.h" @@ -947,19 +948,20 @@ static int mpegts_write_packet(AVFormatContext *s, AVPacket *pkt) } } - if (st->codec->codec_type != AVMEDIA_TYPE_AUDIO) { + if (ts_st->payload_index && ts_st->payload_index + size > DEFAULT_PES_PAYLOAD_SIZE) { + mpegts_write_pes(s, st, ts_st->payload, ts_st->payload_index, + ts_st->payload_pts, ts_st->payload_dts); + ts_st->payload_index = 0; + } + + if (st->codec->codec_type != AVMEDIA_TYPE_AUDIO || size > DEFAULT_PES_PAYLOAD_SIZE) { + av_assert0(!ts_st->payload_index); // for video and subtitle, write a single pes packet mpegts_write_pes(s, st, buf, size, pts, dts); av_free(data); return 0; } - if (ts_st->payload_index + size > DEFAULT_PES_PAYLOAD_SIZE) { - mpegts_write_pes(s, st, ts_st->payload, ts_st->payload_index, - ts_st->payload_pts, ts_st->payload_dts); - ts_st->payload_index = 0; - } - if (!ts_st->payload_index) { ts_st->payload_pts = pts; ts_st->payload_dts = dts; From 0125c10217d37d5706835762b985b8e697d1ca1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Oct 2011 22:57:36 +0200 Subject: [PATCH 0647/1119] mpegtsenc: fix handling of large audio packets (sorry i have no sample, just a user report) Signed-off-by: Michael Niedermayer (cherry picked from commit e31c5ebe1146d98d17a5121312c5444432c81904) Conflicts: libavformat/mpegtsenc.c Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 32dedfbae6..45a6f2213b 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -23,6 +23,7 @@ #include "libavutil/crc.h" #include "libavutil/dict.h" #include "libavutil/opt.h" +#include "libavutil/avassert.h" #include "libavcodec/mpegvideo.h" #include "avformat.h" #include "internal.h" @@ -947,19 +948,20 @@ static int mpegts_write_packet(AVFormatContext *s, AVPacket *pkt) } } - if (st->codec->codec_type != AVMEDIA_TYPE_AUDIO) { + if (ts_st->payload_index && ts_st->payload_index + size > DEFAULT_PES_PAYLOAD_SIZE) { + mpegts_write_pes(s, st, ts_st->payload, ts_st->payload_index, + ts_st->payload_pts, ts_st->payload_dts); + ts_st->payload_index = 0; + } + + if (st->codec->codec_type != AVMEDIA_TYPE_AUDIO || size > DEFAULT_PES_PAYLOAD_SIZE) { + av_assert0(!ts_st->payload_index); // for video and subtitle, write a single pes packet mpegts_write_pes(s, st, buf, size, pts, dts); av_free(data); return 0; } - if (ts_st->payload_index + size > DEFAULT_PES_PAYLOAD_SIZE) { - mpegts_write_pes(s, st, ts_st->payload, ts_st->payload_index, - ts_st->payload_pts, ts_st->payload_dts); - ts_st->payload_index = 0; - } - if (!ts_st->payload_index) { ts_st->payload_pts = pts; ts_st->payload_dts = dts; From 0eca0da06e40b73af495cc05fbcfaa030fcf78ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 19:10:21 +0100 Subject: [PATCH 0648/1119] svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148, CVE-2011-4579 Found-by: Phillip Langlois Signed-off-by: Michael Niedermayer (cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229) Signed-off-by: Reinhard Tartler --- libavcodec/svq1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 2a80374569..325cc1289b 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -658,6 +658,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, av_dlog(s->avctx, "Error in svq1_decode_frame_header %i\n",result); return result; } + avcodec_set_dimensions(avctx, s->width, s->height); //FIXME this avoids some confusion for "B frames" without 2 references //this should be removed after libavcodec can handle more flexible picture types & ordering From bba709214a51ffd665a67404d3beb3727bb3f319 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 4 Dec 2011 10:10:33 +0100 Subject: [PATCH 0649/1119] vp3dec: Check coefficient index in vp3_dequant() Based on a patch by Michael Niedermayer Fixes NGS00145, CVE-2011-4352 Found-by: Phillip Langlois Signed-off-by: Reinhard Tartler (cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f) Signed-off-by: Reinhard Tartler --- libavcodec/vp3.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c117a64084..890db5c59f 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1291,6 +1291,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, case 1: // zero run s->dct_tokens[plane][i]++; i += (token >> 2) & 0x7f; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); + return i; + } block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; i++; break; @@ -1493,7 +1497,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - vp3_dequant(s, s->all_fragments + i, plane, 0, block); + int index; + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); + if (index > 63) + continue; if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( @@ -1501,7 +1508,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) stride, block); } else { - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); + if (index > 63) + continue; + if (index > 0) { s->dsp.idct_add( output_plane + first_pixel, stride, From 851098c9e004b2ce294b687cb18633b038dcc3fe Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 1 Dec 2011 18:48:33 +0100 Subject: [PATCH 0650/1119] swscale: #include "libavutil/mathematics.h" this file uses the M_PI macro since 4e74187db2f5db52f88729efc662df9d6bc763e1, so include the correct header directly. Signed-off-by: Reinhard Tartler (cherry picked from commit 5089ce1b5abe2ecbbfd7235aeb0ad47ba38305c1) Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 43efa0ce0e..ac22dfe688 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -43,6 +43,7 @@ #include "libavutil/cpu.h" #include "libavutil/avutil.h" #include "libavutil/bswap.h" +#include "libavutil/mathematics.h" #include "libavutil/opt.h" #include "libavutil/pixdesc.h" From 7ce728050b6157fc926bc399393d8c1161c9efd6 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 23 Dec 2011 16:00:17 +0100 Subject: [PATCH 0651/1119] Update RELEASE file for 0.7.3 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7486fdbc50..f38fc5393f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.2 +0.7.3 From 8dba5608dcf76032d8a9aa4bd8a3fc1392682281 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 22 Nov 2011 13:37:52 -0500 Subject: [PATCH 0652/1119] wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits. The initial values are not checked against the number of block sizes. Initializing them to frame_len_bits will result in a block size index of 0 in these cases instead of something that might be out-of-range. Fixes Bug 81. (cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8) Signed-off-by: Reinhard Tartler --- libavcodec/wma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index bed47ec35b..4cdffcd101 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -137,6 +137,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) /* compute MDCT block size */ s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0); + s->next_block_len_bits = s->frame_len_bits; + s->prev_block_len_bits = s->frame_len_bits; + s->block_len_bits = s->frame_len_bits; s->frame_len = 1 << s->frame_len_bits; if (s->use_variable_block_len) { From d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1 Mon Sep 17 00:00:00 2001 From: Shitiz Garg Date: Wed, 14 Dec 2011 18:29:21 +0530 Subject: [PATCH 0653/1119] 4xm: Add a check in decode_i_frame to prevent buffer overreads Fixes bugzilla #135 Signed-off-by: Janne Grunau (cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84) Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 176feb94c0..ed832598b0 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -658,9 +658,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; const unsigned int bitstream_size= AV_RL32(buf); - const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); - unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); - const uint8_t *prestream= buf + bitstream_size + 12; + int token_count av_unused; + unsigned int prestream_size; + const uint8_t *prestream; + + if (length < bitstream_size + 12) { + av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); + return AVERROR_INVALIDDATA; + } + + token_count = AV_RL32(buf + bitstream_size + 8); + prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; if(prestream_size + bitstream_size + 12 != length || bitstream_size > (1<<26) From d61b38b9db9bdc5e98f529c043767f8fd5369859 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 23 Dec 2011 22:40:24 +0100 Subject: [PATCH 0654/1119] Update Changelog for 0.7.3 release --- Changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Changelog b/Changelog index ab02a02bf5..e8fcf8257f 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.3: + +- check buffer and input values in various parts of the code: + vmd (CVE-2011-4364), qdm2 (CVE-2011-4351), imgutils (several codecs), + vp6 (CVE-2011-4353), svq1 (CVE-2011-4579), vp3 (CVE-2011-4352), wma, 4xm +- backport avcodec_open2() as a replacement for avcodec_open() +- backport avformat_find_stream_info() + + version 0.7.2: - check buffer and input values in various parts of the code: From ccdc68eb35b17b227a24303fbaf52df73c9911e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 21:45:24 +0100 Subject: [PATCH 0655/1119] Update for 0.7.9 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index bb2f7e730f..6777f13149 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.8 +PROJECT_NUMBER = 0.7.9 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index e7c7d3cc3c..972ef76ad1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.8 +0.7.9 diff --git a/VERSION b/VERSION index e7c7d3cc3c..972ef76ad1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.8 +0.7.9 From d75909f24719d81ea8b4ca4117a13b32234e93d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 21:45:57 +0100 Subject: [PATCH 0656/1119] Update for 0.8.8 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 890f7737d0..4672ded1a8 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.7 +PROJECT_NUMBER = 0.8.8 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 1e9b46b229..6201b5f77f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.7 +0.8.8 diff --git a/VERSION b/VERSION index 1e9b46b229..6201b5f77f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.7 +0.8.8 From 680880c98db2817437e19c3fc7f6349261bbbbb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 04:42:04 +0100 Subject: [PATCH 0657/1119] h264: fix init of topleft ref/mv. Fixes Ticket778 Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index a6f39730ff..f7948a5a5a 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -1075,7 +1075,7 @@ static void fill_decode_caches(H264Context *h, int mb_type){ AV_ZERO32(h->mv_cache [list][scan8[0] + 4 - 1*8]); h->ref_cache[list][scan8[0] + 4 - 1*8]= topright_type ? LIST_NOT_USED : PART_NOT_AVAILABLE; } - if(h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){ + if(h->ref_cache[list][scan8[0] + 2 - 1*8] < 0 || h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){ if(USES_LIST(topleft_type, list)){ const int b_xy = h->mb2b_xy [topleft_xy] + 3 + h->b_stride + (h->topleft_partition & 2*h->b_stride); const int b8_xy= 4*topleft_xy + 1 + (h->topleft_partition & 2); From 575cbbffaaa16fde167e6c7a577799da68b6937b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 04:42:04 +0100 Subject: [PATCH 0658/1119] h264: fix init of topleft ref/mv. Fixes Ticket778 Signed-off-by: Michael Niedermayer (cherry picked from commit 680880c98db2817437e19c3fc7f6349261bbbbb0) --- libavcodec/h264.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index a6f39730ff..f7948a5a5a 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -1075,7 +1075,7 @@ static void fill_decode_caches(H264Context *h, int mb_type){ AV_ZERO32(h->mv_cache [list][scan8[0] + 4 - 1*8]); h->ref_cache[list][scan8[0] + 4 - 1*8]= topright_type ? LIST_NOT_USED : PART_NOT_AVAILABLE; } - if(h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){ + if(h->ref_cache[list][scan8[0] + 2 - 1*8] < 0 || h->ref_cache[list][scan8[0] + 4 - 1*8] < 0){ if(USES_LIST(topleft_type, list)){ const int b_xy = h->mb2b_xy [topleft_xy] + 3 + h->b_stride + (h->topleft_partition & 2*h->b_stride); const int b8_xy= 4*topleft_xy + 1 + (h->topleft_partition & 2); From c409ac5adc924aeb126a078a0297be8a8acf13e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2012 15:27:43 +0100 Subject: [PATCH 0659/1119] vp3: fix regression with mplayer-crash.ogv Signed-off-by: Michael Niedermayer (cherry picked from commit a2a12e3358c3bbdc0246ffc94973e58eba50ee30) --- libavcodec/vp3.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 3abc78b85a..2f07af8c4b 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1514,10 +1514,7 @@ static void render_slice(Vp3DecodeContext *s, int slice) /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - int index; - index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); - if (index > 63) - continue; + vp3_dequant(s, s->all_fragments + i, plane, 0, block); if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( @@ -1525,10 +1522,7 @@ static void render_slice(Vp3DecodeContext *s, int slice) stride, block); } else { - int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); - if (index > 63) - continue; - if (index > 0) { + if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { s->dsp.idct_add( output_plane + first_pixel, stride, From 1218f8ed499509e67bdb03600a80bd382fb8fb50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2012 15:27:43 +0100 Subject: [PATCH 0660/1119] vp3: fix regression with mplayer-crash.ogv Signed-off-by: Michael Niedermayer (cherry picked from commit a2a12e3358c3bbdc0246ffc94973e58eba50ee30) --- libavcodec/vp3.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 3abc78b85a..2f07af8c4b 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1514,10 +1514,7 @@ static void render_slice(Vp3DecodeContext *s, int slice) /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - int index; - index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); - if (index > 63) - continue; + vp3_dequant(s, s->all_fragments + i, plane, 0, block); if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( @@ -1525,10 +1522,7 @@ static void render_slice(Vp3DecodeContext *s, int slice) stride, block); } else { - int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); - if (index > 63) - continue; - if (index > 0) { + if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { s->dsp.idct_add( output_plane + first_pixel, stride, From 870e74dc435e76cecdbe936329a04845d680ed29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2012 20:19:40 +0100 Subject: [PATCH 0661/1119] Update for 0.7.10 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 6777f13149..7fce60df11 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.9 +PROJECT_NUMBER = 0.7.10 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 972ef76ad1..5b209ea206 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.9 +0.7.10 diff --git a/VERSION b/VERSION index 972ef76ad1..5b209ea206 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.9 +0.7.10 From cee1568ae18696919ad9cfea1d536364e4d53d9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2012 20:20:14 +0100 Subject: [PATCH 0662/1119] Update for 0.8.9 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 4672ded1a8..a7b2956401 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.8 +PROJECT_NUMBER = 0.8.9 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 6201b5f77f..55485e1793 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.8 +0.8.9 diff --git a/VERSION b/VERSION index 6201b5f77f..55485e1793 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.8 +0.8.9 From 82a11fcff24d9827070d77f1a3c6ba5d4dc12984 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Tue, 3 Jan 2012 13:38:01 +0100 Subject: [PATCH 0663/1119] vp3: fix streams with non-zero last coefficient Fixes a regression introduced in 8b94df0f2047e972. (cherry picked from commit 9b4767e4784577f3107730316fe652ccaccd9b3a) Signed-off-by: Reinhard Tartler --- libavcodec/vp3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 890db5c59f..2b47e93479 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1306,6 +1306,8 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, return i; } } while (i < 64); + // return value is expected to be a valid level + i--; end: // the actual DC+prediction is in the fragment structure block[0] = frag->dc * s->qmat[0][inter][plane][0]; From 06df5420670013c43c074aa402cc2a418d6ba502 Mon Sep 17 00:00:00 2001 From: Nathan Caldwell Date: Tue, 27 Sep 2011 18:48:43 -0600 Subject: [PATCH 0664/1119] avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected for the loopback address. This fixes bind(8080): Address family not supported by protocol. Signed-off-by: Anton Khirnov (cherry picked from commit f5e717f3c735af5c941b458d42615c97028aa916) Signed-off-by: Reinhard Tartler --- ffserver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ffserver.c b/ffserver.c index 179cac4d96..bab58d1532 100644 --- a/ffserver.c +++ b/ffserver.c @@ -516,6 +516,7 @@ static int socket_open_listen(struct sockaddr_in *my_addr) tmp = 1; setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &tmp, sizeof(tmp)); + my_addr->sin_family = AF_INET; if (bind (server_fd, (struct sockaddr *) my_addr, sizeof (*my_addr)) < 0) { char bindmsg[32]; snprintf(bindmsg, sizeof(bindmsg), "bind(port %d)", ntohs(my_addr->sin_port)); From c624935554332f8921a15265b8720f0c7b3c8cc2 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 28 Oct 2011 23:50:04 -0700 Subject: [PATCH 0665/1119] vp3: fix oob read for negative tokens and memleaks on error. (cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f) Fixes: #189 Chromium-Bug: 101172,100465 CVE-2011-3892 Signed-off-by: Reinhard Tartler --- libavcodec/vp3.c | 59 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 2b47e93479..69e3d33e0e 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -45,6 +45,7 @@ #define FRAGMENT_PIXELS 8 static av_cold int vp3_decode_end(AVCodecContext *avctx); +static void vp3_decode_flush(AVCodecContext *avctx); //FIXME split things out into their own arrays typedef struct Vp3Fragment { @@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, /* decode a VLC into a token */ token = get_vlc2(gb, vlc_table, 11, 3); /* use the token to get a zero run, a coefficient, and an eob run */ - if (token <= 6) { + if ((unsigned) token <= 6U) { eob_run = eob_run_base[token]; if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); @@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, coeff_i += eob_run; eob_run = 0; } - } else { + } else if (token >= 0) { bits_to_get = coeff_get_bits[token]; if (bits_to_get) bits_to_get = get_bits(gb, bits_to_get); @@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, for (i = coeff_index+1; i <= coeff_index+zero_run; i++) s->num_coded_frags[plane][i]--; coeff_i++; + } else { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid token %d\n", token); + return -1; } } @@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) /* unpack the Y plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) /* unpack the C plane DC coefficients */ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; /* reverse prediction of the C-plane DC coefficients */ if (!(s->avctx->flags & CODEC_FLAG_GRAY)) @@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) for (i = 1; i <= 63; i++) { residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i, 0, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 1, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, 2, residual_eob_run); + if (residual_eob_run < 0) + return residual_eob_run; } return 0; @@ -1789,10 +1806,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; int qps_changed = 0, i, err; +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) + if (!s1->current_frame.data[0] ||s->width != s1->width - ||s->height!= s1->height) + ||s->height!= s1->height) { + if (s != s1) + copy_fields(s, s1, golden_frame, current_frame); return -1; + } if (s != s1) { // init tables if the first frame hasn't been decoded @@ -1808,8 +1830,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1])); } -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) - // copy previous frame data copy_fields(s, s1, golden_frame, dsp); @@ -1999,9 +2019,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) Vp3DecodeContext *s = avctx->priv_data; int i; - if (avctx->is_copy && !s->current_frame.data[0]) - return 0; - av_free(s->superblock_coding); av_free(s->all_fragments); av_free(s->coded_fragment_list[0]); @@ -2028,12 +2045,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) free_vlc(&s->motion_vector_vlc); /* release all frames */ - if (s->golden_frame.data[0]) - ff_thread_release_buffer(avctx, &s->golden_frame); - if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY) - ff_thread_release_buffer(avctx, &s->last_frame); - /* no need to release the current_frame since it will always be pointing - * to the same frame as either the golden or last frame */ + vp3_decode_flush(avctx); return 0; } @@ -2353,6 +2365,23 @@ static void vp3_decode_flush(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->current_frame); } +static int vp3_init_thread_copy(AVCodecContext *avctx) +{ + Vp3DecodeContext *s = avctx->priv_data; + + s->superblock_coding = NULL; + s->all_fragments = NULL; + s->coded_fragment_list[0] = NULL; + s->dct_tokens_base = NULL; + s->superblock_fragments = NULL; + s->macroblock_coding = NULL; + s->motion_val[0] = NULL; + s->motion_val[1] = NULL; + s->edge_emu_buffer = NULL; + + return 0; +} + AVCodec ff_theora_decoder = { "theora", AVMEDIA_TYPE_VIDEO, @@ -2366,6 +2395,7 @@ AVCodec ff_theora_decoder = { NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Theora"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; #endif @@ -2383,5 +2413,6 @@ AVCodec ff_vp3_decoder = { NULL, .flush = vp3_decode_flush, .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) }; From 4a94678f1be4b7d47f862e9523ca3358255da5d4 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Thu, 5 Jan 2012 21:25:41 +0100 Subject: [PATCH 0666/1119] vorbis: Avoid some out-of-bounds reads Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893 Signed-off-by: Reinhard Tartler (cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be) Signed-off-by: Reinhard Tartler --- libavcodec/vorbis.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index f413170b6a..cc039be190 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -150,7 +150,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } -static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, +static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, intptr_t sy, int ady, int adx, float *buf) { @@ -173,7 +173,7 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, } } -static void render_line(int x0, int y0, int x1, int y1, float *buf) +static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) { int dy = y1 - y0; int adx = x1 - x0; @@ -183,10 +183,10 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf) if (ady*2 <= adx) { // optimized common case render_line_unrolled(x0, y0, x1, sy, ady, adx, buf); } else { - int base = dy / adx; - int x = x0; - int y = y0; - int err = -adx; + int base = dy / adx; + int x = x0; + uint8_t y = y0; + int err = -adx; ady -= FFABS(base) * adx; while (++x < x1) { y += base; @@ -204,7 +204,8 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint16_t *y_list, int *flag, int multiplier, float *out, int samples) { - int lx, ly, i; + int lx, i; + uint8_t ly; lx = 0; ly = y_list[0] * multiplier; for (i = 1; i < values; i++) { From 1f625431e2bb9564760fba3ab8077ae07ce7c7a1 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Thu, 5 Jan 2012 21:19:30 +0100 Subject: [PATCH 0667/1119] matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc() Fixes bug #190 Chromium bug #100492 related to CVE-2011-3893 Signed-off-by: Reinhard Tartler (cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 59dce4f59f..fad554f09f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1134,7 +1134,6 @@ static void matroska_convert_tags(AVFormatContext *s) static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) { EbmlList *seekhead_list = &matroska->seekhead; - MatroskaSeekhead *seekhead = seekhead_list->elem; uint32_t level_up = matroska->level_up; int64_t before_pos = avio_tell(matroska->ctx->pb); uint32_t saved_id = matroska->current_id; @@ -1147,6 +1146,7 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) return; for (i=0; inb_elem; i++) { + MatroskaSeekhead *seekhead = seekhead_list->elem; int64_t offset = seekhead[i].pos + matroska->segment_start; if (seekhead[i].pos <= before_pos From 97f23c72a3815739ab28e297ce60f943349f6939 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 5 Jan 2012 21:40:18 +0100 Subject: [PATCH 0668/1119] vorbisdec: Fix decoding bug with channel handling Fixes Bug: #191 Chromium Bug: #101458 CVE-2011-3895 Signed-off-by: Reinhard Tartler (cherry picked from commit e6d527ff729e42d80e4756cab779ff4ad693631b) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 017102e777..81458144df 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -660,7 +660,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc) res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || + res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n", @@ -1466,6 +1466,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint8_t res_chan[255]; unsigned res_num = 0; int retlen = 0; + int ch_left = vc->audio_channels; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1540,9 +1541,14 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) } } residue = &vc->residues[mapping->submap_residue[i]]; + if (ch_left < ch) { + av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); + return -1; + } vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); ch_res_ptr += ch * blocksize / 2; + ch_left -= ch; } // Inverse coupling From b0283ccb9e8945ce9e56f7c6ba0c676e7179d7a3 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Thu, 5 Jan 2012 21:25:41 +0100 Subject: [PATCH 0669/1119] vorbis: An additional defense in the Vorbis codec. Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893 Signed-off-by: Reinhard Tartler (cherry picked from commit afb2aa537954db537d54358997b68f46561fd5a7) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 81458144df..572e06ebc3 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1269,6 +1269,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, uint8_t *do_not_decode, float *vec, unsigned vlen, + unsigned ch_left, int vr_type) { GetBitContext *gb = &vc->gb; @@ -1276,6 +1277,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned ptns_to_read = vr->ptns_to_read; uint8_t *classifs = vr->classifs; unsigned pass, ch_used, i, j, k, l; + unsigned max_output = (ch - 1) * vlen; if (vr_type == 2) { for (j = 1; j < ch; ++j) @@ -1283,8 +1285,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (do_not_decode[0]) return 0; ch_used = 1; + max_output += vr->end / ch; } else { ch_used = ch; + max_output += vr->end; + } + + if (max_output > ch_left * vlen) { + av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n"); + return -1; } av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c); @@ -1411,14 +1420,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, unsigned ch, uint8_t *do_not_decode, - float *vec, unsigned vlen) + float *vec, unsigned vlen, + unsigned ch_left) { if (vr->type == 2) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2); else if (vr->type == 1) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1); else if (vr->type == 0) - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0); + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0); else { av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n"); return -1; @@ -1466,7 +1476,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint8_t res_chan[255]; unsigned res_num = 0; int retlen = 0; - int ch_left = vc->audio_channels; + unsigned ch_left = vc->audio_channels; + unsigned vlen; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1486,11 +1497,12 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) blockflag = vc->modes[mode_number].blockflag; blocksize = vc->blocksize[blockflag]; + vlen = blocksize / 2; if (blockflag) skip_bits(gb, 2); // previous_window, next_window - memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? - memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? + memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ? + memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ? // Decode floor @@ -1510,7 +1522,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) return -1; } no_residue[i] = ret; - ch_floor_ptr += blocksize / 2; + ch_floor_ptr += vlen; } // Nonzero vector propagate @@ -1527,6 +1539,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) for (i = 0; i < mapping->submaps; ++i) { vorbis_residue *residue; unsigned ch = 0; + int ret; for (j = 0; j < vc->audio_channels; ++j) { if ((mapping->submaps == 1) || (i == mapping->mux[j])) { @@ -1545,9 +1558,13 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); return -1; } - vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); + if (ch) { + ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left); + if (ret < 0) + return ret; + } - ch_res_ptr += ch * blocksize / 2; + ch_res_ptr += ch * vlen; ch_left -= ch; } From dd8228dcffc10b00c1f496e11e7ed7c6d07403c4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 20 Nov 2011 15:54:15 -0800 Subject: [PATCH 0670/1119] swscale: fix crash in fast_bilinear code when compiled with -mred-zone. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Additional comments from Måns Rullgard have been integrated by Reinhard Tartler. Signed-off-by: Reinhard Tartler (cherry picked from commit b14fa5572c2a3bb1d8cd6327c4687a2eee363bbb) Signed-off-by: Reinhard Tartler --- libswscale/x86/swscale_template.c | 50 ++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index dc92cddff5..670b68eb51 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -2072,12 +2072,24 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, void *mmx2FilterCode= c->lumMmx2FilterCode; int i; #if defined(PIC) - DECLARE_ALIGNED(8, uint64_t, ebxsave); + uint64_t ebxsave; +#endif +#if ARCH_X86_64 + uint64_t retsave; #endif __asm__ volatile( #if defined(PIC) "mov %%"REG_b", %5 \n\t" +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %6 \n\t" +#endif +#else +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %5 \n\t" +#endif #endif "pxor %%mm7, %%mm7 \n\t" "mov %0, %%"REG_c" \n\t" @@ -2119,11 +2131,23 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, #if defined(PIC) "mov %5, %%"REG_b" \n\t" +#if ARCH_X86_64 + "mov %6, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif +#else +#if ARCH_X86_64 + "mov %5, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif #endif :: "m" (src), "m" (dst), "m" (filter), "m" (filterPos), "m" (mmx2FilterCode) #if defined(PIC) ,"m" (ebxsave) +#endif +#if ARCH_X86_64 + ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) @@ -2146,10 +2170,22 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) DECLARE_ALIGNED(8, uint64_t, ebxsave); #endif +#if ARCH_X86_64 + DECLARE_ALIGNED(8, uint64_t, retsave); +#endif __asm__ volatile( #if defined(PIC) "mov %%"REG_b", %7 \n\t" +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %8 \n\t" +#endif +#else +#if ARCH_X86_64 + "mov -8(%%rsp), %%"REG_a" \n\t" + "mov %%"REG_a", %7 \n\t" +#endif #endif "pxor %%mm7, %%mm7 \n\t" "mov %0, %%"REG_c" \n\t" @@ -2179,11 +2215,23 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, #if defined(PIC) "mov %7, %%"REG_b" \n\t" +#if ARCH_X86_64 + "mov %8, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif +#else +#if ARCH_X86_64 + "mov %7, %%"REG_a" \n\t" + "mov %%"REG_a", -8(%%rsp) \n\t" +#endif #endif :: "m" (src1), "m" (dst1), "m" (filter), "m" (filterPos), "m" (mmx2FilterCode), "m" (src2), "m"(dst2) #if defined(PIC) ,"m" (ebxsave) +#endif +#if ARCH_X86_64 + ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D #if !defined(PIC) From 8f17d7dd4bf7a6e7cda550aa935e60125d808d49 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Jan 2012 17:34:06 +0100 Subject: [PATCH 0671/1119] Update RELEASE file for 0.7.4 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index f38fc5393f..0a1ffad4b4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.3 +0.7.4 From d4653e882fee5a2876c3878bc23d26799e3380ad Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Jan 2012 17:34:17 +0100 Subject: [PATCH 0672/1119] Update Changelog for 0.7.4 release --- Changelog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Changelog b/Changelog index e8fcf8257f..30c5b8f8de 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,20 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.4: + +- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895) +- vorbisdec: Fix decoding bug with channel handling. +- matroskadec: Fix a bug where a pointer was cached to an array that might + later move due to a realloc(). (CVE-2011-3893) +- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893) +- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892) +- avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected + for the loopback address. +- vp3: fix streams with non-zero last coefficient. +- swscale: fix crash in fast_bilinear code when compiled with -mred-zone. + + version 0.7.3: - check buffer and input values in various parts of the code: From c4cc8584d0e48a9474a52eed725ed726d14d3f2f Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Tue, 27 Dec 2011 15:15:02 +0100 Subject: [PATCH 0673/1119] lavfi: add missing check in avfilter_filter_samples() Avoid out-of-buffer data access when nb_channels is 8. (cherry picked from commit ae21776207e8a2bbe268e7c9e203f7599dd87ddb) Signed-off-by: Michael Niedermayer --- libavfilter/avfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index a57677c0e4..d2b4986cef 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -614,7 +614,7 @@ void avfilter_filter_samples(AVFilterLink *link, AVFilterBufferRef *samplesref) link->cur_buf->audio->sample_rate = samplesref->audio->sample_rate; /* Copy actual data into new samples buffer */ - for (i = 0; samplesref->data[i]; i++) + for (i = 0; samplesref->data[i] && i < 8; i++) memcpy(link->cur_buf->data[i], samplesref->data[i], samplesref->linesize[0]); avfilter_unref_buffer(samplesref); From d80db23e7d3130ee5f5f6fff7e6db3274cdd6a98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 00:10:27 +0100 Subject: [PATCH 0674/1119] ws_snd1: Fix wrong samples count and crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 5257743aee0c3982f0079e6553aabc6aa39401d2) Signed-off-by: Michael Niedermayer --- libavcodec/ws-snd1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index f92c3531e0..c28d1a8d6a 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -100,8 +100,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, /* make sure we don't write more than out_size samples */ switch (code) { - case 0: smp = 4; break; - case 1: smp = 2; break; + case 0: smp = 4*(count+1); break; + case 1: smp = 2*(count+1); break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; } From 56173eabb6fb508574150098ac835b3b3e6a8569 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Dec 2011 04:16:01 +0100 Subject: [PATCH 0675/1119] j2kdec: Fix integer overflow leading to a segfault Fixes Ticket776 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99939a6361e2e6d6788494dd7c682b051c6c34) Signed-off-by: Michael Niedermayer --- libavcodec/j2k_dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2k_dwt.c b/libavcodec/j2k_dwt.c index ab7a1ab757..48aa33735e 100644 --- a/libavcodec/j2k_dwt.c +++ b/libavcodec/j2k_dwt.c @@ -321,7 +321,7 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int int i, j, lev = decomp_levels, maxlen, b[2][2]; - if (decomp_levels >= FF_DWT_MAX_DECLVLS) + if ((unsigned)decomp_levels >= FF_DWT_MAX_DECLVLS) return AVERROR_INVALIDDATA; s->ndeclevels = decomp_levels; s->type = type; From 6f0e349a023c9690ef21a94ac5eb8451cf1cce95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Dec 2011 03:59:29 +0100 Subject: [PATCH 0676/1119] aacsbr: Fix memory corruption. Fixes Ticket760 and Ticket761 Bug Found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit 944f5b2779e4aa63f7624df6cd4de832a53db81b) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 10b8daf280..866482aac3 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1185,7 +1185,7 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < 128 >> div) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); From 8454d81ebe672e33022bc06e461676ca6d7b3299 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Dec 2011 02:43:03 +0100 Subject: [PATCH 0677/1119] h264: check chroma_format_idc range. Fixes Ticket758 Bug found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 89e2502e0d..680db1e5a6 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -342,6 +342,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->profile_idc >= 100){ //high profile sps->chroma_format_idc= get_ue_golomb_31(&s->gb); + if (sps->chroma_format_idc > 3U) { + av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc); + goto fail; + } if(sps->chroma_format_idc == 3) sps->residual_color_transform_flag = get_bits1(&s->gb); sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; From 049b08d04cd5a6e53e0b0814525313fe5bd3e47a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 03:18:58 +0100 Subject: [PATCH 0678/1119] atrac3: Fix crash in tonal component decoding. Fixes Ticket780 Bug Found by: cosminamironesei Signed-off-by: Michael Niedermayer (cherry picked from commit 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 20ab75dfd7..f16630450d 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -395,6 +395,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent for (k=0; k=64) + return AVERROR_INVALIDDATA; pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); max_coded_values = 1024 - pComponent[component_count].pos; coded_values = coded_values_per_component + 1; From 6b4c38b362a59a28860e0e2e3d92a82dc38479cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Dec 2011 05:06:20 +0100 Subject: [PATCH 0679/1119] j2kdec: Check curtileno for validity Signed-off-by: Michael Niedermayer (cherry picked from commit 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78) Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 96b4f64098..3b94497293 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -421,6 +421,10 @@ static uint8_t get_sot(J2kDecoderContext *s) return AVERROR(EINVAL); s->curtileno = bytestream_get_be16(&s->buf); ///< Isot + if((unsigned)s->curtileno >= s->numXtiles * s->numYtiles){ + s->curtileno=0; + return AVERROR(EINVAL); + } s->buf += 4; ///< Psot (ignored) From 4ad5618210edabcc28b8ceee77d22e2e1e7eb822 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Dec 2011 06:17:12 +0100 Subject: [PATCH 0680/1119] j2kdec: Fix crash in get_qcx Signed-off-by: Michael Niedermayer (cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a) Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 3b94497293..3315a835d7 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -359,7 +359,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q) if (q->quantsty == J2K_QSTY_NONE){ n -= 3; - if (s->buf_end - s->buf < n) + if (s->buf_end - s->buf < n || 32*3 < n) return AVERROR(EINVAL); for (i = 0; i < n; i++) q->expn[i] = bytestream_get_byte(&s->buf) >> 3; @@ -376,7 +376,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q) } } else{ n = (n - 3) >> 1; - if (s->buf_end - s->buf < n) + if (s->buf_end - s->buf < n || 32*3 < n) return AVERROR(EINVAL); for (i = 0; i < n; i++){ x = bytestream_get_be16(&s->buf); From 8935e7474ada9f18e9c21ec3a0a1706040e7b3be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 12:28:50 +0100 Subject: [PATCH 0681/1119] shorten: Fix invalid free() Signed-off-by: Michael Niedermayer (cherry picked from commit 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0b9d420d86..621281fc75 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -81,6 +81,7 @@ typedef struct ShortenContext { int channels; int32_t *decoded[MAX_CHANNELS]; + int32_t *decoded_base[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; int *coeffs; uint8_t *bitstream; @@ -130,13 +131,13 @@ static int allocate_buffers(ShortenContext *s) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; - tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded_base[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); if (!tmp_ptr) return AVERROR(ENOMEM); - s->decoded[chan] = tmp_ptr; + s->decoded_base[chan] = tmp_ptr; for (i=0; inwrap; i++) - s->decoded[chan][i] = 0; - s->decoded[chan] += s->nwrap; + s->decoded_base[chan][i] = 0; + s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); @@ -548,8 +549,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) int i; for (i = 0; i < s->channels; i++) { - s->decoded[i] -= s->nwrap; - av_freep(&s->decoded[i]); + s->decoded[i] = NULL; + av_freep(&s->decoded_base[i]); av_freep(&s->offset[i]); } av_freep(&s->bitstream); From f682094aaab8f7c0a1a728c0d39d14fe52121aa0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2012 22:20:25 +0100 Subject: [PATCH 0682/1119] Update for 0.7.11 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 7fce60df11..1534700d53 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.10 +PROJECT_NUMBER = 0.7.11 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 5b209ea206..b4d6d12101 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.10 +0.7.11 diff --git a/VERSION b/VERSION index 5b209ea206..b4d6d12101 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.10 +0.7.11 From 3a3f2b515fa54937efe1a9f0e1657c37266a98e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2012 22:25:00 +0100 Subject: [PATCH 0683/1119] Update for 0.8.10 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index a7b2956401..722a86058c 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.9 +PROJECT_NUMBER = 0.8.10 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 55485e1793..ef50561618 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.9 +0.8.10 diff --git a/VERSION b/VERSION index 55485e1793..ef50561618 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.9 +0.8.10 From 4a2287667590ad932b012a1a760b67cdf3ad1c14 Mon Sep 17 00:00:00 2001 From: Joakim Plate Date: Thu, 14 Jul 2011 22:31:37 +0200 Subject: [PATCH 0684/1119] vf_yadif: copy buffer properties like aspect for second frame as well Signed-off-by: Anton Khirnov (cherry picked from commit 5feb67f8a1a17a4dd3cec0aa80ef0dc543fc7673) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavfilter/vf_yadif.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index 42a7219d26..c7fc4393fd 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -197,9 +197,12 @@ static void return_frame(AVFilterContext *ctx, int is_second) tff = yadif->parity^1; } - if (is_second) + if (is_second) { yadif->out = avfilter_get_video_buffer(link, AV_PERM_WRITE | AV_PERM_PRESERVE | AV_PERM_REUSE, link->w, link->h); + avfilter_copy_buffer_ref_props(yadif->out, yadif->cur); + yadif->out->video->interlaced = 0; + } if (!yadif->csp) yadif->csp = &av_pix_fmt_descriptors[link->format]; From 5c9ca599a70c0babdc4af301753e7067888611d6 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 4 Aug 2011 00:25:35 +0200 Subject: [PATCH 0685/1119] vf_yadif: correct documentation on the parity parameter 0 is top-field-first, 1 is bottom-field-first, not the other way around. Signed-off-by: Anton Khirnov (cherry picked from commit 4703a7b50b098a53ec2f806bd41a00fd87ea9d8c) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- doc/filters.texi | 4 ++-- libavfilter/vf_yadif.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index 9666f582f2..c1cf0084f8 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -1353,9 +1353,9 @@ interlaced video, accepts one of the following values: @table @option @item 0 -assume bottom field first -@item 1 assume top field first +@item 1 +assume bottom field first @item -1 enable automatic detection @end table diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index c7fc4393fd..e9f9bb6afa 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -38,8 +38,8 @@ typedef struct { int mode; /** - * 0: bottom field first - * 1: top field first + * 0: top field first + * 1: bottom field first * -1: auto-detection */ int parity; From af58dd479859001808a9b7c085e1d271b8e8962b Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Mon, 4 Jul 2011 11:15:14 +0200 Subject: [PATCH 0686/1119] vf_pad: fix "vsub" variable value computation It was shifting 2 rather than 1, +10l. Signed-off-by: Anton Khirnov (cherry picked from commit 80de930a781c177dc54f3836f57aa8959597bcda) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavfilter/vf_pad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index 18873b8837..d4d2b205d3 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -157,7 +157,7 @@ static int config_input(AVFilterLink *inlink) var_values[VAR_OUT_H] = var_values[VAR_OH] = NAN; var_values[VAR_A] = (float) inlink->w / inlink->h; var_values[VAR_HSUB] = 1<hsub; - var_values[VAR_VSUB] = 2<vsub; + var_values[VAR_VSUB] = 1<vsub; /* evaluate width and height */ av_expr_parse_and_eval(&res, (expr = pad->w_expr), From 7f62cf120bd066964d93617c73bd5f9f2ee9de00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2011 01:49:55 +0200 Subject: [PATCH 0687/1119] vf_scale: apply the same transform to the aspect during init that is applied per frame Signed-off-by: Anton Khirnov (cherry picked from commit d33e0c6bc819048b05c168d304fba7bdd75a80e1) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavfilter/vf_scale.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 5288d32116..bbc8321c01 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -213,6 +213,14 @@ static int config_props(AVFilterLink *outlink) if (!scale->sws) return AVERROR(EINVAL); + + if (inlink->sample_aspect_ratio.num) + outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h*inlink->w, + outlink->w*inlink->h}, + inlink->sample_aspect_ratio); + else + outlink->sample_aspect_ratio = inlink->sample_aspect_ratio; + return 0; fail: From 734a9bb05f2b5c09c43d6c26c75dae6af3f51fa2 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Fri, 12 Aug 2011 08:42:35 +0200 Subject: [PATCH 0688/1119] vf_unsharp: fix out-of-buffer read In apply_unsharp(), when y is >= height, prevent out-of-buffer reading from src, read from the last buffer line in src2 instead. The check was implemented in the original unsharp libmpcodecs code and lost in the port. This also fixes output discrepancy between the two filters. Signed-off-by: Anton Khirnov (cherry picked from commit 998e8519efbc772994c5ba19c0d39573998be9db) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavfilter/vf_unsharp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index 274b13c296..1c3d577ad1 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -70,6 +70,7 @@ static void unsharpen(uint8_t *dst, uint8_t *src, int dst_stride, int src_stride int32_t res; int x, y, z; + const uint8_t *src2; if (!fp->amount) { if (dst_stride == src_stride) @@ -84,9 +85,12 @@ static void unsharpen(uint8_t *dst, uint8_t *src, int dst_stride, int src_stride memset(sc[y], 0, sizeof(sc[y][0]) * (width + 2 * fp->steps_x)); for (y = -fp->steps_y; y < height + fp->steps_y; y++) { + if (y < height) + src2 = src; + memset(sr, 0, sizeof(sr[0]) * (2 * fp->steps_x - 1)); for (x = -fp->steps_x; x < width + fp->steps_x; x++) { - tmp1 = x <= 0 ? src[0] : x >= width ? src[width-1] : src[x]; + tmp1 = x <= 0 ? src2[0] : x >= width ? src2[width-1] : src2[x]; for (z = 0; z < fp->steps_x * 2; z += 2) { tmp2 = sr[z + 0] + tmp1; sr[z + 0] = tmp1; tmp1 = sr[z + 1] + tmp2; sr[z + 1] = tmp2; From 958e0f705dab60f4d11ab90e2ebe2b4e7393fb41 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sun, 19 Jun 2011 22:07:18 +0200 Subject: [PATCH 0689/1119] lavfi: fix realloc size computation in avfilter_add_format() Replace sizeof((*avff)->formats) with sizeof(*(*avff)->formats) as the size of the array element is given by the pointed element rather than by its pointer. In particular fix computation with the pending patch when sizeof(int64_t) != sizeof(int64_t *). Signed-off-by: Anton Khirnov (cherry picked from commit 0ec56d1144fa4ea36950295987bb5f49c9747046) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index bb7b921552..ae916cf16c 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -94,7 +94,7 @@ int avfilter_add_format(AVFilterFormats **avff, int fmt) return AVERROR(ENOMEM); fmts = av_realloc((*avff)->formats, - sizeof((*avff)->formats) * ((*avff)->format_count+1)); + sizeof(*(*avff)->formats) * ((*avff)->format_count+1)); if (!fmts) return AVERROR(ENOMEM); From ec2a1d91e216c30a1e286b2141eaabe64a0296f5 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:16:39 +0200 Subject: [PATCH 0690/1119] h264: check for out of bounds reads in ff_h264_decode_extradata(). Signed-off-by: Anton Khirnov (cherry picked from commit d1186ff72d75b6067770890758c4feb92abd84f7) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 75075f6b3c..276ace280e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1032,6 +1032,8 @@ int ff_h264_decode_extradata(H264Context *h) p += 6; for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if (p - avctx->extradata + nalsize > avctx->extradata_size) + return -1; if(decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i); return -1; @@ -1042,6 +1044,8 @@ int ff_h264_decode_extradata(H264Context *h) cnt = *(p++); // Number of pps for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; + if (p - avctx->extradata + nalsize > avctx->extradata_size) + return -1; if (decode_nal_units(h, p, nalsize) < 0) { av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i); return -1; From 485f85aa900df0e50dd2300509ed8331e7bf6301 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Oct 2011 08:41:51 -0700 Subject: [PATCH 0691/1119] h264: correct implicit_weight for field-interlaced pictures. (cherry picked from commit 4418aa9cb3b2f0b83748e37d2952560cf84b3611) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 276ace280e..f2fa9aa403 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2199,7 +2199,11 @@ static void implicit_weight_table(H264Context *h, int field){ } if(field < 0){ - cur_poc = s->current_picture_ptr->poc; + if (s->picture_structure == PICT_FRAME) { + cur_poc = s->current_picture_ptr->poc; + } else { + cur_poc = s->current_picture_ptr->field_poc[s->picture_structure - 1]; + } if( h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF && h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2*cur_poc){ h->use_weight= 0; From c6bb93dcd96ae1ece3c2a505f296f2f4a28134a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Oct 2011 00:14:48 +0200 Subject: [PATCH 0692/1119] H264: Only wait before triggering ff_thread_setup_complete() until the next slice that contains a start-of-field/frame macroblock This allows concurrent decoding of the last field/frame, rather than only the last slice, of data packets with multiple NAL units packed together. This will fix the slowdown reported in e.g. bug 52. Signed-off-by: Anton Khirnov (cherry picked from commit 14c21c1ff509eac97f6437aeb51202b15af3a700) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f2fa9aa403..9d40100f66 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3724,9 +3724,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ switch (hx->nal_unit_type) { case NAL_SPS: case NAL_PPS: + nals_needed = nal_index; + break; case NAL_IDR_SLICE: case NAL_SLICE: - nals_needed = nal_index; + init_get_bits(&hx->s.gb, ptr, bit_length); + if (!get_ue_golomb(&hx->s.gb)) + nals_needed = nal_index; } continue; } From 1e809ab887d401c2ff22a7882ff900f8b4172da9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 21:22:06 +0100 Subject: [PATCH 0693/1119] h264pred: use unsigned types for pixel values, fix signed overflows Signed-off-by: Mans Rullgard (cherry picked from commit 60f10e0ad37418cc697765d85b0bc22db70f726a) Signed-off-by: Anton Khirnov --- libavcodec/h264pred.c | 10 +++++----- libavcodec/h264pred_template.c | 32 ++++++++++++++++---------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c index b3701ef3b8..484e527777 100644 --- a/libavcodec/h264pred.c +++ b/libavcodec/h264pred.c @@ -40,7 +40,7 @@ #undef BIT_DEPTH static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_TOP_EDGE LOAD_TOP_RIGHT_EDGE uint32_t v = PACK_4U8((lt + 2*t0 + t1 + 2) >> 2, @@ -55,7 +55,7 @@ static void pred4x4_vertical_vp8_c(uint8_t *src, const uint8_t *topright, int st } static void pred4x4_horizontal_vp8_c(uint8_t *src, const uint8_t *topright, int stride){ - const int lt= src[-1-1*stride]; + const unsigned lt = src[-1-1*stride]; LOAD_LEFT_EDGE AV_WN32A(src+0*stride, ((lt + 2*l0 + l1 + 2) >> 2)*0x01010101); @@ -292,7 +292,7 @@ static void pred16x16_tm_vp8_c(uint8_t *src, int stride){ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -307,7 +307,7 @@ static void pred8x8_left_dc_rv40_c(uint8_t *src, int stride){ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0; + unsigned dc0; dc0=0; for(i=0;i<8; i++) @@ -322,7 +322,7 @@ static void pred8x8_top_dc_rv40_c(uint8_t *src, int stride){ static void pred8x8_dc_rv40_c(uint8_t *src, int stride){ int i; - int dc0=0; + unsigned dc0 = 0; for(i=0;i<4; i++){ dc0+= src[-1+i*stride] + src[i-stride]; diff --git a/libavcodec/h264pred_template.c b/libavcodec/h264pred_template.c index 1c1fe0bc31..cdc27c4e2e 100644 --- a/libavcodec/h264pred_template.c +++ b/libavcodec/h264pred_template.c @@ -120,28 +120,28 @@ static void FUNCC(pred4x4_129_dc)(uint8_t *_src, const uint8_t *topright, int _s #define LOAD_TOP_RIGHT_EDGE\ - const int av_unused t4= topright[0];\ - const int av_unused t5= topright[1];\ - const int av_unused t6= topright[2];\ - const int av_unused t7= topright[3];\ + const unsigned av_unused t4 = topright[0];\ + const unsigned av_unused t5 = topright[1];\ + const unsigned av_unused t6 = topright[2];\ + const unsigned av_unused t7 = topright[3];\ #define LOAD_DOWN_LEFT_EDGE\ - const int av_unused l4= src[-1+4*stride];\ - const int av_unused l5= src[-1+5*stride];\ - const int av_unused l6= src[-1+6*stride];\ - const int av_unused l7= src[-1+7*stride];\ + const unsigned av_unused l4 = src[-1+4*stride];\ + const unsigned av_unused l5 = src[-1+5*stride];\ + const unsigned av_unused l6 = src[-1+6*stride];\ + const unsigned av_unused l7 = src[-1+7*stride];\ #define LOAD_LEFT_EDGE\ - const int av_unused l0= src[-1+0*stride];\ - const int av_unused l1= src[-1+1*stride];\ - const int av_unused l2= src[-1+2*stride];\ - const int av_unused l3= src[-1+3*stride];\ + const unsigned av_unused l0 = src[-1+0*stride];\ + const unsigned av_unused l1 = src[-1+1*stride];\ + const unsigned av_unused l2 = src[-1+2*stride];\ + const unsigned av_unused l3 = src[-1+3*stride];\ #define LOAD_TOP_EDGE\ - const int av_unused t0= src[ 0-1*stride];\ - const int av_unused t1= src[ 1-1*stride];\ - const int av_unused t2= src[ 2-1*stride];\ - const int av_unused t3= src[ 3-1*stride];\ + const unsigned av_unused t0 = src[ 0-1*stride];\ + const unsigned av_unused t1 = src[ 1-1*stride];\ + const unsigned av_unused t2 = src[ 2-1*stride];\ + const unsigned av_unused t3 = src[ 3-1*stride];\ static void FUNCC(pred4x4_down_right)(uint8_t *_src, const uint8_t *topright, int _stride){ pixel *src = (pixel*)_src; From ba31a0168131a5dfc4ca521720f998229abbb1a5 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 14:03:47 +0000 Subject: [PATCH 0694/1119] h264: reset h->ref_count in case of errors in ff_h264_decode_ref_pic_list_reordering() Signed-off-by: Janne Grunau (cherry picked from commit 4c7a232fc81fdbdee279ab819a255f624a22b083) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9d40100f66..c9187e6d6c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2896,8 +2896,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ff_h264_fill_default_ref_list(h); } - if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) + if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) { + h->ref_count[1]= h->ref_count[0]= 0; return -1; + } if(h->slice_type_nos!=AV_PICTURE_TYPE_I){ s->last_picture_ptr= &h->ref_list[0][0]; From 4ed486dc3aff211861dafa23ccec5b37b8bd9e38 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 11 Oct 2011 00:58:03 +0100 Subject: [PATCH 0695/1119] h264: fix detection of optional trailing PPS elements The PPS may contain a few trailing elements whose presence is only signalled by data remaining after the the mandatory part has been parsed. The current code fails to take into account the rbsp_trailing_bits() when deciding whether to parse these optional elements. Assuming no unnecessary padding bytes are passed to this function, the optional elements are present if either more than 8 extra bits remain or the remaining bits do not form a valid rbsp_trailing_bits() after the mandatory PPS elements have been parsed. Signed-off-by: Mans Rullgard (cherry picked from commit be1242a3f2b28e9cb08515bdc1db6c14403c279a) Signed-off-by: Anton Khirnov --- libavcodec/h264_ps.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 7491807460..bb673e9d4e 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -462,6 +462,7 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){ unsigned int pps_id= get_ue_golomb(&s->gb); PPS *pps; const int qp_bd_offset = 6*(h->sps.bit_depth_luma-8); + int bits_left; if(pps_id >= MAX_PPS_COUNT) { av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); @@ -538,7 +539,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){ memcpy(pps->scaling_matrix4, h->sps_buffers[pps->sps_id]->scaling_matrix4, sizeof(pps->scaling_matrix4)); memcpy(pps->scaling_matrix8, h->sps_buffers[pps->sps_id]->scaling_matrix8, sizeof(pps->scaling_matrix8)); - if(get_bits_count(&s->gb) < bit_length){ + bits_left = bit_length - get_bits_count(&s->gb); + if (bits_left && (bits_left > 8 || + show_bits(&s->gb, bits_left) != 1 << (bits_left - 1))) { pps->transform_8x8_mode= get_bits1(&s->gb); decode_scaling_matrices(h, h->sps_buffers[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8); pps->chroma_qp_index_offset[1]= get_se_golomb(&s->gb); //second_chroma_qp_index_offset From ccb3b71b424680dd4cd1d99002befeed6ac95d00 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 11 Oct 2011 12:58:31 +0100 Subject: [PATCH 0696/1119] h264: fix invalid shifts in init_cavlc_level_tab() The level_code expression includes a shift which is invalid in those cases where the value is not used. Moving the calculation to the branch where the result is used avoids these. Signed-off-by: Mans Rullgard (cherry picked from commit 8babfc033ecb6332155c1f8879e54dee41d16952) Signed-off-by: Anton Khirnov --- libavcodec/h264_cavlc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 497166b423..2661ab2d17 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -238,17 +238,18 @@ static inline int pred_non_zero_count(H264Context *h, int n){ } static av_cold void init_cavlc_level_tab(void){ - int suffix_length, mask; + int suffix_length; unsigned int i; for(suffix_length=0; suffix_length<7; suffix_length++){ for(i=0; i<(1<>(LEVEL_TAB_BITS-prefix-1-suffix_length)) - (1<>1) ^ mask) - mask; if(prefix + 1 + suffix_length <= LEVEL_TAB_BITS){ + int level_code = (prefix << suffix_length) + + (i >> (av_log2(i) - suffix_length)) - (1 << suffix_length); + int mask = -(level_code&1); + level_code = (((2 + level_code) >> 1) ^ mask) - mask; cavlc_level_tab[suffix_length][i][0]= level_code; cavlc_level_tab[suffix_length][i][1]= prefix + 1 + suffix_length; }else if(prefix + 1 <= LEVEL_TAB_BITS){ From 6362264e2d97f141dfb13fc191d153966c2963f9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 11 Oct 2011 16:00:21 +0100 Subject: [PATCH 0697/1119] h264: fix HRD parameters parsing The bit_rate_value_minus1 and cpb_size_value_minus1 elements allow a wider range than get_ue_golomb() supports. This adds a get_ue_golomb_long() function supporting up to 31 leading zeros, which is the maximum for these syntax elements, and uses it in decode_hrd_parameters(). Signed-off-by: Mans Rullgard (cherry picked from commit fdba370f8a1bdfc22ecbdf3c7148c2f8680a4ac4) Signed-off-by: Anton Khirnov --- libavcodec/golomb.h | 14 ++++++++++++++ libavcodec/h264_ps.c | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 83d277f963..503aa1416a 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -75,6 +75,20 @@ static inline int get_ue_golomb(GetBitContext *gb){ } } +/** + * Read an unsigned Exp-Golomb code in the range 0 to UINT32_MAX-1. + */ +static inline unsigned get_ue_golomb_long(GetBitContext *gb) +{ + unsigned buf, log; + + buf = show_bits_long(gb, 32); + log = 31 - av_log2(buf); + skip_bits_long(gb, log); + + return get_bits_long(gb, log + 1) - 1; +} + /** * read unsigned exp golomb code, constraint to a max of 31. * the return value is undefined if the stored value exceeds 31. diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index bb673e9d4e..677ca80abb 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -130,8 +130,8 @@ static inline int decode_hrd_parameters(H264Context *h, SPS *sps){ get_bits(&s->gb, 4); /* bit_rate_scale */ get_bits(&s->gb, 4); /* cpb_size_scale */ for(i=0; igb); /* bit_rate_value_minus1 */ - get_ue_golomb(&s->gb); /* cpb_size_value_minus1 */ + get_ue_golomb_long(&s->gb); /* bit_rate_value_minus1 */ + get_ue_golomb_long(&s->gb); /* cpb_size_value_minus1 */ get_bits1(&s->gb); /* cbr_flag */ } sps->initial_cpb_removal_delay_length = get_bits(&s->gb, 5) + 1; From 047c6ad752386e892afd45fd97214108e303776f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 9 Feb 2012 22:57:01 -0800 Subject: [PATCH 0698/1119] h264: disallow constrained intra prediction modes for luma. Conversion of the luma intra prediction mode to one of the constrained ("alzheimer") ones can happen by crafting special bitstreams, causing a crash because we'll call a NULL function pointer for 16x16 block intra prediction, since constrained intra prediction functions are only implemented for chroma (8x8 blocks). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113) Signed-off-by: Reinhard Tartler (cherry picked from commit 248d4e461578ff327a2fd75fd0db4f38c270918a) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 4 ++-- libavcodec/h264.h | 2 +- libavcodec/h264_cabac.c | 4 ++-- libavcodec/h264_cavlc.c | 4 ++-- libavcodec/svq3.c | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index c9187e6d6c..dbf8e6aca1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -111,7 +111,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){ /** * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ +int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){ MpegEncContext * const s = &h->s; static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1}; static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8}; @@ -131,7 +131,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ if((h->left_samples_available&0x8080) != 0x8080){ mode= left[ mode ]; - if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred + if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8); } if(mode<0){ diff --git a/libavcodec/h264.h b/libavcodec/h264.h index e3cc815565..507e78fd6f 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -656,7 +656,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h); /** * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode); +int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma); void ff_h264_write_back_intra_pred_mode(H264Context *h); void ff_h264_hl_decode_mb(H264Context *h); diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index f30f4e1c9c..e8c8503857 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2002,14 +2002,14 @@ decode_intra_mb: ff_h264_write_back_intra_pred_mode(h); if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1; } else { - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode ); + h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 ); if( h->intra16x16_pred_mode < 0 ) return -1; } if(decode_chroma){ h->chroma_pred_mode_table[mb_xy] = pred_mode = decode_cabac_mb_chroma_pre_mode( h ); - pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode ); + pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 ); if( pred_mode < 0 ) return -1; h->chroma_pred_mode= pred_mode; } else { diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 2661ab2d17..cd4f336d53 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -736,12 +736,12 @@ decode_intra_mb: if( ff_h264_check_intra4x4_pred_mode(h) < 0) return -1; }else{ - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode); + h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0); if(h->intra16x16_pred_mode < 0) return -1; } if(decode_chroma){ - pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb)); + pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1); if(pred_mode < 0) return -1; h->chroma_pred_mode= pred_mode; diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 23ab209312..09d598c044 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -610,7 +610,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3*(dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){ + if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){ av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); return -1; } @@ -709,7 +709,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) s->current_picture.mb_type[mb_xy] = mb_type; if (IS_INTRA(mb_type)) { - h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8); + h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1); } return 0; From 000bd5209f91bbdaf08a29271b6b5bd8c6058c3e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:31 +0200 Subject: [PATCH 0699/1119] rv34: Check for invalid slices offsets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 70c35ef4ff..cc1cae2616 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1466,13 +1466,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size || size < 0){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } r->si.end = s->mb_width * s->mb_height; if(i+1 < slice_count){ + if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || + get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); + break; + } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ if(i+2 < slice_count) @@ -1482,6 +1487,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, }else r->si.end = si.start; } + if (size < 0 || size > buf_size - offset) { + av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); + break; + } last = rv34_decode_slice(r, r->si.end, buf + offset, size); s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(last) From 684f671f2874855d6e9872213097e732bc5cfb18 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Sep 2011 15:26:35 -0700 Subject: [PATCH 0700/1119] mp4: Don't read an empty Decoder Config Descriptor (cherry picked from commit 1c2e07b8111b24f62b8d1bda62907848e34dfbcb) Signed-off-by: Anton Khirnov --- libavformat/isom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/isom.c b/libavformat/isom.c index eb17e25474..fb2ce236ee 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -395,7 +395,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext len = ff_mp4_read_descr(fc, pb, &tag); if (tag == MP4DecSpecificDescrTag) { av_dlog(fc, "Specific MPEG4 header len=%d\n", len); - if((uint64_t)len > (1<<30)) + if (!len || (uint64_t)len > (1<<30)) return -1; av_free(st->codec->extradata); st->codec->extradata = av_mallocz(len + FF_INPUT_BUFFER_PADDING_SIZE); From 2f62b677cc1ee6002ed953b4515807a170fd51b3 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 23 Sep 2011 16:28:23 -0700 Subject: [PATCH 0701/1119] mpegps: Handle buffer exhaustion when reading packets. (cherry picked from commit 9fba8ebe0acdc28193d37b5e1f4c0d73c589ede2) Signed-off-by: Anton Khirnov --- libavformat/mpeg.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 496b9d45f5..9407b3f5b6 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -418,7 +418,7 @@ static int mpegps_read_packet(AVFormatContext *s, { MpegDemuxContext *m = s->priv_data; AVStream *st; - int len, startcode, i, es_type; + int len, startcode, i, es_type, ret; enum CodecID codec_id = CODEC_ID_NONE; enum AVMediaType type; int64_t pts, dts, dummy_pos; //dummy_pos is needed for the index building to work @@ -562,7 +562,13 @@ static int mpegps_read_packet(AVFormatContext *s, return AVERROR(EINVAL); } av_new_packet(pkt, len); - avio_read(s->pb, pkt->data, pkt->size); + ret = avio_read(s->pb, pkt->data, pkt->size); + if (ret < 0) { + pkt->size = 0; + } else if (ret < pkt->size) { + pkt->size = ret; + memset(pkt->data + ret, 0, FF_INPUT_BUFFER_PADDING_SIZE); + } pkt->pts = pts; pkt->dts = dts; pkt->pos = dummy_pos; @@ -571,7 +577,7 @@ static int mpegps_read_packet(AVFormatContext *s, pkt->stream_index, pkt->pts / 90000.0, pkt->dts / 90000.0, pkt->size); - return 0; + return (ret < 0) ? ret : 0; } static int64_t mpegps_read_dts(AVFormatContext *s, int stream_index, From 2ba86066be79d68a3d0927425b407c5149a4a240 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 19 Sep 2011 21:32:09 -0400 Subject: [PATCH 0702/1119] fft: avoid a signed overflow As a signed integer, 1<<31 overflows, so force it to unsigned. Signed-off-by: Alex Converse (cherry picked from commit c2d3f561072132044114588a5f56b8e1974a2af7) Signed-off-by: Anton Khirnov --- libavcodec/x86/fft_3dn2.c | 4 ++-- libavcodec/x86/fft_sse.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/fft_3dn2.c b/libavcodec/x86/fft_3dn2.c index 05c0467f08..a724398aff 100644 --- a/libavcodec/x86/fft_3dn2.c +++ b/libavcodec/x86/fft_3dn2.c @@ -23,7 +23,7 @@ #include "libavcodec/dsputil.h" #include "fft.h" -DECLARE_ALIGNED(8, static const int, m1m1)[2] = { 1<<31, 1<<31 }; +DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 }; #ifdef EMULATE_3DNOWEXT #define PSWAPD(s,d)\ @@ -70,7 +70,7 @@ void ff_imdct_half_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input in1 = input; in2 = input + n2 - 1; #ifdef EMULATE_3DNOWEXT - __asm__ volatile("movd %0, %%mm7" ::"r"(1<<31)); + __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31)); #endif for(k = 0; k < n4; k++) { // FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it diff --git a/libavcodec/x86/fft_sse.c b/libavcodec/x86/fft_sse.c index add20dd5b2..6be5be9611 100644 --- a/libavcodec/x86/fft_sse.c +++ b/libavcodec/x86/fft_sse.c @@ -24,8 +24,8 @@ #include "fft.h" #include "config.h" -DECLARE_ASM_CONST(16, int, ff_m1m1m1m1)[4] = - { 1 << 31, 1 << 31, 1 << 31, 1 << 31 }; +DECLARE_ASM_CONST(16, unsigned int, ff_m1m1m1m1)[4] = + { 1U << 31, 1U << 31, 1U << 31, 1U << 31 }; void ff_fft_dispatch_sse(FFTComplex *z, int nbits); void ff_fft_dispatch_interleave_sse(FFTComplex *z, int nbits); From 282a1a960a75d853928b6b2b2c90951b58cb56dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 7 Sep 2011 22:14:07 -0400 Subject: [PATCH 0703/1119] Fix input buffer size check in adpcm_ea decoder. Unfortunately the output buffer size check assumes that the input buffer is never over-consumed, thus this actually also allowed to write outside the output buffer if "lucky". Based on: git.videolan.org/ffmpeg.git commit 701d0eb185192542c4a17f296e39e37cedf7abc6 (cherry picked from commit ffe92ff9f0c7f390d895de12c8ffef959ced3cd8) Signed-off-by: Anton Khirnov --- libavcodec/adpcm.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 70a5360ce8..277334a65c 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1291,11 +1291,17 @@ static int adpcm_decode_frame(AVCodecContext *avctx, } break; case CODEC_ID_ADPCM_EA: - if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) { - src += buf_size; - break; + /* Each EA ADPCM frame has a 12-byte header followed by 30-byte pieces, + each coding 28 stereo samples. */ + if (buf_size < 12) { + av_log(avctx, AV_LOG_ERROR, "frame too small\n"); + return AVERROR(EINVAL); } samples_in_chunk = AV_RL32(src); + if (samples_in_chunk / 28 > (buf_size - 12) / 30) { + av_log(avctx, AV_LOG_ERROR, "invalid frame\n"); + return AVERROR(EINVAL); + } src += 4; current_left_sample = (int16_t)bytestream_get_le16(&src); previous_left_sample = (int16_t)bytestream_get_le16(&src); From 8475df81587d6b7d2753574a5afa842b4893d126 Mon Sep 17 00:00:00 2001 From: Peter Ross Date: Sat, 23 Apr 2011 22:08:48 +1000 Subject: [PATCH 0704/1119] permit decoding of multichannel ADPCM_EA_XAS Signed-off-by: Michael Niedermayer (cherry picked from commit 3a549eb82be709d633a0ba964b037ee2f700e0c9) Signed-off-by: Anton Khirnov --- libavcodec/adpcm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 277334a65c..b2d79a2ece 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -750,6 +750,7 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) case CODEC_ID_ADPCM_EA_R1: case CODEC_ID_ADPCM_EA_R2: case CODEC_ID_ADPCM_EA_R3: + case CODEC_ID_ADPCM_EA_XAS: max_channels = 6; break; } From 74f4c1358c27d168bd346d3d3db6a097b9f71558 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 24 Sep 2011 16:16:38 +0200 Subject: [PATCH 0705/1119] flvdec: Fix invalid pointer deferences when parsing index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 2b4e49d4281690db67073ba644ad2ffc17767cdf) Signed-off-by: Anton Khirnov --- libavformat/flvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 5f442f7265..a07ac60f8b 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -185,8 +185,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream } } - if (timeslen == fileposlen) - for(i = 0; i < arraylen; i++) + if (!ret && timeslen == fileposlen) + for (i = 0; i < fileposlen; i++) av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME); else av_log(s, AV_LOG_WARNING, "Invalid keyframes object, skipping.\n"); From ce80957cf10e2ddbdbe6f74912c69228a8efaf35 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 21:43:43 -0400 Subject: [PATCH 0706/1119] sol: return error if av_get_packet() fails. This prevents sending a packet with data=NULL size=AVERROR_EOF. (cherry picked from commit b15a9888a8f8e8cc9784ffd8d5d0307900fb78bb) Signed-off-by: Anton Khirnov --- libavformat/sol.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sol.c b/libavformat/sol.c index 1ebb4d2e30..83e85c882e 100644 --- a/libavformat/sol.c +++ b/libavformat/sol.c @@ -132,6 +132,8 @@ static int sol_read_packet(AVFormatContext *s, if (s->pb->eof_reached) return AVERROR(EIO); ret= av_get_packet(s->pb, pkt, MAX_SIZE); + if (ret < 0) + return ret; pkt->stream_index = 0; /* note: we need to modify the packet size here to handle the last From 7fc9aa6d359e6c594a367e4db6366bc661581f56 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 13 Sep 2011 15:13:44 -0400 Subject: [PATCH 0707/1119] flacdec: fix buffer size checking in get_metadata_size() Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. (cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158) Signed-off-by: Anton Khirnov --- libavcodec/flacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 1ce8559de6..7331c5cdd1 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -228,9 +228,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { + if (buf_end - buf < 4) + return 0; ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; - if (buf + metadata_size > buf_end) { + if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ return 0; } From f74a4b621fed92f964ed58bae00721f8785fe90b Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 11 Jun 2011 11:15:40 +0200 Subject: [PATCH 0708/1119] avfiltergraph: use meaningful error codes Signed-off-by: Anton Khirnov (cherry picked from commit 59cef18c24ab21de4e652e130ac25905c1141f62) Signed-off-by: Anton Khirnov --- libavfilter/avfiltergraph.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index b503c366f8..af96807531 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -90,7 +90,7 @@ int ff_avfilter_graph_check_validity(AVFilterGraph *graph, AVClass *log_ctx) av_log(log_ctx, AV_LOG_ERROR, "Input pad \"%s\" for the filter \"%s\" of type \"%s\" not connected to any source\n", filt->input_pads[j].name, filt->name, filt->filter->name); - return -1; + return AVERROR(EINVAL); } } @@ -99,7 +99,7 @@ int ff_avfilter_graph_check_validity(AVFilterGraph *graph, AVClass *log_ctx) av_log(log_ctx, AV_LOG_ERROR, "Output pad \"%s\" for the filter \"%s\" of type \"%s\" not connected to any destination\n", filt->output_pads[j].name, filt->name, filt->filter->name); - return -1; + return AVERROR(EINVAL); } } } @@ -178,7 +178,7 @@ static int query_formats(AVFilterGraph *graph, AVClass *log_ctx) av_log(log_ctx, AV_LOG_ERROR, "Impossible to convert between the formats supported by the filter " "'%s' and the filter '%s'\n", link->src->name, link->dst->name); - return -1; + return AVERROR(EINVAL); } } } @@ -216,9 +216,11 @@ static void pick_formats(AVFilterGraph *graph) int ff_avfilter_graph_config_formats(AVFilterGraph *graph, AVClass *log_ctx) { + int ret; + /* find supported formats from sub-filters, and merge along links */ - if (query_formats(graph, log_ctx)) - return -1; + if ((ret = query_formats(graph, log_ctx)) < 0) + return ret; /* Once everything is merged, it's possible that we'll still have * multiple valid media format choices. We pick the first one. */ From 151aaf539f0d1010471f916082742b3d80da1359 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 30 Sep 2011 20:30:35 +0300 Subject: [PATCH 0709/1119] lavf: Avoid using av_malloc(0) in av_dump_format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On OS X, av_malloc(0) returns pointers that cause crashes when freed. Signed-off-by: Martin Storsjö (cherry picked from commit e81e5e8ad2bb5746df0c343c396019aca165cf66) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index aa3ca5990b..65176d416f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3320,7 +3320,7 @@ void av_dump_format(AVFormatContext *ic, int is_output) { int i; - uint8_t *printed = av_mallocz(ic->nb_streams); + uint8_t *printed = ic->nb_streams ? av_mallocz(ic->nb_streams) : NULL; if (ic->nb_streams && !printed) return; From d46efbebe7c54932d5a4a1e807607424c2986481 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 12:16:05 -0400 Subject: [PATCH 0710/1119] nellymoser: check output buffer size before decoding (cherry picked from commit 8b31c086b6065084644b86a63c9171f3094cf6ad) Signed-off-by: Anton Khirnov --- libavcodec/nellymoserdec.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c index 59c1b3bdd8..2e4c5b04eb 100644 --- a/libavcodec/nellymoserdec.c +++ b/libavcodec/nellymoserdec.c @@ -156,19 +156,26 @@ static int decode_tag(AVCodecContext * avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; NellyMoserDecodeContext *s = avctx->priv_data; - int blocks, i; + int blocks, i, block_size; int16_t* samples; - *data_size = 0; samples = (int16_t*)data; - if (buf_size < avctx->block_align) + if (buf_size < avctx->block_align) { + *data_size = 0; return buf_size; + } if (buf_size % 64) { av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size); + *data_size = 0; return buf_size; } - blocks = buf_size / 64; + block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt); + blocks = FFMIN(buf_size / 64, *data_size / block_size); + if (blocks <= 0) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } /* Normal numbers of blocks for sample rates: * 8000 Hz - 1 * 11025 Hz - 2 @@ -180,8 +187,8 @@ static int decode_tag(AVCodecContext * avctx, for (i=0 ; ifloat_buf); s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES); - *data_size += NELLY_SAMPLES*sizeof(int16_t); } + *data_size = blocks * block_size; return buf_size; } From ce3e0d48f8b6dd90f42fa9157bbd76a573cbf4c7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 13 Sep 2011 18:53:18 -0400 Subject: [PATCH 0711/1119] mpc7: check output buffer size before decoding (cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b) Signed-off-by: Anton Khirnov --- libavcodec/mpc7.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index dbfa3c8636..8d2c023fd5 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -197,7 +197,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, int i, ch; int mb = -1; Band *bands = c->bands; - int off; + int off, out_size; int bits_used, bits_avail; memset(bands, 0, sizeof(bands)); @@ -205,6 +205,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); } + out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2); init_get_bits(&gb, bits, (buf_size - 4)* 8); @@ -277,7 +283,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, *data_size = 0; return buf_size; } - *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + *data_size = out_size; return buf_size; } From 56fe62ec944a0f1999d9d5cd6b61bbc340105256 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 11:16:42 -0400 Subject: [PATCH 0712/1119] mpc7: return error if packet is too small. (cherry picked from commit 8290d1f38b438f1b070de67645c8b4a42014c7ac) Signed-off-by: Anton Khirnov --- libavcodec/mpc7.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 8d2c023fd5..c6b63ad5c1 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -203,6 +203,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, memset(bands, 0, sizeof(bands)); if(buf_size <= 4){ av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); + return AVERROR(EINVAL); } out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; From fc0e151cdc03420af92bc21b5399eefcde5efd7c Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 11:39:21 -0400 Subject: [PATCH 0713/1119] mpc8: check output buffer size before decoding (cherry picked from commit 5674d4b0a35a34b75e3533a8580e0b5a0a8895a7) Signed-off-by: Anton Khirnov --- libavcodec/mpc8.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 3177faf1c4..85c6621235 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -241,10 +241,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx, GetBitContext gb2, *gb = &gb2; int i, j, k, ch, cnt, res, t; Band *bands = c->bands; - int off; + int off, out_size; int maxband, keyframe; int last[2]; + out_size = MPC_FRAME_SIZE * 2 * avctx->channels; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + keyframe = c->cur_frame == 0; if(keyframe){ @@ -400,7 +406,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx, c->last_bits_used = get_bits_count(gb); if(c->cur_frame >= c->frames) c->cur_frame = 0; - *data_size = MPC_FRAME_SIZE * 2 * avctx->channels; + *data_size = out_size; return c->cur_frame ? c->last_bits_used >> 3 : buf_size; } From 4562f95ba85c3f3187fb1bca8ed3131b82fb3a23 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 20 Sep 2011 15:27:44 -0400 Subject: [PATCH 0714/1119] sipr: fix the output data size check and only calculate it once. (cherry picked from commit 1b5a189f06879338088809b3049ea7620f4e7e78) Signed-off-by: Anton Khirnov --- libavcodec/sipr.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index 2e86861706..fa57b43eb1 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c @@ -509,7 +509,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, GetBitContext gb; float *data = datap; int subframe_size = ctx->mode == MODE_16k ? L_SUBFR_16k : SUBFR_SIZE; - int i; + int i, out_size; ctx->avctx = avctx; if (avpkt->size < (mode_par->bits_per_frame >> 3)) { @@ -520,7 +520,11 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, *data_size = 0; return -1; } - if (*data_size < subframe_size * mode_par->subframe_count * sizeof(float)) { + + out_size = mode_par->frames_per_packet * subframe_size * + mode_par->subframe_count * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { av_log(avctx, AV_LOG_ERROR, "Error processing packet: output buffer (%d) too small\n", *data_size); @@ -542,8 +546,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *datap, data += subframe_size * mode_par->subframe_count; } - *data_size = mode_par->frames_per_packet * subframe_size * - mode_par->subframe_count * sizeof(float); + *data_size = out_size; return mode_par->bits_per_frame >> 3; } From ea311af23dbed93c7638b7a1c14ec0b0c1ea6060 Mon Sep 17 00:00:00 2001 From: Chris Rankin Date: Wed, 7 Sep 2011 10:17:30 +0100 Subject: [PATCH 0715/1119] qcelpdec: fix the return value of qcelp_decode_frame(). Signed-off-by: Justin Ruggles (cherry picked from commit bde25700134b98068e2ad21c1f92955a4b489cdc) Signed-off-by: Anton Khirnov --- libavcodec/qcelpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c index 3095a2464d..792b746fce 100644 --- a/libavcodec/qcelpdec.c +++ b/libavcodec/qcelpdec.c @@ -839,7 +839,7 @@ erasure: *data_size = 160 * sizeof(*outbuffer); - return *data_size; + return buf_size; } AVCodec ff_qcelp_decoder = From bb7fd94eebbc6470588cc88ca6713e5ac5e419d3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Oct 2011 07:37:24 -0700 Subject: [PATCH 0716/1119] mpegvideo: fix position of bottom edge. It was wrong in colorspaces where horizontal and vertical chroma subsampling are not the same, e.g. 422. (cherry picked from commit 0884dd5a1b87aff6c8a06e6492dece5cef8f3978) Conflicts: libavcodec/mpegvideo.c Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index ceed41f230..1632564cae 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -2294,12 +2294,15 @@ void ff_draw_horiz_band(MpegEncContext *s, int y, int h){ edge_h= FFMIN(h, s->v_edge_pos - y); - s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize , s->linesize, - s->h_edge_pos , edge_h , EDGE_WIDTH , EDGE_WIDTH , sides); - s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); - s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, s->uvlinesize, - s->h_edge_pos>>hshift, edge_h>>hshift, EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[0] + y *s->linesize, + s->linesize, s->h_edge_pos, edge_h, + EDGE_WIDTH, EDGE_WIDTH, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[1] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); + s->dsp.draw_edges(s->current_picture_ptr->data[2] + (y>>vshift)*s->uvlinesize, + s->uvlinesize, s->h_edge_pos>>hshift, edge_h>>vshift, + EDGE_WIDTH>>hshift, EDGE_WIDTH>>vshift, sides); } h= FFMIN(h, s->avctx->height - y); From 8099d77ca4e7f1afb3315eae0cf3777644238a96 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 3 Oct 2011 08:38:03 -0700 Subject: [PATCH 0717/1119] mpegvideo: set correct offset for edge emulation buffer. Using the old code, half of it was unused and the other half was too small for e.g. >8bpp interlaced data, causing random buffer overruns. (cherry picked from commit 330deb75923675224fb9aed311d3d6ce3ec52420) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo.c | 6 ++---- libavcodec/mpegvideo.h | 3 +-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 1632564cae..08ac0e6bed 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -366,8 +366,7 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){ int i; // edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264) - FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance - s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21; + FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance //FIXME should be linesize instead of s->width*2 but that is not known before get_buffer() FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail) @@ -405,7 +404,7 @@ fail: static void free_duplicate_context(MpegEncContext *s){ if(s==NULL) return; - av_freep(&s->allocated_edge_emu_buffer); s->edge_emu_buffer= NULL; + av_freep(&s->edge_emu_buffer); av_freep(&s->me.scratchpad); s->me.temp= s->rd_scratchpad= @@ -422,7 +421,6 @@ static void free_duplicate_context(MpegEncContext *s){ static void backup_duplicate_context(MpegEncContext *bak, MpegEncContext *src){ #define COPY(a) bak->a= src->a - COPY(allocated_edge_emu_buffer); COPY(edge_emu_buffer); COPY(me.scratchpad); COPY(me.temp); diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index f37977c941..0fc32b9abe 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -316,8 +316,7 @@ typedef struct MpegEncContext { uint8_t *mbintra_table; ///< used to avoid setting {ac, dc, cbp}-pred stuff to zero on inter MB decoding uint8_t *cbp_table; ///< used to store cbp, ac_pred for partitioned decoding uint8_t *pred_dir_table; ///< used to store pred_dir for partitioned decoding - uint8_t *allocated_edge_emu_buffer; - uint8_t *edge_emu_buffer; ///< points into the middle of allocated_edge_emu_buffer + uint8_t *edge_emu_buffer; ///< temporary buffer for if MVs point to out-of-frame data uint8_t *rd_scratchpad; ///< scratchpad for rate distortion mb decision uint8_t *obmc_scratchpad; uint8_t *b_scratchpad; ///< scratchpad used for writing into write only buffers From 619aab2f41b11f289411b542e3816f90a9209438 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 10 Sep 2011 13:28:13 +0200 Subject: [PATCH 0718/1119] Fixed deference of NULL pointer in motionpixels decoder. Some of the arguments given to init_vlc() come from the stream and can be corrupted. Signed-off-by: Janne Grunau (cherry picked from commit 69a0bce753a5d5556d5bc0888afe390e22611dd8) Signed-off-by: Anton Khirnov --- libavcodec/motionpixels.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index ebc4b31201..54559350b8 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -278,7 +278,8 @@ static int mp_decode_frame(AVCodecContext *avctx, if (sz == 0) goto end; - init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0); + if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) + goto end; mp_decode_frame_helper(mp, &gb); free_vlc(&mp->vlc); From ea5a5f09088c94d32492173c2fc39b8eb36e56d1 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 6 Oct 2011 22:53:41 +0200 Subject: [PATCH 0719/1119] segafilm: Check for memory allocation failures in segafilm demuxer. Signed-off-by: Janne Grunau (cherry picked from commit 1775b92fee43f0527e2f5892a5a30450fa929722) Signed-off-by: Anton Khirnov --- libavformat/segafilm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 0ad5fbbe0b..6cd061552d 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -238,6 +238,10 @@ static int film_read_packet(AVFormatContext *s, av_free(film->stereo_buffer); film->stereo_buffer_size = sample->sample_size; film->stereo_buffer = av_malloc(film->stereo_buffer_size); + if (!film->stereo_buffer) { + film->stereo_buffer_size = 0; + return AVERROR(ENOMEM); + } } pkt->pos= avio_tell(pb); From 5bb9ce755b5913f53eb72c2f18942671d6f3a850 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:35 +0200 Subject: [PATCH 0720/1119] cook: Fix js_vlc_bits value validation for joint stereo Signed-off-by: Janne Grunau (cherry picked from commit 3a742470a845c24e7c3a40c0a228705ca951e673) Signed-off-by: Anton Khirnov --- libavcodec/cook.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 05d8d7a3cf..a8fa01e5d2 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1175,8 +1175,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return -1; } - if ((q->subpacket[s].js_vlc_bits > 6) || (q->subpacket[s].js_vlc_bits < 0)) { - av_log(avctx,AV_LOG_ERROR,"js_vlc_bits = %d, only >= 0 and <= 6 allowed!\n",q->subpacket[s].js_vlc_bits); + if ((q->subpacket[s].js_vlc_bits > 6) || (q->subpacket[s].js_vlc_bits < 2*q->subpacket[s].joint_stereo)) { + av_log(avctx,AV_LOG_ERROR,"js_vlc_bits = %d, only >= %d and <= 6 allowed!\n", + q->subpacket[s].js_vlc_bits, 2*q->subpacket[s].joint_stereo); return -1; } From 987f5dc55ed5b1d882ad8d8adb3e51b4e3aa4679 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:43 +0200 Subject: [PATCH 0721/1119] cinepak: Fix invalid read access on extra data Signed-off-by: Janne Grunau (cherry picked from commit d239d4b447885cb7c5eee9ce359f34ad6b64f373) Signed-off-by: Anton Khirnov --- libavcodec/cinepak.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 4bda2a74eb..c67af0a413 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -336,7 +336,8 @@ static int cinepak_decode (CinepakContext *s) * If the frame header is followed by the bytes FE 00 00 06 00 00 then * this is probably one of the two known files that have 6 extra bytes * after the frame header. Else, assume 2 extra bytes. */ - if ((s->data[10] == 0xFE) && + if (s->size >= 16 && + (s->data[10] == 0xFE) && (s->data[11] == 0x00) && (s->data[12] == 0x00) && (s->data[13] == 0x06) && From efe3fb13a79957ea94f2766c3f3e502ae775eace Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:30 +0200 Subject: [PATCH 0722/1119] vp56: Check for missing reference frame data Signed-off-by: Janne Grunau (cherry picked from commit 0ec6d6e9b682318b5b5b5457e09fbf3c4ca41335) Signed-off-by: Anton Khirnov --- libavcodec/vp56.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index a6b201478e..4fd1341bdb 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -399,6 +399,8 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) frame_current = s->framep[VP56_FRAME_CURRENT]; frame_ref = s->framep[ref_frame]; + if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; From 3e1b5981ba11a5eb317282078766ebb9e57b7781 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:33 +0200 Subject: [PATCH 0723/1119] vp56: Release old pictures after a resolution changes Signed-off-by: Janne Grunau (cherry picked from commit 3d09d0017d10a0d738141a955c75c555133e41b2) Signed-off-by: Anton Khirnov --- libavcodec/vp56.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 4fd1341bdb..dd9dd77527 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -465,6 +465,7 @@ static int vp56_size_changed(AVCodecContext *avctx) s->mb_height = (avctx->coded_height+15) / 16; if (s->mb_width > 1000 || s->mb_height > 1000) { + avcodec_set_dimensions(avctx, 0, 0); av_log(avctx, AV_LOG_ERROR, "picture too big\n"); return -1; } @@ -513,6 +514,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (!res) return -1; + if (res == 2) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } + if (is_alpha) { + avcodec_set_dimensions(avctx, 0, 0); + return -1; + } + } + if (!is_alpha) { p->reference = 1; if (avctx->get_buffer(avctx, p) < 0) { From 8751941030462a4623b1c4ded425632f48063f6f Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:15:33 +0000 Subject: [PATCH 0724/1119] xan: Prevent out of bound accesses Signed-off-by: Janne Grunau (cherry picked from commit 124a16f678ddcffe8f1825efb29a6e8da1d580ac) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 88a9adbc30..0f16e8849b 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -218,6 +218,10 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, int width = s->avctx->width; unsigned char *palette_plane, *prev_palette_plane; + if ( y + motion_y < 0 || y + motion_y >= s->avctx->height || + x + motion_x < 0 || x + motion_x >= s->avctx->width) + return; + palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; stride = s->current_frame.linesize[0]; @@ -226,7 +230,9 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, curframe_x = x; prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - while(pixel_count && (curframe_index < s->frame_size)) { + while(pixel_count && + curframe_index < s->frame_size && + prevframe_index < s->frame_size) { int count = FFMIN3(pixel_count, width - curframe_x, width - prevframe_x); memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count); @@ -260,6 +266,7 @@ static int xan_wc3_decode_frame(XanContext *s) { int x, y; unsigned char *opcode_buffer = s->buffer1; + unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; int opcode_buffer_size = s->buffer1_size; const unsigned char *imagedata_buffer = s->buffer2; @@ -268,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) { const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; - int huffman_offset, size_offset, vector_offset, imagedata_offset; + int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; if (s->size < 8) return AVERROR_INVALIDDATA; @@ -293,14 +300,17 @@ static int xan_wc3_decode_frame(XanContext *s) { huffman_segment, s->size - huffman_offset) < 0) return AVERROR_INVALIDDATA; - if (imagedata_segment[0] == 2) + if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); - else + imagedata_size = s->buffer2_size; + } else { + imagedata_size = s->size - imagedata_offset - 1; imagedata_buffer = &imagedata_segment[1]; + } /* use the decoded data segments to build the frame */ x = y = 0; - while (total_pixels) { + while (total_pixels && opcode_buffer < opcode_buffer_end) { opcode = *opcode_buffer++; size = 0; @@ -349,6 +359,8 @@ static int xan_wc3_decode_frame(XanContext *s) { size_segment += 3; break; } + if (size > total_pixels) + break; if (opcode < 12) { flag ^= 1; @@ -357,8 +369,11 @@ static int xan_wc3_decode_frame(XanContext *s) { xan_wc3_copy_pixel_run(s, x, y, size, 0, 0); } else { /* output a run of pixels from imagedata_buffer */ + if (imagedata_size < size) + break; xan_wc3_output_pixel_run(s, imagedata_buffer, x, y, size); imagedata_buffer += size; + imagedata_size -= size; } } else { /* run-based motion compensation from last frame */ From 22949c42edf5352c5fa8c43870efe20698432b35 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:48:12 +0000 Subject: [PATCH 0725/1119] shorten: Prevent block size from increasing Signed-off-by: Janne Grunau (cherry picked from commit 95010d18b2d808db9a49377e41bc2f7cf4dfa03e) Signed-off-by: Anton Khirnov --- libavcodec/shorten.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index a6e00750e9..3d441e4f5d 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -483,9 +483,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, case FN_BITSHIFT: s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; - case FN_BLOCKSIZE: - s->blocksize = get_uint(s, av_log2(s->blocksize)); + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; + } + s->blocksize = blocksize; break; + } case FN_QUIT: *data_size = 0; return buf_size; From fce03f878314e2989eb26f4f3330848bfb4e27e6 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 20:06:19 +0000 Subject: [PATCH 0726/1119] mpc8: Fix return value on EOF Signed-off-by: Janne Grunau (cherry picked from commit 1e3336de69d1c4c28a5e306fab20555f4078f2d7) Signed-off-by: Anton Khirnov --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index c4810f6eaf..f36d45283c 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -264,7 +264,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR(EIO); mpc8_handle_chunk(s, tag, pos, size); } - return 0; + return AVERROR_EOF; } static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) From 04b71cdedd7421d09e12600d7999fab87d35a908 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 26 Sep 2011 22:18:29 +0000 Subject: [PATCH 0727/1119] wmapro: Validate the number of audio channels before using it Signed-off-by: Janne Grunau (cherry picked from commit 2c1ba7994190fa2f1ad430594551070a49353bd1) Signed-off-by: Anton Khirnov --- libavcodec/wmaprodec.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 4ba8c455ab..8fa1573354 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -309,10 +309,6 @@ static av_cold int decode_init(AVCodecContext *avctx) s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags); - /** init previous block len */ - for (i = 0; i < avctx->channels; i++) - s->channel[i].prev_block_len = s->samples_per_frame; - /** subframe info */ log2_max_num_subframes = ((s->decode_flags & 0x38) >> 3); s->max_num_subframes = 1 << log2_max_num_subframes; @@ -332,6 +328,18 @@ static av_cold int decode_init(AVCodecContext *avctx) s->num_channels = avctx->channels; + if (s->num_channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); + return AVERROR_INVALIDDATA; + } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { + av_log_ask_for_sample(avctx, "unsupported number of channels\n"); + return AVERROR_PATCHWELCOME; + } + + /** init previous block len */ + for (i = 0; i < s->num_channels; i++) + s->channel[i].prev_block_len = s->samples_per_frame; + /** extract lfe channel position */ s->lfe_channel = -1; @@ -343,14 +351,6 @@ static av_cold int decode_init(AVCodecContext *avctx) } } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMAPRO_MAX_CHANNELS) { - av_log_ask_for_sample(avctx, "unsupported number of channels\n"); - return AVERROR_PATCHWELCOME; - } - INIT_VLC_STATIC(&sf_vlc, SCALEVLCBITS, HUFF_SCALE_SIZE, scale_huffbits, 1, 1, scale_huffcodes, 2, 2, 616); From d646cce15f140730f288c1a38a79dc7232b31e69 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 26 Sep 2011 22:18:29 +0000 Subject: [PATCH 0728/1119] wavpack: Reset internal state on corrupted blocks wavpack_decode_block() supposes that it is called back with the exact same buffer unless it has returned with an error. With multi-channels files, wavpack_decode_frame() was breaking this assumption. Signed-off-by: Janne Grunau (cherry picked from commit 2c6cf1394096d08396faadc6e7c0b404fd6df006) Signed-off-by: Anton Khirnov --- libavcodec/wavpack.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 155633f3ac..43e191801a 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1173,6 +1173,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, return samplecount * bpp; } +static void wavpack_decode_flush(AVCodecContext *avctx) +{ + WavpackContext *s = avctx->priv_data; + int i; + + for (i = 0; i < s->fdec_num; i++) + wv_reset_saved_context(s->fdec[i]); +} + static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) @@ -1205,11 +1214,14 @@ static int wavpack_decode_frame(AVCodecContext *avctx, if(frame_size < 0 || frame_size > buf_size){ av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d vs. %d bytes left)\n", s->block, frame_size, buf_size); + wavpack_decode_flush(avctx); return -1; } if((samplecount = wavpack_decode_block(avctx, s->block, data, - data_size, buf, frame_size)) < 0) + data_size, buf, frame_size)) < 0) { + wavpack_decode_flush(avctx); return -1; + } s->block++; buf += frame_size; buf_size -= frame_size; } From c5766b55c41c702cf0961253e737b86fe7c28308 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:15:31 +0000 Subject: [PATCH 0729/1119] bink: Prevent NULL dereferences with missing reference frame Signed-off-by: Janne Grunau (cherry picked from commit c7e631986b4a326a71a20a1a51000f3fbf6e64e7) Signed-off-by: Anton Khirnov --- libavcodec/bink.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index e085aa54e2..4f30618ff5 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -948,8 +948,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, for (i = 0; i < BINK_NB_SRC; i++) read_bundle(gb, c, i); - ref_start = c->last.data[plane_idx]; - ref_end = c->last.data[plane_idx] + ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]; + ref_end = ref_start + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8; for (i = 0; i < 64; i++) @@ -978,7 +979,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, if (by == bh) break; dst = c->pic.data[plane_idx] + 8*by*stride; - prev = c->last.data[plane_idx] + 8*by*stride; + prev = (c->last.data[plane_idx] ? c->last.data[plane_idx] + : c->pic.data[plane_idx]) + 8*by*stride; for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it From fb20141563d740a979f3e4db6db0e3908c5c6962 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:15:32 +0000 Subject: [PATCH 0730/1119] xan: Prevent NULL dereferences with missing reference frame Signed-off-by: Janne Grunau (cherry picked from commit 06be075cda0a6ba8bab8f543571b380884f562ac) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 0f16e8849b..6c779c49ba 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -224,6 +224,8 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, palette_plane = s->current_frame.data[0]; prev_palette_plane = s->last_frame.data[0]; + if (!prev_palette_plane) + prev_palette_plane = palette_plane; stride = s->current_frame.linesize[0]; line_inc = stride - width; curframe_index = y * stride + x; From 95605595b57e8fdfd9fdc591766b8286dd017ee4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:15:31 +0000 Subject: [PATCH 0731/1119] wmavoice: Check for out of bound writes Signed-off-by: Janne Grunau (cherry picked from commit 1c1449b548a2a0bf0295a522051b04107286653c) Signed-off-by: Anton Khirnov --- libavcodec/wmavoice.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index eb3bcb0629..95376163a7 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1880,6 +1880,8 @@ static void copy_bits(PutBitContext *pb, rmn_bits = rmn_bytes = get_bits_left(gb); if (rmn_bits < nbits) return; + if (nbits > pb->size_in_bits - put_bits_count(pb)) + return; rmn_bits &= 7; rmn_bytes >>= 3; if ((rmn_bits = FFMIN(rmn_bits, nbits)) > 0) put_bits(pb, rmn_bits, get_bits(gb, rmn_bits)); From 905d0633a6e8f345bd6a0ae442d77cc03cf62c4b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 22:15:31 +0000 Subject: [PATCH 0732/1119] wmavoice: Check for corrupted extra data Signed-off-by: Janne Grunau (cherry picked from commit d99427cb8ba099375d8cce6df808d4acf045ab43) Signed-off-by: Anton Khirnov --- libavcodec/wmavoice.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 95376163a7..9588ecd807 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -401,6 +401,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; + if (pitch_range <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid pitch range; broken extradata?\n"); + return -1; + } s->pitch_nbits = av_ceil_log2(pitch_range); s->last_pitch_val = 40; s->last_acb_type = ACB_TYPE_NONE; @@ -422,6 +426,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) s->block_conv_table[2] = (pitch_range * 44) >> 6; s->block_conv_table[3] = s->max_pitch_val - 1; s->block_delta_pitch_hrange = (pitch_range >> 3) & ~0xF; + if (s->block_delta_pitch_hrange <= 0) { + av_log(ctx, AV_LOG_ERROR, "Invalid delta pitch hrange; broken extradata?\n"); + return -1; + } s->block_delta_pitch_nbits = 1 + av_ceil_log2(s->block_delta_pitch_hrange); s->block_pitch_range = s->block_conv_table[2] + s->block_conv_table[3] + 1 + From f2f2a00d39a458e23c018744b9aacb3f94501d67 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 23:13:35 +0000 Subject: [PATCH 0733/1119] motionpixels: Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffer Signed-off-by: Janne Grunau (cherry picked from commit d337dd3a907110b32c6305bb65e4beca5b830c5d) Signed-off-by: Anton Khirnov --- libavcodec/motionpixels.c | 1 + tests/ref/fate/motionpixels | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 54559350b8..91eb7f9017 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -252,6 +252,7 @@ static int mp_decode_frame(AVCodecContext *avctx, mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4); if (buf_size & 3) memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3); + memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&gb, mp->bswapbuf, buf_size * 8); memset(mp->changes_map, 0, avctx->width * avctx->height); diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index e588ed3e18..30651e92c6 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels @@ -109,4 +109,4 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x538a3db8 +0, 666003, 230400, 0x16f9aad8 From 39de0e008d473662fd8381da4cbd5887e4fd5cc2 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 23:13:35 +0000 Subject: [PATCH 0734/1119] motionpixels: Fix the size of workspace buffers Some buffers must be mod 4 in width and/or height. Signed-off-by: Janne Grunau (cherry picked from commit 210c80331e0604edf9c800865c26ba06ed3c2082) Signed-off-by: Anton Khirnov --- libavcodec/motionpixels.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 91eb7f9017..cee21d3aa1 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -52,14 +52,16 @@ typedef struct MotionPixelsContext { static av_cold int mp_decode_init(AVCodecContext *avctx) { MotionPixelsContext *mp = avctx->priv_data; + int w4 = (avctx->width + 3) & ~3; + int h4 = (avctx->height + 3) & ~3; motionpixels_tableinit(); mp->avctx = avctx; dsputil_init(&mp->dsp, avctx); - mp->changes_map = av_mallocz(avctx->width * avctx->height); + mp->changes_map = av_mallocz(avctx->width * h4); mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1; mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel)); - mp->hpt = av_mallocz(avctx->height * avctx->width / 16 * sizeof(YuvPixel)); + mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel)); avctx->pix_fmt = PIX_FMT_RGB555; return 0; } From 914b9b0b2b162a70a5fd4d61dc79f98e607af6a9 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 23:13:35 +0000 Subject: [PATCH 0735/1119] dsicinav: Check for out of bounds reads Signed-off-by: Janne Grunau (cherry picked from commit e3ca9b93d9f464861638dda3280fcf65e402466a) Signed-off-by: Anton Khirnov --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 643aed946b..d8c99b508e 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -216,6 +216,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, bitmap_frame_size = buf_size - 4; /* handle palette */ + if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) + return AVERROR_INVALIDDATA; if (palette_type == 0) { for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); From 97a1ab4bcea7a029a02c09b1c22a177911bb8a95 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 23:13:35 +0000 Subject: [PATCH 0736/1119] quickdraw: Check for out of bound reads Signed-off-by: Janne Grunau (cherry picked from commit 4fd56f842cbaecf74df94c38f9c10452342f436a) Signed-off-by: Anton Khirnov --- libavcodec/qdrw.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 07ac9aa69d..e3f75e7657 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -37,6 +37,7 @@ static int decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; QdrawContext * const a = avctx->priv_data; AVFrame * const p= (AVFrame*)&a->pic; @@ -59,6 +60,8 @@ static int decode_frame(AVCodecContext *avctx, outdata = a->pic.data[0]; + if (buf_end - buf < 0x68 + 4) + return AVERROR_INVALIDDATA; buf += 0x68; /* jump to palette */ colors = AV_RB32(buf); buf += 4; @@ -67,6 +70,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return -1; } + if (buf_end - buf < (colors + 1) * 8) + return AVERROR_INVALIDDATA; pal = (uint32_t*)p->data[1]; for (i = 0; i <= colors; i++) { @@ -89,6 +94,8 @@ static int decode_frame(AVCodecContext *avctx, } p->palette_has_changed = 1; + if (buf_end - buf < 18) + return AVERROR_INVALIDDATA; buf += 18; /* skip unneeded data */ for (i = 0; i < avctx->height; i++) { int size, left, code, pix; @@ -100,6 +107,9 @@ static int decode_frame(AVCodecContext *avctx, out = outdata; size = AV_RB16(buf); /* size of packed line */ buf += 2; + if (buf_end - buf < size) + return AVERROR_INVALIDDATA; + left = size; next = buf + size; while (left > 0) { @@ -115,6 +125,8 @@ static int decode_frame(AVCodecContext *avctx, } else { /* copy */ if ((out + code) > (outdata + a->pic.linesize[0])) break; + if (buf_end - buf < code + 1) + return AVERROR_INVALIDDATA; memcpy(out, buf, code + 1); out += code + 1; buf += code + 1; From d57d039e04b9955beb603d1a85971bdd6dec5d02 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 23:13:35 +0000 Subject: [PATCH 0737/1119] tiertexseqv: Check for out of bound reads Signed-off-by: Janne Grunau (cherry picked from commit 64263dd526ec25ede1591fc1144715a20cc7bc4e) Signed-off-by: Anton Khirnov --- libavcodec/tiertexseqv.c | 65 +++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 14 deletions(-) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index 4468f00df1..911028e10d 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -35,15 +35,19 @@ typedef struct SeqVideoContext { } SeqVideoContext; -static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsigned char *dst, int dst_size) +static const unsigned char *seq_unpack_rle_block(const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst, int dst_size) { int i, len, sz; GetBitContext gb; int code_table[64]; - /* get the rle codes (at most 64 bytes) */ - init_get_bits(&gb, src, 64 * 8); + /* get the rle codes */ + init_get_bits(&gb, src, (src_end - src) * 8); for (i = 0, sz = 0; i < 64 && sz < dst_size; i++) { + if (get_bits_left(&gb) < 4) + return NULL; code_table[i] = get_sbits(&gb, 4); sz += FFABS(code_table[i]); } @@ -54,8 +58,12 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig len = code_table[i]; if (len < 0) { len = -len; + if (src_end - src < 1) + return NULL; memset(dst, *src++, FFMIN(len, dst_size)); } else { + if (src_end - src < len) + return NULL; memcpy(dst, src, FFMIN(len, dst_size)); src += len; } @@ -65,25 +73,30 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig return src; } -static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op1(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { const unsigned char *color_table; int b, i, len, bits; GetBitContext gb; unsigned char block[8 * 8]; + if (src_end - src < 1) + return NULL; len = *src++; if (len & 0x80) { switch (len & 3) { case 1: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (b = 0; b < 8; b++) { memcpy(dst, &block[b * 8], 8); dst += seq->frame.linesize[0]; } break; case 2: - src = seq_unpack_rle_block(src, block, sizeof(block)); + src = seq_unpack_rle_block(src, src_end, block, sizeof(block)); for (i = 0; i < 8; i++) { for (b = 0; b < 8; b++) dst[b * seq->frame.linesize[0]] = block[i * 8 + b]; @@ -92,9 +105,13 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned break; } } else { + if (len <= 0) + return NULL; + bits = ff_log2_tab[len - 1] + 1; + if (src_end - src < len + 8 * bits) + return NULL; color_table = src; src += len; - bits = ff_log2_tab[len - 1] + 1; init_get_bits(&gb, src, bits * 8 * 8); src += bits * 8; for (b = 0; b < 8; b++) { for (i = 0; i < 8; i++) @@ -106,10 +123,16 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned return src; } -static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op2(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int i; + if (src_end - src < 8 * 8) + return NULL; + for (i = 0; i < 8; i++) { memcpy(dst, src, 8); src += 8; @@ -119,11 +142,16 @@ static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned return src; } -static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst) +static const unsigned char *seq_decode_op3(SeqVideoContext *seq, + const unsigned char *src, + const unsigned char *src_end, + unsigned char *dst) { int pos, offset; do { + if (src_end - src < 2) + return NULL; pos = *src++; offset = ((pos >> 3) & 7) * seq->frame.linesize[0] + (pos & 7); dst[offset] = *src++; @@ -132,8 +160,9 @@ static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned return src; } -static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) +static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size) { + const unsigned char *data_end = data + data_size; GetBitContext gb; int flags, i, j, x, y, op; unsigned char c[3]; @@ -144,6 +173,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int if (flags & 1) { palette = (uint32_t *)seq->frame.data[1]; + if (data_end - data < 256 * 3) + return AVERROR_INVALIDDATA; for (i = 0; i < 256; i++) { for (j = 0; j < 3; j++, data++) c[j] = (*data << 2) | (*data >> 4); @@ -153,6 +184,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int } if (flags & 2) { + if (data_end - data < 128) + return AVERROR_INVALIDDATA; init_get_bits(&gb, data, 128 * 8); data += 128; for (y = 0; y < 128; y += 8) for (x = 0; x < 256; x += 8) { @@ -160,17 +193,20 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int op = get_bits(&gb, 2); switch (op) { case 1: - data = seq_decode_op1(seq, data, dst); + data = seq_decode_op1(seq, data, data_end, dst); break; case 2: - data = seq_decode_op2(seq, data, dst); + data = seq_decode_op2(seq, data, data_end, dst); break; case 3: - data = seq_decode_op3(seq, data, dst); + data = seq_decode_op3(seq, data, data_end, dst); break; } + if (!data) + return AVERROR_INVALIDDATA; } } + return 0; } static av_cold int seqvideo_decode_init(AVCodecContext *avctx) @@ -201,7 +237,8 @@ static int seqvideo_decode_frame(AVCodecContext *avctx, return -1; } - seqvideo_decode(seq, buf, buf_size); + if (seqvideo_decode(seq, buf, buf_size)) + return AVERROR_INVALIDDATA; *data_size = sizeof(AVFrame); *(AVFrame *)data = seq->frame; From aa9e308580dc929d920c93b130e10153414a9ffb Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 23:13:35 +0000 Subject: [PATCH 0738/1119] dsicinav: Check for out of bounds writes Signed-off-by: Janne Grunau (cherry picked from commit 172060328771d149b076f00352b004b5b5272d38) Signed-off-by: Anton Khirnov --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index d8c99b508e..11547c2ded 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -219,6 +219,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0))) return AVERROR_INVALIDDATA; if (palette_type == 0) { + if (palette_colors_count > 256) + return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; From 737bea21b6c2c1d4dca0b7b18824c0a3205556d2 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 01:26:22 +0000 Subject: [PATCH 0739/1119] shorten: Fix out of bound writes in fix_bitshift() The data pointers s->decoded[*] already take into account s->nwrap. Signed-off-by: Janne Grunau (cherry picked from commit 5f05cf4ea9aaafed8edcabe785c2719786103ec1) Signed-off-by: Anton Khirnov --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 3d441e4f5d..13381f6c95 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -155,7 +155,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) if (s->bitshift != 0) for (i = 0; i < s->blocksize; i++) - buffer[s->nwrap + i] <<= s->bitshift; + buffer[i] <<= s->bitshift; } From 5fa8e43b547859fe0963c127e67832789564bf1e Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 03:12:07 +0000 Subject: [PATCH 0740/1119] motionpixels: Prevent calling init_vlc() with invalid parameters Signed-off-by: Janne Grunau (cherry picked from commit 1cd0a5516396bd6fb54e4df1e7c88ed18416299b) Signed-off-by: Anton Khirnov --- libavcodec/motionpixels.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index cee21d3aa1..23433a1caf 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -281,6 +281,8 @@ static int mp_decode_frame(AVCodecContext *avctx, if (sz == 0) goto end; + if (mp->max_codes_bits <= 0) + goto end; if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) goto end; mp_decode_frame_helper(mp, &gb); From 0277c82de21c22d4d5438e0054f377b3fe2357de Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 03:12:07 +0000 Subject: [PATCH 0741/1119] xan: Fixed out of bound accesses in xan_unpack() Signed-off-by: Janne Grunau (cherry picked from commit 3e0757c2a87c8cf3e452f67bca279001c64cedff) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 6c779c49ba..26c6db50c8 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -130,13 +130,16 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, * * @param dest destination buffer of dest_len, must be padded with at least 130 bytes */ -static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_len) +static void xan_unpack(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char opcode; int size; + unsigned char *dest_org = dest; unsigned char *dest_end = dest + dest_len; + const unsigned char *src_end = src + src_len; - while (dest < dest_end) { + while (dest < dest_end && src < src_end) { opcode = *src++; if (opcode < 0xe0) { @@ -161,9 +164,11 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1; size2 = ((opcode & 0x0c) << 6) + *src++ + 5; - if (size + size2 > dest_end - dest) - return; } + if (dest_end - dest < size + size2 || + dest + size - dest_org < back || + src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; av_memcpy_backptr(dest, back, size2); dest += size2; @@ -171,6 +176,8 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l int finish = opcode >= 0xfc; size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4; + if (dest_end - dest < size || src_end - src < size) + return; memcpy(dest, src, size); dest += size; src += size; if (finish) return; @@ -303,7 +310,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; if (imagedata_segment[0] == 2) { - xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); + xan_unpack(s->buffer2, s->buffer2_size, + &imagedata_segment[1], s->size - imagedata_offset - 1); imagedata_size = s->buffer2_size; } else { imagedata_size = s->size - imagedata_offset - 1; From 49007b494eaf7727e445a62a4eb040b080a91f00 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 20:38:01 +0000 Subject: [PATCH 0742/1119] xan: Check for out of bound reads in xan_huffman_decode() Signed-off-by: Janne Grunau (cherry picked from commit 3db3fdf4c669aed9379be430c17f151d4d0697c5) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 26c6db50c8..2b3a4090c2 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -112,7 +112,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { - val = src[val - 0x17 + get_bits1(&gb) * byte]; + unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + if (idx >= 2 * byte) + return -1; + val = src[idx]; if ( val < 0x16 ) { if (dest >= dest_end) From be2404b06d7cddc8152337e51ae2ca97b6536eea Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Thu, 29 Sep 2011 03:12:07 +0000 Subject: [PATCH 0743/1119] xan: Prevent NULL dereference with missing palette Signed-off-by: Janne Grunau (cherry picked from commit 7d17a794f0348ba40d5cda7d969564cb83981001) Signed-off-by: Anton Khirnov --- libavcodec/xan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 2b3a4090c2..d57a4fb510 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -553,6 +553,11 @@ static int xan_decode_frame(AVCodecContext *avctx, } buf_size = buf_end - buf; } + if (s->palettes_count <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "No palette found\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = avctx->get_buffer(avctx, &s->current_frame))) { av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; From 59050c0629870d3261b6e686725759e667e4e91f Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 25 Sep 2011 20:06:20 +0000 Subject: [PATCH 0744/1119] mpc8: Check out of bound bands limit Signed-off-by: Janne Grunau (cherry picked from commit 9bd854b1ff342f82efa6d2ad4e8fefddce5fa731) Signed-off-by: Anton Khirnov --- libavcodec/mpc8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 85c6621235..e4d7ac109b 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -266,6 +266,8 @@ static int mpc8_decode_frame(AVCodecContext * avctx, maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2); if(maxband > 32) maxband -= 33; } + if(maxband > c->maxbands) + return AVERROR_INVALIDDATA; c->last_max_band = maxband; /* read subband indexes */ From 90d7146511db0e2dd2d2b1baf2ceb7177b30dd8d Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 7 Oct 2011 18:08:55 +0200 Subject: [PATCH 0745/1119] motionpixels: decode only the 111 complete frames for fate Signed-off-by: Janne Grunau (cherry picked from commit c2f2dfb3dd20e036b8b08c0fd1486a3044e8f02a) Signed-off-by: Anton Khirnov --- tests/fate.mak | 2 +- tests/ref/fate/motionpixels | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/fate.mak b/tests/fate.mak index cf6c44e8e4..c6550a9a31 100644 --- a/tests/fate.mak +++ b/tests/fate.mak @@ -175,7 +175,7 @@ fate-maxis-xa: CMD = md5 -i $(SAMPLES)/maxis-xa/SC2KBUG.XA -f s16le FATE_TESTS += fate-mimic fate-mimic: CMD = framecrc -idct simple -i $(SAMPLES)/mimic/mimic2-womanloveffmpeg.cam -vsync 0 FATE_TESTS += fate-motionpixels -fate-motionpixels: CMD = framecrc -i $(SAMPLES)/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 +fate-motionpixels: CMD = framecrc -i $(SAMPLES)/motion-pixels/INTRO-partial.MVI -an -pix_fmt rgb24 -vframes 111 FATE_TESTS += fate-mpc7-demux fate-mpc7-demux: CMD = crc -i $(SAMPLES)/musepack/inside-mp7.mpc -acodec copy FATE_TESTS += fate-mpc8-demux diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels index 30651e92c6..fa86f7379f 100644 --- a/tests/ref/fate/motionpixels +++ b/tests/ref/fate/motionpixels @@ -109,4 +109,3 @@ 0, 648003, 230400, 0xb343f372 0, 654003, 230400, 0xf7f1e588 0, 660003, 230400, 0x9682bdb2 -0, 666003, 230400, 0x16f9aad8 From 4faa00b256bfdecb4ee1c14f332a7d0b2f539e94 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 7 Oct 2011 17:02:36 -0700 Subject: [PATCH 0746/1119] mpegps: Use av_get_packet() instead of poorly emulating it. (cherry picked from commit 98ef887a759c66febcb612407c6bb361c4d50bcb) Signed-off-by: Anton Khirnov --- libavformat/mpeg.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 9407b3f5b6..3fc83bb167 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -561,14 +561,7 @@ static int mpegps_read_packet(AVFormatContext *s, else if (st->codec->bits_per_coded_sample == 28) return AVERROR(EINVAL); } - av_new_packet(pkt, len); - ret = avio_read(s->pb, pkt->data, pkt->size); - if (ret < 0) { - pkt->size = 0; - } else if (ret < pkt->size) { - pkt->size = ret; - memset(pkt->data + ret, 0, FF_INPUT_BUFFER_PADDING_SIZE); - } + ret = av_get_packet(s->pb, pkt, len); pkt->pts = pts; pkt->dts = dts; pkt->pos = dummy_pos; From e52e85ac3ab6527a38e950142ea92f203909bf96 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 02:09:42 +0100 Subject: [PATCH 0747/1119] put_bits: fix invalid shift by 32 in flush_put_bits() If flush_put_bits() is called when the 32-bit buffer is empty, e.g. after writing a multiple of 32 bits, and invalid shift by 32 is performed. Since flush_put_bits() is called infrequently, this additional check should have negligible performance impact. Signed-off-by: Mans Rullgard (cherry picked from commit ac6eab1496aad6f8b09deabbef4fe5fd829e142d) Signed-off-by: Anton Khirnov --- libavcodec/put_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 3849e6d339..2cae36e0b2 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -100,7 +100,8 @@ static inline void flush_put_bits(PutBitContext *s) align_put_bits(s); #else #ifndef BITSTREAM_WRITER_LE - s->bit_buf<<= s->bit_left; + if (s->bit_left < 32) + s->bit_buf<<= s->bit_left; #endif while (s->bit_left < 32) { /* XXX: should test end of buffer */ From c98d7882d8c67475bc756ebc956fed3d4d2ca696 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 12:16:41 +0000 Subject: [PATCH 0748/1119] bink: Check for out of bound writes when building tree Signed-off-by: Janne Grunau (cherry picked from commit 24adf7832b8370f3c1febbef6c686f574d360d32) Signed-off-by: Anton Khirnov --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 4f30618ff5..420d08a0f4 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -246,7 +246,7 @@ static void read_tree(GetBitContext *gb, Tree *tree) tree->syms[i] = get_bits(gb, 4); tmp1[tree->syms[i]] = 1; } - for (i = 0; i < 16; i++) + for (i = 0; i < 16 && len < 16 - 1; i++) if (!tmp1[i]) tree->syms[++len] = i; } else { From 9c78fe936013dfb6be0df46e4fb5c097f8a3b994 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Tue, 27 Sep 2011 12:16:41 +0000 Subject: [PATCH 0749/1119] bink: Check for various out of bound writes Signed-off-by: Janne Grunau (cherry picked from commit a00676e48e49a3d794d6d2063ceca539e945a4a4) Signed-off-by: Anton Khirnov --- libavcodec/bink.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 420d08a0f4..7e48608127 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -343,14 +343,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle * memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v) { sign = -get_bits1(gb); v = (v ^ sign) - sign; } *b->cur_dec++ = v; - } while (b->cur_dec < dec_end); + } } return 0; } @@ -374,7 +374,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b) memset(b->cur_dec, v, t); b->cur_dec += t; } else { - do { + while (b->cur_dec < dec_end) { v = GET_HUFF(gb, b->tree); if (v < 12) { last = v; @@ -382,10 +382,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b) } else { int run = bink_rlelens[v - 12]; + if (dec_end - b->cur_dec < run) + return -1; memset(b->cur_dec, last, run); b->cur_dec += run; } - } while (b->cur_dec < dec_end); + } } return 0; } @@ -455,7 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b, int start_bits, int has_sign) { int i, j, len, len2, bsize, sign, v, v2; - int16_t *dst = (int16_t*)b->cur_dec; + int16_t *dst = (int16_t*)b->cur_dec; + int16_t *dst_end = (int16_t*)b->data_end; CHECK_READ_VAL(gb, b, len); v = get_bits(gb, start_bits - has_sign); @@ -463,10 +466,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b, sign = -get_bits1(gb); v = (v ^ sign) - sign; } + if (dst_end - dst < 1) + return -1; *dst++ = v; len--; for (i = 0; i < len; i += 8) { len2 = FFMIN(len - i, 8); + if (dst_end - dst < len2) + return -1; bsize = get_bits(gb, 4); if (bsize) { for (j = 0; j < len2; j++) { @@ -534,6 +541,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num) int i, len; CHECK_READ_VAL(gb, b, len); + if (b->data_end - b->cur_dec < len * (1 + (bits > 8))) + return -1; if (bits <= 8) { if (!issigned) { for (i = 0; i < len; i++) From 8c2ae575ad5f4aadad65186e4c7bc3f4db2a62c5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:41:23 +0100 Subject: [PATCH 0750/1119] aacdec: fix undefined shifts Since nnz can be zero, this is needed to avoid a shift by 32. Signed-off-by: Mans Rullgard (cherry picked from commit d12294304acd82cb219e3f66ca9cd6efb2194fa4) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 2958ddbe72..f1203d307e 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1088,7 +1088,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - bits = SHOW_UBITS(re, gb, nnz) << (32-nnz); + bits = nnz ? GET_CACHE(re, gb) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx); } while (len -= 4); @@ -1128,7 +1128,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], GET_VLC(code, re, gb, vlc_tab, 8, 2); cb_idx = cb_vector_idx[code]; nnz = cb_idx >> 8 & 15; - sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12); + sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0; LAST_SKIP_BITS(re, gb, nnz); cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx); } while (len -= 2); From 58afe6061adf61c17a876ce22b4dae03d0c0299a Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:49:42 +0100 Subject: [PATCH 0751/1119] dca: fix signed overflow in shift Signed-off-by: Mans Rullgard (cherry picked from commit 559c244d42be7a02c23976216b47fd63b80d6c7f) Signed-off-by: Anton Khirnov --- libavcodec/dca.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index fad6bce7a9..19d24c55d1 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -902,7 +902,8 @@ static void qmf_32_subbands(DCAContext * s, int chans, for (subindex = 0; subindex < 8; subindex++) { /* Load in one sample from each subband and clear inactive subbands */ for (i = 0; i < sb_act; i++){ - uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30; + unsigned sign = (i - 1) & 2; + uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30; AV_WN32A(&s->raXin[i], v); } for (; i < 32; i++) From fe3314a4137682bd7556d8c20798ea9e45f9863f Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 13:52:44 +0100 Subject: [PATCH 0752/1119] motion_est: fix some signed overflows Signed-off-by: Mans Rullgard (cherry picked from commit e708afd3c026a9eb547dab07781320a7e2564312) Signed-off-by: Anton Khirnov --- libavcodec/motion_est.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 5f10456d3b..72184ed560 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1040,7 +1040,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, /* intra / predictive decision */ pix = c->src[0][0]; sum = s->dsp.pix_sum(pix, s->linesize); - varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500; + varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500; pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8; @@ -1202,7 +1202,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){ intra_score= varc - 500; }else{ - int mean= (sum+128)>>8; + unsigned mean = (sum+128)>>8; mean*= 0x01010101; for(i=0; i<16; i++){ From fdc669fcbb855a35fcc0352d3ab75064b85194a0 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 15:03:51 +0100 Subject: [PATCH 0753/1119] vp8: fix signed overflows In addition to avoiding undefined behaviour, an unsigned type makes more sense for packing multiple 8-bit values. Signed-off-by: Mans Rullgard (cherry picked from commit bb59156606e00057a706ed30165bc7329db3823f) Signed-off-by: Anton Khirnov --- libavcodec/vp8.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 5e331c9856..7e82bbbe82 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -919,7 +919,8 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb, int mb_x, int mb_y) { AVCodecContext *avctx = s->avctx; - int x, y, mode, nnz, tr; + int x, y, mode, nnz; + uint32_t tr; // for the first row, we need to run xchg_mb_border to init the top edge to 127 // otherwise, skip it if we aren't going to deblock @@ -948,7 +949,7 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb, // from the top macroblock if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) && mb_x == s->mb_width-1) { - tr = tr_right[-1]*0x01010101; + tr = tr_right[-1]*0x01010101u; tr_right = (uint8_t *)&tr; } From 2c99aa48d7073a6ccdecc7ff1f88a781a5a62a86 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 02:06:26 +0100 Subject: [PATCH 0754/1119] lavf: fix signed overflow in avformat_find_stream_info() On the first iteration through this code, last_dts is always INT64_MIN (AV_NOPTS_VALUE) and the subtraction overflows in an invalid manner. Although the result is only used if the input values are valid, performing the subtraction is still not allowed in a strict environment. Signed-off-by: Mans Rullgard (cherry picked from commit a31e9f68a426f634e002282885c6c2eb1bfbea44) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 65176d416f..57fc836c64 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2356,9 +2356,9 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } { int64_t last = st->info->last_dts; - int64_t duration= pkt->dts - last; - if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){ + if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){ + int64_t duration= pkt->dts - last; double dur= duration * av_q2d(st->time_base); // if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO) From 48f9a800722736c9fd1ed37562a8760417f8f221 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 12:56:54 +0100 Subject: [PATCH 0755/1119] mpeg12enc: use sign_extend() function Signed-off-by: Mans Rullgard (cherry picked from commit 2f329db90e5d72ad383a0ba05fde3641a34ef73b) Signed-off-by: Anton Khirnov --- libavcodec/mpeg12enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index eb07ecfc5e..f77677a239 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -27,6 +27,7 @@ #include "avcodec.h" #include "dsputil.h" +#include "mathops.h" #include "mpegvideo.h" #include "mpeg12.h" @@ -681,8 +682,7 @@ static void mpeg1_encode_motion(MpegEncContext *s, int val, int f_or_b_code) int bit_size = f_or_b_code - 1; int range = 1 << bit_size; /* modulo encoding */ - int l= INT_BIT - 5 - bit_size; - val= (val<>l; + val = sign_extend(val, 5 + bit_size); if (val >= 0) { val--; From 5e3ba60e6f6a949e030d479cb4bcd8dd63b76a5d Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 01:59:51 +0100 Subject: [PATCH 0756/1119] crc: fix signed overflow This fixes a signed overflow from i << 24 when i == 255 by making i unsigned. The result of the shift is already assigned to an variable of unsigned type. Signed-off-by: Mans Rullgard (cherry picked from commit 8b19ae07616bbd18969b94cbf5d74308a8f2bbdf) Signed-off-by: Anton Khirnov --- libavutil/crc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/crc.c b/libavutil/crc.c index 6c9f92809f..44719ffaee 100644 --- a/libavutil/crc.c +++ b/libavutil/crc.c @@ -57,7 +57,7 @@ static AVCRC av_crc_table[AV_CRC_MAX][257]; * @return <0 on failure */ int av_crc_init(AVCRC *ctx, int le, int bits, uint32_t poly, int ctx_size){ - int i, j; + unsigned i, j; uint32_t c; if (bits < 8 || bits > 32 || poly >= (1LL< Date: Sun, 9 Oct 2011 20:32:58 +0100 Subject: [PATCH 0757/1119] mpegvideo_enc: fix a signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit 05795f35be4b479bfa8d60ed3eb13e0f89e439c0) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 51713a223f..ab717ebf4e 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2006,7 +2006,7 @@ static int mb_var_thread(AVCodecContext *c, void *arg){ int varc; int sum = s->dsp.pix_sum(pix, s->linesize); - varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500 + 128)>>8; + varc = (s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500 + 128)>>8; s->current_picture.mb_var [s->mb_stride * mb_y + mb_x] = varc; s->current_picture.mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8; From 0b1ac7bf4f8d091e03736decc7f8ac0357e80e5c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:46:22 +0100 Subject: [PATCH 0758/1119] wmavoice: fix a signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit ba3f07d0611d9a6c10eaa90b3c058ecdffe76676) Signed-off-by: Anton Khirnov --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 9588ecd807..1076539019 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1085,7 +1085,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, int excl_range = s->aw_pulse_range; // always 16 or 24 uint16_t *use_mask_ptr = &use_mask[idx >> 4]; int first_sh = 16 - (idx & 15); - *use_mask_ptr++ &= 0xFFFF << first_sh; + *use_mask_ptr++ &= 0xFFFFu << first_sh; excl_range -= first_sh; if (excl_range >= 16) { *use_mask_ptr++ = 0; From f9d17e6f54bad7a3fa287882dad7780b188b59bf Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:38:01 +0100 Subject: [PATCH 0759/1119] 4xm: fix signed overflow Signed-off-by: Mans Rullgard (cherry picked from commit 84dda407628e298f33d610e9e04a8b2945d24665) Signed-off-by: Anton Khirnov --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index ed832598b0..b0b01631c2 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -277,7 +277,7 @@ static void init_mv(FourXContext *f){ } #endif -static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, int dc){ +static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, int h, int stride, int scale, unsigned dc){ int i; dc*= 0x10001; From 559261ce499029fdd32b2793c143b16663fc73e1 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Mon, 10 Oct 2011 13:51:41 +0200 Subject: [PATCH 0760/1119] vaapi: Fix VC-1 decoding (reconstruct bitstream TTFRM correctly). Signed-off-by: Diego Biurrun (cherry picked from commit 53efb758c045900f512c947074900c0dbc988685) Signed-off-by: Anton Khirnov --- libavcodec/vaapi_vc1.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_vc1.c b/libavcodec/vaapi_vc1.c index 19865dc0e8..452b97d25a 100644 --- a/libavcodec/vaapi_vc1.c +++ b/libavcodec/vaapi_vc1.c @@ -116,6 +116,18 @@ static inline VAMvModeVC1 vc1_get_MVMODE2(VC1Context *v) return 0; } +/** Reconstruct bitstream TTFRM (7.1.1.41, Table-53) */ +static inline int vc1_get_TTFRM(VC1Context *v) +{ + switch (v->ttfrm) { + case TT_8X8: return 0; + case TT_8X4: return 1; + case TT_4X8: return 2; + case TT_4X4: return 3; + } + return 0; +} + /** Pack Libav bitplanes into a VABitPlaneBuffer element */ static inline void vc1_pack_bitplanes(uint8_t *bitplane, int n, const uint8_t *ff_bp[3], int x, int y, int stride) { @@ -239,7 +251,7 @@ static int vaapi_vc1_start_frame(AVCodecContext *avctx, av_unused const uint8_t pic_param->transform_fields.value = 0; /* reset all bits */ pic_param->transform_fields.bits.variable_sized_transform_flag = v->vstransform; pic_param->transform_fields.bits.mb_level_transform_type_flag = v->ttmbf; - pic_param->transform_fields.bits.frame_level_transform_type = v->ttfrm; + pic_param->transform_fields.bits.frame_level_transform_type = vc1_get_TTFRM(v); pic_param->transform_fields.bits.transform_ac_codingset_idx1 = v->c_ac_table_index; pic_param->transform_fields.bits.transform_ac_codingset_idx2 = v->y_ac_table_index; pic_param->transform_fields.bits.intra_transform_dc_table = v->s.dc_table_index; From a23bcc923d73bfe5fe1d4c8e43359466b24bb0ab Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 7 Oct 2011 18:41:06 -0700 Subject: [PATCH 0761/1119] mxfdec: Fix some buffer overreads caused by the misuse of AVPacket related functions. (cherry picked from commit 0c46e958d1fd3817b8e9fa048d0450d509c80378) Signed-off-by: Anton Khirnov --- libavformat/mxfdec.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index fcee7a7b83..044aa415a9 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -223,12 +223,13 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, if (length > 61444) /* worst case PAL 1920 samples 8 channels */ return -1; - av_new_packet(pkt, length); - avio_read(pb, pkt->data, length); + length = av_get_packet(pb, pkt, length); + if (length < 0) + return length; data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ - for (; buf_ptr < end_ptr; ) { + for (; buf_ptr + st->codec->channels*4 < end_ptr; ) { for (i = 0; i < st->codec->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); if (st->codec->bits_per_coded_sample == 24) @@ -238,7 +239,7 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, } buf_ptr += 32 - st->codec->channels*4; // always 8 channels stored SMPTE 331M } - pkt->size = data_ptr - pkt->data; + av_shrink_packet(pkt, data_ptr - pkt->data); return 0; } @@ -290,12 +291,16 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (memcmp(tmpbuf, checkv, 16)) av_log(s, AV_LOG_ERROR, "probably incorrect decryption key\n"); size -= 32; - av_get_packet(pb, pkt, size); + size = av_get_packet(pb, pkt, size); + if (size < 0) + return size; + else if (size < plaintext_size) + return AVERROR_INVALIDDATA; size -= plaintext_size; if (mxf->aesc) av_aes_crypt(mxf->aesc, &pkt->data[plaintext_size], &pkt->data[plaintext_size], size >> 4, ivec, 1); - pkt->size = orig_size; + av_shrink_packet(pkt, orig_size); pkt->stream_index = index; avio_skip(pb, end - avio_tell(pb)); return 0; @@ -332,8 +337,11 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "error reading D-10 aes3 frame\n"); return -1; } - } else - av_get_packet(s->pb, pkt, klv.length); + } else { + int ret = av_get_packet(s->pb, pkt, klv.length); + if (ret < 0) + return ret; + } pkt->stream_index = index; pkt->pos = klv.offset; return 0; From b696d61518bba0514cf72ce765572275d12c0bf7 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:31 +0000 Subject: [PATCH 0762/1119] avsdemux: check for corrupted data Signed-off-by: Janne Grunau (cherry picked from commit 76c6971a6464705f263fc30e537b370a3a7c853b) Signed-off-by: Anton Khirnov --- libavformat/avs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index bd9b31d0f4..52294b0b40 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -163,6 +163,8 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt) sub_type = avio_r8(s->pb); type = avio_r8(s->pb); size = avio_rl16(s->pb); + if (size < 4) + return AVERROR_INVALIDDATA; avs->remaining_frame_size -= size; switch (type) { From ab201f6f1bca54324c05f8e7254a7a183999fbfc Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:31 +0000 Subject: [PATCH 0763/1119] avs: check for out of bound reads Signed-off-by: Janne Grunau (cherry picked from commit de049a95f4a8089b2878c7fcef6cac7e88a8f1bf) Signed-off-by: Anton Khirnov --- libavcodec/avs.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 1a5e44401c..3ad3d879b5 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; int buf_size = avpkt->size; AvsContext *const avs = avctx->priv_data; AVFrame *picture = data; @@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx, out = avs->picture.data[0]; stride = avs->picture.linesize[0]; + if (buf_end - buf < 4) + return AVERROR_INVALIDDATA; sub_type = buf[0]; type = buf[1]; buf += 4; @@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx, first = AV_RL16(buf); last = first + AV_RL16(buf + 2); + if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first)) + return AVERROR_INVALIDDATA; buf += 4; for (i=first; i Date: Fri, 30 Sep 2011 23:42:31 +0000 Subject: [PATCH 0764/1119] avsdemux: check for out of bound writes Signed-off-by: Janne Grunau (cherry picked from commit 6de33611c918e6ad5bbc878840a59607cb42b8c0) Signed-off-by: Anton Khirnov --- libavformat/avs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 52294b0b40..084d461dc1 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -169,6 +169,8 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt) switch (type) { case AVS_PALETTE: + if (size - 4 > sizeof(palette)) + return AVERROR_INVALIDDATA; ret = avio_read(s->pb, palette, size - 4); if (ret < size - 4) return AVERROR(EIO); From 39fed2e95b74dcfe8f4a87835bb2c00ab07d030d Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:32 +0000 Subject: [PATCH 0765/1119] anm: prevent infinite loop Signed-off-by: Janne Grunau (cherry picked from commit 2475f1a83ccf313d828b25f1769e3a37442ecf64) Signed-off-by: Anton Khirnov --- libavcodec/anm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/anm.c b/libavcodec/anm.c index ef037f2468..e2ddacc200 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -81,6 +81,8 @@ static inline int op(uint8_t **dst, const uint8_t *dst_end, int striplen = FFMIN(count, remaining); if (buf) { striplen = FFMIN(striplen, buf_end - *buf); + if (*buf >= buf_end) + goto exhausted; memcpy(*dst, *buf, striplen); *buf += striplen; } else if (pixel >= 0) From 518c72474d3fa3e90c80b2a9c6b8851f4be26544 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:32 +0000 Subject: [PATCH 0766/1119] adpcm: fix out of bound reads due to integer overflow Signed-off-by: Janne Grunau (cherry picked from commit c7f89064e2f0fef8198aadf64b0daf12787404ee) Signed-off-by: Anton Khirnov --- libavcodec/adpcm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index b2d79a2ece..069690a64a 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1267,10 +1267,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, buf_size -= 128; } break; - case CODEC_ID_ADPCM_IMA_EA_EACS: + case CODEC_ID_ADPCM_IMA_EA_EACS: { + unsigned header_size = 4 + (8<> (1-st); - if (samples_in_chunk > buf_size-4-(8< buf_size - header_size) { src += buf_size - 4; break; } @@ -1285,6 +1286,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, *samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3); } break; + } case CODEC_ID_ADPCM_IMA_EA_SEAD: for (; src < buf+buf_size; src++) { *samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6); From 34d6f22a571e230b519223e779e14b93d7e20989 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:32 +0000 Subject: [PATCH 0767/1119] eacmv: fix potential pointer arithmetic overflows Signed-off-by: Janne Grunau (cherry picked from commit 8df8a87e3fd5bd0c3dabc676aae8fd84992932dc) Signed-off-by: Anton Khirnov --- libavcodec/eacmv.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index c968a3d403..d848208ec8 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -52,7 +52,7 @@ static void cmv_decode_intra(CmvContext * s, const uint8_t *buf, const uint8_t * unsigned char *dst = s->frame.data[0]; int i; - for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) { + for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) { memcpy(dst, buf, s->avctx->width); dst += s->frame.linesize[0]; buf += s->avctx->width; @@ -84,7 +84,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * i = 0; for(y=0; yavctx->height/4; y++) - for(x=0; xavctx->width/4 && buf+iavctx->width/4 && buf_end - buf > i; x++) { if (buf[i]==0xFF) { unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4; if (raw+16=buf_end) { + if(buf_end - buf < 16) { av_log(s->avctx, AV_LOG_WARNING, "truncated header\n"); return; } @@ -135,7 +135,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t pal_count = AV_RL16(&buf[14]); buf += 16; - for (i=pal_start; i= 3; i++) { s->palette[i] = AV_RB24(buf); buf += 3; } From d75c80e9427eef962b1de8ce3dd0246dd2ec5c05 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:32 +0000 Subject: [PATCH 0768/1119] eacmv: check for out of bound reads Signed-off-by: Janne Grunau (cherry picked from commit 46cb2f6a2928a7fa4bee3f09b0475ccb8cdd2064) Signed-off-by: Anton Khirnov --- libavcodec/eacmv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index d848208ec8..2b9e6803e2 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -153,6 +153,9 @@ static int cmv_decode_frame(AVCodecContext *avctx, CmvContext *s = avctx->priv_data; const uint8_t *buf_end = buf + buf_size; + if (buf_end - buf < EA_PREAMBLE_SIZE) + return AVERROR_INVALIDDATA; + if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) { cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end); return buf_size; From 4eb51d96dd27bcd21ec2248bd3475d6ed2df42fc Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 30 Sep 2011 23:42:33 +0000 Subject: [PATCH 0769/1119] tiffdec: fix out of bound reads/writes Signed-off-by: Janne Grunau (cherry picked from commit 04a845caa7cdcdd1457f8c0dde52a7b2085ed92f) Signed-off-by: Anton Khirnov --- libavcodec/tiff.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 08cd3b0a6f..6bfef220f4 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -172,6 +172,8 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin } switch(s->compr){ case TIFF_RAW: + if (ssrc + size - src < width) + return AVERROR_INVALIDDATA; if (!s->fill_order) { memcpy(dst, src, width); } else { @@ -279,6 +281,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * uint32_t *pal; const uint8_t *rp, *gp, *bp; + if (end_buf - buf < 12) + return -1; tag = tget_short(&buf, s->le); type = tget_short(&buf, s->le); count = tget_long(&buf, s->le); @@ -338,7 +342,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_SHORT: case TIFF_LONG: s->bpp = 0; - for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le); + for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le); break; default: s->bpp = -1; @@ -452,6 +456,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_PAL: pal = (uint32_t *) s->palette; off = type_sizes[type]; + if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3) + return -1; rp = buf; gp = buf + count / 3 * off; bp = buf + count / 3 * off * 2; @@ -494,12 +500,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p= (AVFrame*)&s->picture; const uint8_t *orig_buf = buf, *end_buf = buf + buf_size; - int id, le, off, ret; + unsigned off; + int id, le, ret; int i, j, entries; - int stride, soff, ssize; + int stride; + unsigned soff, ssize; uint8_t *dst; //parse image header + if (end_buf - buf < 8) + return AVERROR_INVALIDDATA; id = AV_RL16(buf); buf += 2; if(id == 0x4949) le = 1; else if(id == 0x4D4D) le = 0; @@ -519,9 +529,9 @@ static int decode_frame(AVCodecContext *avctx, } /* parse image file directory */ off = tget_long(&buf, le); - if(orig_buf + off + 14 >= end_buf){ + if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); - return -1; + return AVERROR_INVALIDDATA; } buf = orig_buf + off; entries = tget_short(&buf, le); @@ -545,23 +555,23 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[0]; dst = p->data[0]; for(i = 0; i < s->height; i += s->rps){ - if(s->stripsizes) + if(s->stripsizes) { + if (s->stripsizes >= end_buf) + return AVERROR_INVALIDDATA; ssize = tget(&s->stripsizes, s->sstype, s->le); - else + } else ssize = s->stripsize; - if (ssize > buf_size) { - av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n"); - return -1; - } - if(s->stripdata){ + if (s->stripdata >= end_buf) + return AVERROR_INVALIDDATA; soff = tget(&s->stripdata, s->sot, s->le); }else soff = s->stripoff; - if (soff < 0) { - av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff); - return AVERROR(EINVAL); + + if (soff > buf_size || ssize > buf_size - soff) { + av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n"); + return -1; } if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0) break; From b3bdefb01b0dabcbb55a07d0f3370cb7ef903e85 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:48:12 +0000 Subject: [PATCH 0770/1119] ptx: check for out of bound reads Signed-off-by: Janne Grunau (cherry picked from commit dc64f203a62083c3d5f81e8201018279c29581af) Signed-off-by: Anton Khirnov --- libavcodec/ptx.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index c993f6c0f0..0fae37e084 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c @@ -39,12 +39,15 @@ static av_cold int ptx_init(AVCodecContext *avctx) { static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; PTXContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; unsigned int offset, w, h, y, stride, bytes_per_pixel; uint8_t *ptr; + if (buf_end - buf < 14) + return AVERROR_INVALIDDATA; offset = AV_RL16(buf); w = AV_RL16(buf+8); h = AV_RL16(buf+10); @@ -57,6 +60,8 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->pix_fmt = PIX_FMT_RGB555; + if (buf_end - buf < offset) + return AVERROR_INVALIDDATA; if (offset != 0x2c) av_log_ask_for_sample(avctx, "offset != 0x2c\n"); @@ -80,6 +85,8 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, stride = p->linesize[0]; for (y=0; y Date: Sun, 2 Oct 2011 00:48:11 +0000 Subject: [PATCH 0771/1119] 4xm: clear FF_INPUT_BUFFER_PADDING_SIZE bytes in temporary buffers Signed-off-by: Janne Grunau (cherry picked from commit 8d518a9c4fe92e2497565f1765da7f913be8b1e7) Signed-off-by: Anton Khirnov --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index b0b01631c2..e6ec6a6d23 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -399,6 +399,7 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4); + memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size); f->wordstream= (const uint16_t*)(buf + extra + bitstream_size); @@ -688,6 +689,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ if (!f->bitstream_buffer) return AVERROR(ENOMEM); f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4); + memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE); init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size); f->last_dc= 0*128*8*8; From 5ab326d7db3fd3feba570188b49dd4cd69105e9c Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:48:11 +0000 Subject: [PATCH 0772/1119] 4xmdemux: prevent use of uninitialized memory Signed-off-by: Janne Grunau (cherry picked from commit 79964745b3ed5a700f4f0dda56c7360497328c88) Signed-off-by: Anton Khirnov --- libavformat/4xm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 93c90e8cbc..5477ed0938 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -172,13 +172,15 @@ static int fourxm_read_header(AVFormatContext *s, goto fail; } if (current_track + 1 > fourxm->track_count) { - fourxm->track_count = current_track + 1; fourxm->tracks = av_realloc(fourxm->tracks, - fourxm->track_count * sizeof(AudioTrack)); + (current_track + 1) * sizeof(AudioTrack)); if (!fourxm->tracks) { - ret= AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); goto fail; } + memset(&fourxm->tracks[fourxm->track_count], 0, + sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count)); + fourxm->track_count = current_track + 1; } fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); From 6b011631e92073b68a1f67c8769946db1c28d623 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 2 Oct 2011 00:48:11 +0000 Subject: [PATCH 0773/1119] 4xm: prevent NULL dereference with invalid huffman table Signed-off-by: Janne Grunau (cherry picked from commit 1b1182ce97db7a97914bb7713eba66fee5d93937) Signed-off-by: Anton Khirnov --- libavcodec/4xm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index e6ec6a6d23..8f9ab241ca 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -602,9 +602,10 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const len_tab[j]= len; } - init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, - len_tab , 1, 1, - bits_tab, 4, 4, 0); + if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257, + len_tab , 1, 1, + bits_tab, 4, 4, 0)) + return NULL; return ptr; } From da73a2005aa4fbea03226eadbb4a1afd1d860cca Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 9 Oct 2011 20:18:34 +0100 Subject: [PATCH 0774/1119] motion_est: make MotionExtContext.map_generation unsigned The way this value is used, it should be an unsigned type. While the numerical value has no meaning, unsigned wraparound is relied upon. Signed-off-by: Mans Rullgard (cherry picked from commit cb668476ab1343d27e03edc0b32f57ca7a187471) Signed-off-by: Anton Khirnov --- libavcodec/motion_est.c | 2 +- libavcodec/motion_est_template.c | 36 ++++++++++++++++---------------- libavcodec/mpegvideo.h | 2 +- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 72184ed560..cabff8b894 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -52,7 +52,7 @@ static inline int sad_hpel_motion_search(MpegEncContext * s, int src_index, int ref_index, int size, int h); -static inline int update_map_generation(MotionEstContext *c) +static inline unsigned update_map_generation(MotionEstContext *c) { c->map_generation+= 1<<(ME_MAP_MV_BITS*2); if(c->map_generation==0){ diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c index d65edd933a..d104954aab 100644 --- a/libavcodec/motion_est_template.c +++ b/libavcodec/motion_est_template.c @@ -158,8 +158,8 @@ static int hpel_motion_search(MpegEncContext * s, const int b= score_map[(index+(1<penalty_factor; - int key; - int map_generation= c->map_generation; + unsigned key; + unsigned map_generation= c->map_generation; #ifndef NDEBUG uint32_t *map= c->map; #endif @@ -278,7 +278,7 @@ static int qpel_motion_search(MpegEncContext * s, const int mx = *mx_ptr; const int my = *my_ptr; const int penalty_factor= c->sub_penalty_factor; - const int map_generation= c->map_generation; + const unsigned map_generation = c->map_generation; const int subpel_quality= c->avctx->me_subpel_quality; uint32_t *map= c->map; me_cmp_func cmpf, chroma_cmpf; @@ -495,7 +495,7 @@ static int qpel_motion_search(MpegEncContext * s, #define CHECK_MV(x,y)\ {\ - const int key= ((y)<= xmin);\ assert((x) <= xmax);\ @@ -523,7 +523,7 @@ static int qpel_motion_search(MpegEncContext * s, #define CHECK_MV_DIR(x,y,new_dir)\ {\ - const int key= ((y)<map_generation; + unsigned map_generation = c->map_generation; cmpf= s->dsp.me_cmp[size]; chroma_cmpf= s->dsp.me_cmp[size+1]; { /* ensure that the best point is in the MAP as h/qpel refinement needs it */ - const int key= (best[1]<map_generation; + unsigned map_generation = c->map_generation; cmpf= s->dsp.me_cmp[size]; chroma_cmpf= s->dsp.me_cmp[size+1]; @@ -644,7 +644,7 @@ static int hex_search(MpegEncContext * s, int *best, int dmin, me_cmp_func cmpf, chroma_cmpf; LOAD_COMMON LOAD_COMMON2 - int map_generation= c->map_generation; + unsigned map_generation = c->map_generation; int x,y,d; const int dec= dia_size & (dia_size-1); @@ -678,7 +678,7 @@ static int l2s_dia_search(MpegEncContext * s, int *best, int dmin, me_cmp_func cmpf, chroma_cmpf; LOAD_COMMON LOAD_COMMON2 - int map_generation= c->map_generation; + unsigned map_generation = c->map_generation; int x,y,i,d; int dia_size= c->dia_size&0xFF; const int dec= dia_size & (dia_size-1); @@ -716,7 +716,7 @@ static int umh_search(MpegEncContext * s, int *best, int dmin, me_cmp_func cmpf, chroma_cmpf; LOAD_COMMON LOAD_COMMON2 - int map_generation= c->map_generation; + unsigned map_generation = c->map_generation; int x,y,x2,y2, i, j, d; const int dia_size= c->dia_size&0xFE; static const int hex[16][2]={{-4,-2}, {-4,-1}, {-4, 0}, {-4, 1}, {-4, 2}, @@ -763,7 +763,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin, me_cmp_func cmpf, chroma_cmpf; LOAD_COMMON LOAD_COMMON2 - int map_generation= c->map_generation; + unsigned map_generation = c->map_generation; int x,y, d; const int dia_size= c->dia_size&0xFF; @@ -792,7 +792,7 @@ static int full_search(MpegEncContext * s, int *best, int dmin, #define SAB_CHECK_MV(ax,ay)\ {\ - const int key= ((ay)<map_generation; + unsigned map_generation = c->map_generation; cmpf= s->dsp.me_cmp[size]; chroma_cmpf= s->dsp.me_cmp[size+1]; @@ -916,7 +916,7 @@ static int var_diamond_search(MpegEncContext * s, int *best, int dmin, int dia_size; LOAD_COMMON LOAD_COMMON2 - int map_generation= c->map_generation; + unsigned map_generation = c->map_generation; cmpf= s->dsp.me_cmp[size]; chroma_cmpf= s->dsp.me_cmp[size+1]; @@ -1008,7 +1008,7 @@ static av_always_inline int epzs_motion_search_internal(MpegEncContext * s, int int d; ///< the score (cmp + penalty) of any given mv int dmin; /*!< the best value of d, i.e. the score corresponding to the mv stored in best[]. */ - int map_generation; + unsigned map_generation; int penalty_factor; const int ref_mv_stride= s->mb_stride; //pass as arg FIXME const int ref_mv_xy= s->mb_x + s->mb_y*ref_mv_stride; //add to last_mv beforepassing FIXME @@ -1136,7 +1136,7 @@ static int epzs_motion_search4(MpegEncContext * s, MotionEstContext * const c= &s->me; int best[2]={0, 0}; int d, dmin; - int map_generation; + unsigned map_generation; const int penalty_factor= c->penalty_factor; const int size=1; const int h=8; @@ -1196,7 +1196,7 @@ static int epzs_motion_search2(MpegEncContext * s, MotionEstContext * const c= &s->me; int best[2]={0, 0}; int d, dmin; - int map_generation; + unsigned map_generation; const int penalty_factor= c->penalty_factor; const int size=0; //FIXME pass as arg const int h=8; diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 0fc32b9abe..e7ab58f46b 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -153,7 +153,7 @@ typedef struct MotionEstContext{ int best_bits; uint32_t *map; ///< map to avoid duplicate evaluations uint32_t *score_map; ///< map to store the scores - int map_generation; + unsigned map_generation; int pre_penalty_factor; int penalty_factor; /*!< an estimate of the bits required to code a given mv value, e.g. (1,0) takes From 3b7a1ba90ec94fe052b6ea085ae6f3f3bfd9ba27 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 10 Oct 2011 20:41:31 +0100 Subject: [PATCH 0775/1119] sipr: fix get_bits(0) calls Zero-length get_bits() is undefined, must check before calling. Signed-off-by: Mans Rullgard (cherry picked from commit c79d2a20bad59298188171f1316a830d563a41ee) Signed-off-by: Anton Khirnov --- libavcodec/sipr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index fa57b43eb1..ccd0eeb1fb 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c @@ -194,14 +194,16 @@ static void decode_parameters(SiprParameters* parms, GetBitContext *pgb, { int i, j; - parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); + if (p->ma_predictor_bits) + parms->ma_pred_switch = get_bits(pgb, p->ma_predictor_bits); for (i = 0; i < 5; i++) parms->vq_indexes[i] = get_bits(pgb, p->vq_indexes_bits[i]); for (i = 0; i < p->subframe_count; i++) { parms->pitch_delay[i] = get_bits(pgb, p->pitch_delay_bits[i]); - parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); + if (p->gp_index_bits) + parms->gp_index[i] = get_bits(pgb, p->gp_index_bits); for (j = 0; j < p->number_of_fc_indexes; j++) parms->fc_indexes[i][j] = get_bits(pgb, p->fc_index_bits[j]); From ef7a4df4584db51a97edea3b1140661faf4ddf56 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:37:51 -0400 Subject: [PATCH 0776/1119] smacker: validate number of channels (cherry picked from commit e190e453bd1e4d4b409ed3556b3a50d1087c15d7) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 1fa40def62..33ea7b95d6 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -559,6 +559,10 @@ static av_cold int decode_end(AVCodecContext *avctx) static av_cold int smka_decode_init(AVCodecContext *avctx) { + if (avctx->channels < 1 || avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); + return AVERROR(EINVAL); + } avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; avctx->sample_fmt = avctx->bits_per_coded_sample == 8 ? AV_SAMPLE_FMT_U8 : AV_SAMPLE_FMT_S16; return 0; From b3d7fffee3bf0e2b28ce98ba609b7fd2099938db Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:42:55 -0400 Subject: [PATCH 0777/1119] smacker: check buffer size before reading output size (cherry picked from commit cf044f8bff0d28dbc34492f18b0d18b3ba8bad9d) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 33ea7b95d6..f3c59da7db 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -586,6 +586,11 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, int bits, stereo; int pred[2] = {0, 0}; + if (buf_size <= 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + unp_size = AV_RL32(buf); init_get_bits(&gb, buf + 4, (buf_size - 4) * 8); From 1cc0b0863572cc4339ff38b04f48b13ec64062a2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 21 Sep 2011 11:49:33 -0400 Subject: [PATCH 0778/1119] smacker: validate channels and sample format. (cherry picked from commit ff1f89de2da3472d133e2c95bf7c9ad2d88df33d) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index f3c59da7db..fd88fd2c60 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -606,6 +606,14 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n"); return -1; } + if (stereo ^ (avctx->channels != 1)) { + av_log(avctx, AV_LOG_ERROR, "channels mismatch\n"); + return AVERROR(EINVAL); + } + if (bits && avctx->sample_fmt == AV_SAMPLE_FMT_U8) { + av_log(avctx, AV_LOG_ERROR, "sample format mismatch\n"); + return AVERROR(EINVAL); + } memset(vlc, 0, sizeof(VLC) * 4); memset(h, 0, sizeof(HuffContext) * 4); From 73ad066939bc435ba2cc47071a9dc617f8a9dda4 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sat, 8 Oct 2011 02:16:29 +0100 Subject: [PATCH 0779/1119] intfloat_readwrite: fix signed addition overflows These additions might overflow the signed range for large input values. Converting to unsigned before the addition rather than after avoids such undefined behaviour. The result under normal two's complement wraparound remains unchanged. Signed-off-by: Mans Rullgard (cherry picked from commit 88d1e2b2b0a129365a62efd666db0394e8ffbe08) Signed-off-by: Anton Khirnov --- libavutil/intfloat_readwrite.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/intfloat_readwrite.c b/libavutil/intfloat_readwrite.c index 21a1c31667..4c8de7b7a8 100644 --- a/libavutil/intfloat_readwrite.c +++ b/libavutil/intfloat_readwrite.c @@ -30,13 +30,13 @@ #include "intfloat_readwrite.h" double av_int2dbl(int64_t v){ - if(v+v > 0xFFEULL<<52) + if((uint64_t)v+v > 0xFFEULL<<52) return NAN; return ldexp(((v&((1LL<<52)-1)) + (1LL<<52)) * (v>>63|1), (v>>52&0x7FF)-1075); } float av_int2flt(int32_t v){ - if(v+v > 0xFF000000U) + if((uint32_t)v+v > 0xFF000000U) return NAN; return ldexp(((v&0x7FFFFF) + (1<<23)) * (v>>31|1), (v>>23&0xFF)-150); } From c321f2abca6a5bd4b1600ffa35bf2175dd55b388 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 2 Nov 2011 17:54:00 +0200 Subject: [PATCH 0780/1119] avcodec: Remove a misplaced and useless attribute_deprecated MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If attribute_deprecated is used in an enum declaration, it should follow the 'enum' keyword, otherwise it's ignored silently. This is the only case of attribute_deprecated for enum declarations currently. Currently, this attribute_deprecated doesn't have any effect. If moved to the right place, it emits a warning every single time avcodec.h is included, like this: avcodec.h:2827: warning: ‘AVLPCType’ is deprecated (declared at avcodec.h:543) There is already a working attribute_deprecated for the corresponding field in AVCodecContext, so therefore this one shouldn't be needed. Signed-off-by: Martin Storsjö (cherry picked from commit 1b6da627d49e98fe7661c9aa9ec4e16ab04dfda4) Signed-off-by: Martin Storsjö --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 2dbdc86e6a..179d97c91c 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -520,7 +520,7 @@ enum AVChromaLocation{ /** * LPC analysis type */ -attribute_deprecated enum AVLPCType { +enum AVLPCType { AV_LPC_TYPE_DEFAULT = -1, ///< use the codec default LPC type AV_LPC_TYPE_NONE = 0, ///< do not use LPC prediction or use all zero coefficients AV_LPC_TYPE_FIXED = 1, ///< fixed LPC coefficients From ceeaf424513fc019228f2cb88ea468940eb61648 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 2 Nov 2011 17:54:00 +0200 Subject: [PATCH 0781/1119] avcodec: Remove a misplaced and useless attribute_deprecated MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If attribute_deprecated is used in an enum declaration, it should follow the 'enum' keyword, otherwise it's ignored silently. This is the only case of attribute_deprecated for enum declarations currently. Currently, this attribute_deprecated doesn't have any effect. If moved to the right place, it emits a warning every single time avcodec.h is included, like this: avcodec.h:2827: warning: ‘AVLPCType’ is deprecated (declared at avcodec.h:543) There is already a working attribute_deprecated for the corresponding field in AVCodecContext, so therefore this one shouldn't be needed. Signed-off-by: Martin Storsjö (cherry picked from commit 1b6da627d49e98fe7661c9aa9ec4e16ab04dfda4) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index e827568f56..21cdbed1fa 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -523,7 +523,7 @@ enum AVChromaLocation{ /** * LPC analysis type */ -attribute_deprecated enum AVLPCType { +enum AVLPCType { AV_LPC_TYPE_DEFAULT = -1, ///< use the codec default LPC type AV_LPC_TYPE_NONE = 0, ///< do not use LPC prediction or use all zero coefficients AV_LPC_TYPE_FIXED = 1, ///< fixed LPC coefficients From e00d6e80ff62d151fb9c20336ee365ca42854a69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 2 Nov 2011 17:54:00 +0200 Subject: [PATCH 0782/1119] avcodec: Remove a misplaced and useless attribute_deprecated MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If attribute_deprecated is used in an enum declaration, it should follow the 'enum' keyword, otherwise it's ignored silently. This is the only case of attribute_deprecated for enum declarations currently. Currently, this attribute_deprecated doesn't have any effect. If moved to the right place, it emits a warning every single time avcodec.h is included, like this: avcodec.h:2827: warning: ‘AVLPCType’ is deprecated (declared at avcodec.h:543) There is already a working attribute_deprecated for the corresponding field in AVCodecContext, so therefore this one shouldn't be needed. Signed-off-by: Martin Storsjö (cherry picked from commit 1b6da627d49e98fe7661c9aa9ec4e16ab04dfda4) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 51c2c2a4b3..10c628862c 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -544,7 +544,7 @@ enum AVChromaLocation{ /** * LPC analysis type */ -attribute_deprecated enum AVLPCType { +enum AVLPCType { AV_LPC_TYPE_DEFAULT = -1, ///< use the codec default LPC type AV_LPC_TYPE_NONE = 0, ///< do not use LPC prediction or use all zero coefficients AV_LPC_TYPE_FIXED = 1, ///< fixed LPC coefficients From ccd528cc32024195c0ae1e5420223bff6ffc5317 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 15:27:11 -0800 Subject: [PATCH 0783/1119] qdm2: Check data block size for bytes to bits overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 7e7051fc6d..184c97dfb6 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1816,6 +1816,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) extradata += 4; s->checksum_size = AV_RB32(extradata); + if (s->checksum_size >= 1U << 28) { + av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size); + return AVERROR_INVALIDDATA; + } s->fft_order = av_log2(s->fft_size) + 1; s->fft_frame_size = 2 * s->fft_size; // complex has two floats From 3b5e1494c6e4bee4a0823b02d1342185252461d6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 14 Feb 2012 11:50:57 -0800 Subject: [PATCH 0784/1119] golomb: avoid infinite loop on all-zero input (or end of buffer). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c6643fddba73560f26f90d327c84d8832222a720) Signed-off-by: Reinhard Tartler --- libavcodec/golomb.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 503aa1416a..e19064c642 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -123,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){ }else{ int ret = 1; - while (1) { + do { buf >>= 32 - 8; LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8)); @@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){ ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf]; UPDATE_CACHE(re, gb); buf = GET_CACHE(re, gb); - } + } while (ret); CLOSE_READER(re, gb); return ret - 1; From ec961c89194aa090ab39f2cd4336479c909e532b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 15 Feb 2012 09:52:11 -0800 Subject: [PATCH 0785/1119] flac: fix infinite loops on all-zero input or end-of-stream. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 52e4018be47697a60f4f18f83551766df31f5adf) Signed-off-by: Reinhard Tartler --- libavcodec/flacdec.c | 9 +++++++++ libavcodec/golomb.h | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 7331c5cdd1..c74ebb0c14 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -420,7 +420,16 @@ static inline int decode_subframe(FLACContext *s, int channel) type = get_bits(&s->gb, 6); if (get_bits1(&s->gb)) { + int left = get_bits_left(&s->gb); wasted = 1; + if ( left < 0 || + (left < s->curr_bps && !show_bits_long(&s->gb, left)) || + !show_bits_long(&s->gb, s->curr_bps)) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid number of wasted bits > available bits (%d) - left=%d\n", + s->curr_bps, left); + return AVERROR_INVALIDDATA; + } while (!get_bits1(&s->gb)) wasted++; s->curr_bps -= wasted; diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index e19064c642..5f720c03f3 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int return buf; }else{ int i; - for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){ + for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) { LAST_SKIP_BITS(re, gb, 1); UPDATE_CACHE(re, gb); } From 0fbde741cbca76e826d0dce446480b02da5f6706 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 24 Jan 2012 18:43:43 -0800 Subject: [PATCH 0786/1119] wma: Clip WMA1 and WMA2 frame length to 11 bits. The MDCT buffers in the decoder are only sized for up to 11 bits. The reverse engineered documentation for WMA1/2 headers say that that for all samplerates above 32kHz 11 bits are used. 12 and 13 bit support were added for WMAPro. I was unable to make any Microsoft tools generate a test file at a samplerate above 48kHz. Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/wma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index 4cdffcd101..d82fde7b18 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -85,7 +85,7 @@ int av_cold ff_wma_get_frame_len_bits(int sample_rate, int version, } else if (sample_rate <= 22050 || (sample_rate <= 32000 && version == 1)) { frame_len_bits = 10; - } else if (sample_rate <= 48000) { + } else if (sample_rate <= 48000 || version < 3) { frame_len_bits = 11; } else if (sample_rate <= 96000) { frame_len_bits = 12; From bf9f26cef73eea9d9c2e73b89a5fe88e5aedc737 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 22 Feb 2012 11:05:42 -0800 Subject: [PATCH 0787/1119] aac: fix infinite loop on end-of-frame with sequence of 1-bits. Based-on-work-by: Ronald S. Bultje Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/aacdec.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index f1203d307e..cf7b43d53f 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -752,19 +752,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); return -1; } - while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1) + do { + sect_len_incr = get_bits(gb, bits); sect_end += sect_len_incr; - sect_end += sect_len_incr; - if (get_bits_left(gb) < 0) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; - } - if (sect_end > ics->max_sfb) { - av_log(ac->avctx, AV_LOG_ERROR, - "Number of bands (%d) exceeds limit (%d).\n", - sect_end, ics->max_sfb); - return -1; - } + if (get_bits_left(gb) < 0) { + av_log(ac->avctx, AV_LOG_ERROR, overread_err); + return -1; + } + if (sect_end > ics->max_sfb) { + av_log(ac->avctx, AV_LOG_ERROR, + "Number of bands (%d) exceeds limit (%d).\n", + sect_end, ics->max_sfb); + return -1; + } + } while (sect_len_incr == (1 << bits) - 1); for (; k < sect_end; k++) { band_type [idx] = sect_band_type; band_type_run_end[idx++] = sect_end; From dd7b323d9a2f6ddc0e277403fdbd06226306f4a1 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 14:34:21 -0800 Subject: [PATCH 0788/1119] matroskadec: Pad AAC extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index fad554f09f..5c814f483f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1384,7 +1384,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap) } else if (codec_id == CODEC_ID_AAC && !track->codec_priv.size) { int profile = matroska_aac_profile(track->codec_id); int sri = matroska_aac_sri(track->audio.samplerate); - extradata = av_malloc(5); + extradata = av_mallocz(5 + FF_INPUT_BUFFER_PADDING_SIZE); if (extradata == NULL) return AVERROR(ENOMEM); extradata[0] = (profile << 3) | ((sri&0x0E) >> 1); From 6c12293f6c3c91d5fbbb1146ad0f77b887abed48 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 24 Feb 2012 16:12:18 -0800 Subject: [PATCH 0789/1119] matroska: don't overwrite string values until read/alloc was succesful. This prevents certain tags with a default value assigned to them (as per the EBML syntax elements) from ever being assigned a NULL value. Other parts of the code rely on these being non-NULL (i.e. they don't check for NULL before e.g. using the string in strcmp() or similar), and thus in effect this prevents crashes when reading of such specific tags fails, either because of low memory or because of targeted file corruption. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5c814f483f..f74d028923 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -636,16 +636,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num) */ static int ebml_read_ascii(AVIOContext *pb, int size, char **str) { - av_free(*str); + char *res; + /* EBML strings are usually not 0-terminated, so we allocate one * byte more, read the string and NULL-terminate it ourselves. */ - if (!(*str = av_malloc(size + 1))) + if (!(res = av_malloc(size + 1))) return AVERROR(ENOMEM); - if (avio_read(pb, (uint8_t *) *str, size) != size) { - av_freep(str); + if (avio_read(pb, (uint8_t *) res, size) != size) { + av_free(res); return AVERROR(EIO); } - (*str)[size] = '\0'; + (res)[size] = '\0'; + av_free(*str); + *str = res; return 0; } From fd3af2950ace3b78e3003432873509dd3544f982 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 16:12:42 -0800 Subject: [PATCH 0790/1119] smacker: Sanity check huffman tables found in the headers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/smacker.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index fd88fd2c60..eb4427c100 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -127,12 +127,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref */ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx) { + if (hc->current + 1 >= hc->length) { + av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); + return -1; + } if(!get_bits1(gb)){ //Leaf int val, i1, i2, b1, b2; - if(hc->current >= hc->length){ - av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); - return -1; - } b1 = get_bits_count(gb); i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; @@ -156,7 +156,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx hc->values[hc->current++] = val; return 1; } else { //Node - int r = 0, t; + int r = 0, r_new, t; t = hc->current++; r = smacker_decode_bigtree(gb, hc, ctx); @@ -164,8 +164,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return r; hc->values[t] = SMK_NODE | r; r++; - r += smacker_decode_bigtree(gb, hc, ctx); - return r; + r_new = smacker_decode_bigtree(gb, hc, ctx); + if (r_new < 0) + return r_new; + return r + r_new; } } @@ -180,6 +182,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int VLC vlc[2]; int escapes[3]; DBCtx ctx; + int err = 0; if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow av_log(smk->avctx, AV_LOG_ERROR, "size too large\n"); @@ -253,7 +256,8 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int huff.current = 0; huff.values = av_mallocz(huff.length * sizeof(int)); - smacker_decode_bigtree(gb, &huff, &ctx); + if (smacker_decode_bigtree(gb, &huff, &ctx) < 0) + err = -1; skip_bits1(gb); if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; @@ -272,7 +276,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int av_free(tmp2.lengths); av_free(tmp2.values); - return 0; + return err; } static int decode_header_trees(SmackVContext *smk) { From ce99c1bfb5968ea680c6c48a52c407677db2fe82 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 11 Feb 2012 08:42:28 -0800 Subject: [PATCH 0791/1119] swscale: enforce a minimum filtersize. At very small dimensions, this calculation could lead to zero-sized filters, which leads to uninitialized output, zero-sized allocations, loop overflows in SIMD that uses do{..}while(i++ Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index ac22dfe688..221b993305 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -289,7 +289,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi if (xInc <= 1<<16) filterSize= 1 + sizeFactor; // upscale else filterSize= 1 + (sizeFactor*srcW + dstW - 1)/ dstW; - if (filterSize > srcW-2) filterSize=srcW-2; + filterSize = av_clip(filterSize, 1, srcW - 2); FF_ALLOC_OR_GOTO(NULL, filter, dstW*sizeof(*filter)*filterSize, fail); From b2b2dc61fa95279f78a8c425f02bdca09bdf2821 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 16:46:31 -0800 Subject: [PATCH 0792/1119] swscale: fix overflows in filterPos[] calculation for large sizes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 19a65b5be47944c607a9e979edb098924d95f2e4) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 221b993305..0aeec6f0fc 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -270,7 +270,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi xDstInSrc+= xInc; } } else { - int xDstInSrc; + int64_t xDstInSrc; int sizeFactor; if (flags&SWS_BICUBIC) sizeFactor= 4; @@ -822,8 +822,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) if (!dstFilter) dstFilter= &dummyFilter; if (!srcFilter) srcFilter= &dummyFilter; - c->lumXInc= ((srcW<<16) + (dstW>>1))/dstW; - c->lumYInc= ((srcH<<16) + (dstH>>1))/dstH; + c->lumXInc= (((int64_t)srcW<<16) + (dstW>>1))/dstW; + c->lumYInc= (((int64_t)srcH<<16) + (dstH>>1))/dstH; c->dstFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[dstFormat]); c->srcFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[srcFormat]); c->vRounder= 4* 0x0001000100010001ULL; @@ -885,8 +885,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) else c->canMMX2BeUsed=0; - c->chrXInc= ((c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW; - c->chrYInc= ((c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH; + c->chrXInc= (((int64_t)c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW; + c->chrYInc= (((int64_t)c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH; // match pixel 0 of the src to pixel 0 of dst and match pixel n-2 of src to pixel n-2 of dst // but only for the FAST_BILINEAR mode otherwise do correct scaling @@ -901,8 +901,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) } //we don't use the x86 asm scaler if MMX is available else if (HAVE_MMX && cpu_flags & AV_CPU_FLAG_MMX) { - c->lumXInc = ((srcW-2)<<16)/(dstW-2) - 20; - c->chrXInc = ((c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20; + c->lumXInc = ((int64_t)(srcW-2)<<16)/(dstW-2) - 20; + c->chrXInc = ((int64_t)(c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20; } } From 0fe53216340e2bab1bb07df6fcdc14f742f3e69c Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 16:48:38 -0800 Subject: [PATCH 0793/1119] swscale: take first/lastline over/underflows into account for MMX. Fixes crashes for extremely large resizes (several 100-fold). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libswscale/x86/swscale_mmx.c | 38 ++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libswscale/x86/swscale_mmx.c b/libswscale/x86/swscale_mmx.c index f855a75212..a245106dd9 100644 --- a/libswscale/x86/swscale_mmx.c +++ b/libswscale/x86/swscale_mmx.c @@ -132,6 +132,44 @@ void updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrBufI const int16_t **chrUSrcPtr= (const int16_t **) chrUPixBuf + chrBufIndex + firstChrSrcY - lastInChrBuf + vChrBufSize; const int16_t **alpSrcPtr= (CONFIG_SWSCALE_ALPHA && alpPixBuf) ? (const int16_t **) alpPixBuf + lumBufIndex + firstLumSrcY - lastInLumBuf + vLumBufSize : NULL; int i; + + if (firstLumSrcY < 0 || firstLumSrcY + vLumFilterSize > c->srcH) { + const int16_t **tmpY = (const int16_t **) lumPixBuf + 2 * vLumBufSize; + int neg = -firstLumSrcY, i, end = FFMIN(c->srcH - firstLumSrcY, vLumFilterSize); + for (i = 0; i < neg; i++) + tmpY[i] = lumSrcPtr[neg]; + for ( ; i < end; i++) + tmpY[i] = lumSrcPtr[i]; + for ( ; i < vLumFilterSize; i++) + tmpY[i] = tmpY[i-1]; + lumSrcPtr = tmpY; + + if (alpSrcPtr) { + const int16_t **tmpA = (const int16_t **) alpPixBuf + 2 * vLumBufSize; + for (i = 0; i < neg; i++) + tmpA[i] = alpSrcPtr[neg]; + for ( ; i < end; i++) + tmpA[i] = alpSrcPtr[i]; + for ( ; i < vLumFilterSize; i++) + tmpA[i] = tmpA[i - 1]; + alpSrcPtr = tmpA; + } + } + if (firstChrSrcY < 0 || firstChrSrcY + vChrFilterSize > c->chrSrcH) { + const int16_t **tmpU = (const int16_t **) chrUPixBuf + 2 * vChrBufSize; + int neg = -firstChrSrcY, i, end = FFMIN(c->chrSrcH - firstChrSrcY, vChrFilterSize); + for (i = 0; i < neg; i++) { + tmpU[i] = chrUSrcPtr[neg]; + } + for ( ; i < end; i++) { + tmpU[i] = chrUSrcPtr[i]; + } + for ( ; i < vChrFilterSize; i++) { + tmpU[i] = tmpU[i - 1]; + } + chrUSrcPtr = tmpU; + } + if (flags & SWS_ACCURATE_RND) { int s= APCK_SIZE / 8; for (i=0; i Date: Fri, 17 Feb 2012 12:10:33 -0800 Subject: [PATCH 0794/1119] cook: prevent div-by-zero if channels is zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/cook.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index a8fa01e5d2..429b4d0155 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1066,6 +1066,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->sample_rate = avctx->sample_rate; q->nb_channels = avctx->channels; q->bit_rate = avctx->bit_rate; + if (!q->nb_channels) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR_INVALIDDATA; + } /* Initialize RNG. */ av_lfg_init(&q->random_state, 0); From 4509129e9d04c93a3de4005787a058d1b950eb03 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:28:26 -0800 Subject: [PATCH 0795/1119] als: prevent infinite loop in zero_remaining(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 17c54900f7..f2944c6038 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1010,7 +1010,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max, { unsigned int count = 0; - while (b < b_max) + for (; b < b_max; b++) count += div_blocks[b]; if (count) From 2380a3d37f0b94436db53aa56491cbc9203bc8fe Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 15:00:47 -0800 Subject: [PATCH 0796/1119] huffyuv: error out on bit overrun. On EOF, get_bits() will continuously return 0, causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/huffyuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index a399142d59..d211964eca 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -184,7 +184,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){ if(repeat==0) repeat= get_bits(gb, 8); //printf("%d %d\n", val, repeat); - if(i+repeat > 256) { + if(i+repeat > 256 || get_bits_left(gb) < 0) { av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n"); return -1; } From 9a331217b00be566e8cc7afcd4df916b43e1756b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:21:18 -0800 Subject: [PATCH 0797/1119] asf: prevent packet_size_left from going negative if hdrlen > pktlen. This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/asfdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 16bba93c37..603886754d 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -789,6 +789,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb) asf->packet_segments = 1; asf->packet_segsizetype = 0x80; } + if (rsize > packet_length - padsize) { + asf->packet_size_left = 0; + av_log(s, AV_LOG_ERROR, + "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n", + rsize, packet_length, padsize, avio_tell(pb)); + return -1; + } asf->packet_size_left = packet_length - padsize - rsize; if (packet_length < asf->hdr.min_pktsize) padsize += asf->hdr.min_pktsize - packet_length; From 33149928edef047fb6391cf8a84602a213c62921 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 16:27:36 -0800 Subject: [PATCH 0798/1119] mjpegb: don't return 0 at the end of frame decoding. Return 0 indicates "please return the same data again", i.e. it causes an infinite loop. Instead, return that we consumed the buffer if we finished decoding succesfully, or return an error if an error occurred. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/mjpegbdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 837304ea74..454ba6ffc9 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -66,7 +66,7 @@ read_header: if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) { av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n"); - return 0; + return AVERROR_INVALIDDATA; } field_size = get_bits_long(&hgb, 32); /* field size */ @@ -142,7 +142,7 @@ read_header: picture->quality*= FF_QP2LAMBDA; } - return buf_ptr - buf; + return buf_size; } AVCodec ff_mjpegb_decoder = { From 18b2f23ef83cf317fcf0de6035878407ba68829c Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 12:19:52 -0800 Subject: [PATCH 0799/1119] truemotion2: error out if the huffman tree has no nodes. This prevents crashers and errors further down when reading nodes in the empty tree. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 23abade214..6ca97338e1 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -132,7 +132,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) huff.val_bits, huff.max_bits); return -1; } - if((huff.nodes < 0) || (huff.nodes > 0x10000)) { + if((huff.nodes <= 0) || (huff.nodes > 0x10000)) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of Huffman tree nodes: %i\n", huff.nodes); return -1; } From cd6c5e16c6ae536435bfde9b455b0aca6e09cbae Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 11:53:27 -0800 Subject: [PATCH 0800/1119] swf: check return values for av_get/new_packet(). Prevents crashers when using the packet if allocation failed. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/swfdec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index eec9524ecf..2df3520722 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -84,7 +84,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) SWFContext *swf = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst = NULL, *ast = NULL, *st = 0; - int tag, len, i, frame, v; + int tag, len, i, frame, v, res; for(;;) { uint64_t pos = avio_tell(pb); @@ -147,7 +147,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) st = s->streams[i]; if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) { frame = avio_rl16(pb); - av_get_packet(pb, pkt, len-2); + if ((res = av_get_packet(pb, pkt, len-2)) < 0) + return res; pkt->pos = pos; pkt->pts = frame; pkt->stream_index = st->index; @@ -160,9 +161,11 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) { if (st->codec->codec_id == CODEC_ID_MP3) { avio_skip(pb, 4); - av_get_packet(pb, pkt, len-4); + if ((res = av_get_packet(pb, pkt, len-4)) < 0) + return res; } else { // ADPCM, PCM - av_get_packet(pb, pkt, len); + if ((res = av_get_packet(pb, pkt, len)) < 0) + return res; } pkt->pos = pos; pkt->stream_index = st->index; @@ -186,7 +189,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) st = vst; } avio_rl16(pb); /* BITMAP_ID */ - av_new_packet(pkt, len-2); + if ((res = av_new_packet(pkt, len-2)) < 0) + return res; avio_read(pb, pkt->data, 4); if (AV_RB32(pkt->data) == 0xffd8ffd9 || AV_RB32(pkt->data) == 0xffd9ffd8) { From b1d9a808633f695aa74b5c8b59eb628bc1bea1e2 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 23 Feb 2012 10:47:50 -0800 Subject: [PATCH 0801/1119] tiff: Prevent overreads in the type_sizes array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/tiff.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 6bfef220f4..71a4e70e3e 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -288,6 +288,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * count = tget_long(&buf, s->le); off = tget_long(&buf, s->le); + if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) { + av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type); + return 0; + } + if(count == 1){ switch(type){ case TIFF_BYTE: @@ -309,10 +314,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * value = -1; buf = start + off; } - }else if(type_sizes[type] * count <= 4){ - buf -= 4; - }else{ - buf = start + off; + } else { + if (count <= 4 && type_sizes[type] * count <= 4) { + buf -= 4; + } else { + buf = start + off; + } } if(buf && (buf < start || buf > end_buf)){ From d10c22d33ce3d134025bc7fb0b2acbd58a0cef50 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 16:09:36 -0800 Subject: [PATCH 0802/1119] lcl: error out if uncompressed input buffer is smaller than framesize. This prevents crashes when trying to read beyond the end of the buffer while decoding frame data. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/lcldec.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 70414d4d55..017df55da7 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac len = mszh_dlen; } break; - case COMP_MSZH_NOCOMP: + case COMP_MSZH_NOCOMP: { + int bppx2; + switch (c->imgtype) { + case IMGTYPE_YUV111: + case IMGTYPE_RGB24: + bppx2 = 6; + break; + case IMGTYPE_YUV422: + case IMGTYPE_YUV211: + bppx2 = 4; + break; + case IMGTYPE_YUV411: + case IMGTYPE_YUV420: + bppx2 = 3; + break; + default: + bppx2 = 0; // will error out below + break; + } + if (len < ((width * height * bppx2) >> 1)) + return AVERROR_INVALIDDATA; break; + } default: av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n"); return -1; From 25784c040904d3b5bc532583495b0a473360e246 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 24 Feb 2012 16:27:53 -0800 Subject: [PATCH 0803/1119] kgv1: release reference picture on size change. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/kgv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 88c54bf817..e26fd81ffb 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -54,8 +54,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if (av_image_check_size(w, h, 0, avctx)) return -1; - if (w != avctx->width || h != avctx->height) + if (w != avctx->width || h != avctx->height) { + if (c->prev.data[0]) + avctx->release_buffer(avctx, &c->prev); avcodec_set_dimensions(avctx, w, h); + } maxcnt = w * h; From 678737c26be4fb93dc6b3ede04b8231bd39b2e3b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 24 Feb 2012 14:11:04 -0800 Subject: [PATCH 0804/1119] fraps: release reference buffer on pix_fmt change. Prevents crash when trying to copy from a non-existing plane in e.g. a RGB32 reference image to a YUV420P target image Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/fraps.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index 2bbc7b9f01..90989e8f08 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -134,7 +134,7 @@ static int decode_frame(AVCodecContext *avctx, uint32_t *luma1,*luma2,*cb,*cr; uint32_t offs[4]; int i, j, is_chroma, planes; - + enum PixelFormat pix_fmt; header = AV_RL32(buf); version = header & 0xff; @@ -151,12 +151,16 @@ static int decode_frame(AVCodecContext *avctx, if (header_size == 8) buf+=4; + pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P; + if (avctx->pix_fmt != pix_fmt && f->data[0]) { + avctx->release_buffer(avctx, f); + } + avctx->pix_fmt = pix_fmt; + switch(version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ - avctx->pix_fmt = PIX_FMT_YUVJ420P; - if ( (buf_size != avctx->width*avctx->height*3/2+header_size) && (buf_size != header_size) ) { av_log(avctx, AV_LOG_ERROR, @@ -204,8 +208,6 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ - avctx->pix_fmt = PIX_FMT_BGR24; - if ( (buf_size != avctx->width*avctx->height*3+header_size) && (buf_size != header_size) ) { av_log(avctx, AV_LOG_ERROR, @@ -240,7 +242,6 @@ static int decode_frame(AVCodecContext *avctx, * Fraps v2 is Huffman-coded YUV420 planes * Fraps v4 is virtually the same */ - avctx->pix_fmt = PIX_FMT_YUVJ420P; planes = 3; f->reference = 1; f->buffer_hints = FF_BUFFER_HINTS_VALID | @@ -283,7 +284,6 @@ static int decode_frame(AVCodecContext *avctx, case 3: case 5: /* Virtually the same as version 4, but is for RGB24 */ - avctx->pix_fmt = PIX_FMT_BGR24; planes = 3; f->reference = 1; f->buffer_hints = FF_BUFFER_HINTS_VALID | From 811989e91092bfa8cbcf6305eee7c1353da99809 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 11:33:24 -0800 Subject: [PATCH 0805/1119] rm: prevent infinite loops for index parsing. Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d) Signed-off-by: Reinhard Tartler --- libavformat/rmdec.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index fbc4d0cee6..dbfeb927cf 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -350,8 +350,19 @@ static int rm_read_index(AVFormatContext *s) st = s->streams[n]; break; } - if (n == s->nb_streams) + if (n == s->nb_streams) { + av_log(s, AV_LOG_ERROR, + "Invalid stream index %d for index at pos %"PRId64"\n", + str_id, avio_tell(pb)); goto skip; + } else if ((avio_size(pb) - avio_tell(pb)) / 14 < n_pkts) { + av_log(s, AV_LOG_ERROR, + "Nr. of packets in packet index for stream index %d " + "exceeds filesize (%"PRId64" at %"PRId64" = %d)\n", + str_id, avio_size(pb), avio_tell(pb), + (avio_size(pb) - avio_tell(pb)) / 14); + goto skip; + } for (n = 0; n < n_pkts; n++) { avio_skip(pb, 2); @@ -363,9 +374,12 @@ static int rm_read_index(AVFormatContext *s) } skip: - if (next_off && avio_tell(pb) != next_off && - avio_seek(pb, next_off, SEEK_SET) < 0) + if (next_off && avio_tell(pb) < next_off && + avio_seek(pb, next_off, SEEK_SET) < 0) { + av_log(s, AV_LOG_ERROR, + "Non-linear index detected, not supported\n"); return -1; + } } while (next_off); return 0; From a02da9ceaf298e57bd6f579ea6158164d32ed18e Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 26 Feb 2012 10:50:45 +0100 Subject: [PATCH 0806/1119] Fix parser not to clobber has_b_frames when extradata is set. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Because in contrast to the decoder, the parser does not setup low_delay. The code in parse_nal_units would always end up setting has_b_frames to "1", except when stream is explicitly marked as low delay. Since the parser itself would create 'extradata', simply reopening the parser would cause this. This happens for instance in estimate_timings_from_pts(), which causes the parser to be reopened on the same stream. This fixes Libav #22 and FFmpeg (trac) #360 CC: libav-stable@libav.org Based on a patch by Reimar Döffinger (commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7) Comments and description adapted by Reinhard Tartler. Signed-off-by: Reinhard Tartler (cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645) Signed-off-by: Reinhard Tartler --- libavcodec/h264_parser.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index c39baeb739..4263c4b2e9 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -251,6 +251,13 @@ static int h264_parse(AVCodecParserContext *s, h->got_first = 1; if (avctx->extradata_size) { h->s.avctx = avctx; + // must be done like in the decoder. + // otherwise opening the parser, creating extradata, + // and then closing and opening again + // will cause has_b_frames to be always set. + // NB: estimate_timings_from_pts behaves exactly like this. + if (!avctx->has_b_frames) + h->s.low_delay = 1; ff_h264_decode_extradata(h); } } From 117b8b00cc12efb473402a8d6ab1e9013ea0a851 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 10 Jan 2012 17:01:26 -0800 Subject: [PATCH 0807/1119] vorbis: fix overflows in floor1[] vector and inverse db table index. (cherry picked from commit 24947d4988012f1f0fd467c83418615adc11c3e8) Signed-off-by: Reinhard Tartler --- libavcodec/vorbis.c | 19 +++++++++---------- libavcodec/vorbisdec.c | 10 +++++----- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index cc039be190..20be707313 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -150,7 +150,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } -static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, +static inline void render_line_unrolled(intptr_t x, int y, int x1, intptr_t sy, int ady, int adx, float *buf) { @@ -162,30 +162,30 @@ static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, if (err >= 0) { err += ady - adx; y += sy; - buf[x++] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x++] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } - buf[x] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } if (x <= 0) { if (err + ady >= 0) y += sy; - buf[x] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } } -static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) +static void render_line(int x0, int y0, int x1, int y1, float *buf) { int dy = y1 - y0; int adx = x1 - x0; int ady = FFABS(dy); int sy = dy < 0 ? -1 : 1; - buf[x0] = ff_vorbis_floor1_inverse_db_table[y0]; + buf[x0] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y0)]; if (ady*2 <= adx) { // optimized common case render_line_unrolled(x0, y0, x1, sy, ady, adx, buf); } else { int base = dy / adx; int x = x0; - uint8_t y = y0; + int y = y0; int err = -adx; ady -= FFABS(base) * adx; while (++x < x1) { @@ -195,7 +195,7 @@ static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) err -= adx; y += sy; } - buf[x] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } } } @@ -204,8 +204,7 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint16_t *y_list, int *flag, int multiplier, float *out, int samples) { - int lx, i; - uint8_t ly; + int lx, ly, i; lx = 0; ly = y_list[0] * multiplier; for (i = 1; i < values; i++) { diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 572e06ebc3..d6850b7f48 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1232,20 +1232,20 @@ static int vorbis_floor1_decode(vorbis_context *vc, floor1_flag[i] = 1; if (val >= room) { if (highroom > lowroom) { - floor1_Y_final[i] = val - lowroom + predicted; + floor1_Y_final[i] = av_clip_uint16(val - lowroom + predicted); } else { - floor1_Y_final[i] = predicted - val + highroom - 1; + floor1_Y_final[i] = av_clip_uint16(predicted - val + highroom - 1); } } else { if (val & 1) { - floor1_Y_final[i] = predicted - (val + 1) / 2; + floor1_Y_final[i] = av_clip_uint16(predicted - (val + 1) / 2); } else { - floor1_Y_final[i] = predicted + val / 2; + floor1_Y_final[i] = av_clip_uint16(predicted + val / 2); } } } else { floor1_flag[i] = 0; - floor1_Y_final[i] = predicted; + floor1_Y_final[i] = av_clip_uint16(predicted); } av_dlog(NULL, " Decoded floor(%d) = %u / val %u\n", From 18caebca4c91605fd0a9f5bc339a63be9a6c977a Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:21:22 -0800 Subject: [PATCH 0808/1119] asf: error out on ridiculously large minpktsize values. They cause various issues further down in demuxing. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8) Signed-off-by: Reinhard Tartler --- libavformat/asfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 603886754d..61721704d5 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -202,6 +202,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size) asf->hdr.flags = avio_rl32(pb); asf->hdr.min_pktsize = avio_rl32(pb); asf->hdr.max_pktsize = avio_rl32(pb); + if (asf->hdr.min_pktsize >= (1U<<29)) + return AVERROR_INVALIDDATA; asf->hdr.max_bitrate = avio_rl32(pb); s->packet_size = asf->hdr.max_pktsize; @@ -616,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) if (gsize < 24) return -1; if (!ff_guidcmp(&g, &ff_asf_file_header)) { - asf_read_file_properties(s, gsize); + int ret = asf_read_file_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { asf_read_stream_properties(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { From a2d5e741a889bfed621e18a94ff266d49d280557 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 16:13:46 -0800 Subject: [PATCH 0809/1119] asf: don't seek back on EOF. Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5) Signed-off-by: Reinhard Tartler --- libavformat/asfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 61721704d5..47d5b190c3 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -761,7 +761,7 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb) c= avio_r8(pb); d= avio_r8(pb); rsize+=3; - }else{ + } else if (!pb->eof_reached) { avio_seek(pb, -1, SEEK_CUR); //FIXME } From f28ec733798ceb2fc4a9c8a9c39c73e8d447310f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 11:19:33 -0800 Subject: [PATCH 0810/1119] vp56: error out on invalid stream dimensions. Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 5 +++++ libavcodec/vp6.c | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index d61163e64c..2b975801d0 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -55,6 +55,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, } rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ + if (!rows || !cols) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", + cols << 4, rows << 4); + return 0; + } vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ vp56_rac_gets(c, 2); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 02fe70bf7f..b0d8642465 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -75,6 +75,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, cols = buf[3]; /* number of stored macroblock cols */ /* buf[4] is number of displayed macroblock rows */ /* buf[5] is number of displayed macroblock cols */ + if (!rows || !cols) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); + return 0; + } if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || @@ -95,7 +99,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, vrt_shift = 5; s->sub_version = sub_version; } else { - if (!s->sub_version) + if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height) return 0; if (separated_coeff || !s->filter_header) { From 4f64456a144d89cc026048816031e8c3dcd29737 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 18:21:31 -0800 Subject: [PATCH 0811/1119] swscale: fix another integer overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd) Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 0aeec6f0fc..70a38b5962 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1002,7 +1002,7 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) c->vLumBufSize= c->vLumFilterSize; c->vChrBufSize= c->vChrFilterSize; for (i=0; ichrDstH / dstH; + int chrI = (int64_t) i * c->chrDstH / dstH; int nextSlice= FFMAX(c->vLumFilterPos[i ] + c->vLumFilterSize - 1, ((c->vChrFilterPos[chrI] + c->vChrFilterSize - 1)<chrSrcVSubSample)); From 87a1169ab85d4232daff457b16c2fac9280fe608 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 19:00:39 -0800 Subject: [PATCH 0812/1119] qtrle: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c) Signed-off-by: Reinhard Tartler --- libavcodec/qtrle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index e14c306c6b..6f65d1ec66 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -414,7 +414,7 @@ static av_cold int qtrle_decode_init(AVCodecContext *avctx) default: av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n", avctx->bits_per_coded_sample); - break; + return AVERROR_INVALIDDATA; } s->frame.data[0] = NULL; From e15d137ecfa9e78797e7f25b5aa32834f00f2559 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 17:04:33 -0800 Subject: [PATCH 0813/1119] rpza: error out on buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378) Signed-off-by: Reinhard Tartler --- libavcodec/rpza.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 958f103865..d1803fccc5 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s) color4[1] |= ((11 * ta + 21 * tb) >> 5); color4[2] |= ((21 * ta + 11 * tb) >> 5); + if (s->size - stream_ptr < n_blocks * 4) + return; while (n_blocks--) { block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { @@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: + if (s->size - stream_ptr < 16) + return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ From ced190c96c1fa99ca395ad02290f9784f07b07ee Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 19:00:48 -0800 Subject: [PATCH 0814/1119] vmnc: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2) Signed-off-by: Reinhard Tartler --- libavcodec/vmnc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index f95bef7e1d..4521d1598b 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -483,6 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx) break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported bitdepth %i\n", c->bpp); + return AVERROR_INVALIDDATA; } return 0; From d680295d0c3662793292338d0fd01b044601f338 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 09:41:22 -0800 Subject: [PATCH 0815/1119] huffyuv: do not abort on unknown pix_fmt; instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06) Signed-off-by: Reinhard Tartler --- libavcodec/huffyuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index d211964eca..eb13d87f87 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -514,7 +514,7 @@ s->bgr32=1; } break; default: - assert(0); + return AVERROR_INVALIDDATA; } alloc_temp(s); From bd0d32d13181c452906011e33000fc4328771005 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 29 Feb 2012 17:50:28 -0800 Subject: [PATCH 0816/1119] lcl: return negative error codes on decode_init() errors. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4) Signed-off-by: Reinhard Tartler --- libavcodec/lcldec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 017df55da7..8f203eb740 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -476,7 +476,7 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); - return 1; + return AVERROR_INVALIDDATA; } /* Check codec type */ @@ -525,7 +525,7 @@ static av_cold int decode_init(AVCodecContext *avctx) break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype); - return 1; + return AVERROR_INVALIDDATA; } /* Detect compression method */ @@ -542,7 +542,7 @@ static av_cold int decode_init(AVCodecContext *avctx) break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression); - return 1; + return AVERROR_INVALIDDATA; } break; #if CONFIG_ZLIB_DECODER @@ -560,7 +560,7 @@ static av_cold int decode_init(AVCodecContext *avctx) default: if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) { av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression); - return 1; + return AVERROR_INVALIDDATA; } av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression); } @@ -568,14 +568,14 @@ static av_cold int decode_init(AVCodecContext *avctx) #endif default: av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n"); - return 1; + return AVERROR_INVALIDDATA; } /* Allocate decompression buffer */ if (c->decomp_size) { if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 1; + return AVERROR(ENOMEM); } } @@ -601,7 +601,7 @@ static av_cold int decode_init(AVCodecContext *avctx) if (zret != Z_OK) { av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret); av_freep(&c->decomp_buf); - return 1; + return AVERROR_UNKNOWN; } } #endif From b56b7b9081d5b9048732c0db171c7b6af9831bad Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 1 Mar 2012 14:07:22 -0800 Subject: [PATCH 0817/1119] rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689) Signed-off-by: Reinhard Tartler --- libavcodec/rv10.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 223500c356..3ac0378d7d 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -653,8 +653,12 @@ static int rv10_decode_frame(AVCodecContext *avctx, if(!avctx->slice_count){ slice_count = (*buf++) + 1; + buf_size--; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 8 * slice_count; + if (buf_size <= 0) + return AVERROR_INVALIDDATA; }else slice_count = avctx->slice_count; @@ -693,7 +697,7 @@ static int rv10_decode_frame(AVCodecContext *avctx, s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } AVCodec ff_rv10_decoder = { From 88b47010c4e2ed0d756f30c54b0d88153c33aec5 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 27 Jan 2012 14:24:07 -0800 Subject: [PATCH 0818/1119] wmadec: Verify bitstream size makes sense before calling init_get_bits. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 479b34c3e0..c8e1de2c32 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -864,6 +864,8 @@ static int wma_decode_superframe(AVCodecContext *avctx, /* read each frame starting from bit_offset */ pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3; + if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8) + return AVERROR_INVALIDDATA; init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8); len = pos & 7; if (len > 0) From 433aaeb2f1cf679f254f5f1c7220b4100bc89c68 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 17:01:22 -0800 Subject: [PATCH 0819/1119] matroska: check buffer size for RM-style byte reordering. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f74d028923..a70f2ef86a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1775,15 +1775,31 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (!track->audio.pkt_cnt) { if (track->audio.sub_packet_cnt == 0) track->audio.buf_timecode = timecode; - if (st->codec->codec_id == CODEC_ID_RA_288) + if (st->codec->codec_id == CODEC_ID_RA_288) { + if (size < cfs * h / 2) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Corrupt int4 RM-style audio packet size\n"); + return AVERROR_INVALIDDATA; + } for (x=0; xaudio.buf+x*2*w+y*cfs, data+x*cfs, cfs); - else if (st->codec->codec_id == CODEC_ID_SIPR) + } else if (st->codec->codec_id == CODEC_ID_SIPR) { + if (size < w) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Corrupt sipr RM-style audio packet size\n"); + return AVERROR_INVALIDDATA; + } memcpy(track->audio.buf + y*w, data, w); - else + } else { + if (size < sps * w / sps) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Corrupt generic RM-style audio packet size\n"); + return AVERROR_INVALIDDATA; + } for (x=0; xaudio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps); + } if (++track->audio.sub_packet_cnt >= h) { if (st->codec->codec_id == CODEC_ID_SIPR) From c932844882f315928688c704fd9cdcb7eee37d17 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 16:33:33 -0500 Subject: [PATCH 0820/1119] wmaenc: require a large enough output buffer to prevent overwrites The maximum theoretical frame size is around 17000 bytes. Although in practice it will generally be much smaller, we require a larger buffer just to be safe. CC: libav-stable@libav.org (cherry picked from commit dfc4fdedf8cfc56a505579b1f2c1c5efbce4b97e) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index 3cdb4a0b9b..a002c32b5d 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -355,6 +355,11 @@ static int encode_superframe(AVCodecContext *avctx, } } + if (buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE) { + av_log(avctx, AV_LOG_ERROR, "output buffer size is too small\n"); + return AVERROR(EINVAL); + } + #if 1 total_gain= 128; for(i=64; i; i>>=1){ From 74bd46e82ad6e1cf57b5427a53a5213e7dfa61cd Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 16:10:00 -0500 Subject: [PATCH 0821/1119] wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE This is near the theoretical limit for wma frame size and is the most that our decoder can handle. Allowing higher bit rates will just end up padding each frame with empty bytes. Fixes invalid writes for avconv when using very high bit rates. CC:libav-stable@libav.org (cherry picked from commit c2b8dea1828f35c808adcf12615893d5c740bc0a) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index a002c32b5d..5f272f3748 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -71,8 +71,12 @@ static int encode_init(AVCodecContext * avctx){ for(i = 0; i < s->nb_block_sizes; i++) ff_mdct_init(&s->mdct_ctx[i], s->frame_len_bits - i + 1, 0, 1.0); - avctx->block_align= - s->block_align= avctx->bit_rate*(int64_t)s->frame_len / (avctx->sample_rate*8); + s->block_align = avctx->bit_rate * (int64_t)s->frame_len / + (avctx->sample_rate * 8); + s->block_align = FFMIN(s->block_align, MAX_CODED_SUPERFRAME_SIZE); + avctx->block_align = s->block_align; + avctx->bit_rate = avctx->block_align * 8LL * avctx->sample_rate / + s->frame_len; //av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", s->block_align, avctx->bit_rate, s->frame_len, avctx->sample_rate); avctx->frame_size= s->frame_len; From 43e3e7764c498138c28507c5a7dfcd08c0748633 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 16:27:57 -0500 Subject: [PATCH 0822/1119] wmaenc: limit allowed sample rate to 48kHz ff_wma_init() allows up to 50kHz, but this generates an exponent band size table that requires 65 bands. The code assumes 25 bands in many places, and using sample rates higher than 48kHz will lead to buffer overwrites. CC:libav-stable@libav.org (cherry picked from commit 1ec075cfecac01f9a289965db06f76365b0b1737) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index 5f272f3748..bf451aa258 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -39,6 +39,12 @@ static int encode_init(AVCodecContext * avctx){ return AVERROR(EINVAL); } + if (avctx->sample_rate > 48000) { + av_log(avctx, AV_LOG_ERROR, "sample rate is too high: %d > 48kHz", + avctx->sample_rate); + return AVERROR(EINVAL); + } + if(avctx->bit_rate < 24*1000) { av_log(avctx, AV_LOG_ERROR, "bitrate too low: got %i, need 24000 or higher\n", avctx->bit_rate); From 58133bb010c1587515ab4a8bf990760ca28b4dda Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 17:11:25 -0500 Subject: [PATCH 0823/1119] wmaenc: fix m/s stereo encoding for the first frame We need to set ms_stereo in encode_init() in order to avoid incorrectly encoding the first frame as non-m/s while flagging it as m/s. Fixes an uncomfortable pop in the left channel at the start of playback. CC:libav-stable@libav.org (cherry picked from commit 51ddf35c9017018e58c15275ff5b129647a0c94d) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 4 +++- tests/ref/acodec/wmav1 | 6 +++--- tests/ref/acodec/wmav2 | 6 +++--- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index bf451aa258..f83dd37520 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -70,6 +70,8 @@ static int encode_init(AVCodecContext * avctx){ s->use_exp_vlc = flags2 & 0x0001; s->use_bit_reservoir = flags2 & 0x0002; s->use_variable_block_len = flags2 & 0x0004; + if (avctx->channels == 2) + s->ms_stereo = 1; ff_wma_init(avctx, flags2); @@ -191,7 +193,7 @@ static int encode_block(WMACodecContext *s, float (*src_coefs)[BLOCK_MAX_SIZE], } if (s->nb_channels == 2) { - put_bits(&s->pb, 1, s->ms_stereo= 1); + put_bits(&s->pb, 1, !!s->ms_stereo); } for(ch = 0; ch < s->nb_channels; ch++) { diff --git a/tests/ref/acodec/wmav1 b/tests/ref/acodec/wmav1 index 916e4a8ab6..117aa12a8c 100644 --- a/tests/ref/acodec/wmav1 +++ b/tests/ref/acodec/wmav1 @@ -1,4 +1,4 @@ -26a7f6b0f0b7181df8df3fa589f6bf81 *./tests/data/acodec/wmav1.asf +0260385b8a54df11ad349f9ba8240fd8 *./tests/data/acodec/wmav1.asf 106004 ./tests/data/acodec/wmav1.asf -stddev:12245.52 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 -stddev: 2095.89 PSNR: 29.90 MAXDIFF:27658 bytes: 1056768/ 1058400 +stddev:12241.90 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 +stddev: 2074.79 PSNR: 29.99 MAXDIFF:27658 bytes: 1056768/ 1058400 diff --git a/tests/ref/acodec/wmav2 b/tests/ref/acodec/wmav2 index 622b6fcc36..43b19b7530 100644 --- a/tests/ref/acodec/wmav2 +++ b/tests/ref/acodec/wmav2 @@ -1,4 +1,4 @@ -7c6c0cb692af01b312ae345723674b5f *./tests/data/acodec/wmav2.asf +bdb4c312fb109f990be83a70f8ec9bdc *./tests/data/acodec/wmav2.asf 106044 ./tests/data/acodec/wmav2.asf -stddev:12249.93 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 -stddev: 2089.21 PSNR: 29.93 MAXDIFF:27650 bytes: 1056768/ 1058400 +stddev:12246.35 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 +stddev: 2068.08 PSNR: 30.02 MAXDIFF:27650 bytes: 1056768/ 1058400 From bd37b95383b6bd6b69aa8dba8eebd2cbef2aeed8 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 18:48:27 -0800 Subject: [PATCH 0824/1119] h264: prevent overreads in intra PCM decoding. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d1604b3de96575195b219028e2c4f08b2259aa7d) Signed-off-by: Reinhard Tartler --- libavcodec/h264_cabac.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index e8c8503857..ae3318da53 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1958,6 +1958,8 @@ decode_intra_mb: } // The pixels are stored in the same order as levels in h->mb array. + if ((int) (h->cabac.bytestream_end - ptr) < mb_size) + return -1; memcpy(h->mb, ptr, mb_size); ptr+=mb_size; ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); From e3e05963c1eff2481da3a2ea9ce662336391e2ca Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 29 Feb 2012 13:55:09 -0800 Subject: [PATCH 0825/1119] cscd: use negative error values to indicate decode_init() failures. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d) Signed-off-by: Reinhard Tartler --- libavcodec/cscd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 3518929c18..52040bf821 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { av_log(avctx, AV_LOG_ERROR, "CamStudio codec error: invalid depth %i bpp\n", avctx->bits_per_coded_sample); - return 1; + return AVERROR_INVALIDDATA; } c->bpp = avctx->bits_per_coded_sample; c->pic.data[0] = NULL; @@ -241,7 +241,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 1; + return AVERROR(ENOMEM); } return 0; } From 54e947273cefc4791d7b9e10823ffd1756cadf17 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 26 Feb 2012 08:57:14 -0800 Subject: [PATCH 0826/1119] h264: fix mmxext chroma deblock to use correct TC values. (cherry picked from commit b0c4f04338234ee011d7b704621347ef232294fe) Signed-off-by: Reinhard Tartler --- libavcodec/x86/h264_deblock_10bit.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/h264_deblock_10bit.asm b/libavcodec/x86/h264_deblock_10bit.asm index baac725eec..6744661d65 100644 --- a/libavcodec/x86/h264_deblock_10bit.asm +++ b/libavcodec/x86/h264_deblock_10bit.asm @@ -870,7 +870,7 @@ cglobal deblock_v_chroma_10_%1, 5,7-(mmsize/16),8*(mmsize/16) %if mmsize < 16 add r0, mmsize add r5, mmsize - add r4, mmsize/8 + add r4, mmsize/4 dec r6 jg .loop REP_RET From f375e19f37c7d1738cde70e43c3f64c6ab68c928 Mon Sep 17 00:00:00 2001 From: Fabian Greffrath Date: Mon, 5 Mar 2012 16:06:01 +0100 Subject: [PATCH 0827/1119] Fix format string vulnerability detected by -Wformat-security. Signed-off-by: Diego Biurrun (cherry picked from commit c9dbac36ad4bac07f6c1d06d465e361ab55bcb95) Signed-off-by: Reinhard Tartler --- libavcodec/srtdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index 677c5501f8..99cbd9428b 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c @@ -110,7 +110,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end, for (j=sptr-2; j>=0; j--) if (stack[j].param[i][0]) { out += snprintf(out, out_end-out, - stack[j].param[i]); + "%s", stack[j].param[i]); break; } } else { @@ -146,7 +146,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end, for (i=0; i Date: Tue, 24 Jan 2012 22:20:26 +0100 Subject: [PATCH 0828/1119] nsvdec: Fix use of uninitialized streams. Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b) Signed-off-by: Alex Converse (cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3) Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 9adb2f4729..c37300f5a1 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -596,12 +596,12 @@ null_chunk_retry: } /* map back streams to v,a */ - if (s->streams[0]) + if (s->nb_streams > 0) st[s->streams[0]->id] = s->streams[0]; - if (s->streams[1]) + if (s->nb_streams > 1) st[s->streams[1]->id] = s->streams[1]; - if (vsize/* && st[NSV_ST_VIDEO]*/) { + if (vsize && st[NSV_ST_VIDEO]) { nst = st[NSV_ST_VIDEO]->priv_data; pkt = &nsv->ahead[NSV_ST_VIDEO]; av_get_packet(pb, pkt, vsize); @@ -614,7 +614,7 @@ null_chunk_retry: if(st[NSV_ST_VIDEO]) ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++; - if (asize/*st[NSV_ST_AUDIO]*/) { + if (asize && st[NSV_ST_AUDIO]) { nst = st[NSV_ST_AUDIO]->priv_data; pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ From be524c186b50337db64d34a5726dfe3e8ea94f09 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:21:46 -0800 Subject: [PATCH 0829/1119] nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a) Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index c37300f5a1..7041523cb0 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -307,7 +307,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) char *token, *value; char quote; - p = strings = av_mallocz(strings_size + 1); + p = strings = av_mallocz((size_t)strings_size + 1); + if (!p) + return AVERROR(ENOMEM); endp = strings + strings_size; avio_read(pb, strings, strings_size); while (p < endp) { @@ -342,6 +344,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t)) return -1; nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t)); + if (!nsv->nsvs_file_offset) + return AVERROR(ENOMEM); for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; @@ -349,6 +353,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t)); + if (!nsv->nsvs_timestamps) + return AVERROR(ENOMEM); for(i=0;insvs_timestamps[i] = avio_rl32(pb); } From 0100c4b1b0736e0f5b3c98f9b0ab8acbef574888 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:23:09 -0800 Subject: [PATCH 0830/1119] nsvdec: Propagate errors Related to CVE-2011-3940. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5) Conflicts: libavformat/nsvdec.c Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 7041523cb0..67c103d21f 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -523,11 +523,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap) for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { if (nsv_resync(s) < 0) return -1; - if (nsv->state == NSV_FOUND_NSVF) + if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s, ap); + if (err < 0) + return err; + } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s, ap); + if (err < 0) + return err; break; /* we just want the first one */ } } From bb737d381f6d6413899a0697f426fb082eac66fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 17:48:23 +0100 Subject: [PATCH 0831/1119] dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik Signed-off-by: Michael Niedermayer Signed-off-by: Alex Converse (cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/dv.c b/libavformat/dv.c index 4b41e0aa8e..fe6dac600e 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -202,6 +202,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ + if (stype > 3) { + av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); + c->ach = 0; + return 0; + } + /* note: ach counts PAIRS of channels (i.e. stereo channels) */ ach = ((int[4]){ 1, 0, 2, 4})[stype]; if (ach == 1 && quant && freq == 2) From 44e182d41e3a73548f3f5e8445ec428d3846e6d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 17:51:40 +0100 Subject: [PATCH 0832/1119] dv: Fix null pointer dereference due to ach=0 dv: Fix null pointer dereference due to ach=0 Fixes part2 of CVE-2011-3929 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik Signed-off-by: Michael Niedermayer Signed-off-by: Alex Converse (cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index fe6dac600e..cd1efddaad 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -341,7 +341,8 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate; ppcm[i] = c->audio_buf[i]; } - dv_extract_audio(buf, ppcm, c->sys); + if (c->ach) + dv_extract_audio(buf, ppcm, c->sys); /* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ From 00fa6ffe1a0b252d6a81815e51f125225cd0b97a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 15:08:26 -0800 Subject: [PATCH 0833/1119] dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse (cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index cd1efddaad..389cf063e6 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -125,10 +125,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], /* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0; - pcm = ppcm[ipcm++]; /* for each DIF channel */ for (chan = 0; chan < sys->n_difchan; chan++) { + /* next stereo channel (50Mbps and 100Mbps only) */ + pcm = ppcm[ipcm++]; + if (!pcm) + break; + /* for each DIF segment */ for (i = 0; i < sys->difseg_size; i++) { frame += 6 * 80; /* skip DIF segment header */ @@ -176,11 +180,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */ } } - - /* next stereo channel (50Mbps and 100Mbps only) */ - pcm = ppcm[ipcm++]; - if (!pcm) - break; } return size; From 2c199cb253cb98fdc26b26eba1e401daf4dc1d80 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 31 Jan 2012 10:20:33 -0800 Subject: [PATCH 0834/1119] ac3: Do not read past the end of ff_ac3_band_start_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse (cherry picked from commit 034b03e7a0e8e4f8f66c82b736f2c0aa7c063ec0) Signed-off-by: Reinhard Tartler --- libavcodec/ac3dsp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/ac3dsp.c b/libavcodec/ac3dsp.c index 8ce5f8d2c5..cedc81c676 100644 --- a/libavcodec/ac3dsp.c +++ b/libavcodec/ac3dsp.c @@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd, int snr_offset, int floor, const uint8_t *bap_tab, uint8_t *bap) { - int bin, band; + int bin, band, band_end; /* special case, if snr offset is -960, set all bap's to zero */ if (snr_offset == -960) { @@ -120,12 +120,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd, band = ff_ac3_bin_to_band_tab[start]; do { int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor; - int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end); + band_end = ff_ac3_band_start_tab[++band]; + band_end = FFMIN(band_end, end); + for (; bin < band_end; bin++) { int address = av_clip((psd[bin] - m) >> 5, 0, 63); bap[bin] = bap_tab[address]; } - } while (end > ff_ac3_band_start_tab[band++]); + } while (end > band_end); } static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap, From b0888b8a48dbc4a5aa0aaed016b72fbbb7c30261 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 9 Feb 2012 17:11:55 -0800 Subject: [PATCH 0835/1119] dv: Fix small overread in audio frequency table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 0ab3687924457cb4fd81897bd39ab3cc5b699588) Signed-off-by: Reinhard Tartler --- libavformat/dv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/dv.c b/libavformat/dv.c index 389cf063e6..9383db2214 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -119,6 +119,9 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], if (quant > 1) return -1; /* unsupported quantization */ + if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) + return AVERROR_INVALIDDATA; + size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */ half_ch = sys->difseg_size / 2; @@ -201,6 +204,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ + if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) { + av_log(c->fctx, AV_LOG_ERROR, + "Unrecognized audio sample rate index (%d)\n", freq); + return 0; + } + if (stype > 3) { av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); c->ach = 0; From f5ce67d837cd686f12c515e601acd6e2a5df05a7 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 9 Feb 2012 20:21:47 -0800 Subject: [PATCH 0836/1119] svq3: Prevent illegal reads while parsing extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba) Signed-off-by: Reinhard Tartler --- libavcodec/svq3.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 09d598c044..662d74d6fb 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -809,7 +809,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) MpegEncContext *s = &h->s; int m; unsigned char *extradata; + unsigned char *extradata_end; unsigned int size; + int marker_found = 0; if (ff_h264_decode_init(avctx) < 0) return -1; @@ -829,19 +831,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) /* prowl for the "SEQH" marker in the extradata */ extradata = (unsigned char *)avctx->extradata; - for (m = 0; m < avctx->extradata_size; m++) { - if (!memcmp(extradata, "SEQH", 4)) - break; - extradata++; + extradata_end = avctx->extradata + avctx->extradata_size; + if (extradata) { + for (m = 0; m + 8 < avctx->extradata_size; m++) { + if (!memcmp(extradata, "SEQH", 4)) { + marker_found = 1; + break; + } + extradata++; + } } /* if a match was found, parse the extra data */ - if (extradata && !memcmp(extradata, "SEQH", 4)) { + if (marker_found) { GetBitContext gb; int frame_size_code; size = AV_RB32(&extradata[4]); + if (size > extradata_end - extradata - 8) + return AVERROR_INVALIDDATA; init_get_bits(&gb, extradata + 8, size*8); /* 'frame size code' and optional 'width, height' */ From a642953b0f1c87592d2e7bff5b67ed024bc29a64 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 23 Feb 2012 10:22:51 -0800 Subject: [PATCH 0837/1119] tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. TIFF v6.0 (unimplemented) adds signed equivalents. (cherry picked from commit e32548d1331ce05a054f1028fcdda8823a4f215a) Signed-off-by: Reinhard Tartler --- libavcodec/tiff.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 71a4e70e3e..1866dab9e7 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -58,24 +58,24 @@ typedef struct TiffContext { LZWState *lzw; } TiffContext; -static int tget_short(const uint8_t **p, int le){ - int v = le ? AV_RL16(*p) : AV_RB16(*p); +static unsigned tget_short(const uint8_t **p, int le) { + unsigned v = le ? AV_RL16(*p) : AV_RB16(*p); *p += 2; return v; } -static int tget_long(const uint8_t **p, int le){ - int v = le ? AV_RL32(*p) : AV_RB32(*p); +static unsigned tget_long(const uint8_t **p, int le) { + unsigned v = le ? AV_RL32(*p) : AV_RB32(*p); *p += 4; return v; } -static int tget(const uint8_t **p, int type, int le){ +static unsigned tget(const uint8_t **p, int type, int le) { switch(type){ case TIFF_BYTE : return *(*p)++; case TIFF_SHORT: return tget_short(p, le); case TIFF_LONG : return tget_long (p, le); - default : return -1; + default : return UINT_MAX; } } @@ -276,7 +276,7 @@ static int init_image(TiffContext *s) static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf) { - int tag, type, count, off, value = 0; + unsigned tag, type, count, off, value = 0; int i, j; uint32_t *pal; const uint8_t *rp, *gp, *bp; @@ -311,7 +311,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; } default: - value = -1; + value = UINT_MAX; buf = start + off; } } else { @@ -397,7 +397,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * } break; case TIFF_ROWSPERSTRIP: - if(type == TIFF_LONG && value == -1) + if (type == TIFF_LONG && value == UINT_MAX) value = s->avctx->height; if(value < 1){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n"); From 4be63587e110c05cda3101abf2e3745d919f3fae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Feb 2012 13:35:10 -0800 Subject: [PATCH 0838/1119] h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index bc6d613be4..abdaf2bf24 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -552,8 +552,7 @@ retry: #if HAVE_MMX if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) { avctx->idct_algo= FF_IDCT_XVIDMMX; - avctx->coded_width= 0; // force reinit -// dsputil_init(&s->dsp, avctx); + ff_dct_common_init(s); s->picture_number=0; } #endif @@ -567,6 +566,12 @@ retry: || s->height != avctx->coded_height) { /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat + + if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return -1; // width / height changed during parallelized decoding + } + s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From 5015ada0ec11b2ace2588153451775487731b97b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 21 Feb 2012 14:08:02 -0800 Subject: [PATCH 0839/1119] mov: Add support for MPEG2 HDV 720p24 (hdv4) (cherry picked from commit 0ad522afb3a3b3d22402ecb82dd4609f7655031b) Signed-off-by: Reinhard Tartler --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index fb2ce236ee..27c61e7dd1 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -149,6 +149,7 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '1') }, /* MPEG2 HDV 720p30 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '2') }, /* MPEG2 HDV 1080i60 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '3') }, /* MPEG2 HDV 1080i50 */ + { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '4') }, /* MPEG2 HDV 720p24 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '5') }, /* MPEG2 HDV 720p25 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */ From 853ce33dbc372071fda0a20182b07f00d6eb2a0d Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 21 Feb 2012 15:37:35 -0800 Subject: [PATCH 0840/1119] mov: Add more HDV and XDCAM FourCCs. Reference: VLC (cherry picked from commit b142496c5630b9bc88fb9eaccae7f6bd62fb23e7) Signed-off-by: Reinhard Tartler --- libavformat/isom.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index 27c61e7dd1..b865531223 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -154,6 +154,8 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '8') }, /* MPEG2 HDV 1080p30 */ + { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '9') }, /* MPEG2 HDV 720p60 JVC */ + { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', 'a') }, /* MPEG2 HDV 720p50 */ { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'n') }, /* MPEG2 IMX NTSC 525/60 50mb/s produced by FCP */ { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'p') }, /* MPEG2 IMX PAL 625/50 50mb/s produced by FCP */ { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '4', 'n') }, /* MPEG2 IMX NTSC 525/60 40mb/s produced by FCP */ @@ -184,6 +186,8 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'd') }, /* XDCAM EX 1080p24 VBR */ { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'e') }, /* XDCAM EX 1080p25 VBR */ { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'f') }, /* XDCAM EX 1080p30 VBR */ + { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', 'd') }, /* XDCAM HD 540p */ + { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', '2') }, /* XDCAM HD422 540p */ { CODEC_ID_MPEG2VIDEO, MKTAG('A', 'V', 'm', 'p') }, /* AVID IMX PAL */ { CODEC_ID_JPEG2000, MKTAG('m', 'j', 'p', '2') }, /* JPEG 2000 produced by FCP */ From 6dfe865aed25b52b181afddd37e1622d34f57d0b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Mar 2012 17:03:32 -0800 Subject: [PATCH 0841/1119] svq3: protect against negative quantizers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 11b940a1a8e7e5d5b212935a3ce78aeda577f5f2) Signed-off-by: Reinhard Tartler --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 662d74d6fb..ec9d791295 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -649,7 +649,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) if (IS_INTRA16x16(mb_type) || (s->pict_type != AV_PICTURE_TYPE_I && s->adaptive_quant && cbp)) { s->qscale += svq3_get_se_golomb(&s->gb); - if (s->qscale > 31){ + if (s->qscale > 31u){ av_log(h->s.avctx, AV_LOG_ERROR, "qscale:%d\n", s->qscale); return -1; } From f2e412d050ae9a0dcdea515f1c02620c6dcf8c47 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 17:24:20 -0800 Subject: [PATCH 0842/1119] smacker: error out if palette copy-with-offset overruns palette size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908) Signed-off-by: Reinhard Tartler --- libavformat/smacker.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index a817c31355..7ec8099376 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -261,8 +261,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) sz += (t & 0x7F) + 1; pal += ((t & 0x7F) + 1) * 3; } else if(t & 0x40){ /* copy with offset */ - off = avio_r8(s->pb) * 3; + off = avio_r8(s->pb); j = (t & 0x3F) + 1; + if (off + j > 0xff) { + av_log(s, AV_LOG_ERROR, + "Invalid palette update, offset=%d length=%d extends beyond palette size\n", + off, j); + return AVERROR_INVALIDDATA; + } + off *= 3; while(j-- && sz < 256) { *pal++ = oldpal[off + 0]; *pal++ = oldpal[off + 1]; From 4924520513d06b4d9169a1d3e0374d5a48bc02e0 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 16:08:10 -0800 Subject: [PATCH 0843/1119] raw: move buffer size check up. This way, it protects against overreads for 4bpp/2bpp content also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cc5dd632cecc5114717d0b90f8c2be162b1c6ee8) Signed-off-by: Reinhard Tartler --- libavcodec/rawdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 5e8e6c4c43..05a032e62c 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -127,6 +127,9 @@ static int raw_decode(AVCodecContext *avctx, frame->reordered_opaque = avctx->reordered_opaque; frame->pkt_pts = avctx->pkt->pts; + if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0)) + return -1; + //2bpp and 4bpp raw in avi and mov (yes this is ugly ...) if (context->buffer) { int i; @@ -151,9 +154,6 @@ static int raw_decode(AVCodecContext *avctx, avctx->codec_tag == MKTAG('A', 'V', 'u', 'p')) buf += buf_size - context->length; - if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0)) - return -1; - avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height); if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) || (avctx->pix_fmt!=PIX_FMT_PAL8 && From b4a223fd1936f8c7d3dd48f37f49790b0d04f429 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 14:18:14 -0800 Subject: [PATCH 0844/1119] wma: fix off-by-one in array bounds check. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b4bccf3e4e58f6fe58043791ca09db01a4343fac) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index c8e1de2c32..f0b043feef 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -352,7 +352,7 @@ static int decode_exp_vlc(WMACodecContext *s, int ch) } /* NOTE: this offset is the same as MPEG4 AAC ! */ last_exp += code - 60; - if ((unsigned)last_exp + 60 > FF_ARRAY_ELEMS(pow_tab)) { + if ((unsigned)last_exp + 60 >= FF_ARRAY_ELEMS(pow_tab)) { av_log(s->avctx, AV_LOG_ERROR, "Exponent out of range: %d\n", last_exp); return -1; From bbe316dfb425edecd98e3fbef93c17abe6bb5cb8 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 6 Mar 2012 17:00:29 -0800 Subject: [PATCH 0845/1119] tiffdec: Prevent illegal memory access caused by recycled pointers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd0be63049ed46660993d0550a4f0847a0b942ea) Signed-off-by: Reinhard Tartler --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1866dab9e7..0a0973c6d9 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -534,6 +534,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); return -1; } + // Reset these pointers so we can tell if they were set this frame + s->stripsizes = s->stripdata = NULL; /* parse image file directory */ off = tget_long(&buf, le); if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { From 99536be9d46b49e9496cfe6d49d82d3b0fe5e44c Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 16:29:23 -0800 Subject: [PATCH 0846/1119] huffyuv: add padding to classic (v1) huffman tables. We slightly overread the input buffer, so we require padding at the end of the buffer, as is documented in the get_bits API. Without padding, we'll read uninitialized data or beyond the end of the .rodata, which may crash. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4ffe5e2aa5241f8da9afd2c8fbc854dcc916c5f9) Signed-off-by: Reinhard Tartler --- libavcodec/huffyuv.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index eb13d87f87..b25a689d64 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -82,13 +82,15 @@ typedef struct HYuvContext{ DSPContext dsp; }HYuvContext; -static const unsigned char classic_shift_luma[] = { +#define classic_shift_luma_table_size 42 +static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = { 34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8, 16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70, 69,68, 0 }; -static const unsigned char classic_shift_chroma[] = { +#define classic_shift_chroma_table_size 59 +static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = { 66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183, 56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119, 214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0 @@ -366,10 +368,10 @@ static int read_old_huffman_tables(HYuvContext *s){ GetBitContext gb; int i; - init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8); + init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8); if(read_len_table(s->len[0], &gb)<0) return -1; - init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8); + init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8); if(read_len_table(s->len[1], &gb)<0) return -1; From 311361348dc5af77ad189bba846f2fdaff85a5c4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 11 Mar 2012 07:28:54 -0700 Subject: [PATCH 0847/1119] dsicinvideo: validate buffer offset before copying pixels. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c95fefa0420be9cc0f09a95041acf11114aaacd0) Signed-off-by: Reinhard Tartler --- libavcodec/dsicinav.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 11547c2ded..5ba2b1974c 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -145,11 +145,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c return dst_cur - dst; } -static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) { uint16_t cmd; int i, sz, offset, code; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_end = dst + dst_size, *dst_start = dst; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -160,6 +160,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha } else { cmd = AV_RL16(src); src += 2; offset = cmd >> 4; + if ((int) (dst - dst_start) < offset + 1) + return AVERROR_INVALIDDATA; sz = (cmd & 0xF) + 2; /* don't use memcpy/memmove here as the decoding routine (ab)uses */ /* buffer overlappings to repeat bytes in the destination */ @@ -171,6 +173,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha } } } + + return 0; } static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) @@ -200,13 +204,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; CinVideoContext *cin = avctx->priv_data; - int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size; - - cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; - if (avctx->reget_buffer(avctx, &cin->frame)) { - av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); - return -1; - } + int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; palette_type = buf[0]; palette_colors_count = AV_RL16(buf+1); @@ -232,8 +230,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, bitmap_frame_size -= 4; } } - memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); - cin->frame.palette_has_changed = 1; /* note: the decoding routines below assumes that surface.width = surface.pitch */ switch (bitmap_frame_type) { @@ -266,17 +262,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 38: - cin_decode_lzss(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + res = cin_decode_lzss(buf, bitmap_frame_size, + cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_size); + if (res < 0) + return res; break; case 39: - cin_decode_lzss(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + res = cin_decode_lzss(buf, bitmap_frame_size, + cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; } + cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; + if (avctx->reget_buffer(avctx, &cin->frame)) { + av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); + return -1; + } + + memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); + cin->frame.palette_has_changed = 1; for (y = 0; y < cin->avctx->height; ++y) memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, From 5ae49ddaa447bb4fba287f92ca508caba399ffbd Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 8 Mar 2012 16:32:46 -0800 Subject: [PATCH 0848/1119] xxan: don't read before start of buffer in av_memcpy_backptr(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f1279e286b00e99f343adb51e251f036a3df6f32) Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 28c868d5ba..daaba6389a 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -129,7 +129,8 @@ static int xan_unpack(uint8_t *dest, const int dest_len, if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end) + if (src + size > src_end || dest + size + size2 > dest_end || + dest - orig_dest + size < back) return -1; bytestream_get_buffer(&src, dest, size); dest += size; From 81c5b4ddcb08d65b691e944d8d8cdc144c19dc9b Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 14 Mar 2012 03:02:02 +0000 Subject: [PATCH 0849/1119] jvdec: unbreak video decoding The safe bitstream reader broke it since the buffer size was specified in bytes instead of bits. Signed-off-by: Janne Grunau CC: libav-stable@libav.org (cherry picked from commit a1c036e961a32f7208e7315dabfa0ee99d779edb) Signed-off-by: Reinhard Tartler --- libavcodec/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 5249764347..f2c97526c0 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx, if (video_type == 0 || video_type == 1) { GetBitContext gb; - init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8)); + init_get_bits(&gb, buf, 8 * FFMIN(video_size, buf_end - buf)); for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) From 8b819fd9d3f363483559a3e9aeb8b78acba47bb7 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 13 Mar 2012 16:26:44 -0700 Subject: [PATCH 0850/1119] h264: stricter reference limit enforcement. Progressive images can have only 16 references, error out if there are more, since the data is almost certainly corrupt, and the invalid value will lead to random crashes or invalid writes later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e0febda22d0e0fab094a9c886b0e0f0f662df1ef) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index dbf8e6aca1..f1ccc8af38 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2869,6 +2869,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->ref_count[1]= h->pps.ref_count[1]; if(h->slice_type_nos != AV_PICTURE_TYPE_I){ + int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32; + if(h->slice_type_nos == AV_PICTURE_TYPE_B){ h->direct_spatial_mv_pred= get_bits1(&s->gb); } @@ -2878,13 +2880,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; if(h->slice_type_nos==AV_PICTURE_TYPE_B) h->ref_count[1]= get_ue_golomb(&s->gb) + 1; - - if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ - av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0]= h->ref_count[1]= 1; - return -1; - } } + + if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { + av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); + h->ref_count[0] = h->ref_count[1] = 1; + return AVERROR_INVALIDDATA; + } + if(h->slice_type_nos == AV_PICTURE_TYPE_B) h->list_count= 2; else From 90db3c435ea5e77befe186b7079c8a7f4bf457d2 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 7 Mar 2012 20:07:17 +0100 Subject: [PATCH 0851/1119] dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 Signed-off-by: Janne Grunau Signed-off-by: Reinhard Tartler --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 19d24c55d1..38a641bd69 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -29,6 +29,7 @@ #include "libavutil/common.h" #include "libavutil/intmath.h" #include "libavutil/intreadwrite.h" +#include "libavutil/mathematics.h" #include "libavutil/audioconvert.h" #include "avcodec.h" #include "dsputil.h" From 137007b5bfbee8992ac088732c39cc1301bb7a3a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 08:55:43 -0400 Subject: [PATCH 0852/1119] ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16. 8-bit unsigned is the native sample format. (cherry picked from commit 2322ced8da990835717a176b8d2c32961cfecd3e) Signed-off-by: Reinhard Tartler --- libavcodec/ws-snd1.c | 47 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 534be5661b..959c7bb1d9 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -37,13 +37,11 @@ static const int8_t ws_adpcm_4bit[] = { -9, -8, -6, -5, -4, -3, -2, -1, 0, 1, 2, 3, 4, 5, 6, 8 }; -#define CLIP8(a) if(a>127)a=127;if(a<-128)a=-128; - static av_cold int ws_snd_decode_init(AVCodecContext * avctx) { // WSSNDContext *c = avctx->priv_data; - avctx->sample_fmt = AV_SAMPLE_FMT_S16; + avctx->sample_fmt = AV_SAMPLE_FMT_U8; return 0; } @@ -56,15 +54,14 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, // WSSNDContext *c = avctx->priv_data; int in_size, out_size; - int sample = 0; + int sample = 128; int i; - short *samples = data; + uint8_t *samples = data; if (!buf_size) return 0; out_size = AV_RL16(&buf[0]); - *data_size = out_size * 2; in_size = AV_RL16(&buf[2]); buf += 4; @@ -76,9 +73,12 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n"); return -1; } + + *data_size = out_size; + if (in_size == out_size) { for (i = 0; i < out_size; i++) - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; return buf_size; } @@ -93,17 +93,17 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_2bit[code & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 2) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 4) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_2bit[(code >> 6) & 0x3]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 4; } break; @@ -111,11 +111,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, for (count++; count > 0; count--) { code = *buf++; sample += ws_adpcm_4bit[code & 0xF]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; sample += ws_adpcm_4bit[code >> 4]; - CLIP8(sample); - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size -= 2; } break; @@ -125,19 +125,20 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, t = count; t <<= 3; sample += t >> 3; - *samples++ = sample << 8; + sample = av_clip_uint8(sample); + *samples++ = sample; out_size--; } else { /* copy */ for (count++; count > 0; count--) { - *samples++ = (*buf++ - 0x80) << 8; + *samples++ = *buf++; out_size--; } - sample = buf[-1] - 0x80; + sample = buf[-1]; } break; default: /* run */ for(count++; count > 0; count--) { - *samples++ = sample << 8; + *samples++ = sample; out_size--; } } From 847c7cd0c8795bb68e8729f74969aa49a5dc10ad Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 12 Sep 2011 09:41:06 -0400 Subject: [PATCH 0853/1119] ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4) Signed-off-by: Reinhard Tartler --- libavcodec/ws-snd1.c | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 959c7bb1d9..06bd18c529 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -61,6 +61,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, if (!buf_size) return 0; + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "packet is too small\n"); + return AVERROR(EINVAL); + } + out_size = AV_RL16(&buf[0]); in_size = AV_RL16(&buf[2]); buf += 4; @@ -74,20 +79,37 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, return -1; } - *data_size = out_size; - if (in_size == out_size) { for (i = 0; i < out_size; i++) *samples++ = *buf++; + *data_size = out_size; return buf_size; } - while (out_size > 0) { - int code; + while (out_size > 0 && buf - avpkt->data < buf_size) { + int code, smp, size; uint8_t count; code = (*buf) >> 6; count = (*buf) & 0x3F; buf++; + + /* make sure we don't write more than out_size samples */ + switch (code) { + case 0: smp = 4; break; + case 1: smp = 2; break; + case 2: smp = (count & 0x20) ? 1 : count + 1; break; + default: smp = count + 1; break; + } + if (out_size < smp) { + out_size = 0; + break; + } + + /* make sure we don't read past the input buffer */ + size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1; + if ((buf - avpkt->data) + size > buf_size) + break; + switch(code) { case 0: /* ADPCM 2-bit */ for (count++; count > 0; count--) { @@ -144,6 +166,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, } } + *data_size = samples - (uint8_t *)data; + return buf_size; } From e676bbb8cfb7401cfc189a88c61e7e7c22557fa7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 00:10:27 +0100 Subject: [PATCH 0854/1119] ws_snd1: Fix wrong samples count and crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc) Addresses CVE-2012-0848 Reviewed-by: Justin Ruggles Signed-off-by: Reinhard Tartler (cherry picked from commit 697a45d861b7cd6a96718383a44f41348487f844) Signed-off-by: Reinhard Tartler --- libavcodec/ws-snd1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 06bd18c529..e17c84ca30 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -95,8 +95,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, /* make sure we don't write more than out_size samples */ switch (code) { - case 0: smp = 4; break; - case 1: smp = 2; break; + case 0: smp = 4*(count+1); break; + case 1: smp = 2*(count+1); break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; } From f728ad26f0ec87650d2986a892785c0e2b97d161 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 03:18:58 +0100 Subject: [PATCH 0855/1119] atrac3: Fix crash in tonal component decoding. Add a check to avoid writing past the end of the channel_unit.components[] array. Bug Found by: cosminamironesei Fixes CVE-2012-0853 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5) Signed-off-by: Reinhard Tartler (cherry picked from commit f43b6e2b1ed47a1254a5d44c700a7fad5e9784be) Signed-off-by: Reinhard Tartler --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index accaae3d65..914998e7d9 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -395,6 +395,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent for (k=0; k= 64) + return AVERROR_INVALIDDATA; pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); max_coded_values = 1024 - pComponent[component_count].pos; coded_values = coded_values_per_component + 1; From a207a2fecc6a77735ab0cf209fdba0b4dd942a86 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 15 Sep 2011 18:08:52 -0400 Subject: [PATCH 0856/1119] shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 13381f6c95..7ce58ef0d3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -113,6 +113,7 @@ static int allocate_buffers(ShortenContext *s) { int i, chan; int *coeffs; + void *tmp_ptr; for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ @@ -124,9 +125,15 @@ static int allocate_buffers(ShortenContext *s) return -1; } - s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->offset[chan] = tmp_ptr; - s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + if (!tmp_ptr) + return AVERROR(ENOMEM); + s->decoded[chan] = tmp_ptr; for (i=0; inwrap; i++) s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; @@ -284,8 +291,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, int i, input_buf_size = 0; int16_t *samples = data; if(s->max_framesize == 0){ + void *tmp_ptr; s->max_framesize= 1024; // should hopefully be enough for the first header - s->bitstream= av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); + tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, + s->max_framesize); + if (!tmp_ptr) { + av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); + return AVERROR(ENOMEM); + } + s->bitstream = tmp_ptr; } if(1 && s->max_framesize){//FIXME truncated From 96ed18cab1048f03ff1c825f46b25d49218f1da4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 12:28:50 +0100 Subject: [PATCH 0857/1119] shorten: Use separate pointers for the allocated memory for decoded samples. Fixes invalid free() if any of the buffers are not allocated due to either not decoding a header or an error prior to allocating all buffers. Fixes CVE-2012-0858 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98) Signed-off-by: Reinhard Tartler (cherry picked from commit 6fc3287b9ccece290c5881b92948772bbf72e68c) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7ce58ef0d3..b8c1908357 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -81,6 +81,7 @@ typedef struct ShortenContext { int channels; int32_t *decoded[MAX_CHANNELS]; + int32_t *decoded_base[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; int *coeffs; uint8_t *bitstream; @@ -130,13 +131,14 @@ static int allocate_buffers(ShortenContext *s) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; - tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) * + sizeof(s->decoded_base[0][0])); if (!tmp_ptr) return AVERROR(ENOMEM); - s->decoded[chan] = tmp_ptr; + s->decoded_base[chan] = tmp_ptr; for (i=0; inwrap; i++) - s->decoded[chan][i] = 0; - s->decoded[chan] += s->nwrap; + s->decoded_base[chan][i] = 0; + s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); @@ -542,8 +544,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) int i; for (i = 0; i < s->channels; i++) { - s->decoded[i] -= s->nwrap; - av_freep(&s->decoded[i]); + s->decoded[i] = NULL; + av_freep(&s->decoded_base[i]); av_freep(&s->offset[i]); } av_freep(&s->bitstream); From 6ae95a0b93e8df15fe5f364535a7214be0817736 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 13:39:24 -0800 Subject: [PATCH 0858/1119] mjpegbdec: Fix overflow in SOS. Based in part by a fix from Michael Niedermayer Fixes CVE-2011-3947 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5) Signed-off-by: Reinhard Tartler (cherry picked from commit 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegbdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 454ba6ffc9..6455b19846 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -59,6 +59,9 @@ read_header: s->restart_count = 0; s->mjpb_skiptosod = 0; + if (buf_end - buf_ptr >= 1 << 28) + return AVERROR_INVALIDDATA; + init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8); skip_bits(&hgb, 32); /* reserved zeros */ @@ -109,8 +112,8 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs); if (sos_offs) { -// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8); - init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8); + init_get_bits(&s->gb, buf_ptr + sos_offs, + 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; ff_mjpeg_decode_sos(s, NULL, NULL); From 6fe5038753ec8da6770b1872588f5d83f6f13963 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 23 Jun 2011 13:27:21 +0200 Subject: [PATCH 0859/1119] nsvdec: Propagate error values instead of returning 0 in nsv_read_header(). This eliminates a warning about a set-but-unused variable. (cherry picked from commit 35fa0d47585cef28cd8191dccf0607d90c7667a6) Signed-off-by: Reinhard Tartler --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 67c103d21f..61cc69ffe1 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -542,7 +542,7 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap) err = nsv_read_chunk(s, 1); av_dlog(s, "parsed header\n"); - return 0; + return err; } static int nsv_read_chunk(AVFormatContext *s, int fill_header) From 24eabc53bae467cfe57e2c24dee0f33e11e697a1 Mon Sep 17 00:00:00 2001 From: Gaurav Narula Date: Mon, 12 Dec 2011 20:24:54 +0530 Subject: [PATCH 0860/1119] kvmc: fix invalid reads Signed-off-by: Janne Grunau (cherry picked from commit ad3161ec1d70291efcf40121d703ef73c0b08e5b) Signed-off-by: Reinhard Tartler --- libavcodec/kmvc.c | 82 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 66 insertions(+), 16 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 718cdfd932..033d3d7998 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -57,17 +57,21 @@ typedef struct BitBuf { #define kmvc_init_getbits(bb, src) bb.bits = 7; bb.bitbuf = *src++; -#define kmvc_getbit(bb, src, res) {\ +#define kmvc_getbit(bb, src, src_end, res) {\ res = 0; \ if (bb.bitbuf & (1 << bb.bits)) res = 1; \ bb.bits--; \ if(bb.bits == -1) { \ + if (src >= src_end) { \ + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); \ + return AVERROR_INVALIDDATA; \ + } \ bb.bitbuf = *src++; \ bb.bits = 7; \ } \ } -static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h) +static int kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) { BitBuf bb; int res, val; @@ -75,13 +79,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, int bx, by; int l0x, l1x, l0y, l1y; int mx, my; + const uint8_t *src_end = src + src_size; kmvc_init_getbits(bb, src); for (by = 0; by < h; by += 8) for (bx = 0; bx < w; bx += 8) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 8x8 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (i = 0; i < 64; i++) BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; @@ -89,14 +98,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (i = 0; i < 4; i++) { l0x = bx + (i & 1) * 4; l0y = by + (i & 2) * 2; - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 4x4 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; } else { // copy block from already decoded place + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = val & 0xF; my = val >> 4; @@ -108,16 +125,24 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (j = 0; j < 4; j++) { l1x = l0x + (j & 1) * 2; l1y = l0y + (j & 2); - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 2x2 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val; } else { // copy block from already decoded place + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = val & 0xF; my = val >> 4; @@ -140,9 +165,11 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, int w, } } } + + return 0; } -static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int h) +static int kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int src_size, int w, int h) { BitBuf bb; int res, val; @@ -150,15 +177,20 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, int bx, by; int l0x, l1x, l0y, l1y; int mx, my; + const uint8_t *src_end = src + src_size; kmvc_init_getbits(bb, src); for (by = 0; by < h; by += 8) for (bx = 0; bx < w; bx += 8) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 8x8 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (i = 0; i < 64; i++) BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val; @@ -171,14 +203,22 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (i = 0; i < 4; i++) { l0x = bx + (i & 1) * 4; l0y = by + (i & 2) * 2; - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 4x4 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; for (j = 0; j < 16; j++) BLK(ctx->cur, l0x + (j & 3), l0y + (j >> 2)) = val; } else { // copy block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = (val & 0xF) - 8; my = (val >> 4) - 8; @@ -190,16 +230,24 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, for (j = 0; j < 4; j++) { l1x = l0x + (j & 1) * 2; l1y = l0y + (j & 2); - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { - kmvc_getbit(bb, src, res); + kmvc_getbit(bb, src, src_end, res); if (!res) { // fill whole 2x2 block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; BLK(ctx->cur, l1x, l1y) = val; BLK(ctx->cur, l1x + 1, l1y) = val; BLK(ctx->cur, l1x, l1y + 1) = val; BLK(ctx->cur, l1x + 1, l1y + 1) = val; } else { // copy block + if (src >= src_end) { + av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); + return AVERROR_INVALIDDATA; + } val = *src++; mx = (val & 0xF) - 8; my = (val >> 4) - 8; @@ -222,6 +270,8 @@ static void kmvc_decode_inter_8x8(KmvcContext * ctx, const uint8_t * src, int w, } } } + + return 0; } static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPacket *avpkt) @@ -299,10 +349,10 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *data_size, AVPa memcpy(ctx->cur, ctx->prev, 320 * 200); break; case 3: - kmvc_decode_intra_8x8(ctx, buf, avctx->width, avctx->height); + kmvc_decode_intra_8x8(ctx, buf, buf_size, avctx->width, avctx->height); break; case 4: - kmvc_decode_inter_8x8(ctx, buf, avctx->width, avctx->height); + kmvc_decode_inter_8x8(ctx, buf, buf_size, avctx->width, avctx->height); break; default: av_log(avctx, AV_LOG_ERROR, "Unknown compression method %i\n", header & KMVC_METHOD); From cb8a17ddaccdbbe47748ba7ac4ce7303e47732fe Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Dec 2011 09:07:32 -0800 Subject: [PATCH 0861/1119] kgv1: use avctx->get/release_buffer(). Also fixes crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06) Signed-off-by: Anton Khirnov (cherry picked from commit e537dc230b2e123be8aebdaeee5a7d7787328b0b) Conflicts: libavcodec/kgv1dec.c Signed-off-by: Reinhard Tartler --- libavcodec/kgv1dec.c | 79 ++++++++++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 33 deletions(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index e26fd81ffb..c4c3dac016 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -30,10 +30,17 @@ typedef struct { AVCodecContext *avctx; - AVFrame pic; - uint16_t *prev, *cur; + AVFrame prev, cur; } KgvContext; +static void decode_flush(AVCodecContext *avctx) +{ + KgvContext * const c = avctx->priv_data; + + if (c->prev.data[0]) + avctx->release_buffer(avctx, &c->prev); +} + static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; @@ -42,7 +49,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac int offsets[7]; uint16_t *out, *prev; int outcnt = 0, maxcnt; - int w, h, i; + int w, h, i, res; if (avpkt->size < 2) return -1; @@ -62,15 +69,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac maxcnt = w * h; - out = av_realloc(c->cur, w * h * 2); - if (!out) - return -1; - c->cur = out; - - prev = av_realloc(c->prev, w * h * 2); - if (!prev) - return -1; - c->prev = prev; + c->cur.reference = 3; + if ((res = avctx->get_buffer(avctx, &c->cur)) < 0) + return res; + out = (uint16_t *) c->cur.data[0]; + if (c->prev.data[0]) { + prev = (uint16_t *) c->prev.data[0]; + } else { + prev = NULL; + } for (i = 0; i < 7; i++) offsets[i] = -1; @@ -83,6 +90,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac out[outcnt++] = code; // rgb555 pixel coded directly } else { int count; + int inp_off; uint16_t *inp; if ((code & 0x6000) == 0x6000) { @@ -104,7 +112,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if (maxcnt - start < count) break; - inp = prev + start; + if (!prev) { + av_log(avctx, AV_LOG_ERROR, + "Frame reference does not exist\n"); + break; + } + + inp = prev; + inp_off = start; } else { // copy from earlier in this frame int offset = (code & 0x1FFF) + 1; @@ -122,27 +137,28 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if (outcnt < offset) break; - inp = out + outcnt - offset; + inp = out; + inp_off = outcnt - offset; } if (maxcnt - outcnt < count) break; - for (i = 0; i < count; i++) + for (i = inp_off; i < count + inp_off; i++) { out[outcnt++] = inp[i]; + } } } if (outcnt - maxcnt) av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt); - c->pic.data[0] = (uint8_t *)c->cur; - c->pic.linesize[0] = w * 2; - *data_size = sizeof(AVFrame); - *(AVFrame*)data = c->pic; + *(AVFrame*)data = c->cur; - FFSWAP(uint16_t *, c->cur, c->prev); + if (c->prev.data[0]) + avctx->release_buffer(avctx, &c->prev); + FFSWAP(AVFrame, c->cur, c->prev); return avpkt->size; } @@ -153,28 +169,25 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = PIX_FMT_RGB555; + avctx->flags |= CODEC_FLAG_EMU_EDGE; return 0; } static av_cold int decode_end(AVCodecContext *avctx) { - KgvContext * const c = avctx->priv_data; - - av_freep(&c->cur); - av_freep(&c->prev); - + decode_flush(avctx); return 0; } AVCodec ff_kgv1_decoder = { - "kgv1", - AVMEDIA_TYPE_VIDEO, - CODEC_ID_KGV1, - sizeof(KgvContext), - decode_init, - NULL, - decode_end, - decode_frame, + .name = "kgv1", + .type = AVMEDIA_TYPE_VIDEO, + .id = CODEC_ID_KGV1, + .priv_data_size = sizeof(KgvContext), + .init = decode_init, + .close = decode_end, + .decode = decode_frame, + .flush = decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"), }; From a0b65938b7cf37680a4ce0667444a217a151c551 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jan 2012 23:23:35 +0100 Subject: [PATCH 0862/1119] kgv1dec: Increase offsets array size so it is large enough. Fixes CVE-2011-3945 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6) Signed-off-by: Alex Converse (cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b) (cherry picked from commit d5f2382d0389ed47a566ea536887af908bf9b14f) Signed-off-by: Reinhard Tartler --- libavcodec/kgv1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index c4c3dac016..42bbcae530 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -46,7 +46,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac const uint8_t *buf = avpkt->data; const uint8_t *buf_end = buf + avpkt->size; KgvContext * const c = avctx->priv_data; - int offsets[7]; + int offsets[8]; uint16_t *out, *prev; int outcnt = 0, maxcnt; int w, h, i, res; @@ -79,7 +79,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac prev = NULL; } - for (i = 0; i < 7; i++) + for (i = 0; i < 8; i++) offsets[i] = -1; while (outcnt < maxcnt && buf_end - 2 > buf) { From fd53da21a1707225ba9b69f3452725b175e2d8b8 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 18 Mar 2012 19:08:15 +0100 Subject: [PATCH 0863/1119] lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN While bogus, this change avoids the necessity to backport AVERROR_UNKNOWN, which is not entirely trivial. Signed-off-by: Reinhard Tartler --- libavcodec/lcldec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 8f203eb740..be5189a93b 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -601,7 +601,7 @@ static av_cold int decode_init(AVCodecContext *avctx) if (zret != Z_OK) { av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret); av_freep(&c->decomp_buf); - return AVERROR_UNKNOWN; + return AVERROR_INVALIDDATA; } } #endif From 1687c55e24cdc9d23401795e86928d3eb37a60f7 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 1 Apr 2012 19:08:06 +0200 Subject: [PATCH 0864/1119] Update RELEASE file for 0.7.5 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 0a1ffad4b4..8bd6ba8c5c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.4 +0.7.5 From bc5d86d23d1ad377addf54d65ee665327836075e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 31 Mar 2012 07:52:42 +0200 Subject: [PATCH 0865/1119] id3v2: fix skipping extended header in id3v2.4 In v2.4, the length includes the length field itself. (cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303) Signed-off-by: Anton Khirnov --- libavformat/id3v2.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index be6c03bbe5..326dd145ef 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -216,8 +216,17 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t unsync = flags & 0x80; - if (isv34 && flags & 0x40) /* Extended header present, just skip over it */ - avio_skip(s->pb, get_size(s->pb, 4)); + if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */ + int extlen = get_size(s->pb, 4); + if (version == 4) + extlen -= 4; // in v2.4 the length includes the length field we just read + + if (extlen < 0) { + reason = "invalid extended header length"; + goto error; + } + avio_skip(s->pb, extlen); + } while (len >= taghdrlen) { unsigned int tflags = 0; From 808686375d1c80b0eb1b12a78838a3ba010fce69 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 1 Apr 2012 19:45:27 +0200 Subject: [PATCH 0866/1119] Update changelog for 0.7.5 release --- Changelog | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/Changelog b/Changelog index 30c5b8f8de..425f6e2b96 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,53 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.5: + +Security updates: + +- kgv1dec: Increase offsets array size so it is large enough. (CVE-2011-3945) +- mjpegbdec: Fix overflow in SOS. (CVE-2011-3947) +- shorten: Use separate pointers for the allocated memory for decoded samples. (CVE-2012-0858) +- atrac3: Fix crash in tonal component decoding. (CVE-2012-0853) +- ws_snd1: Fix wrong samples count and crash. (CVE-2012-0848) +- h263dec: Disallow width/height changing with frame threads. (CVE-2011-3937) +- dv: Several bugfixes (CVE-2011-3929 and CVE-2011-3936) +- nsvdec: Several bugfixes (CVE-2011-3940) + +Further bugfixes in the following codecs: + + 4xm, AAC, AC3, ADPCM.C, ALS, ANM, AVS, Atrac3, Bink, Bitmap Brothers + JV, COOK, CamStudio, Cinepak, DCA, DSI CIN, EA CMV, FLAC, Fraps FPS1, + H263, H264, Huffyuv, KMVC, Kega Game Video, LCL, MJPEG, MPEG1/2 + encoder, Motion Pixels, Musepack SV7, Musepack SV8, Nellymoser, QCELP, + QDM2, QT RPZA, QT SVQ3, Qt RLE, QuickDraw, RAW, RV10, RV34, SIPR, + Shorten, Smacker, SubRib, TIFF, Tiertex Limited SEQ, Truemotion2, + V.Flash PTX, VC1, VMware Screen Codec, VP5, VP6, VP8, Vorbis, WMA, WMA + PRO, WMA Voice.c, Wavpack, Westwood SNDx, Wing Commander/Xan + +Further bugfixes in the following formats + + 4xm, ASF, AVS, DV, FLV, Matroska, Musepack SV8, MPEG, MXF, NSV, RM, + Segafilm, Smacker, Sierra SOL, SWF + +Further bugfixes in the following filters included in libavfilter: + + avfiltergraph: use meaningful error codes + lavfi: fix realloc size computation in avfilter_add_format() + vf_unsharp: fix out-of-buffer read + vf_scale: apply the same transform to the aspect during init that is applied per frame + vf_pad: fix "vsub" variable value computation + vf_yadif: correct documentation on the parity parameter + vf_yadif: copy buffer properties like aspect for second frame as well + +Libswscale updates: + + fix another integer overflow. + take first/lastline over/underflows into account for MMX. + fix overflows in filterPos[] calculation for large sizes. + enforce a minimum filtersize. + + version 0.7.4: - vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895) From 9208848b99196d71602e9e2b31597a1bc5cce3b0 Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Thu, 22 Mar 2012 19:28:52 +0100 Subject: [PATCH 0867/1119] Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent. Fixes an AAC decoding issue with the sample from ticket #213 on machines with SSE but without SSE2. Based on 89411a by Reimar. (cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928) --- libavcodec/x86/dsputil_yasm.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/dsputil_yasm.asm b/libavcodec/x86/dsputil_yasm.asm index 695aba5ec3..a114153585 100644 --- a/libavcodec/x86/dsputil_yasm.asm +++ b/libavcodec/x86/dsputil_yasm.asm @@ -474,7 +474,7 @@ cglobal scalarproduct_float_sse, 3,3,2, v1, v2, offset shufps xmm0, xmm0, 1 addss xmm0, xmm1 %ifndef ARCH_X86_64 - movd r0m, xmm0 + movss r0m, xmm0 fld dword r0m %endif RET From 10848d08625274e665c0ae3ad054e16732daf23c Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Thu, 22 Mar 2012 19:28:52 +0100 Subject: [PATCH 0868/1119] Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent. Fixes an AAC decoding issue with the sample from ticket #213 on machines with SSE but without SSE2. Based on 89411a by Reimar. (cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928) --- libavcodec/x86/dsputil_yasm.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/dsputil_yasm.asm b/libavcodec/x86/dsputil_yasm.asm index 695aba5ec3..a114153585 100644 --- a/libavcodec/x86/dsputil_yasm.asm +++ b/libavcodec/x86/dsputil_yasm.asm @@ -474,7 +474,7 @@ cglobal scalarproduct_float_sse, 3,3,2, v1, v2, offset shufps xmm0, xmm0, 1 addss xmm0, xmm1 %ifndef ARCH_X86_64 - movd r0m, xmm0 + movss r0m, xmm0 fld dword r0m %endif RET From 7ca2ed716d0b587114b7786c6ea291c839a1ea20 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Mar 2012 20:45:45 +0100 Subject: [PATCH 0869/1119] dsp: fix diff_bytes_mmx() with small width Fixes Ticket1068 Signed-off-by: Michael Niedermayer (cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e) Signed-off-by: Michael Niedermayer --- libavcodec/x86/dsputilenc_mmx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/x86/dsputilenc_mmx.c b/libavcodec/x86/dsputilenc_mmx.c index bd31205a6b..0234eaad6e 100644 --- a/libavcodec/x86/dsputilenc_mmx.c +++ b/libavcodec/x86/dsputilenc_mmx.c @@ -823,6 +823,7 @@ static int vsad16_mmx2(void *v, uint8_t * pix1, uint8_t * pix2, int line_size, i static void diff_bytes_mmx(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ x86_reg i=0; + if(w>=16) __asm__ volatile( "1: \n\t" "movq (%2, %0), %%mm0 \n\t" From c9d12a4692e8a39c8817483d522ffbfd88c4e073 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Mar 2012 20:39:32 +0100 Subject: [PATCH 0870/1119] pngenc: Fix incorrect mask used for interlaced mode. Fixes Ticket1109 Signed-off-by: Michael Niedermayer (cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461) Signed-off-by: Michael Niedermayer --- libavcodec/pngenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index c4ef2fd945..5812cdad75 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -55,7 +55,7 @@ static void png_get_interlaced_row(uint8_t *dst, int row_size, uint8_t *d; const uint8_t *s; - mask = ff_png_pass_mask[pass]; + mask = (int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass]; switch(bits_per_pixel) { case 1: memset(dst, 0, row_size); From 3b18d820cc10e87d0e1453ffe51bd55501c665d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Apr 2012 17:53:17 +0200 Subject: [PATCH 0871/1119] Changelog, delete, its too inaccurate, git log is better. Signed-off-by: Michael Niedermayer --- Changelog | 816 ------------------------------------------------------ 1 file changed, 816 deletions(-) delete mode 100644 Changelog diff --git a/Changelog b/Changelog deleted file mode 100644 index 425f6e2b96..0000000000 --- a/Changelog +++ /dev/null @@ -1,816 +0,0 @@ -Entries are sorted chronologically from oldest to youngest within each release, -releases are sorted from youngest to oldest. - -version 0.7.5: - -Security updates: - -- kgv1dec: Increase offsets array size so it is large enough. (CVE-2011-3945) -- mjpegbdec: Fix overflow in SOS. (CVE-2011-3947) -- shorten: Use separate pointers for the allocated memory for decoded samples. (CVE-2012-0858) -- atrac3: Fix crash in tonal component decoding. (CVE-2012-0853) -- ws_snd1: Fix wrong samples count and crash. (CVE-2012-0848) -- h263dec: Disallow width/height changing with frame threads. (CVE-2011-3937) -- dv: Several bugfixes (CVE-2011-3929 and CVE-2011-3936) -- nsvdec: Several bugfixes (CVE-2011-3940) - -Further bugfixes in the following codecs: - - 4xm, AAC, AC3, ADPCM.C, ALS, ANM, AVS, Atrac3, Bink, Bitmap Brothers - JV, COOK, CamStudio, Cinepak, DCA, DSI CIN, EA CMV, FLAC, Fraps FPS1, - H263, H264, Huffyuv, KMVC, Kega Game Video, LCL, MJPEG, MPEG1/2 - encoder, Motion Pixels, Musepack SV7, Musepack SV8, Nellymoser, QCELP, - QDM2, QT RPZA, QT SVQ3, Qt RLE, QuickDraw, RAW, RV10, RV34, SIPR, - Shorten, Smacker, SubRib, TIFF, Tiertex Limited SEQ, Truemotion2, - V.Flash PTX, VC1, VMware Screen Codec, VP5, VP6, VP8, Vorbis, WMA, WMA - PRO, WMA Voice.c, Wavpack, Westwood SNDx, Wing Commander/Xan - -Further bugfixes in the following formats - - 4xm, ASF, AVS, DV, FLV, Matroska, Musepack SV8, MPEG, MXF, NSV, RM, - Segafilm, Smacker, Sierra SOL, SWF - -Further bugfixes in the following filters included in libavfilter: - - avfiltergraph: use meaningful error codes - lavfi: fix realloc size computation in avfilter_add_format() - vf_unsharp: fix out-of-buffer read - vf_scale: apply the same transform to the aspect during init that is applied per frame - vf_pad: fix "vsub" variable value computation - vf_yadif: correct documentation on the parity parameter - vf_yadif: copy buffer properties like aspect for second frame as well - -Libswscale updates: - - fix another integer overflow. - take first/lastline over/underflows into account for MMX. - fix overflows in filterPos[] calculation for large sizes. - enforce a minimum filtersize. - - -version 0.7.4: - -- vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895) -- vorbisdec: Fix decoding bug with channel handling. -- matroskadec: Fix a bug where a pointer was cached to an array that might - later move due to a realloc(). (CVE-2011-3893) -- vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893) -- vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892) -- avserver: Fix a bug where the socket is IPv4, but IPv6 is autoselected - for the loopback address. -- vp3: fix streams with non-zero last coefficient. -- swscale: fix crash in fast_bilinear code when compiled with -mred-zone. - - -version 0.7.3: - -- check buffer and input values in various parts of the code: - vmd (CVE-2011-4364), qdm2 (CVE-2011-4351), imgutils (several codecs), - vp6 (CVE-2011-4353), svq1 (CVE-2011-4579), vp3 (CVE-2011-4352), wma, 4xm -- backport avcodec_open2() as a replacement for avcodec_open() -- backport avformat_find_stream_info() - - -version 0.7.2: - -- check buffer and input values in various parts of the code: - H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV, - cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf, - Matroska (CVE-2011-3504), RV10, RV30/RV40 -- memory leaks: vf_scale, eval - -- ARM: workaround for bug in GNU assembler -- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28) -- Reintroduce AVInputStream.nb_streams to avoid crashes -- aac: Only output configure if audio was found -- aac: Remove some suspicious illegal memcpy()s from LTP -- aacps: skip some memcpy() if src and dst would be equal -- adts: fix PCE copying -- alsa: fallback to buffer_size/4 for period_size -- alsa: limit buffer_size to 32768 frames -- cljr, indeo2: init_get_bits size in bits instead of bytes -- configure: add missing CFLAGS to fix building on the HURD -- dca: set AVCodecContext frame_size for DTS audio -- fate: allow testing with libavfilter disabled -- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps -- h264: correct implicit weight table computation for long ref pics -- h264: correct the check for invalid long term frame index in MMCO decode -- h264: fix PCM intra-coded blocks in monochrome case -- jpegdec: actually search for and parse RSTn -- lavc: fix type for thread_type option -- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails -- lavf: do not set codec_tag for rawvideo -- libx264: do not set pic quality if no frame is output -- movenc: create an alternate group for each media type -- mpegts: fix Continuity Counter error detection -- mxfenc: fix ignored drop flag in binary timecode representation -- fix crashes in 32-bit PIC builds (cf e.g. http://bugs.debian.org/639948) -- ppc64: fix cast related random failures -- riff: Add mpgv MPEG-2 fourcc -- swscale: don't use planar output functions to write to NV12/21 -- vc1: properly zero coded_block[] edges on new slice entry -- vp3/theora: flush after seek - -- various bug other fixes - - -version 0.7.1: - -- added various additional FOURCC codec identifiers -- H.264 4:4:4 fixes -- build system and compilation fixes -- Doxygen and general documentation corrections and improvements -- fixed segfault in ffprobe -- behavioral fix in av_open_input_stream() -- Licensing clarification for LGPL'ed vf_gradfun -- bugfixes while seeking in multithreaded decoding -- support newer versions of OpenCV -- ffmpeg: fix operation with --disable-avfilter -- fixed integer underflow in matroska decoder - - -version 0.7: - -- E-AC-3 audio encoder -- ac3enc: add channel coupling support -- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders -- H.264/MPEG frame-level multithreading -- av_metadata_* functions renamed to av_dict_* and moved to libavutil -- 4:4:4 H.264 decoding support -- 10-bit H.264 optimizations for x86 -- bump libswscale for recently reported ABI break - - -version 0.7_beta2: - -- VP8 frame-level multithreading -- NEON optimizations for VP8 -- removed a lot of deprecated API cruft -- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors -- DPX image encoder -- SMPTE 302M AES3 audio decoder -- ffmpeg no longer quits after the 'q' key is pressed; use 'ctrl+c' instead -- 9bit and 10bit per sample support in the H.264 decoder - - -version 0.7_beta1: - -- WebM support in Matroska de/muxer -- low overhead Ogg muxing -- MMS-TCP support -- VP8 de/encoding via libvpx -- Demuxer for On2's IVF format -- Pictor/PC Paint decoder -- HE-AAC v2 decoder -- libfaad2 wrapper removed -- DTS-ES extension (XCh) decoding support -- native VP8 decoder -- RTSP tunneling over HTTP -- RTP depacketization of SVQ3 -- -strict inofficial replaced by -strict unofficial -- ffplay -exitonkeydown and -exitonmousedown options added -- native GSM / GSM MS decoder -- RTP depacketization of QDM2 -- ANSI/ASCII art playback system -- Lego Mindstorms RSO de/muxer -- SubRip subtitle file muxer and demuxer -- Chinese AVS encoding via libxavs -- ffprobe -show_packets option added -- RTP packetization of Theora and Vorbis -- RTP depacketization of MP4A-LATM -- RTP packetization and depacketization of VP8 -- hflip filter -- Apple HTTP Live Streaming demuxer -- a64 codec -- MMS-HTTP support -- G.722 ADPCM audio encoder/decoder -- R10k video decoder -- ocv_smooth filter -- frei0r wrapper filter -- change crop filter syntax to width:height:x:y -- make the crop filter accept parametric expressions -- make ffprobe accept AVFormatContext options -- yadif filter -- blackframe filter -- Demuxer for Leitch/Harris' VR native stream format (LXF) -- RTP depacketization of the X-QT QuickTime format -- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer -- cropdetect filter -- ffmpeg -crop* options removed -- transpose filter added -- ffmpeg -force_key_frames option added -- demuxer for receiving raw rtp:// URLs without an SDP description -- single stream LATM/LOAS decoder -- setpts filter added -- Win64 support for optimized x86 assembly functions -- MJPEG/AVI1 to JPEG/JFIF bitstream filter -- ASS subtitle encoder and decoder -- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough) -- overlay filter added -- rename aspect filter to setdar, and pixelaspect to setsar -- IEC 61937 demuxer -- Mobotix .mxg demuxer -- frei0r source added -- hqdn3d filter added -- RTP depacketization of QCELP -- FLAC parser added -- gradfun filter added -- AMR-WB decoder -- replace the ocv_smooth filter with a more generic ocv filter -- Windows Televison (WTV) demuxer -- FFmpeg metadata format muxer and demuxer -- SubRip (srt) subtitle decoder -- floating-point AC-3 encoder added -- Lagarith decoder -- ffmpeg -copytb option added -- IVF muxer added -- Wing Commander IV movies decoder added -- movie source added -- Bink version 'b' audio and video decoder -- Bitmap Brothers JV playback system -- Apple HTTP Live Streaming protocol handler -- sndio support for playback and record -- Linux framebuffer input device added -- Chronomaster DFA decoder -- Mobotix MxPEG decoder -- AAC encoding via libvo-aacenc -- AMR-WB encoding via libvo-amrwbenc -- xWMA demuxer -- fieldorder video filter added - - -version 0.6: - -- PB-frame decoding for H.263 -- deprecated vhook subsystem removed -- deprecated old scaler removed -- VQF demuxer -- Alpha channel scaler -- PCX encoder -- RTP packetization of H.263 -- RTP packetization of AMR -- RTP depacketization of Vorbis -- CorePNG decoding support -- Cook multichannel decoding support -- introduced avlanguage helpers in libavformat -- 8088flex TMV demuxer and decoder -- per-stream language-tags extraction in asfdec -- V210 decoder and encoder -- remaining GPL parts in AC-3 decoder converted to LGPL -- QCP demuxer -- SoX native format muxer and demuxer -- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries -- DPX image decoder -- Electronic Arts Madcow decoder -- DivX (XSUB) subtitle encoder -- nonfree libamr support for AMR-NB/WB decoding/encoding removed -- experimental AAC encoder -- RTP depacketization of ASF and RTSP from WMS servers -- RTMP support in libavformat -- noX handling for OPT_BOOL X options -- Wave64 demuxer -- IEC-61937 compatible Muxer -- TwinVQ decoder -- Bluray (PGS) subtitle decoder -- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks) -- WMA Pro decoder -- Core Audio Format demuxer -- Atrac1 decoder -- MD STUDIO audio demuxer -- RF64 support in WAV demuxer -- MPEG-4 Audio Lossless Coding (ALS) decoder -- -formats option split into -formats, -codecs, -bsfs, and -protocols -- IV8 demuxer -- CDG demuxer and decoder -- R210 decoder -- Auravision Aura 1 and 2 decoders -- Deluxe Paint Animation playback system -- SIPR decoder -- Adobe Filmstrip muxer and demuxer -- RTP depacketization of H.263 -- Bink demuxer and audio/video decoders -- enable symbol versioning by default for linkers that support it -- IFF PBM/ILBM bitmap decoder -- concat protocol -- Indeo 5 decoder -- RTP depacketization of AMR -- WMA Voice decoder -- ffprobe tool -- AMR-NB decoder -- RTSP muxer -- HE-AAC v1 decoder -- Kega Game Video (KGV1) decoder -- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files -- RTP depacketization of Theora -- HTTP Digest authentication -- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp -- Psygnosis YOP demuxer and video decoder -- spectral extension support in the E-AC-3 decoder -- unsharp video filter -- RTP hinting in the mov/3gp/mp4 muxer -- Dirac in Ogg demuxing -- seek to keyframes in Ogg -- 4:2:2 and 4:4:4 Theora decoding -- 35% faster VP3/Theora decoding -- faster AAC decoding -- faster H.264 decoding -- RealAudio 1.0 (14.4K) encoder - - -version 0.5: - -- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer -- TechSmith Camtasia (TSCC) video decoder -- IBM Ultimotion (ULTI) video decoder -- Sierra Online audio file demuxer and decoder -- Apple QuickDraw (qdrw) video decoder -- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes) -- Electronic Arts Multimedia (WVE/UV2/etc.) file demuxer -- Miro VideoXL (VIXL) video decoder -- H.261 video encoder -- QPEG video decoder -- Nullsoft Video (NSV) file demuxer -- Shorten audio decoder -- LOCO video decoder -- Apple Lossless Audio Codec (ALAC) decoder -- Winnov WNV1 video decoder -- Autodesk Animator Studio Codec (AASC) decoder -- Indeo 2 video decoder -- Fraps FPS1 video decoder -- Snow video encoder/decoder -- Sonic audio encoder/decoder -- Vorbis audio decoder -- Macromedia ADPCM decoder -- Duck TrueMotion 2 video decoder -- support for decoding FLX and DTA extensions in FLIC files -- H.264 custom quantization matrices support -- ffserver fixed, it should now be usable again -- QDM2 audio decoder -- Real Cooker audio decoder -- TrueSpeech audio decoder -- WMA2 audio decoder fixed, now all files should play correctly -- RealAudio 14.4 and 28.8 decoders fixed -- JPEG-LS decoder -- build system improvements -- tabs and trailing whitespace removed from the codebase -- CamStudio video decoder -- AIFF/AIFF-C audio format, encoding and decoding -- ADTS AAC file reading and writing -- Creative VOC file reading and writing -- American Laser Games multimedia (*.mm) playback system -- Zip Motion Blocks Video decoder -- improved Theora/VP3 decoder -- True Audio (TTA) decoder -- AVS demuxer and video decoder -- JPEG-LS encoder -- Smacker demuxer and decoder -- NuppelVideo/MythTV demuxer and RTjpeg decoder -- KMVC decoder -- MPEG-2 intra VLC support -- MPEG-2 4:2:2 encoder -- Flash Screen Video decoder -- GXF demuxer -- Chinese AVS decoder -- GXF muxer -- MXF demuxer -- VC-1/WMV3/WMV9 video decoder -- MacIntel support -- AVISynth support -- VMware video decoder -- VP5 video decoder -- VP6 video decoder -- WavPack lossless audio decoder -- Targa (.TGA) picture decoder -- Vorbis audio encoder -- Delphine Software .cin demuxer/audio and video decoder -- Tiertex .seq demuxer/video decoder -- MTV demuxer -- TIFF picture encoder and decoder -- GIF picture decoder -- Intel Music Coder decoder -- Zip Motion Blocks Video encoder -- Musepack decoder -- Flash Screen Video encoder -- Theora encoding via libtheora -- BMP encoder -- WMA encoder -- GSM-MS encoder and decoder -- DCA decoder -- DXA demuxer and decoder -- DNxHD decoder -- Gamecube movie (.THP) playback system -- Blackfin optimizations -- Interplay C93 demuxer and video decoder -- Bethsoft VID demuxer and video decoder -- CRYO APC demuxer -- Atrac3 decoder -- V.Flash PTX decoder -- RoQ muxer, RoQ audio encoder -- Renderware TXD demuxer and decoder -- extern C declarations for C++ removed from headers -- sws_flags command line option -- codebook generator -- RoQ video encoder -- QTRLE encoder -- OS/2 support removed and restored again -- AC-3 decoder -- NUT muxer -- additional SPARC (VIS) optimizations -- Matroska muxer -- slice-based parallel H.264 decoding -- Monkey's Audio demuxer and decoder -- AMV audio and video decoder -- DNxHD encoder -- H.264 PAFF decoding -- Nellymoser ASAO decoder -- Beam Software SIFF demuxer and decoder -- libvorbis Vorbis decoding removed in favor of native decoder -- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1 -- Ogg (Theora, Vorbis and FLAC) muxer -- The "device" muxers and demuxers are now in a new libavdevice library -- PC Paintbrush PCX decoder -- Sun Rasterfile decoder -- TechnoTrend PVA demuxer -- Linux Media Labs MPEG-4 (LMLM4) demuxer -- AVM2 (Flash 9) SWF muxer -- QT variant of IMA ADPCM encoder -- VFW grabber -- iPod/iPhone compatible mp4 muxer -- Mimic decoder -- MSN TCP Webcam stream demuxer -- RL2 demuxer / decoder -- IFF demuxer -- 8SVX audio decoder -- non-recursive Makefiles -- BFI demuxer -- MAXIS EA XA (.xa) demuxer / decoder -- BFI video decoder -- OMA demuxer -- MLP/TrueHD decoder -- Electronic Arts CMV decoder -- Motion Pixels Video decoder -- Motion Pixels MVI demuxer -- removed animated GIF decoder/demuxer -- D-Cinema audio muxer -- Electronic Arts TGV decoder -- Apple Lossless Audio Codec (ALAC) encoder -- AAC decoder -- floating point PCM encoder/decoder -- MXF muxer -- DV100 AKA DVCPRO HD decoder and demuxer -- E-AC-3 support added to AC-3 decoder -- Nellymoser ASAO encoder -- ASS and SSA demuxer and muxer -- liba52 wrapper removed -- SVQ3 watermark decoding support -- Speex decoding via libspeex -- Electronic Arts TGQ decoder -- RV40 decoder -- QCELP / PureVoice decoder -- RV30 decoder -- hybrid WavPack support -- R3D REDCODE demuxer -- ALSA support for playback and record -- Electronic Arts TQI decoder -- OpenJPEG based JPEG 2000 decoder -- NC (NC4600) camera file demuxer -- Gopher client support -- MXF D-10 muxer -- generic metadata API - - -version 0.4.9-pre1: - -- DV encoder, DV muxer -- Microsoft RLE video decoder -- Microsoft Video-1 decoder -- Apple Animation (RLE) decoder -- Apple Graphics (SMC) decoder -- Apple Video (RPZA) decoder -- Cinepak decoder -- Sega FILM (CPK) file demuxer -- Westwood multimedia support (VQA & AUD files) -- Id Quake II CIN playback support -- 8BPS video decoder -- FLIC playback support -- RealVideo 2.0 (RV20) decoder -- Duck TrueMotion v1 (DUCK) video decoder -- Sierra VMD demuxer and video decoder -- MSZH and ZLIB decoder support -- SVQ1 video encoder -- AMR-WB support -- PPC optimizations -- rate distortion optimal cbp support -- rate distorted optimal ac prediction for MPEG-4 -- rate distorted optimal lambda->qp support -- AAC encoding with libfaac -- Sunplus JPEG codec (SP5X) support -- use Lagrange multipler instead of QP for ratecontrol -- Theora/VP3 decoding support -- XA and ADX ADPCM codecs -- export MPEG-2 active display area / pan scan -- Add support for configuring with IBM XLC -- floating point AAN DCT -- initial support for zygo video (not complete) -- RGB ffv1 support -- new audio/video parser API -- av_log() system -- av_read_frame() and av_seek_frame() support -- missing last frame fixes -- seek by mouse in ffplay -- noise reduction of DCT coefficients -- H.263 OBMC & 4MV support -- H.263 alternative inter vlc support -- H.263 loop filter -- H.263 slice structured mode -- interlaced DCT support for MPEG-2 encoding -- stuffing to stay above min_bitrate -- MB type & QP visualization -- frame stepping for ffplay -- interlaced motion estimation -- alternate scantable support -- SVCD scan offset support -- closed GOP support -- SSE2 FDCT -- quantizer noise shaping -- G.726 ADPCM audio codec -- MS ADPCM encoding -- multithreaded/SMP motion estimation -- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263 -- multithreaded/SMP decoding for MPEG-2 -- FLAC decoder -- Metrowerks CodeWarrior suppport -- H.263+ custom pcf support -- nicer output for 'ffmpeg -formats' -- Matroska demuxer -- SGI image format, encoding and decoding -- H.264 loop filter support -- H.264 CABAC support -- nicer looking arrows for the motion vector visualization -- improved VCD support -- audio timestamp drift compensation -- MPEG-2 YUV 422/444 support -- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample -- better image scaling -- H.261 support -- correctly interleave packets during encoding -- VIS optimized motion compensation -- intra_dc_precision>0 encoding support -- support reuse of motion vectors/MB types/field select values of the source video -- more accurate deblock filter -- padding support -- many optimizations and bugfixes -- FunCom ISS audio file demuxer and according ADPCM decoding - - -version 0.4.8: - -- MPEG-2 video encoding (Michael) -- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson) -- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson - and Mario Brito) -- Xan DPCM audio decoder (Mario Brito) -- Interplay MVE playback subsystem (Mike Melanson) -- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson) - - -version 0.4.7: - -- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. Author unknown, code from mplayerhq - (originally from public domain player for Amiga at http://www.honeypot.net/audio) -- current version now also compiles with older GCC (Fabrice) -- 4X multimedia playback system including 4xm file demuxer (Mike - Melanson), and 4X video and audio codecs (Michael) -- Creative YUV (CYUV) decoder (Mike Melanson) -- FFV1 codec (our very simple lossless intra only codec, compresses much better - than HuffYUV) (Michael) -- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various) -- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with - alpha support), JPEG YUV colorspace support. (Fabrice Bellard) -- ffplay has been replaced with a newer version which uses SDL (optionally) - for multiplatform support (Fabrice) -- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated - by anonymous -- AMR format has been added (Johannes Carlsson) -- 3GP support has been added (Johannes Carlsson) -- VP3 codec has been added (Mike Melanson) -- more MPEG-1/2 fixes -- better multiplatform support, MS Visual Studio fixes (various) -- AltiVec optimizations (Magnus Damn and others) -- SH4 processor support has been added (BERO) -- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick) -- VOB streaming support (Brian Foley) -- better MP3 autodetection (Andriy Rysin) -- qpel encoding (Michael) -- 4mv+b frames encoding finally fixed (Michael) -- chroma ME (Michael) -- 5 comparison functions for ME (Michael) -- B-frame encoding speedup (Michael) -- WMV2 codec (unfinished - Michael) -- user specified diamond size for EPZS (Michael) -- Playstation STR playback subsystem, still experimental (Mike and Michael) -- ASV2 codec (Michael) -- CLJR decoder (Alex) - -.. And lots more new enhancements and fixes. - - -version 0.4.6: - -- completely new integer only MPEG audio layer 1/2/3 decoder rewritten - from scratch -- Recoded DCT and motion vector search with gcc (no longer depends on nasm) -- fix quantization bug in AC3 encoder -- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues -- added prototype ffplay program -- added GOB header parsing on H.263/H.263+ decoder (Juanjo) -- bug fix on MCBPC tables of H.263 (Juanjo) -- bug fix on DC coefficients of H.263 (Juanjo) -- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo) -- now we can decode H.263 streams found in QuickTime files (Juanjo) -- now we can decode H.263 streams found in VIVO v1 files(Juanjo) -- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo) -- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo) -- now H.263 picture size is returned on the first decoded frame (Juanjo) -- added first regression tests -- added MPEG-2 TS demuxer -- new demux API for libav -- more accurate and faster IDCT (Michael) -- faster and entropy-controlled motion search (Michael) -- two pass video encoding (Michael) -- new video rate control (Michael) -- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael) -- great performance improvement of video encoders and decoders (Michael) -- new and faster bit readers and vlc parsers (Michael) -- high quality encoding mode: tries all macroblock/VLC types (Michael) -- added DV video decoder -- preliminary RTP/RTSP support in ffserver and libavformat -- H.263+ AIC decoding/encoding support (Juanjo) -- VCD MPEG-PS mode (Juanjo) -- PSNR stuff (Juanjo) -- simple stats output (Juanjo) -- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit) - - -version 0.4.5: - -- some header fixes (Zdenek Kabelac ) -- many MMX optimizations (Nick Kurshev ) -- added configure system (actually a small shell script) -- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by - Michael Hipp (temporary solution - waiting for integer only - decoder) -- fixed VIDIOCSYNC interrupt -- added Intel H.263 decoding support ('I263' AVI fourCC) -- added Real Video 1.0 decoding (needs further testing) -- simplified image formats again. Added PGM format (=grey - pgm). Renamed old PGM to PGMYUV. -- fixed msmpeg4 slice issues (tell me if you still find problems) -- fixed OpenDivX bugs with newer versions (added VOL header decoding) -- added support for MPlayer interface -- added macroblock skip optimization -- added MJPEG decoder -- added mmx/mmxext IDCT from libmpeg2 -- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer - ) -- added pixel format conversion layer (e.g. for MJPEG or PPM) -- added deinterlacing option -- MPEG-1/2 fixes -- MPEG-4 vol header fixes (Jonathan Marsden ) -- ARM optimizations (Lionel Ulmer ). -- Windows porting of file converter -- added MJPEG raw format (input/ouput) -- added JPEG image format support (input/output) - - -version 0.4.4: - -- fixed some std header definitions (Bjorn Lindgren - ). -- added MPEG demuxer (MPEG-1 and 2 compatible). -- added ASF demuxer -- added prototype RM demuxer -- added AC3 decoding (done with libac3 by Aaron Holtzman) -- added decoding codec parameter guessing (.e.g. for MPEG, because the - header does not include them) -- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now - play them (only tested video) -- fixed H.263 white bug -- fixed phase rounding in img resample filter -- add MMX code for polyphase img resample filter -- added CPU autodetection -- added generic title/author/copyright/comment string handling (ASF and RM - use them) -- added SWF demux to extract MP3 track (not usable yet because no MP3 - decoder) -- added fractional frame rate support -- codecs are no longer searched by read_header() (should fix ffserver - segfault) - - -version 0.4.3: - -- BGR24 patch (initial patch by Jeroen Vreeken ) -- fixed raw yuv output -- added motion rounding support in MPEG-4 -- fixed motion bug rounding in MSMPEG4 -- added B-frame handling in video core -- added full MPEG-1 decoding support -- added partial (frame only) MPEG-2 support -- changed the FOURCC code for H.263 to "U263" to be able to see the - +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with - this +codec ;) (JuanJo). -- Halfpel motion estimation after MB type selection (JuanJo) -- added pgm and .Y.U.V output format -- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or - output. -- added pgmpipe I/O format (original patch from Martin Aumueller - , but changed completely since we use a format - instead of a protocol) - - -version 0.4.2: - -- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support - (for OpenDivX) is almost complete: 8x8 MVs and rounding are - missing. MSMPEG4 support is complete. -- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it - can decode ffmpeg MPEGs :-)). -- added libavcodec API documentation (see apiexample.c). -- fixed image polyphase bug (the bottom of some images could be - greenish) -- added support for non clipped motion vectors (decoding only) - and image sizes non-multiple of 16 -- added support for AC prediction (decoding only) -- added file overwrite confirmation (can be disabled with -y) -- added custom size picture to H.263 using H.263+ (Juanjo) - - -version 0.4.1: - -- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec - of AVI and ASF to DIV3. -- added -me option to set motion estimation method - (default=log). suppressed redundant -hq option. -- added options -acodec and -vcodec to force a given codec (useful for - AVI for example) -- fixed -an option -- improved dct_quantize speed -- factorized some motion estimation code - - -version 0.4.0: - -- removing grab code from ffserver and moved it to ffmpeg. Added - multistream support to ffmpeg. -- added timeshifting support for live feeds (option ?date=xxx in the - URL) -- added high quality image resize code with polyphase filter (need - mmx/see optimization). Enable multiple image size support in ffserver. -- added multi live feed support in ffserver -- suppressed master feature from ffserver (it should be done with an - external program which opens the .ffm url and writes it to another - ffserver) -- added preliminary support for video stream parsing (WAV and AVI half - done). Added proper support for audio/video file conversion in - ffmpeg. -- added preliminary support for video file sending from ffserver -- redesigning I/O subsystem: now using URL based input and output - (see avio.h) -- added WAV format support -- added "tty user interface" to ffmpeg to stop grabbing gracefully -- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences) - (Juan J. Sierralta P. a.k.a. "Juanjo" ) -- added MMX DCT from mpeg2_movie 1.5 (Juanjo) -- added new motion estimation algorithms, log and phods (Juanjo) -- changed directories: libav for format handling, libavcodec for - codecs - - -version 0.3.4: - -- added stereo in MPEG audio encoder - - -version 0.3.3: - -- added 'high quality' mode which use motion vectors. It can be used in - real time at low resolution. -- fixed rounding problems which caused quality problems at high - bitrates and large GOP size - - -version 0.3.2: small fixes - -- ASF fixes -- put_seek bug fix - - -version 0.3.1: added avi/divx support - -- added AVI support -- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec -- added sound for flash format (not tested) - - -version 0.3: initial public release From e05fd37e028aae55abe9725a18bea9c83e63bcfa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Apr 2012 18:49:11 +0200 Subject: [PATCH 0872/1119] Update for 0.7.12 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 1534700d53..9e056efe7e 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.11 +PROJECT_NUMBER = 0.7.12 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index b4d6d12101..88a7b22857 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.11 +0.7.12 diff --git a/VERSION b/VERSION index b4d6d12101..88a7b22857 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.11 +0.7.12 From 4169912f3969f9207c3a5fefdf1b7a4185edb1c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Apr 2012 18:49:50 +0200 Subject: [PATCH 0873/1119] Update for 0.8.11 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 722a86058c..d60e276989 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.10 +PROJECT_NUMBER = 0.8.11 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index ef50561618..83ce05d72f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.10 +0.8.11 diff --git a/VERSION b/VERSION index ef50561618..83ce05d72f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.10 +0.8.11 From 26ac878cc206462de307d85466bc43972e264aee Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 16:37:09 -0700 Subject: [PATCH 0874/1119] h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler (cherry picked from commit 746f1594d71dece6fd6f786447e19be9c200a07d) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 4 ++-- libavcodec/h264_ps.c | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f1ccc8af38..beb89a07e1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2602,9 +2602,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { - if(h != h0) { + if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) { av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0); - return -1; // width / height changed during parallelized decoding + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } free_tables(h, 0); flush_dpb(s->avctx); diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 677ca80abb..fe988e9e78 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -467,6 +467,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){ if(pps_id >= MAX_PPS_COUNT) { av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); return -1; + } else if (h->sps.bit_depth_luma > 10) { + av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma); + return AVERROR_PATCHWELCOME; } pps= av_mallocz(sizeof(PPS)); From 3fc967f6c7ab2a21e9e4cca93487286b431cd64a Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 12:24:10 -0700 Subject: [PATCH 0875/1119] h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080) Signed-off-by: Reinhard Tartler (cherry picked from commit 7fe4c8cb761b0fc8685dacf9f187311b9d124a52) Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index abdaf2bf24..021e172c68 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -426,6 +426,13 @@ retry: if (ret < 0){ av_log(s->avctx, AV_LOG_ERROR, "header damaged\n"); return -1; + } else if ((s->width != avctx->coded_width || + s->height != avctx->coded_height || + (s->width + 15) >> 4 != s->mb_width || + (s->height + 15) >> 4 != s->mb_height) && + (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } avctx->has_b_frames= !s->low_delay; @@ -567,11 +574,6 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat - if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { - av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); - return -1; // width / height changed during parallelized decoding - } - s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From 50073e2395522b6e2b8698ff0dd06ffaf8cbf8ce Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 2 May 2012 12:08:03 -0700 Subject: [PATCH 0876/1119] motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e) Signed-off-by: Reinhard Tartler (cherry picked from commit aaa6a666774eb02c351c84e80622a5c69e9b642e) Signed-off-by: Reinhard Tartler --- libavcodec/motionpixels.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 23433a1caf..fd37622603 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -190,10 +190,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y) p = mp_get_yuv_from_rgb(mp, x - 1, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((x & 3) == 0) { if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p; } else { p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v; @@ -217,9 +220,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) p = mp_get_yuv_from_rgb(mp, 0, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); } mp->vpt[y] = p; mp_set_rgb_from_yuv(mp, 0, y, &p); From 08c81f7365af96c1655767e68d6ec85bea50600c Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 4 May 2012 10:27:03 -0700 Subject: [PATCH 0877/1119] celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b) Signed-off-by: Reinhard Tartler (cherry picked from commit 9ea94c44b1b414ab3bc6e9220ebb77621423ca38) Signed-off-by: Reinhard Tartler --- libavcodec/celp_filters.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index 25a6744b04..849cda439e 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, out2 -= val * old_out2; out3 -= val * old_out3; - old_out3 = out[-5]; - for (i = 5; i <= filter_length; i += 2) { + old_out3 = out[-i]; val = filter_coeffs[i-1]; out0 -= val * old_out3; @@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, FFSWAP(float, old_out0, old_out2); old_out1 = old_out3; - old_out3 = out[-i-2]; } tmp0 = out0; From c71c77e56fcc6d469d45e1c8ce04aa053124d3f8 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 23 Apr 2012 13:16:33 +0100 Subject: [PATCH 0878/1119] vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. Signed-off-by: Mans Rullgard (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler (cherry picked from commit d5207e2af81580dd5e6277b354c8b459c3624f26) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index caffddbfa4..81b08d11a8 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -155,6 +155,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); From 3313f31f012a434a7c7aac6cb2c554d5cbac88fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Feb 2012 13:35:10 -0800 Subject: [PATCH 0879/1119] h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse Signed-off-by: Reinhard Tartler (cherry picked from commit 4be63587e110c05cda3101abf2e3745d919f3fae) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 021e172c68..15fc724e54 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -574,6 +574,11 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat + if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return -1; // width / height changed during parallelized decoding + } + s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From b581580bd1cc8506befa65b0a5c9ae429240f21f Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Thu, 5 Jan 2012 20:50:55 +0100 Subject: [PATCH 0880/1119] adpcm: ADPCM Electronic Arts has always two channels Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Adresses CVE-2012-0852 (cherry picked from commit bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716) Conflicts: libavcodec/adpcm.c Signed-off-by: Reinhard Tartler --- libavcodec/adpcm.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 069690a64a..4384e1dcee 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -744,9 +744,13 @@ static int adpcm_encode_frame(AVCodecContext *avctx, static av_cold int adpcm_decode_init(AVCodecContext * avctx) { ADPCMContext *c = avctx->priv_data; + unsigned int min_channels = 1; unsigned int max_channels = 2; switch(avctx->codec->id) { + case CODEC_ID_ADPCM_EA: + min_channels = 2; + break; case CODEC_ID_ADPCM_EA_R1: case CODEC_ID_ADPCM_EA_R2: case CODEC_ID_ADPCM_EA_R3: @@ -754,8 +758,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) max_channels = 6; break; } - if(avctx->channels > max_channels){ - return -1; + + if (avctx->channels < min_channels || avctx->channels > max_channels) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR(EINVAL); } switch(avctx->codec->id) { From c5f7c755cfccd7aa01010a2d566104c2b0fa6d86 Mon Sep 17 00:00:00 2001 From: Alexander Strange Date: Sat, 24 Mar 2012 17:32:14 -0400 Subject: [PATCH 0881/1119] h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler (cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index fe988e9e78..9eeff59762 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -329,8 +329,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->profile_idc >= 100){ //high profile sps->chroma_format_idc= get_ue_golomb_31(&s->gb); - if(sps->chroma_format_idc == 3) + if(sps->chroma_format_idc > 3) { + av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); + return -1; + } else if(sps->chroma_format_idc == 3) { sps->residual_color_transform_flag = get_bits1(&s->gb); + } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; sps->transform_bypass = get_bits1(&s->gb); From 2f2fd8c6d1c51a6b817e6c0bc4eff308b8f9cd18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Dec 2011 04:13:37 +0100 Subject: [PATCH 0882/1119] tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer Signed-off-by: Reinhard Tartler (cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f) (cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c) Signed-off-by: Reinhard Tartler (cherry picked from commit 5872580e65aab026b77754eb184f97ba7cc6ea35) Signed-off-by: Reinhard Tartler --- libavcodec/eatqi.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index aa96437013..6c5604820a 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -59,12 +59,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx) return 0; } -static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) +static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) { int n; s->dsp.clear_blocks(block[0]); for (n=0; n<6; n++) - ff_mpeg1_decode_block_intra(s, block[n], n); + if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0) + return -1; + + return 0; } static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64]) @@ -136,7 +139,8 @@ static int tqi_decode_frame(AVCodecContext *avctx, for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++) for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++) { - tqi_decode_mb(s, t->block); + if (tqi_decode_mb(s, t->block) < 0) + break; tqi_idct_put(t, t->block); } From 654b24f68a803fbc85764899a07294483dccf54f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 17 Feb 2012 14:13:40 -0800 Subject: [PATCH 0883/1119] dpcm: ignore extra unpaired bytes in stereo streams. Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e) (cherry picked from commit eaeaeb265fe46e1d81452960de918227541873b4) Conflicts: libavcodec/dpcm.c Signed-off-by: Reinhard Tartler --- libavcodec/dpcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index af5bf8abea..9cf924821a 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -169,6 +169,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, int in, out = 0; int predictor[2]; int channel_number = 0; + int stereo = s->channels - 1; short *output_samples = data; int shift[2]; unsigned char byte; @@ -177,6 +178,9 @@ static int dpcm_decode_frame(AVCodecContext *avctx, if (!buf_size) return 0; + if (stereo && (buf_size & 1)) + buf_size--; + // almost every DPCM variant expands one byte of data into two if(*data_size/2 < buf_size) return -1; @@ -295,7 +299,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, } *data_size = out * sizeof(short); - return buf_size; + return avpkt->size; } #define DPCM_DECODER(id, name, long_name_) \ From b15e85d8207bf644e5fc8837b4fad2ae3f33d021 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Sep 2011 14:12:42 +0200 Subject: [PATCH 0884/1119] rtpdec_asf: Fix integer underflow that could allow remote code execution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes MSVR-11-0088 Fixes CVE-2011-4031 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer Signed-off-by: Martin Storsjö (cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b) Signed-off-by: Reinhard Tartler --- libavformat/rtpdec_asf.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 287025f377..9d8c87b889 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int cur_len = start_off + len_off - off; int prev_len = out_len; + void *newmem; out_len += cur_len; - asf->buf = av_realloc(asf->buf, out_len); + if (FFMIN(cur_len, len - off) < 0) + return -1; + newmem = av_realloc(asf->buf, out_len); + if (!newmem) + return -1; + asf->buf = newmem; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); From d87997b56f2725dc33ba262d895060a29ba5000d Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 10 Jan 2012 13:07:09 -0800 Subject: [PATCH 0885/1119] aacsbr: prevent out of bounds memcpy(). Fixes Libav Bug 195. Fixes CVE-2012-0850 This doesn't make the code handle sample rate or upsample/downsample change properly but this is still a good sanity check. Based on change by Michael Niedermayer. Signed-off-by: Alex Converse (cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18) Signed-off-by: Reinhard Tartler --- libavcodec/aacsbr.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 81b0b4c001..0bfcabb06b 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1181,14 +1181,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, { int i, n; const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; + const int step = 128 >> div; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < step) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); - *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); + *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step; } else { - *v_off -= 128 >> div; + *v_off -= step; } v = v0 + *v_off; if (div) { From 75d8cccf0efb95c8a43b2a84f18013600eed877f Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:30:49 +0100 Subject: [PATCH 0886/1119] kmvc: Check palsize. Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer (cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b) (cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c) Signed-off-by: Reinhard Tartler --- libavcodec/kmvc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 033d3d7998..ff83b86ddf 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -33,6 +33,7 @@ #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 #define KMVC_METHOD 0x0F +#define MAX_PALSIZE 256 /* * Decoder context @@ -43,7 +44,7 @@ typedef struct KmvcContext { int setpal; int palsize; - uint32_t pal[256]; + uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; uint8_t *frm0, *frm1; } KmvcContext; @@ -414,6 +415,10 @@ static av_cold int decode_init(AVCodecContext * avctx) c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); + if (c->palsize >= MAX_PALSIZE) { + av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); + return AVERROR_INVALIDDATA; + } } if (avctx->extradata_size == 1036) { // palette in extradata From 628b82294a6f51d0d9c51981d737c70e287e1ba3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 16:12:46 +0000 Subject: [PATCH 0887/1119] qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles (cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69) Signed-off-by: Derek Buitenhuis Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 184c97dfb6..258a343837 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -881,9 +881,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l break; case 30: - if (BITS_LEFT(length,gb) >= 4) - samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)]; - else + if (BITS_LEFT(length,gb) >= 4) { + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1); + if (index < FF_ARRAY_ELEMS(type30_dequant)) { + samples[0] = type30_dequant[index]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); + } else samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); run = 1; @@ -897,8 +901,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_predictor = samples[0]; type34_first = 0; } else { - samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor; - type34_predictor = samples[0]; + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); + if (index < FF_ARRAY_ELEMS(type34_delta)) { + samples[0] = type34_delta[index] / type34_div + type34_predictor; + type34_predictor = samples[0]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); } } else { samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); From 850298ef2538f02cd4671a4cc5035026b35c7bf5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 26 Jul 2011 12:23:43 +0100 Subject: [PATCH 0888/1119] x86: fix build with gcc 4.7 The upcoming gcc 4.7 has more advanced constant propagation resulting some inline asm operands becoming constants and thus emitted as literals, sometimes in contexts where this results in invalid instructions. This patch changes the constraints of the relevant operands to "rm" thus forcing a valid type. While obviously suboptimal, this is what older gcc versions already did, and there is no change to the code generated with these. Signed-off-by: Mans Rullgard (cherry picked from commit da4c7cce2100a4e4f9276b4f17e260be47b53f41) Signed-off-by: Derek Buitenhuis --- libavcodec/x86/h264_qpel_mmx.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/h264_qpel_mmx.c b/libavcodec/x86/h264_qpel_mmx.c index 066f794fb6..b322d5c89c 100644 --- a/libavcodec/x86/h264_qpel_mmx.c +++ b/libavcodec/x86/h264_qpel_mmx.c @@ -398,7 +398,7 @@ static av_noinline void OPNAME ## h264_qpel8or16_v_lowpass_ ## MMX(uint8_t *dst, "2: \n\t"\ \ : "+a"(src), "+c"(dst)\ - : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "g"(h)\ + : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "rm"(h)\ : "memory"\ );\ src += 4-(h+5)*srcStride;\ @@ -446,7 +446,7 @@ static av_always_inline void OPNAME ## h264_qpel8or16_hv1_lowpass_ ## MMX(int16_ QPEL_H264HV(%%mm3, %%mm4, %%mm5, %%mm0, %%mm1, %%mm2, 15*48)\ "2: \n\t"\ : "+a"(src)\ - : "c"(tmp), "S"((x86_reg)srcStride), "g"(size)\ + : "c"(tmp), "S"((x86_reg)srcStride), "rm"(size)\ : "memory"\ );\ tmp += 4;\ @@ -823,7 +823,7 @@ static av_noinline void OPNAME ## h264_qpel8or16_v_lowpass_ ## MMX(uint8_t *dst, "2: \n\t"\ \ : "+a"(src), "+c"(dst)\ - : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "g"(h)\ + : "S"((x86_reg)srcStride), "D"((x86_reg)dstStride), "rm"(h)\ : XMM_CLOBBERS("%xmm0", "%xmm1", "%xmm2", "%xmm3", \ "%xmm4", "%xmm5", "%xmm6", "%xmm7",)\ "memory"\ @@ -878,7 +878,7 @@ static av_always_inline void put_h264_qpel8or16_hv1_lowpass_sse2(int16_t *tmp, u QPEL_H264HV_XMM(%%xmm3, %%xmm4, %%xmm5, %%xmm0, %%xmm1, %%xmm2, 15*48) "2: \n\t" : "+a"(src) - : "c"(tmp), "S"((x86_reg)srcStride), "g"(size) + : "c"(tmp), "S"((x86_reg)srcStride), "rm"(size) : XMM_CLOBBERS("%xmm0", "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5", "%xmm6", "%xmm7",) "memory" From 269dbc53599e588efc6027df634a9d5b9476c3fc Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 10:58:55 -0700 Subject: [PATCH 0889/1119] png: check bit depth for PAL8/Y400A pixel formats. Wrong bit depth can lead to invalid rowsize values, which crashes the decoder further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7) Signed-off-by: Reinhard Tartler (cherry picked from commit b8d6ba9d50e80fdce2ed74cdaffd4960df8a21c5) Signed-off-by: Reinhard Tartler --- libavcodec/pngdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1268c9e781..aed3d609fd 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -488,9 +488,11 @@ static int decode_frame(AVCodecContext *avctx, } else if (s->bit_depth == 1 && s->color_type == PNG_COLOR_TYPE_GRAY) { avctx->pix_fmt = PIX_FMT_MONOBLACK; - } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = PIX_FMT_PAL8; - } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { avctx->pix_fmt = PIX_FMT_Y400A; } else { goto fail; From 50336dc4f12d629492b236c84b9ea2adead720db Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 4 May 2012 16:06:26 -0700 Subject: [PATCH 0890/1119] ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c) Signed-off-by: Reinhard Tartler (cherry picked from commit 6a86b705e1d4b72f0dddfbe23ad3eed9947001d5) Signed-off-by: Reinhard Tartler --- libavformat/electronicarts.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 06689ddfb7..0a6cdd5fd4 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -468,12 +468,17 @@ static int ea_read_packet(AVFormatContext *s, while (!packet_read) { chunk_type = avio_rl32(pb); - chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8; + chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); + if (chunk_size <= 8) + return AVERROR_INVALIDDATA; + chunk_size -= 8; switch (chunk_type) { /* audio data */ case ISNh_TAG: /* header chunk also contains data; skip over the header portion*/ + if (chunk_size < 32) + return AVERROR_INVALIDDATA; avio_skip(pb, 32); chunk_size -= 32; case ISNd_TAG: From ee66a7198eea0ab3aefae0b3de5a17473f4374cf Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jun 2012 19:22:09 +0200 Subject: [PATCH 0891/1119] Update changelog for 0.7.6 release --- Changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Changelog b/Changelog index 425f6e2b96..f434aa13b5 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,24 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.6: + +Security Updates: + +- vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947) +- h263dec: Disallow width/height changing with frame threads (CVE-2011-3937) +- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852) +- h264: Add check for invalid chroma_format_idc (CVE-2012-0851) +- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951) +- rtpdec_asf: Fix integer underflow that could allow remote code execution (CVE-2011-4031) +- aacsbr: prevent out of bounds memcpy() (CVE-2012-0850) +- kmvc: Check palsize (CVE-2011-3952) + +Further bugfixes in the following codecs: + + ea, png, qdm2, tqi, motionpixels, and a compilation failure with gcc 4.7 + + version 0.7.5: Security updates: From b61e311b0eeabaab8eb05f4e5e5c6c8c9d84f3cf Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 3 Jun 2012 19:22:20 +0200 Subject: [PATCH 0892/1119] Update RELEASE file for 0.7.6 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 8bd6ba8c5c..c006218557 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.5 +0.7.6 From 0aefcb6aa86b80729b2475d192940801892d97ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 16:50:15 +0200 Subject: [PATCH 0893/1119] cdgraphics: Fix out of array write Fixes Ticket1359 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index aae7bbbb1b..3edeefc6d7 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); return AVERROR(EINVAL); } + if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n"); + return AVERROR(EINVAL); + } ret = avctx->reget_buffer(avctx, &cc->frame); if (ret) { From 1285fe5530437132a9d68d336d08b21c0e4ad58c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:04:38 +0200 Subject: [PATCH 0894/1119] xan: fix out of array read Fixes ticket1360 Signed-off-by: Michael Niedermayer (cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 17b994bd81..5341e0eb70 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -511,6 +511,10 @@ static int xan_decode_frame(AVCodecContext *avctx, int i; tag = bytestream_get_le32(&buf); size = bytestream_get_be32(&buf); + if(size < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size); + return AVERROR_INVALIDDATA; + } size = FFMIN(size, buf_end - buf); switch (tag) { case PALT_TAG: From 0f5840b51abe873da8e7805bc0aeb6ea9725b78a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:08:06 +0200 Subject: [PATCH 0895/1119] yop: check for missing extradata Fixes null ptr deref Fixes Ticket1361 Signed-off-by: Michael Niedermayer (cherry picked from commit 77a4c8b959fa9bc6bcaa42b40a0b046cdf3fec38) Signed-off-by: Michael Niedermayer --- libavcodec/yop.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 45a3344b9e..40d9f7a818 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -90,6 +90,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx) return -1; } + if (!avctx->extradata) { + av_log(avctx, AV_LOG_ERROR, "extradata missing\n"); + return AVERROR_INVALIDDATA; + } + avctx->pix_fmt = PIX_FMT_PAL8; avcodec_get_frame_defaults(&s->frame); From a85c3fff37a9f410aded0cbcdae08e724adbea21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:13:10 +0200 Subject: [PATCH 0896/1119] iff_ilbm: fix null ptr deref Fixes Ticket1362 Signed-off-by: Michael Niedermayer (cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 195ef10ac7..9e74365f11 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -176,7 +176,13 @@ static int extract_header(AVCodecContext *const avctx, const uint8_t *buf; unsigned buf_size; IffContext *s = avctx->priv_data; - int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); + int palette_size; + + if (avctx->extradata_size < 2) { + av_log(avctx, AV_LOG_ERROR, "not enough extradata\n"); + return AVERROR_INVALIDDATA; + } + palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); if (avpkt) { int image_size; @@ -192,8 +198,6 @@ static int extract_header(AVCodecContext *const avctx, return AVERROR_INVALIDDATA; } } else { - if (avctx->extradata_size < 2) - return AVERROR_INVALIDDATA; buf = avctx->extradata; buf_size = bytestream_get_be16(&buf); if (buf_size <= 1 || palette_size < 0) { From 25594f0018e00a092615ec67629e287c7c6d181f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:17:49 +0200 Subject: [PATCH 0897/1119] motionpixels: check extradata size Fixes null ptr derefernce Fixes Ticket1363 Signed-off-by: Michael Niedermayer (cherry picked from commit 50122084a6b3be06781a2b3d8ec036f2d67c32e3) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index aa398c9592..1806e4703d 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) int w4 = (avctx->width + 3) & ~3; int h4 = (avctx->height + 3) & ~3; + if(avctx->extradata_size < 2){ + av_log(avctx, AV_LOG_ERROR, "extradata too small\n"); + return AVERROR_INVALIDDATA; + } + motionpixels_tableinit(); mp->avctx = avctx; dsputil_init(&mp->dsp, avctx); From 9e4a68a76c25f82ec30d6d02ee3dba6db787de4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:21:29 +0200 Subject: [PATCH 0898/1119] jvdec: check videosize Fixes null ptr dereference fixes Ticket1364 Signed-off-by: Michael Niedermayer (cherry picked from commit b4904e804d3b1c56ac4f5d3386b15daae98fca2d) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 288e53c9d8..238cfffe7d 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx, buf += 5; if (video_size) { + if(video_size < 0) { + av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size); + return AVERROR_INVALIDDATA; + } if (avctx->reget_buffer(avctx, &s->frame) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; From ee6c1670df0bc230e99c3b68f66807af4ebf5e69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 May 2012 19:16:22 +0200 Subject: [PATCH 0899/1119] 4xm: fix division by zero caused by bps<8 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index b4dd3d4416..755a21168c 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -195,6 +195,11 @@ static int fourxm_read_header(AVFormatContext *s, ret= -1; goto fail; } + if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){ + av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } i += 8 + size; /* allocate a new AVStream */ From b3e5c8de6a46dd5acb510147df22818d8a971607 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 May 2012 19:50:15 +0200 Subject: [PATCH 0900/1119] ape: Fix null ptr dereference with files missing a seekatable. Such files are currently not supported as the table is used at several points Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index b0f2394ad8..7e18a403c3 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -274,6 +274,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = avio_rl32(pb); + }else{ + av_log(s, AV_LOG_ERROR, "Missing seektable\n"); + return -1; } ape->frames[0].pos = ape->firstframe; From c761e144f63735d9ad31dcd8971139837523acc3 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 30 May 2012 07:50:32 +0000 Subject: [PATCH 0901/1119] iff: check if there is extradata Fixes #1368. Signed-off-by: Paul B Mahol (cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 9e74365f11..622bd4f020 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -285,7 +285,12 @@ static av_cold int decode_init(AVCodecContext *avctx) int err; if (avctx->bits_per_coded_sample <= 8) { - int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); + int palette_size; + + if (avctx->extradata_size >= 2) + palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); + else + palette_size = 0; avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) || (avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8; } else if (avctx->bits_per_coded_sample <= 32) { From 688da036b15881e5e3cce54147b3d6862452a6c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 May 2012 16:19:36 +0200 Subject: [PATCH 0902/1119] truemotion1: Check index, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 284dbd8e12..839af44fd5 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -520,6 +520,10 @@ hres,vres,i,i%vres (0 < i < 4) } #define APPLY_C_PREDICTOR() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ @@ -537,6 +541,10 @@ hres,vres,i,i%vres (0 < i < 4) index++; #define APPLY_C_PREDICTOR_24() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ @@ -555,6 +563,10 @@ hres,vres,i,i%vres (0 < i < 4) #define APPLY_Y_PREDICTOR() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->y_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ @@ -572,6 +584,10 @@ hres,vres,i,i%vres (0 < i < 4) index++; #define APPLY_Y_PREDICTOR_24() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->y_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ From 03e404740eb13d0483cc0a3e685802fdd79c1bae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 May 2012 05:01:28 +0200 Subject: [PATCH 0903/1119] indeo5: check quant_mat prevents out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5) Signed-off-by: Michael Niedermayer --- libavcodec/indeo5.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 4c6bfd66d1..eb16726a81 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -219,6 +219,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx) } if (band->blk_size == 8) { + if(quant_mat >= 5){ + av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat); + return -1; + } band->intra_base = &ivi5_base_quant_8x8_intra[quant_mat][0]; band->inter_base = &ivi5_base_quant_8x8_inter[quant_mat][0]; band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0]; From 8502b4aef68b7f5c06018f18c89a2fd6586f3b79 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 31 May 2012 08:58:31 +0000 Subject: [PATCH 0904/1119] binkaudio: check number of channels Fixes #1380. Signed-off-by: Paul B Mahol (cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index 3b65a19261..a93131dcbb 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -85,9 +85,9 @@ static av_cold int decode_init(AVCodecContext *avctx) frame_len_bits = 11; } - if (avctx->channels > MAX_CHANNELS) { - av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels); - return -1; + if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels); + return AVERROR_INVALIDDATA; } if (avctx->extradata && avctx->extradata_size > 0) From a4bf9033c37897dbef39daaf073a8ecdb5c0888c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 01:33:00 +0200 Subject: [PATCH 0905/1119] 8svx: fix crash Fixes Ticket1377 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16) Signed-off-by: Michael Niedermayer --- libavcodec/8svx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/8svx.c b/libavcodec/8svx.c index 5d94e005a2..336fa70852 100644 --- a/libavcodec/8svx.c +++ b/libavcodec/8svx.c @@ -44,7 +44,7 @@ typedef struct EightSvxContext { /* buffer used to store the whole audio decoded/interleaved chunk, * which is sent with the first packet */ uint8_t *samples; - size_t samples_size; + int64_t samples_size; int samples_idx; } EightSvxContext; From 89409be50c212519f6313ad9144d7c5b17867728 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 15:51:50 +0200 Subject: [PATCH 0906/1119] yopdec: check that palette fits in the packet Signed-off-by: Michael Niedermayer (cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3) Signed-off-by: Michael Niedermayer --- libavcodec/yop.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 40d9f7a818..21ccabd243 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -205,6 +205,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); + if (avpkt->size < 4 + 3*s->num_pal_colors) { + av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size); + return AVERROR_INVALIDDATA; + } + ret = avctx->get_buffer(avctx, &s->frame); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); From 35bf5f7966768a5f01467ff721b6f98375b1a52c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 15:52:20 +0200 Subject: [PATCH 0907/1119] yopdec: check frame oddness to be within supported limits Fixes Ticket1365 Signed-off-by: Michael Niedermayer (cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c) Signed-off-by: Michael Niedermayer --- libavcodec/yop.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 21ccabd243..bbe78bc0a7 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -225,6 +225,10 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->low_nibble = NULL; is_odd_frame = avpkt->data[0]; + if(is_odd_frame>1){ + av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame); + return AVERROR_INVALIDDATA; + } firstcolor = s->first_color[is_odd_frame]; palette = (uint32_t *)s->frame.data[1]; From 316589e1db5a563533843994d4a074f3d667958d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 21:42:29 +0200 Subject: [PATCH 0908/1119] wmv1: check that the input buffer is large enough Fixes null ptr deref Fixes Ticket1367 Signed-off-by: Michael Niedermayer (cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 197cf7985d..4947ea5598 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; + if(buf_size<=8) { + av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size); + return AVERROR_INVALIDDATA; + } + rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if(!rbuf){ av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From 6a441ee78ee7bc49311994583455755663811243 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2012 14:41:21 +0200 Subject: [PATCH 0909/1119] h263: disable loop filter with lowres Fixes ticket1212 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit cc229d4e83889d1298f1a0863b55feec6c5c339a) Signed-off-by: Michael Niedermayer --- libavcodec/intelh263dec.c | 2 +- libavcodec/ituh263dec.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/intelh263dec.c b/libavcodec/intelh263dec.c index a011a9f597..a2ce68be78 100644 --- a/libavcodec/intelh263dec.c +++ b/libavcodec/intelh263dec.c @@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s) } if(get_bits(&s->gb, 2)) av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n"); - s->loop_filter = get_bits1(&s->gb); + s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres; if(get_bits1(&s->gb)) av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n"); if(get_bits1(&s->gb)) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index b1e67231fd..634fd8a32b 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -961,6 +961,8 @@ int h263_decode_picture_header(MpegEncContext *s) s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */ s->loop_filter= get_bits1(&s->gb); s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter; + if(s->avctx->lowres) + s->loop_filter = 0; s->h263_slice_structured= get_bits1(&s->gb); if (get_bits1(&s->gb) != 0) { From 5e87fa347c5b1c4b26a189c077158986d66ec6d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2012 17:40:30 +0200 Subject: [PATCH 0910/1119] mpc8: fix channel checks fix heap array overflow Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 44c10168cff41c200825448b77cb8feff0d316c9) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 90bc8c8b96..4adc28ed25 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx) c->frames = 1 << (get_bits(&gb, 3) * 2); avctx->sample_fmt = AV_SAMPLE_FMT_S16; - avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; + avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; + avctx->channels = channels; if(vlc_initialized) return 0; av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n"); From 858c3158b58eafee2fedd9d83651c06aa57ef217 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Jun 2012 21:09:06 +0200 Subject: [PATCH 0911/1119] Update for 0.8.12 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index d60e276989..887b874e78 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.11 +PROJECT_NUMBER = 0.8.12 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 83ce05d72f..7eff8ab952 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.11 +0.8.12 diff --git a/VERSION b/VERSION index 83ce05d72f..7eff8ab952 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.11 +0.8.12 From 84ffe14e2a9abce1e51cbe91988de57bd260327c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Jun 2012 21:17:02 +0200 Subject: [PATCH 0912/1119] Update for 0.7.13 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 9e056efe7e..93fce23685 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.12 +PROJECT_NUMBER = 0.7.13 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 88a7b22857..a48658c949 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.12 +0.7.13 diff --git a/VERSION b/VERSION index 88a7b22857..a48658c949 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.12 +0.7.13 From b102d5d97daedb717c023ec7bfa43047d97de284 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:04:54 +0100 Subject: [PATCH 0913/1119] h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c (cherry picked from commit e1608014c50eeb9f4744a53de0794eb6bb1269a2) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index beb89a07e1..90293f17f4 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2599,6 +2599,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else s->height= 16*s->mb_height - (4>>CHROMA444)*FFMIN(h->sps.crop_bottom, (8<avctx->width, 16) == s->width && + FFALIGN(s->avctx->height, 16) == s->height) { + s->width = s->avctx->width; + s->height = s->avctx->height; + } + if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { From 0054d70f23edd1f61a10a1c2c687b3a04831feb9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:06:00 +0100 Subject: [PATCH 0914/1119] mov: set AVCodecContext.width/height for h264 This is required for correct cropping of files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac) Signed-off-by: Reinhard Tartler (cherry picked from commit 2fb4be9a99a2c2a9435339830e3d940171cc0d9b) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c720440472..b1458775aa 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1818,9 +1818,6 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) #if CONFIG_H263_DECODER case CODEC_ID_H263: #endif -#if CONFIG_H264_DECODER - case CODEC_ID_H264: -#endif #if CONFIG_MPEG4_DECODER case CODEC_ID_MPEG4: #endif From c497d71a026a6c946529d661e72b7542203b26b6 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 31 Aug 2012 14:17:33 +0200 Subject: [PATCH 0915/1119] Clarify that -passlogfile has a different syntax when used with -vcodec libx264. --- doc/ffmpeg.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index daf5d36de8..95b405ccb3 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -299,6 +299,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be @file{PREFIX-N.log}, where N is a number specific to the output stream. +Note that this option is overwritten by a local option of the same name +when using @code{-vcodec libx264}. That option maps to the x264 option stats +which has a different syntax. + @item -newvideo Add a new video stream to the current output stream. From f50bb62eca027374c9f740c14c5b7deb5b23b56c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 31 Aug 2012 14:17:45 +0200 Subject: [PATCH 0916/1119] Clarify that -passlogfile has a different syntax when used with -vcodec libx264. --- doc/ffmpeg.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index daf5d36de8..95b405ccb3 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -299,6 +299,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be @file{PREFIX-N.log}, where N is a number specific to the output stream. +Note that this option is overwritten by a local option of the same name +when using @code{-vcodec libx264}. That option maps to the x264 option stats +which has a different syntax. + @item -newvideo Add a new video stream to the current output stream. From 9a5e81235e6293cd5ac94e629cb2d8712dfcecfc Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 24 Jun 2012 11:17:13 +0100 Subject: [PATCH 0917/1119] dxva2: include dxva.h if found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apparently, some build environments require dxva.h even for dxva2, while others lack this header entirely. Including it conditionally allows building in both cases. Signed-off-by: Martin Storsjö (cherry picked from commit fa84506177f0246b30d4ea6a99ee5d419f3e4550) Signed-off-by: Michael Niedermayer --- configure | 2 ++ libavcodec/dxva2_internal.h | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/configure b/configure index 822c500eab..4fde69c0cc 100755 --- a/configure +++ b/configure @@ -1057,6 +1057,7 @@ HAVE_LIST=" dlfcn_h dlopen dos_paths + dxva_h ebp_available ebx_available exp2 @@ -2859,6 +2860,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h VirtualAlloc check_header dlfcn.h +check_header dxva.h check_header dxva2api.h check_header libcrystalhd/libcrystalhd_if.h check_header malloc.h diff --git a/libavcodec/dxva2_internal.h b/libavcodec/dxva2_internal.h index 23d4d87522..fcf45bc664 100644 --- a/libavcodec/dxva2_internal.h +++ b/libavcodec/dxva2_internal.h @@ -25,7 +25,14 @@ #define _WIN32_WINNT 0x0600 #define COBJMACROS + +#include "config.h" + #include "dxva2.h" +#if HAVE_DXVA_H +#include +#endif + #include "avcodec.h" #include "mpegvideo.h" From 8582e6e9a3ce72fd7475c2ae8ed4c5198dc02a79 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 12 Sep 2012 13:08:27 +0200 Subject: [PATCH 0918/1119] Fix muxing mjpeg in swf. (cherry picked from commit 7680d99b4302e476076cc1b8f2567f47c2aaef4d) --- libavformat/swfenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index 09c2d61f28..7d7daacee1 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -498,8 +498,10 @@ static int swf_write_trailer(AVFormatContext *s) avio_wl32(pb, file_size); avio_seek(pb, swf->duration_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + if (swf->vframes_pos) { avio_seek(pb, swf->vframes_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + } avio_seek(pb, file_size, SEEK_SET); } return 0; From 3ed505863b067e73eee837a9e9f76efdbc692142 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 12 Sep 2012 13:08:27 +0200 Subject: [PATCH 0919/1119] Fix muxing mjpeg in swf. (cherry picked from commit 7680d99b4302e476076cc1b8f2567f47c2aaef4d) --- libavformat/swfenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index 09c2d61f28..7d7daacee1 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -498,8 +498,10 @@ static int swf_write_trailer(AVFormatContext *s) avio_wl32(pb, file_size); avio_seek(pb, swf->duration_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + if (swf->vframes_pos) { avio_seek(pb, swf->vframes_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + } avio_seek(pb, file_size, SEEK_SET); } return 0; From a60eb6ef12df472554e93916aaeae729b0c8db03 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 6 Oct 2012 09:21:29 +0200 Subject: [PATCH 0920/1119] ffmpeg: fix -force_key_frames Based on commit 19ad567311b29a42e308317b5329218c590afac8 in master. --- ffmpeg.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 76d1cf363c..30ff5382ba 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -298,6 +298,7 @@ typedef struct AVOutputStream { #endif int sws_flags; + char *forced_key_frames; } AVOutputStream; static AVOutputStream **output_streams_for_file[MAX_FILES] = { NULL }; @@ -2254,6 +2255,9 @@ static int transcode(AVFormatContext **output_files, } codec->time_base = (AVRational){ost->frame_rate.den, ost->frame_rate.num}; + if (ost->forced_key_frames) + parse_forced_key_frames(ost->forced_key_frames, ost, codec); + #if CONFIG_AVFILTER if (configure_video_filters(ist, ost)) { fprintf(stderr, "Error opening filters!\n"); @@ -2729,6 +2733,7 @@ static int transcode(AVFormatContext **output_files, av_freep(&ost->st->codec->subtitle_header); av_free(ost->pict_tmp.data[0]); av_free(ost->forced_kf_pts); + av_free(ost->forced_key_frames); if (ost->video_resample) sws_freeContext(ost->img_resample_ctx); if (ost->resample) @@ -3550,8 +3555,10 @@ static void new_video_stream(AVFormatContext *oc, int file_idx) } } - if (forced_key_frames) - parse_forced_key_frames(forced_key_frames, ost, video_enc); + if (forced_key_frames) { + ost->forced_key_frames = forced_key_frames; + forced_key_frames = NULL; + } } if (video_language) { av_dict_set(&st->metadata, "language", video_language, 0); @@ -3561,7 +3568,6 @@ static void new_video_stream(AVFormatContext *oc, int file_idx) /* reset some key parameters */ video_disable = 0; av_freep(&video_codec_name); - av_freep(&forced_key_frames); video_stream_copy = 0; frame_pix_fmt = PIX_FMT_NONE; } From 0173a7966b331105158a88f96b9afcc431d2fef8 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: [PATCH 0921/1119] vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov (cherry picked from commit 02b72394627933dc8ce26445231a69f00dba491b) Conflicts: libavcodec/vc1dec.c Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index c87558bc50..1474e9fedd 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3831,6 +3831,7 @@ AVCodec ff_vc1_decoder = { vc1_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_hwaccel_pixfmt_list_420, .profiles = NULL_IF_CONFIG_SMALL(profiles) @@ -3848,6 +3849,7 @@ AVCodec ff_wmv3_decoder = { vc1_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_hwaccel_pixfmt_list_420, .profiles = NULL_IF_CONFIG_SMALL(profiles) From f31170d4e7f9671e019315391160d454b18d7296 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 6 Aug 2012 13:59:04 +0200 Subject: [PATCH 0922/1119] nuv: check RTjpeg header for validity CC: libav-stable@libav.org (cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad) Signed-off-by: Anton Khirnov (cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9) Signed-off-by: Anton Khirnov --- libavcodec/nuv.c | 9 +++++---- libavcodec/rtjpeg.h | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 0c5e42fe78..00767c5873 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -184,17 +184,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (c->codec_frameheader) { int w, h, q; - if (buf_size < 12) { + if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE || + buf[5] != RTJPEG_FILE_VERSION) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; if (!codec_reinit(avctx, w, h, q)) return -1; - buf = &buf[12]; - buf_size -= 12; + buf = &buf[RTJPEG_HEADER_SIZE]; + buf_size -= RTJPEG_HEADER_SIZE; } if (keyframe && c->pic.data[0]) diff --git a/libavcodec/rtjpeg.h b/libavcodec/rtjpeg.h index d537c93ff4..4b46689f9c 100644 --- a/libavcodec/rtjpeg.h +++ b/libavcodec/rtjpeg.h @@ -25,6 +25,9 @@ #include #include "dsputil.h" +#define RTJPEG_FILE_VERSION 0 +#define RTJPEG_HEADER_SIZE 12 + typedef struct { int w, h; DSPContext *dsp; From 8812b5f164109553f009ce385e17a1af16b6ea53 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 2 Jul 2012 10:46:39 +0200 Subject: [PATCH 0923/1119] imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt CC: libav-stable@libav.org (cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916) Signed-off-by: Anton Khirnov (cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95) Signed-off-by: Anton Khirnov --- libavcodec/imgconvert.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 351ed7ada7..8da11a5c98 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -615,7 +615,8 @@ static enum PixelFormat avcodec_find_best_pix_fmt1(int64_t pix_fmt_mask, /* find exact color match with smallest size */ dst_pix_fmt = PIX_FMT_NONE; min_dist = 0x7fffffff; - for(i = 0;i < PIX_FMT_NB; i++) { + /* test only the first 64 pixel formats to avoid undefined behaviour */ + for (i = 0; i < 64; i++) { if (pix_fmt_mask & (1ULL << i)) { loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask; if (loss == 0) { From 899d95efe12f1e250b361837c1c8c06df9ac9b86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Nov 2011 17:19:25 +0100 Subject: [PATCH 0924/1119] mpegvideo: Don't use ff_mspel_motion() for vc1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using ff_mspel_motion assumes that s (a MpegEncContext poiinter) really is a Wmv2Context. This fixes crashes in error resilience on vc1/wmv3 videos. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1) Signed-off-by: Anton Khirnov (cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo_common.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index d0093ce8d2..dfedc6bade 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -725,7 +725,8 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s, 0, 0, 0, ref_picture, pix_op, qpix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); - }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel){ + } else if (!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && + s->mspel && s->codec_id == CODEC_ID_WMV2) { ff_mspel_motion(s, dest_y, dest_cb, dest_cr, ref_picture, pix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); From 77d43bf42d76a1a3ccd8ea25937664c7f9d4bcac Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Jun 2012 19:58:11 +0200 Subject: [PATCH 0925/1119] lavf: don't segfault when a NULL filename is passed to avformat_open_input() This can easily happen when the caller is using a custom AVIOContext. Behave as if the filename was an empty string in this case. CC: libav-stable@libav.org (cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b) Signed-off-by: Anton Khirnov (cherry picked from commit 7124fa5d3640e5b8089dd13b22a09038b2ec5216) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 57fc836c64..5f3da495fd 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -622,7 +622,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename, sizeof(s->filename)); + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* allocate private data */ if (s->iformat->priv_data_size > 0) { From b6ba39f931a82561389553ab2ac0ddb61b73a1e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 01:39:13 +0100 Subject: [PATCH 0926/1119] alsdec: check opt_order. Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f) Signed-off-by: Anton Khirnov (cherry picked from commit a1b127515bb79c715933d0d4201e4ef3152b3dcb) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index f2944c6038..cdf2a7c0f1 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -662,6 +662,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); + if (*bd->opt_order > sconf->max_order) { + *bd->opt_order = sconf->max_order; + av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n"); + return AVERROR_INVALIDDATA; + } } else { *bd->opt_order = sconf->max_order; } From b6c5848a1f8fc2755ea70d325acaddae9fac45ab Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: [PATCH 0927/1119] lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler (cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371) Signed-off-by: Anton Khirnov --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index ae916cf16c..1b58b50e9f 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -44,6 +44,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0; + if (a == b) + return a; + ret = av_mallocz(sizeof(AVFilterFormats)); /* merge list of formats */ From 61ece41372989cca40634a4f32ff6131d19f99a2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Feb 2012 19:23:18 -0500 Subject: [PATCH 0928/1119] vorbisenc: check all allocations for failure (cherry picked from commit be8d812c9635f31f69c30dff9ebf565a07a7dab7) Signed-off-by: Anton Khirnov (cherry picked from commit e46cf805b10070327026f8e2880fe29e5e9ac1af) Signed-off-by: Anton Khirnov --- libavcodec/vorbisenc.c | 127 +++++++++++++++++++++++++++++------------ 1 file changed, 92 insertions(+), 35 deletions(-) diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c index 67d094b37d..ad69c61695 100644 --- a/libavcodec/vorbisenc.c +++ b/libavcodec/vorbisenc.c @@ -155,7 +155,7 @@ static int cb_lookup_vals(int lookup, int dimentions, int entries) return 0; } -static void ready_codebook(vorbis_enc_codebook *cb) +static int ready_codebook(vorbis_enc_codebook *cb) { int i; @@ -167,6 +167,8 @@ static void ready_codebook(vorbis_enc_codebook *cb) int vals = cb_lookup_vals(cb->lookup, cb->ndimentions, cb->nentries); cb->dimentions = av_malloc(sizeof(float) * cb->nentries * cb->ndimentions); cb->pow2 = av_mallocz(sizeof(float) * cb->nentries); + if (!cb->dimentions || !cb->pow2) + return AVERROR(ENOMEM); for (i = 0; i < cb->nentries; i++) { float last = 0; int j; @@ -187,13 +189,16 @@ static void ready_codebook(vorbis_enc_codebook *cb) cb->pow2[i] /= 2.; } } + return 0; } -static void ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) +static int ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) { int i; assert(rc->type == 2); rc->maxes = av_mallocz(sizeof(float[2]) * rc->classifications); + if (!rc->maxes) + return AVERROR(ENOMEM); for (i = 0; i < rc->classifications; i++) { int j; vorbis_enc_codebook * cb; @@ -223,15 +228,16 @@ static void ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) rc->maxes[i][0] += 0.8; rc->maxes[i][1] += 0.8; } + return 0; } -static void create_vorbis_context(vorbis_enc_context *venc, - AVCodecContext *avccontext) +static int create_vorbis_context(vorbis_enc_context *venc, + AVCodecContext *avccontext) { vorbis_enc_floor *fc; vorbis_enc_residue *rc; vorbis_enc_mapping *mc; - int i, book; + int i, book, ret; venc->channels = avccontext->channels; venc->sample_rate = avccontext->sample_rate; @@ -239,6 +245,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->ncodebooks = FF_ARRAY_ELEMS(cvectors); venc->codebooks = av_malloc(sizeof(vorbis_enc_codebook) * venc->ncodebooks); + if (!venc->codebooks) + return AVERROR(ENOMEM); // codebook 0..14 - floor1 book, values 0..255 // codebook 15 residue masterbook @@ -255,27 +263,36 @@ static void create_vorbis_context(vorbis_enc_context *venc, cb->lens = av_malloc(sizeof(uint8_t) * cb->nentries); cb->codewords = av_malloc(sizeof(uint32_t) * cb->nentries); + if (!cb->lens || !cb->codewords) + return AVERROR(ENOMEM); memcpy(cb->lens, cvectors[book].clens, cvectors[book].len); memset(cb->lens + cvectors[book].len, 0, cb->nentries - cvectors[book].len); if (cb->lookup) { vals = cb_lookup_vals(cb->lookup, cb->ndimentions, cb->nentries); cb->quantlist = av_malloc(sizeof(int) * vals); + if (!cb->quantlist) + return AVERROR(ENOMEM); for (i = 0; i < vals; i++) cb->quantlist[i] = cvectors[book].quant[i]; } else { cb->quantlist = NULL; } - ready_codebook(cb); + if ((ret = ready_codebook(cb)) < 0) + return ret; } venc->nfloors = 1; venc->floors = av_malloc(sizeof(vorbis_enc_floor) * venc->nfloors); + if (!venc->floors) + return AVERROR(ENOMEM); // just 1 floor fc = &venc->floors[0]; fc->partitions = NUM_FLOOR_PARTITIONS; fc->partition_to_class = av_malloc(sizeof(int) * fc->partitions); + if (!fc->partition_to_class) + return AVERROR(ENOMEM); fc->nclasses = 0; for (i = 0; i < fc->partitions; i++) { static const int a[] = {0, 1, 2, 2, 3, 3, 4, 4}; @@ -284,6 +301,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, } fc->nclasses++; fc->classes = av_malloc(sizeof(vorbis_enc_floor_class) * fc->nclasses); + if (!fc->classes) + return AVERROR(ENOMEM); for (i = 0; i < fc->nclasses; i++) { vorbis_enc_floor_class * c = &fc->classes[i]; int j, books; @@ -292,6 +311,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, c->masterbook = floor_classes[i].masterbook; books = (1 << c->subclass); c->books = av_malloc(sizeof(int) * books); + if (!c->books) + return AVERROR(ENOMEM); for (j = 0; j < books; j++) c->books[j] = floor_classes[i].nbooks[j]; } @@ -303,6 +324,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, fc->values += fc->classes[fc->partition_to_class[i]].dim; fc->list = av_malloc(sizeof(vorbis_floor1_entry) * fc->values); + if (!fc->list) + return AVERROR(ENOMEM); fc->list[0].x = 0; fc->list[1].x = 1 << fc->rangebits; for (i = 2; i < fc->values; i++) { @@ -317,6 +340,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues); + if (!venc->residues) + return AVERROR(ENOMEM); // single residue rc = &venc->residues[0]; @@ -327,6 +352,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, rc->classifications = 10; rc->classbook = 15; rc->books = av_malloc(sizeof(*rc->books) * rc->classifications); + if (!rc->books) + return AVERROR(ENOMEM); { static const int8_t a[10][8] = { { -1, -1, -1, -1, -1, -1, -1, -1, }, @@ -342,19 +369,26 @@ static void create_vorbis_context(vorbis_enc_context *venc, }; memcpy(rc->books, a, sizeof a); } - ready_residue(rc, venc); + if ((ret = ready_residue(rc, venc)) < 0) + return ret; venc->nmappings = 1; venc->mappings = av_malloc(sizeof(vorbis_enc_mapping) * venc->nmappings); + if (!venc->mappings) + return AVERROR(ENOMEM); // single mapping mc = &venc->mappings[0]; mc->submaps = 1; mc->mux = av_malloc(sizeof(int) * venc->channels); + if (!mc->mux) + return AVERROR(ENOMEM); for (i = 0; i < venc->channels; i++) mc->mux[i] = 0; mc->floor = av_malloc(sizeof(int) * mc->submaps); mc->residue = av_malloc(sizeof(int) * mc->submaps); + if (!mc->floor || !mc->residue) + return AVERROR(ENOMEM); for (i = 0; i < mc->submaps; i++) { mc->floor[i] = 0; mc->residue[i] = 0; @@ -362,6 +396,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, mc->coupling_steps = venc->channels == 2 ? 1 : 0; mc->magnitude = av_malloc(sizeof(int) * mc->coupling_steps); mc->angle = av_malloc(sizeof(int) * mc->coupling_steps); + if (!mc->magnitude || !mc->angle) + return AVERROR(ENOMEM); if (mc->coupling_steps) { mc->magnitude[0] = 0; mc->angle[0] = 1; @@ -369,6 +405,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->nmodes = 1; venc->modes = av_malloc(sizeof(vorbis_enc_mode) * venc->nmodes); + if (!venc->modes) + return AVERROR(ENOMEM); // single mode venc->modes[0].blockflag = 0; @@ -379,12 +417,18 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->samples = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1])); venc->floor = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1]) / 2); venc->coeffs = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1]) / 2); + if (!venc->saved || !venc->samples || !venc->floor || !venc->coeffs) + return AVERROR(ENOMEM); venc->win[0] = ff_vorbis_vwin[venc->log2_blocksize[0] - 6]; venc->win[1] = ff_vorbis_vwin[venc->log2_blocksize[1] - 6]; - ff_mdct_init(&venc->mdct[0], venc->log2_blocksize[0], 0, 1.0); - ff_mdct_init(&venc->mdct[1], venc->log2_blocksize[1], 0, 1.0); + if ((ret = ff_mdct_init(&venc->mdct[0], venc->log2_blocksize[0], 0, 1.0)) < 0) + return ret; + if ((ret = ff_mdct_init(&venc->mdct[1], venc->log2_blocksize[1], 0, 1.0)) < 0) + return ret; + + return 0; } static void put_float(PutBitContext *pb, float f) @@ -647,6 +691,8 @@ static int put_main_header(vorbis_enc_context *venc, uint8_t **out) len = hlens[0] + hlens[1] + hlens[2]; p = *out = av_mallocz(64 + len + len/255); + if (!p) + return AVERROR(ENOMEM); *p++ = 2; p += av_xiphlacing(p, hlens[0]); @@ -952,32 +998,6 @@ static int apply_window_and_mdct(vorbis_enc_context *venc, const signed short *a return 1; } -static av_cold int vorbis_encode_init(AVCodecContext *avccontext) -{ - vorbis_enc_context *venc = avccontext->priv_data; - - if (avccontext->channels != 2) { - av_log(avccontext, AV_LOG_ERROR, "Current Libav Vorbis encoder only supports 2 channels.\n"); - return -1; - } - - create_vorbis_context(venc, avccontext); - - if (avccontext->flags & CODEC_FLAG_QSCALE) - venc->quality = avccontext->global_quality / (float)FF_QP2LAMBDA / 10.; - else - venc->quality = 0.03; - venc->quality *= venc->quality; - - avccontext->extradata_size = put_main_header(venc, (uint8_t**)&avccontext->extradata); - - avccontext->frame_size = 1 << (venc->log2_blocksize[0] - 1); - - avccontext->coded_frame = avcodec_alloc_frame(); - avccontext->coded_frame->key_frame = 1; - - return 0; -} static int vorbis_encode_frame(AVCodecContext *avccontext, unsigned char *packets, @@ -1102,6 +1122,43 @@ static av_cold int vorbis_encode_close(AVCodecContext *avccontext) return 0 ; } +static av_cold int vorbis_encode_init(AVCodecContext *avccontext) +{ + vorbis_enc_context *venc = avccontext->priv_data; + int ret; + + if (avccontext->channels != 2) { + av_log(avccontext, AV_LOG_ERROR, "Current Libav Vorbis encoder only supports 2 channels.\n"); + return -1; + } + + if ((ret = create_vorbis_context(venc, avccontext)) < 0) + goto error; + + if (avccontext->flags & CODEC_FLAG_QSCALE) + venc->quality = avccontext->global_quality / (float)FF_QP2LAMBDA / 10.; + else + venc->quality = 0.03; + venc->quality *= venc->quality; + + if ((ret = put_main_header(venc, (uint8_t**)&avccontext->extradata)) < 0) + goto error; + avccontext->extradata_size = ret; + + avccontext->frame_size = 1 << (venc->log2_blocksize[0] - 1); + + avccontext->coded_frame = avcodec_alloc_frame(); + if (!avccontext->coded_frame) { + ret = AVERROR(ENOMEM); + goto error; + } + + return 0; +error: + vorbis_encode_close(avccontext); + return ret; +} + AVCodec ff_vorbis_encoder = { "vorbis", AVMEDIA_TYPE_AUDIO, From d6e250abfc36b239ef0c1fc9d45d588b853bfcb9 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Mon, 4 Jun 2012 18:27:03 -0700 Subject: [PATCH 0929/1119] vorbis: Validate that the floor 1 X values contain no duplicates. Duplicate values in this vector are explicitly banned by the Vorbis I spec and cause divide-by-zero crashes later on. (cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc) Signed-off-by: Reinhard Tartler (cherry picked from commit 9aaaeba45c41cf2b3fa4100abbdee7437428f93c) Signed-off-by: Anton Khirnov --- libavcodec/vorbis.c | 9 ++++++++- libavcodec/vorbis.h | 3 ++- libavcodec/vorbisdec.c | 6 +++++- libavcodec/vorbisenc.c | 3 ++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 20be707313..e0eda46f71 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -117,7 +117,8 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) return 0; } -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values) { int i; list[0].sort = 0; @@ -141,6 +142,11 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) for (i = 0; i < values - 1; i++) { int j; for (j = i + 1; j < values; j++) { + if (list[i].x == list[j].x) { + av_log(avccontext, AV_LOG_ERROR, + "Duplicate value found in floor 1 X coordinates\n"); + return AVERROR_INVALIDDATA; + } if (list[list[i].sort].x > list[list[j].sort].x) { int tmp = list[i].sort; list[i].sort = list[j].sort; @@ -148,6 +154,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } } + return 0; } static inline void render_line_unrolled(intptr_t x, int y, int x1, diff --git a/libavcodec/vorbis.h b/libavcodec/vorbis.h index 8501e0a178..b4346fbbe7 100644 --- a/libavcodec/vorbis.h +++ b/libavcodec/vorbis.h @@ -36,7 +36,8 @@ typedef struct { uint16_t high; } vorbis_floor1_entry; -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values); +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values); unsigned int ff_vorbis_nth_root(unsigned int x, unsigned int n); // x^(1/n) int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num); void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index d6850b7f48..3805d27627 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -559,7 +559,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) } // Precalculate order of x coordinates - needed for decode - ff_vorbis_ready_floor1_list(floor_setup->data.t1.list, floor_setup->data.t1.x_list_dim); + if (ff_vorbis_ready_floor1_list(vc->avccontext, + floor_setup->data.t1.list, + floor_setup->data.t1.x_list_dim)) { + return AVERROR_INVALIDDATA; + } } else if (floor_setup->floor_type == 0) { unsigned max_codebook_dim = 0; diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c index ad69c61695..7311c05d36 100644 --- a/libavcodec/vorbisenc.c +++ b/libavcodec/vorbisenc.c @@ -336,7 +336,8 @@ static int create_vorbis_context(vorbis_enc_context *venc, }; fc->list[i].x = a[i - 2]; } - ff_vorbis_ready_floor1_list(fc->list, fc->values); + if (ff_vorbis_ready_floor1_list(avccontext, fc->list, fc->values)) + return AVERROR(EINVAL); venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues); From 7b91e52eb9fd6012a0804febc7821b9484e6faa6 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 11 Nov 2012 22:41:46 +0100 Subject: [PATCH 0930/1119] x86: Require an assembler able to cope with AVX instructions All modern assemblers have this capability. Older NASM versions that lack the capability produce code that crashes at runtime, so it's better to error out during the build process instead. (cherry picked from commit e287201c77dc7a7a9759d56d8f48ae719b7e69a9) Signed-off-by: Diego Biurrun --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index f4c327439a..6a2ff4fa01 100755 --- a/configure +++ b/configure @@ -2739,9 +2739,8 @@ EOF elf*) enabled debug && append YASMFLAGS $yasm_debug ;; esac - check_yasm "pextrd [eax], xmm0, 1" && enable yasm || + check_yasm "vextractf128 xmm0, ymm0, 0" && enable yasm || die "yasm not found, use --disable-yasm for a crippled build" - check_yasm "vextractf128 xmm0, ymm0, 0" || disable avx fi case "$cpu" in From 80b8dc30dc96190b6f9c3ab1d9263490232b328b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 30 Dec 2012 06:53:48 +0100 Subject: [PATCH 0931/1119] lavc/ass_split: check for NULL pointer in ff_ass_split_override_codes(). This is consistent with the other ff_ass_split_* functions. It also fixes a crash when trying to split a dialog with text=NULL (which seems to happen when the text of the dialog is empty); basically, this commit fixes crashes when trying to encode an empty text subtitle dialog (see subrip and mov_text encoders). Fixes Ticket2048. (cherry picked from commit c83002a4f8042ccfa0688a9a18e8fa0369c1fda8) --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 2a3b76445e..33c1c2714f 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv, char new_line[2]; int text_len = 0; - while (*buf) { + while (buf && *buf) { if (text && callbacks->text && (sscanf(buf, "\\%1[nN]", new_line) == 1 || !strncmp(buf, "{\\", 2))) { From 20940780c72605207783880dfd1d3c2741151abf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 30 Dec 2012 06:53:48 +0100 Subject: [PATCH 0932/1119] lavc/ass_split: check for NULL pointer in ff_ass_split_override_codes(). This is consistent with the other ff_ass_split_* functions. It also fixes a crash when trying to split a dialog with text=NULL (which seems to happen when the text of the dialog is empty); basically, this commit fixes crashes when trying to encode an empty text subtitle dialog (see subrip and mov_text encoders). Fixes Ticket2048. (cherry picked from commit c83002a4f8042ccfa0688a9a18e8fa0369c1fda8) --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 2a3b76445e..33c1c2714f 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv, char new_line[2]; int text_len = 0; - while (*buf) { + while (buf && *buf) { if (text && callbacks->text && (sscanf(buf, "\\%1[nN]", new_line) == 1 || !strncmp(buf, "{\\", 2))) { From a2ae183a382f063c5403922b5151d865ce7252a2 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:04:54 +0100 Subject: [PATCH 0933/1119] h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 90293f17f4..ac7eb20f35 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2605,6 +2605,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->height = s->avctx->height; } + if (FFALIGN(s->avctx->width, 16) == s->width && + FFALIGN(s->avctx->height, 16) == s->height) { + s->width = s->avctx->width; + s->height = s->avctx->height; + } + if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { From e39fc137aeace9420690c264067c37ff516b4743 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: [PATCH 0934/1119] vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 1474e9fedd..34bf04fae0 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3834,7 +3834,8 @@ AVCodec ff_vc1_decoder = { .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_hwaccel_pixfmt_list_420, - .profiles = NULL_IF_CONFIG_SMALL(profiles) + .profiles = NULL_IF_CONFIG_SMALL(profiles), + .flush = ff_mpeg_flush, }; #if CONFIG_WMV3_DECODER @@ -3852,7 +3853,8 @@ AVCodec ff_wmv3_decoder = { .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_hwaccel_pixfmt_list_420, - .profiles = NULL_IF_CONFIG_SMALL(profiles) + .profiles = NULL_IF_CONFIG_SMALL(profiles), + .flush = ff_mpeg_flush, }; #endif From d3e2f35f7addb6cb3a59aa823b716c8fa0b32b51 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 16 Sep 2012 08:33:09 +0200 Subject: [PATCH 0935/1119] bmpdec: only initialize palette for pal8. Gray8 is not considered to be paletted, so this would cause an invalid write. Fixes bug 367. CC: libav-stable@libav.org (cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9) Signed-off-by: Anton Khirnov --- libavcodec/bmp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index b7fee130bc..51947adad8 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -219,9 +219,6 @@ static int bmp_decode_frame(AVCodecContext *avctx, if(comp == BMP_RLE4 || comp == BMP_RLE8) memset(p->data[0], 0, avctx->height * p->linesize[0]); - if(depth == 4 || depth == 8) - memset(p->data[1], 0, 1024); - if(height > 0){ ptr = p->data[0] + (avctx->height - 1) * p->linesize[0]; linesize = -p->linesize[0]; @@ -232,6 +229,9 @@ static int bmp_decode_frame(AVCodecContext *avctx, if(avctx->pix_fmt == PIX_FMT_PAL8){ int colors = 1 << depth; + + memset(p->data[1], 0, 1024); + if(ihsize >= 36){ int t; buf = buf0 + 46; From 0892a6340f86ff6ae4346fbb86d339ec1c58877b Mon Sep 17 00:00:00 2001 From: Max Lazarov Date: Fri, 30 Mar 2012 23:56:56 -0700 Subject: [PATCH 0936/1119] eval: fix swapping of lt() and lte() CC: libav-stable@libav.org (cherry picked from commit caac3ab6efde4fc9769e8a7472269356f262970a) Signed-off-by: Anton Khirnov --- libavutil/eval.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index 8bcba3632d..7dd1d03a26 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -273,8 +273,8 @@ static int parse_primary(AVExpr **e, Parser *p) else if (strmatch(next, "eq" )) d->type = e_eq; else if (strmatch(next, "gte" )) d->type = e_gte; else if (strmatch(next, "gt" )) d->type = e_gt; - else if (strmatch(next, "lte" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gt; } - else if (strmatch(next, "lt" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gte; } + else if (strmatch(next, "lte" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gte; } + else if (strmatch(next, "lt" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gt; } else if (strmatch(next, "ld" )) d->type = e_ld; else if (strmatch(next, "isnan" )) d->type = e_isnan; else if (strmatch(next, "st" )) d->type = e_st; From a81c1ea2eb6621995bdab5e7b7ebdab020fbff5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 9 Feb 2012 11:28:46 +0200 Subject: [PATCH 0937/1119] h263: Add ff_ prefix to nonstatic symbols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit ddce8953a5056800ec795df2dfd84fc17a11b5fc) Signed-off-by: Anton Khirnov --- libavcodec/h263.c | 8 ++-- libavcodec/h263.h | 42 ++++++++++---------- libavcodec/h263data.h | 24 ++++++------ libavcodec/h263dec.c | 4 +- libavcodec/intelh263dec.c | 4 +- libavcodec/ituh263dec.c | 78 +++++++++++++++++++------------------- libavcodec/ituh263enc.c | 44 ++++++++++----------- libavcodec/mpeg4videodec.c | 50 ++++++++++++------------ libavcodec/mpeg4videoenc.c | 6 +-- libavcodec/mpegvideo_enc.c | 10 ++--- libavcodec/msmpeg4.c | 16 ++++---- libavcodec/msmpeg4data.c | 12 +++--- libavcodec/rv10.c | 2 +- libavcodec/rv34data.h | 2 +- libavcodec/snow.c | 2 +- libavcodec/svq1dec.c | 6 +-- libavcodec/svq1enc.c | 4 +- libavcodec/wmv2enc.c | 2 +- 18 files changed, 158 insertions(+), 158 deletions(-) diff --git a/libavcodec/h263.c b/libavcodec/h263.c index 5c25df2272..ad045af7a5 100644 --- a/libavcodec/h263.c +++ b/libavcodec/h263.c @@ -98,7 +98,7 @@ void ff_h263_update_motion_val(MpegEncContext * s){ } } -int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr) +int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr) { int x, y, wrap, a, c, pred_dc; int16_t *dc_val; @@ -226,7 +226,7 @@ void ff_h263_loop_filter(MpegEncContext * s){ } } -void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) +void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) { int x, y, wrap, a, c, pred_dc, scale, i; int16_t *dc_val, *ac_val, *ac_val1; @@ -313,8 +313,8 @@ void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) ac_val1[8 + i] = block[s->dsp.idct_permutation[i ]]; } -int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir, - int *px, int *py) +int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir, + int *px, int *py) { int wrap; int16_t *A, *B, *C, (*mot_val)[2]; diff --git a/libavcodec/h263.h b/libavcodec/h263.h index 1dc300709e..77f7c3bc52 100644 --- a/libavcodec/h263.h +++ b/libavcodec/h263.h @@ -38,16 +38,16 @@ extern const AVRational ff_h263_pixel_aspect[16]; extern const uint8_t ff_h263_cbpy_tab[16][2]; -extern const uint8_t cbpc_b_tab[4][2]; +extern const uint8_t ff_cbpc_b_tab[4][2]; -extern const uint8_t mvtab[33][2]; +extern const uint8_t ff_mvtab[33][2]; extern const uint8_t ff_h263_intra_MCBPC_code[9]; extern const uint8_t ff_h263_intra_MCBPC_bits[9]; extern const uint8_t ff_h263_inter_MCBPC_code[28]; extern const uint8_t ff_h263_inter_MCBPC_bits[28]; -extern const uint8_t h263_mbtype_b_tab[15][2]; +extern const uint8_t ff_h263_mbtype_b_tab[15][2]; extern VLC ff_h263_intra_MCBPC_vlc; extern VLC ff_h263_inter_MCBPC_vlc; @@ -55,41 +55,41 @@ extern VLC ff_h263_cbpy_vlc; extern RLTable ff_h263_rl_inter; -extern RLTable rl_intra_aic; +extern RLTable ff_rl_intra_aic; -extern const uint16_t h263_format[8][2]; -extern const uint8_t modified_quant_tab[2][32]; +extern const uint16_t ff_h263_format[8][2]; +extern const uint8_t ff_modified_quant_tab[2][32]; extern uint16_t ff_mba_max[6]; extern uint8_t ff_mba_length[7]; extern uint8_t ff_h263_static_rl_table_store[2][2][2*MAX_RUN + MAX_LEVEL + 3]; -int h263_decode_motion(MpegEncContext * s, int pred, int f_code); +int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code); av_const int ff_h263_aspect_to_info(AVRational aspect); int ff_h263_decode_init(AVCodecContext *avctx); int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt); int ff_h263_decode_end(AVCodecContext *avctx); -void h263_encode_mb(MpegEncContext *s, - DCTELEM block[6][64], - int motion_x, int motion_y); -void h263_encode_picture_header(MpegEncContext *s, int picture_number); -void h263_encode_gob_header(MpegEncContext * s, int mb_line); -int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir, - int *px, int *py); -void h263_encode_init(MpegEncContext *s); -void h263_decode_init_vlc(MpegEncContext *s); -int h263_decode_picture_header(MpegEncContext *s); +void ff_h263_encode_mb(MpegEncContext *s, + DCTELEM block[6][64], + int motion_x, int motion_y); +void ff_h263_encode_picture_header(MpegEncContext *s, int picture_number); +void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line); +int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir, + int *px, int *py); +void ff_h263_encode_init(MpegEncContext *s); +void ff_h263_decode_init_vlc(MpegEncContext *s); +int ff_h263_decode_picture_header(MpegEncContext *s); int ff_h263_decode_gob_header(MpegEncContext *s); void ff_h263_update_motion_val(MpegEncContext * s); void ff_h263_loop_filter(MpegEncContext * s); int ff_h263_decode_mba(MpegEncContext *s); void ff_h263_encode_mba(MpegEncContext *s); void ff_init_qscale_tab(MpegEncContext *s); -int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr); -void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n); +int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr); +void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n); /** @@ -119,7 +119,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code int l, bit_size, code; if (val == 0) { - return mvtab[0][1]; + return ff_mvtab[0][1]; } else { bit_size = f_code - 1; /* modulo encoding */ @@ -128,7 +128,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code val--; code = (val >> bit_size) + 1; - return mvtab[code][1] + 1 + bit_size; + return ff_mvtab[code][1] + 1 + bit_size; } } diff --git a/libavcodec/h263data.h b/libavcodec/h263data.h index 966da56110..e3b83ad2e4 100644 --- a/libavcodec/h263data.h +++ b/libavcodec/h263data.h @@ -57,7 +57,7 @@ const uint8_t ff_h263_inter_MCBPC_bits[28] = { 11, 13, 13, 13,/* inter4Q*/ }; -const uint8_t h263_mbtype_b_tab[15][2] = { +const uint8_t ff_h263_mbtype_b_tab[15][2] = { {1, 1}, {3, 3}, {1, 5}, @@ -75,7 +75,7 @@ const uint8_t h263_mbtype_b_tab[15][2] = { {1, 8}, }; -const uint8_t cbpc_b_tab[4][2] = { +const uint8_t ff_cbpc_b_tab[4][2] = { {0, 1}, {2, 2}, {7, 3}, @@ -88,7 +88,7 @@ const uint8_t ff_h263_cbpy_tab[16][2] = {2,5}, {3,6}, {5,4}, {10,4}, {4,4}, {8,4}, {6,4}, {3,2} }; -const uint8_t mvtab[33][2] = +const uint8_t ff_mvtab[33][2] = { {1,1}, {1,2}, {1,3}, {1,4}, {3,6}, {5,7}, {4,7}, {3,7}, {11,9}, {10,9}, {9,9}, {17,10}, {16,10}, {15,10}, {14,10}, {13,10}, @@ -98,7 +98,7 @@ const uint8_t mvtab[33][2] = }; /* third non intra table */ -const uint16_t inter_vlc[103][2] = { +const uint16_t ff_inter_vlc[103][2] = { { 0x2, 2 },{ 0xf, 4 },{ 0x15, 6 },{ 0x17, 7 }, { 0x1f, 8 },{ 0x25, 9 },{ 0x24, 9 },{ 0x21, 10 }, { 0x20, 10 },{ 0x7, 11 },{ 0x6, 11 },{ 0x20, 11 }, @@ -127,7 +127,7 @@ const uint16_t inter_vlc[103][2] = { { 0x5e, 12 },{ 0x5f, 12 },{ 0x3, 7 }, }; -const int8_t inter_level[102] = { +const int8_t ff_inter_level[102] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 1, 2, @@ -143,7 +143,7 @@ const int8_t inter_level[102] = { 1, 1, 1, 1, 1, 1, }; -const int8_t inter_run[102] = { +const int8_t ff_inter_run[102] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, @@ -162,9 +162,9 @@ const int8_t inter_run[102] = { RLTable ff_h263_rl_inter = { 102, 58, - inter_vlc, - inter_run, - inter_level, + ff_inter_vlc, + ff_inter_run, + ff_inter_level, }; static const uint16_t intra_vlc_aic[103][2] = { @@ -228,7 +228,7 @@ static const int8_t intra_level_aic[102] = { 1, 1, 1, 1, 1, 1, }; -RLTable rl_intra_aic = { +RLTable ff_rl_intra_aic = { 102, 58, intra_vlc_aic, @@ -236,7 +236,7 @@ RLTable rl_intra_aic = { intra_level_aic, }; -const uint16_t h263_format[8][2] = { +const uint16_t ff_h263_format[8][2] = { { 0, 0 }, { 128, 96 }, { 176, 144 }, @@ -250,7 +250,7 @@ const uint8_t ff_aic_dc_scale_table[32]={ 0, 2, 4, 6, 8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62 }; -const uint8_t modified_quant_tab[2][32]={ +const uint8_t ff_modified_quant_tab[2][32]={ // 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 { 0, 3, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9,10,11,12,13,14,15,16,17,18,18,19,20,21,22,23,24,25,26,27,28 diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 15fc724e54..38fd85abe2 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -111,7 +111,7 @@ av_cold int ff_h263_decode_init(AVCodecContext *avctx) if (MPV_common_init(s) < 0) return -1; - h263_decode_init_vlc(s); + ff_h263_decode_init_vlc(s); return 0; } @@ -417,7 +417,7 @@ retry: } else if (CONFIG_FLV_DECODER && s->h263_flv) { ret = ff_flv_decode_picture_header(s); } else { - ret = h263_decode_picture_header(s); + ret = ff_h263_decode_picture_header(s); } if(ret==FRAME_SKIPPED) return get_consumed_bytes(s, buf_size); diff --git a/libavcodec/intelh263dec.c b/libavcodec/intelh263dec.c index 83049bcc6f..0a2431ecd6 100644 --- a/libavcodec/intelh263dec.c +++ b/libavcodec/intelh263dec.c @@ -65,8 +65,8 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s) s->pb_frame = get_bits1(&s->gb); if (format < 6) { - s->width = h263_format[format][0]; - s->height = h263_format[format][1]; + s->width = ff_h263_format[format][0]; + s->height = ff_h263_format[format][1]; s->avctx->sample_aspect_ratio.num = 12; s->avctx->sample_aspect_ratio.den = 11; } else { diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 0bb92da833..1359c0026f 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -100,7 +100,7 @@ static VLC cbpc_b_vlc; /* init vlcs */ /* XXX: find a better solution to handle static init */ -void h263_decode_init_vlc(MpegEncContext *s) +void ff_h263_decode_init_vlc(MpegEncContext *s) { static int done = 0; @@ -117,18 +117,18 @@ void h263_decode_init_vlc(MpegEncContext *s) &ff_h263_cbpy_tab[0][1], 2, 1, &ff_h263_cbpy_tab[0][0], 2, 1, 64); INIT_VLC_STATIC(&mv_vlc, MV_VLC_BITS, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 538); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 538); init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]); + init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); INIT_VLC_RL(ff_h263_rl_inter, 554); - INIT_VLC_RL(rl_intra_aic, 554); + INIT_VLC_RL(ff_rl_intra_aic, 554); INIT_VLC_STATIC(&h263_mbtype_b_vlc, H263_MBTYPE_B_VLC_BITS, 15, - &h263_mbtype_b_tab[0][1], 2, 1, - &h263_mbtype_b_tab[0][0], 2, 1, 80); + &ff_h263_mbtype_b_tab[0][1], 2, 1, + &ff_h263_mbtype_b_tab[0][0], 2, 1, 80); INIT_VLC_STATIC(&cbpc_b_vlc, CBPC_B_VLC_BITS, 4, - &cbpc_b_tab[0][1], 2, 1, - &cbpc_b_tab[0][0], 2, 1, 8); + &ff_cbpc_b_tab[0][1], 2, 1, + &ff_cbpc_b_tab[0][0], 2, 1, 8); } } @@ -268,7 +268,7 @@ int ff_h263_resync(MpegEncContext *s){ return -1; } -int h263_decode_motion(MpegEncContext * s, int pred, int f_code) +int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code) { int code, val, sign, shift, l; code = get_vlc2(&s->gb, mv_vlc.table, MV_VLC_BITS, 2); @@ -379,16 +379,16 @@ static void preview_obmc(MpegEncContext *s){ if ((cbpc & 16) == 0) { s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ - mot_val= h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + mot_val= ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); mot_val[0 ]= mot_val[2 ]= mot_val[0+stride]= mot_val[2+stride]= mx; @@ -397,16 +397,16 @@ static void preview_obmc(MpegEncContext *s){ } else { s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (s->umvplus && (mx - pred_x) == 1 && (my - pred_y) == 1) skip_bits1(&s->gb); /* Bit stuffing to prevent PSC */ mot_val[0] = mx; @@ -430,7 +430,7 @@ static void h263_decode_dquant(MpegEncContext *s){ if(s->modified_quant){ if(get_bits1(&s->gb)) - s->qscale= modified_quant_tab[get_bits1(&s->gb)][ s->qscale ]; + s->qscale= ff_modified_quant_tab[get_bits1(&s->gb)][ s->qscale ]; else s->qscale= get_bits(&s->gb, 5); }else @@ -448,7 +448,7 @@ static int h263_decode_block(MpegEncContext * s, DCTELEM * block, scan_table = s->intra_scantable.permutated; if (s->h263_aic && s->mb_intra) { - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; i = 0; if (s->ac_pred) { if (s->h263_aic_dir) @@ -537,7 +537,7 @@ retry: if (i >= 64){ if(s->alt_inter_vlc && rl == &ff_h263_rl_inter && !s->mb_intra){ //Looks like a hack but no, it's the way it is supposed to work ... - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; i = 0; s->gb= gb; s->dsp.clear_block(block); @@ -554,7 +554,7 @@ retry: } not_coded: if (s->mb_intra && s->h263_aic) { - h263_pred_acdc(s, block, n); + ff_h263_pred_acdc(s, block, n); i = 63; } s->block_last_index[n] = i; @@ -653,11 +653,11 @@ int ff_h263_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ s->mv_type = MV_TYPE_16X16; - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (mx >= 0xffff) return -1; @@ -665,7 +665,7 @@ int ff_h263_decode_mb(MpegEncContext *s, if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (my >= 0xffff) return -1; @@ -678,18 +678,18 @@ int ff_h263_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; s->mv_type = MV_TYPE_8X8; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (mx >= 0xffff) return -1; if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (my >= 0xffff) return -1; s->mv[0][i][0] = mx; @@ -761,11 +761,11 @@ int ff_h263_decode_mb(MpegEncContext *s, //FIXME UMV if(USES_LIST(mb_type, 0)){ - int16_t *mot_val= h263_pred_motion(s, 0, 0, &mx, &my); + int16_t *mot_val= ff_h263_pred_motion(s, 0, 0, &mx, &my); s->mv_dir = MV_DIR_FORWARD; - mx = h263_decode_motion(s, mx, 1); - my = h263_decode_motion(s, my, 1); + mx = ff_h263_decode_motion(s, mx, 1); + my = ff_h263_decode_motion(s, my, 1); s->mv[0][0][0] = mx; s->mv[0][0][1] = my; @@ -774,11 +774,11 @@ int ff_h263_decode_mb(MpegEncContext *s, } if(USES_LIST(mb_type, 1)){ - int16_t *mot_val= h263_pred_motion(s, 0, 1, &mx, &my); + int16_t *mot_val= ff_h263_pred_motion(s, 0, 1, &mx, &my); s->mv_dir |= MV_DIR_BACKWARD; - mx = h263_decode_motion(s, mx, 1); - my = h263_decode_motion(s, my, 1); + mx = ff_h263_decode_motion(s, mx, 1); + my = ff_h263_decode_motion(s, my, 1); s->mv[1][0][0] = mx; s->mv[1][0][1] = my; @@ -829,8 +829,8 @@ intra: } while(pb_mv_count--){ - h263_decode_motion(s, 0, 1); - h263_decode_motion(s, 0, 1); + ff_h263_decode_motion(s, 0, 1); + ff_h263_decode_motion(s, 0, 1); } /* decode each block */ @@ -864,7 +864,7 @@ end: } /* most is hardcoded. should extend to handle all h263 streams */ -int h263_decode_picture_header(MpegEncContext *s) +int ff_h263_decode_picture_header(MpegEncContext *s) { int format, width, height, i; uint32_t startcode; @@ -916,8 +916,8 @@ int h263_decode_picture_header(MpegEncContext *s) if (format != 7 && format != 6) { s->h263_plus = 0; /* H.263v1 */ - width = h263_format[format][0]; - height = h263_format[format][1]; + width = ff_h263_format[format][0]; + height = ff_h263_format[format][1]; if (!width) return -1; @@ -1024,8 +1024,8 @@ int h263_decode_picture_header(MpegEncContext *s) s->avctx->sample_aspect_ratio= ff_h263_pixel_aspect[s->aspect_ratio_info]; } } else { - width = h263_format[format][0]; - height = h263_format[format][1]; + width = ff_h263_format[format][0]; + height = ff_h263_format[format][1]; s->avctx->sample_aspect_ratio= (AVRational){12,11}; } if ((width == 0) || (height == 0)) diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index cadf389866..1c7c1a1e83 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -102,7 +102,7 @@ av_const int ff_h263_aspect_to_info(AVRational aspect){ return FF_ASPECT_EXTENDED; } -void h263_encode_picture_header(MpegEncContext * s, int picture_number) +void ff_h263_encode_picture_header(MpegEncContext * s, int picture_number) { int format, coded_frame_rate, coded_frame_rate_base, i, temp_ref; int best_clock_code=1; @@ -141,7 +141,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number) put_bits(&s->pb, 1, 0); /* camera off */ put_bits(&s->pb, 1, 0); /* freeze picture release off */ - format = ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height); + format = ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height); if (!s->h263_plus) { /* H.263v1 */ put_bits(&s->pb, 3, format); @@ -247,7 +247,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number) /** * Encode a group of blocks header. */ -void h263_encode_gob_header(MpegEncContext * s, int mb_line) +void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line) { put_bits(&s->pb, 17, 1); /* GBSC */ @@ -333,7 +333,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) } else { i = 0; if (s->h263_aic && s->mb_intra) - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; if(s->alt_inter_vlc && !s->mb_intra){ int aic_vlc_bits=0; @@ -353,14 +353,14 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) if(level<0) level= -level; code = get_rl_index(rl, last, run, level); - aic_code = get_rl_index(&rl_intra_aic, last, run, level); + aic_code = get_rl_index(&ff_rl_intra_aic, last, run, level); inter_vlc_bits += rl->table_vlc[code][1]+1; - aic_vlc_bits += rl_intra_aic.table_vlc[aic_code][1]+1; + aic_vlc_bits += ff_rl_intra_aic.table_vlc[aic_code][1]+1; if (code == rl->n) { inter_vlc_bits += 1+6+8-1; } - if (aic_code == rl_intra_aic.n) { + if (aic_code == ff_rl_intra_aic.n) { aic_vlc_bits += 1+6+8-1; wrong_pos += run + 1; }else @@ -370,7 +370,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) } i = 0; if(aic_vlc_bits < inter_vlc_bits && wrong_pos > 63) - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; } } @@ -454,9 +454,9 @@ static void h263p_encode_umotion(MpegEncContext * s, int val) } } -void h263_encode_mb(MpegEncContext * s, - DCTELEM block[6][64], - int motion_x, int motion_y) +void ff_h263_encode_mb(MpegEncContext * s, + DCTELEM block[6][64], + int motion_x, int motion_y) { int cbpc, cbpy, i, cbp, pred_x, pred_y; int16_t pred_dc; @@ -500,7 +500,7 @@ void h263_encode_mb(MpegEncContext * s, } /* motion vectors: 16x16 mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (!s->umvplus) { ff_h263_encode_motion_vector(s, motion_x - pred_x, @@ -527,7 +527,7 @@ void h263_encode_mb(MpegEncContext * s, for(i=0; i<4; i++){ /* motion vectors: 8x8 mode*/ - h263_pred_motion(s, i, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); motion_x= s->current_picture.motion_val[0][ s->block_index[i] ][0]; motion_y= s->current_picture.motion_val[0][ s->block_index[i] ][1]; @@ -561,7 +561,7 @@ void h263_encode_mb(MpegEncContext * s, if(i<4) scale= s->y_dc_scale; else scale= s->c_dc_scale; - pred_dc = h263_pred_dc(s, i, &dc_ptr[i]); + pred_dc = ff_h263_pred_dc(s, i, &dc_ptr[i]); level -= pred_dc; /* Quant */ if (level >= 0) @@ -662,7 +662,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code) if (val == 0) { /* zero vector */ code = 0; - put_bits(&s->pb, mvtab[code][1], mvtab[code][0]); + put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]); } else { bit_size = f_code - 1; range = 1 << bit_size; @@ -677,7 +677,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code) code = (val >> bit_size) + 1; bits = val & (range - 1); - put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign); + put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign); if (bit_size > 0) { put_bits(&s->pb, bit_size, bits); } @@ -693,7 +693,7 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s) for(mv=-MAX_MV; mv<=MAX_MV; mv++){ int len; - if(mv==0) len= mvtab[0][1]; + if(mv==0) len= ff_mvtab[0][1]; else{ int val, bit_size, code; @@ -705,9 +705,9 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s) val--; code = (val >> bit_size) + 1; if(code<33){ - len= mvtab[code][1] + 1 + bit_size; + len= ff_mvtab[code][1] + 1 + bit_size; }else{ - len= mvtab[32][1] + av_log2(code>>5) + 2 + bit_size; + len= ff_mvtab[32][1] + av_log2(code>>5) + 2 + bit_size; } } @@ -769,7 +769,7 @@ static void init_uni_h263_rl_tab(RLTable *rl, uint32_t *bits_tab, uint8_t *len_t } } -void h263_encode_init(MpegEncContext *s) +void ff_h263_encode_init(MpegEncContext *s) { static int done = 0; @@ -777,9 +777,9 @@ void h263_encode_init(MpegEncContext *s) done = 1; init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]); + init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); - init_uni_h263_rl_tab(&rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); + init_uni_h263_rl_tab(&ff_rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); init_uni_h263_rl_tab(&ff_h263_rl_inter , NULL, uni_h263_inter_rl_len); init_mv_penalty_and_fcode(s); diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 22d7ace789..96f077a55c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -651,13 +651,13 @@ try_again: if ((cbpc & 16) == 0) { /* 16x16 motion prediction */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if(!s->mcsel){ - mx = h263_decode_motion(s, pred_x, s->f_code); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; @@ -675,12 +675,12 @@ try_again: int i; s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; for(i=0;i<4;i++) { - int16_t *mot_val= h263_pred_motion(s, i, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + int16_t *mot_val= ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; mot_val[0] = mx; @@ -1245,14 +1245,14 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->field_select[0][0]= get_bits1(&s->gb); s->field_select[0][1]= get_bits1(&s->gb); - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); for(i=0; i<2; i++){ - mx = h263_decode_motion(s, pred_x, s->f_code); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y/2, s->f_code); + my = ff_h263_decode_motion(s, pred_y/2, s->f_code); if (my >= 0xffff) return -1; @@ -1263,13 +1263,13 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ s->mv_type = MV_TYPE_16X16; - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; @@ -1280,12 +1280,12 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; s->mv_type = MV_TYPE_8X8; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; s->mv[0][i][0] = mx; @@ -1381,8 +1381,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(USES_LIST(mb_type, 0)){ s->mv_dir = MV_DIR_FORWARD; - mx = h263_decode_motion(s, s->last_mv[0][0][0], s->f_code); - my = h263_decode_motion(s, s->last_mv[0][0][1], s->f_code); + mx = ff_h263_decode_motion(s, s->last_mv[0][0][0], s->f_code); + my = ff_h263_decode_motion(s, s->last_mv[0][0][1], s->f_code); s->last_mv[0][1][0]= s->last_mv[0][0][0]= s->mv[0][0][0] = mx; s->last_mv[0][1][1]= s->last_mv[0][0][1]= s->mv[0][0][1] = my; } @@ -1390,8 +1390,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(USES_LIST(mb_type, 1)){ s->mv_dir |= MV_DIR_BACKWARD; - mx = h263_decode_motion(s, s->last_mv[1][0][0], s->b_code); - my = h263_decode_motion(s, s->last_mv[1][0][1], s->b_code); + mx = ff_h263_decode_motion(s, s->last_mv[1][0][0], s->b_code); + my = ff_h263_decode_motion(s, s->last_mv[1][0][1], s->b_code); s->last_mv[1][1][0]= s->last_mv[1][0][0]= s->mv[1][0][0] = mx; s->last_mv[1][1][1]= s->last_mv[1][0][1]= s->mv[1][0][1] = my; } @@ -1402,8 +1402,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->mv_dir = MV_DIR_FORWARD; for(i=0; i<2; i++){ - mx = h263_decode_motion(s, s->last_mv[0][i][0] , s->f_code); - my = h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code); + mx = ff_h263_decode_motion(s, s->last_mv[0][i][0] , s->f_code); + my = ff_h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code); s->last_mv[0][i][0]= s->mv[0][i][0] = mx; s->last_mv[0][i][1]= (s->mv[0][i][1] = my)*2; } @@ -1413,8 +1413,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->mv_dir |= MV_DIR_BACKWARD; for(i=0; i<2; i++){ - mx = h263_decode_motion(s, s->last_mv[1][i][0] , s->b_code); - my = h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code); + mx = ff_h263_decode_motion(s, s->last_mv[1][i][0] , s->b_code); + my = ff_h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code); s->last_mv[1][i][0]= s->mv[1][i][0] = mx; s->last_mv[1][i][1]= (s->mv[1][i][1] = my)*2; } @@ -1426,8 +1426,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(IS_SKIP(mb_type)) mx=my=0; else{ - mx = h263_decode_motion(s, 0, 1); - my = h263_decode_motion(s, 0, 1); + mx = ff_h263_decode_motion(s, 0, 1); + my = ff_h263_decode_motion(s, 0, 1); } s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT; diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 8a9bd198df..9d33ff9f3b 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -715,7 +715,7 @@ void mpeg4_encode_mb(MpegEncContext * s, } /* motion vectors: 16x16 mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_h263_encode_motion_vector(s, motion_x - pred_x, motion_y - pred_y, s->f_code); @@ -739,7 +739,7 @@ void mpeg4_encode_mb(MpegEncContext * s, } /* motion vectors: 16x8 interlaced mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); pred_y /=2; put_bits(&s->pb, 1, s->field_select[0][0]); @@ -767,7 +767,7 @@ void mpeg4_encode_mb(MpegEncContext * s, for(i=0; i<4; i++){ /* motion vectors: 8x8 mode*/ - h263_pred_motion(s, i, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); ff_h263_encode_motion_vector(s, s->current_picture.motion_val[0][ s->block_index[i] ][0] - pred_x, s->current_picture.motion_val[0][ s->block_index[i] ][1] - pred_y, s->f_code); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index ab717ebf4e..61d00ede29 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -581,7 +581,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) break; case CODEC_ID_H263: if (!CONFIG_H263_ENCODER) return -1; - if (ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height) == 8) { + if (ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height) == 8) { av_log(avctx, AV_LOG_INFO, "The specified picture size of %dx%d is not valid for the H.263 codec.\nValid sizes are 128x96, 176x144, 352x288, 704x576, and 1408x1152. Try H.263+.\n", s->width, s->height); return -1; } @@ -707,7 +707,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) if (CONFIG_H261_ENCODER && s->out_format == FMT_H261) ff_h261_encode_init(s); if (CONFIG_H263_ENCODER && s->out_format == FMT_H263) - h263_encode_init(s); + ff_h263_encode_init(s); if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_init(s); if ((CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER) @@ -1767,7 +1767,7 @@ static av_always_inline void encode_mb_internal(MpegEncContext *s, int motion_x, case CODEC_ID_RV10: case CODEC_ID_RV20: if (CONFIG_H263_ENCODER) - h263_encode_mb(s, s->block, motion_x, motion_y); + ff_h263_encode_mb(s, s->block, motion_x, motion_y); break; case CODEC_ID_MJPEG: if (CONFIG_MJPEG_ENCODER) @@ -2199,7 +2199,7 @@ static int encode_thread(AVCodecContext *c, void *arg){ case CODEC_ID_H263: case CODEC_ID_H263P: if (CONFIG_H263_ENCODER) - h263_encode_gob_header(s, mb_y); + ff_h263_encode_gob_header(s, mb_y); break; } @@ -2949,7 +2949,7 @@ static int encode_picture(MpegEncContext *s, int picture_number) else if (CONFIG_FLV_ENCODER && s->codec_id == CODEC_ID_FLV1) ff_flv_encode_picture_header(s, picture_number); else if (CONFIG_H263_ENCODER) - h263_encode_picture_header(s, picture_number); + ff_h263_encode_picture_header(s, picture_number); break; case FMT_MPEG1: if (CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER) diff --git a/libavcodec/msmpeg4.c b/libavcodec/msmpeg4.c index c740cfa0bd..f055f64a1c 100644 --- a/libavcodec/msmpeg4.c +++ b/libavcodec/msmpeg4.c @@ -511,7 +511,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val) if (val == 0) { /* zero vector */ code = 0; - put_bits(&s->pb, mvtab[code][1], mvtab[code][0]); + put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]); } else { bit_size = s->f_code - 1; range = 1 << bit_size; @@ -530,7 +530,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val) code = (val >> bit_size) + 1; bits = val & (range - 1); - put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign); + put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign); if (bit_size > 0) { put_bits(&s->pb, bit_size, bits); } @@ -579,7 +579,7 @@ void msmpeg4_encode_mb(MpegEncContext * s, s->misc_bits += get_bits_diff(s); - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); msmpeg4v2_encode_motion(s, motion_x - pred_x); msmpeg4v2_encode_motion(s, motion_y - pred_y); }else{ @@ -590,7 +590,7 @@ void msmpeg4_encode_mb(MpegEncContext * s, s->misc_bits += get_bits_diff(s); /* motion vector */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_msmpeg4_encode_motion(s, motion_x - pred_x, motion_y - pred_y); } @@ -1138,7 +1138,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, DCTELEM block[6][64]) cbp|= cbpy<<2; if(s->msmpeg4_version==1 || (cbp&3) != 3) cbp^= 0x3C; - h263_pred_motion(s, 0, 0, &mx, &my); + ff_h263_pred_motion(s, 0, 0, &mx, &my); mx= msmpeg4v2_decode_motion(s, mx, 1); my= msmpeg4v2_decode_motion(s, my, 1); @@ -1224,7 +1224,7 @@ static int msmpeg4v34_decode_mb(MpegEncContext *s, DCTELEM block[6][64]) s->rl_table_index = decode012(&s->gb); s->rl_chroma_table_index = s->rl_table_index; } - h263_pred_motion(s, 0, 0, &mx, &my); + ff_h263_pred_motion(s, 0, 0, &mx, &my); if (ff_msmpeg4_decode_motion(s, &mx, &my) < 0) return -1; s->mv_dir = MV_DIR_FORWARD; @@ -1320,8 +1320,8 @@ av_cold int ff_msmpeg4_decode_init(AVCodecContext *avctx) &v2_mb_type[0][1], 2, 1, &v2_mb_type[0][0], 2, 1, 128); INIT_VLC_STATIC(&v2_mv_vlc, V2_MV_VLC_BITS, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 538); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 538); INIT_VLC_STATIC(&ff_mb_non_intra_vlc[0], MB_NON_INTRA_VLC_BITS, 128, &wmv2_inter_table[0][0][1], 8, 4, diff --git a/libavcodec/msmpeg4data.c b/libavcodec/msmpeg4data.c index eeb812297d..811086364c 100644 --- a/libavcodec/msmpeg4data.c +++ b/libavcodec/msmpeg4data.c @@ -592,9 +592,9 @@ static const int8_t table4_run[168] = { 29, 30, 31, 32, 33, 34, 35, 36, }; -extern const uint16_t inter_vlc[103][2]; -extern const int8_t inter_level[102]; -extern const int8_t inter_run[102]; +extern const uint16_t ff_inter_vlc[103][2]; +extern const int8_t ff_inter_level[102]; +extern const int8_t ff_inter_run[102]; extern const uint16_t ff_mpeg4_intra_vlc[103][2]; extern const int8_t ff_mpeg4_intra_level[102]; @@ -647,9 +647,9 @@ RLTable rl_table[NB_RL_TABLES] = { { 102, 58, - inter_vlc, - inter_run, - inter_level, + ff_inter_vlc, + ff_inter_run, + ff_inter_level, }, }; diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 3ac0378d7d..8d5b62f925 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -482,7 +482,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) if (MPV_common_init(s) < 0) return -1; - h263_decode_init_vlc(s); + ff_h263_decode_init_vlc(s); /* init rv vlc */ if (!done) { diff --git a/libavcodec/rv34data.h b/libavcodec/rv34data.h index f8f941d061..d7e177d189 100644 --- a/libavcodec/rv34data.h +++ b/libavcodec/rv34data.h @@ -123,7 +123,7 @@ static const uint8_t rv34_quant_to_vlc_set[2][31] = { /** * table for obtaining the quantizer difference - * @todo Use with modified_quant_tab from h263data.h. + * @todo Use with ff_modified_quant_tab from h263data.h. */ static const uint8_t rv34_dquant_tab[2][32]={ // 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 28f04f119b..ac27637f08 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -2301,7 +2301,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->m.me.map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->m.obmc_scratchpad= av_mallocz(MB_SIZE*MB_SIZE*12*sizeof(uint32_t)); - h263_encode_init(&s->m); //mv_penalty + ff_h263_encode_init(&s->m); //mv_penalty s->max_ref_frames = FFMAX(FFMIN(avctx->refs, MAX_REF_FRAMES), 1); diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 325cc1289b..b5159df4b8 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -43,7 +43,7 @@ #undef NDEBUG #include -extern const uint8_t mvtab[33][2]; +extern const uint8_t ff_mvtab[33][2]; static VLC svq1_block_type; static VLC svq1_motion_component; @@ -768,8 +768,8 @@ static av_cold int svq1_decode_init(AVCodecContext *avctx) &ff_svq1_block_type_vlc[0][0], 2, 1, 6); INIT_VLC_STATIC(&svq1_motion_component, 7, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 176); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 176); for (i = 0; i < 6; i++) { static const uint8_t sizes[2][6] = {{14, 10, 14, 18, 16, 18}, {10, 10, 14, 14, 14, 16}}; diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index fbeca803f0..d8980c6927 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -406,7 +406,7 @@ static int svq1_encode_plane(SVQ1Context *s, int plane, unsigned char *src_plane int mx, my, pred_x, pred_y, dxy; int16_t *motion_ptr; - motion_ptr= h263_pred_motion(&s->m, 0, 0, &pred_x, &pred_y); + motion_ptr= ff_h263_pred_motion(&s->m, 0, 0, &pred_x, &pred_y); if(s->m.mb_type[x + y*s->m.mb_stride]&CANDIDATE_MB_TYPE_INTER){ for(i=0; i<6; i++) init_put_bits(&s->reorder_pb[i], reorder_buffer[1][i], 7*32); @@ -496,7 +496,7 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->mb_type = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int16_t)); s->dummy = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int32_t)); - h263_encode_init(&s->m); //mv_penalty + ff_h263_encode_init(&s->m); //mv_penalty return 0; } diff --git a/libavcodec/wmv2enc.c b/libavcodec/wmv2enc.c index 9b7890c0f0..6a3ac3e983 100644 --- a/libavcodec/wmv2enc.c +++ b/libavcodec/wmv2enc.c @@ -171,7 +171,7 @@ void ff_wmv2_encode_mb(MpegEncContext * s, wmv2_inter_table[w->cbp_table_index][cbp + 64][0]); /* motion vector */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_msmpeg4_encode_motion(s, motion_x - pred_x, motion_y - pred_y); } else { From 99008ba3667a28af5efe0934aa20aa37df8dbd86 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 13 Feb 2012 21:14:19 +0100 Subject: [PATCH 0938/1119] rv34: use AVERROR return values in ff_rv34_decode_frame() Also adds an error message. (cherry picked from commit 29330721b0e8514f9f8b4d54be75a662a2b79e44) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index cc1cae2616..a20a9892b8 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,15 +1444,20 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if(get_slice_offset(avctx, slices_hdr, 0) < 0 || get_slice_offset(avctx, slices_hdr, 0) > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); - return -1; + return AVERROR_INVALIDDATA; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); - return -1; + return AVERROR_INVALIDDATA; } - if((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) && si.type == AV_PICTURE_TYPE_B) - return -1; + if ((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) && + si.type == AV_PICTURE_TYPE_B) { + av_log(avctx, AV_LOG_ERROR, "Invalid decoder state: B-frame without " + "reference data.\n"); + return AVERROR_INVALIDDATA; + } + if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) From 10c244cc89e80e1e924d442ccf40935bd7162178 Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: [PATCH 0939/1119] lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 1b58b50e9f..79baed03dc 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -44,6 +44,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0; + if (a == b) + return a; + if (a == b) return a; From 7a0ff7566b66da0b75dfaaca4347c7b41970f0ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Apr 2012 17:42:18 +0200 Subject: [PATCH 0940/1119] avsdec: Set dimensions instead of relying on the demuxer. The decode function assumes that the video will have those dimensions. Fixes CVE-2012-2801 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89) Signed-off-by: Reinhard Tartler --- libavcodec/avs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 3ad3d879b5..628a6e3d68 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -158,6 +158,7 @@ avs_decode_frame(AVCodecContext * avctx, static av_cold int avs_decode_init(AVCodecContext * avctx) { avctx->pix_fmt = PIX_FMT_PAL8; + avcodec_set_dimensions(avctx, 318, 198); return 0; } From 42c3a3719b055836291eec5765857872fb75a1f8 Mon Sep 17 00:00:00 2001 From: Aneesh Dogra Date: Tue, 20 Dec 2011 03:54:50 +0530 Subject: [PATCH 0941/1119] bytestream: add a new set of bytestream functions with overread checking Signed-off-by: Justin Ruggles --- libavcodec/bytestream.h | 44 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 98f00879be..ba3e4e8802 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -26,6 +26,10 @@ #include "libavutil/common.h" #include "libavutil/intreadwrite.h" +typedef struct { + const uint8_t *buffer, *buffer_end; +} GetByteContext; + #define DEF_T(type, name, bytes, read, write) \ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\ (*b) += bytes;\ @@ -34,6 +38,18 @@ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\ static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\ write(*b, value);\ (*b) += bytes;\ +}\ +static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\ +{\ + if (g->buffer_end - g->buffer < bytes)\ + return 0;\ + return bytestream_get_ ## name(&g->buffer);\ +}\ +static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\ +{\ + if (g->buffer_end - g->buffer < bytes)\ + return 0;\ + return read(g->buffer);\ } #define DEF(name, bytes, read, write) \ @@ -55,6 +71,34 @@ DEF (byte, 1, AV_RB8 , AV_WB8 ) #undef DEF64 #undef DEF_T +static av_always_inline void bytestream2_init(GetByteContext *g, + const uint8_t *buf, int buf_size) +{ + g->buffer = buf; + g->buffer_end = buf + buf_size; +} + +static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g) +{ + return g->buffer_end - g->buffer; +} + +static av_always_inline void bytestream2_skip(GetByteContext *g, + unsigned int size) +{ + g->buffer += FFMIN(g->buffer_end - g->buffer, size); +} + +static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g, + uint8_t *dst, + unsigned int size) +{ + int size2 = FFMIN(g->buffer_end - g->buffer, size); + memcpy(dst, g->buffer, size2); + g->buffer += size2; + return size2; +} + static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size) { memcpy(dst, *b, size); From 4c849c69910c6c59ba57022ef28aaf70192a0e12 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 14:47:56 +0200 Subject: [PATCH 0942/1119] dfa: check that the caller set width/height properly. Fixes CVE-2012-2786. (cherry picked from commit ee715f49a06bf3898246d01b056284a9bb1bcbb9) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 919375baf0..1cb97dc017 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -23,6 +23,8 @@ #include "avcodec.h" #include "libavutil/intreadwrite.h" #include "bytestream.h" + +#include "libavutil/imgutils.h" #include "libavutil/lzo.h" // for av_memcpy_backptr typedef struct DfaContext { @@ -35,9 +37,13 @@ typedef struct DfaContext { static av_cold int dfa_decode_init(AVCodecContext *avctx) { DfaContext *s = avctx->priv_data; + int ret; avctx->pix_fmt = PIX_FMT_PAL8; + if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) + return ret; + s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING); if (!s->frame_buf) return AVERROR(ENOMEM); From 2d63f9b4effc062138537190d4b9201d5e51cb8d Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 3 May 2012 20:10:36 +0200 Subject: [PATCH 0943/1119] dfa: add some checks to ensure that decoder won't write past frame end (cherry picked from commit 8099187e897ddc90cb3902332c76fb2542dac308) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 1cb97dc017..eeb96cf7b1 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -176,6 +176,8 @@ static int decode_dds1(uint8_t *frame, int width, int height, } else if (bitbuf & (mask << 1)) { frame += bytestream_get_le16(&src) * 2; } else { + if (frame_end - frame < width + 2) + return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++; frame += 2; @@ -237,6 +239,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height, const uint8_t *frame_end = frame + width * height; uint8_t *line_ptr; int count, i, v, lines, segments; + int y = 0; lines = bytestream_get_le16(&src); if (lines > height || src >= src_end) @@ -245,10 +248,12 @@ static int decode_wdlt(uint8_t *frame, int width, int height, while (lines--) { segments = bytestream_get_le16(&src); while ((segments & 0xC000) == 0xC000) { + unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); - if (frame_end - frame <= delta) + if (frame_end - frame <= delta || y + lines + skip_lines > height) return -1; frame += delta; + y += skip_lines; segments = bytestream_get_le16(&src); } if (segments & 0x8000) { @@ -257,6 +262,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height, } line_ptr = frame; frame += width; + y++; while (segments--) { if (src_end - src < 2) return -1; From c0df6a24ce9e1557208c33a907346e2d709b1816 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 12:39:49 +0200 Subject: [PATCH 0944/1119] indeo: check custom Huffman tables for errors (cherry picked from commit fe7a37c36febd71576cbefc385d995a8d6e444e7) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index bd3d4e6fd4..dac8d696d4 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -123,6 +123,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, if (huff_tab->tab_sel == 7) { /* custom huffman table (explicitly encoded) */ new_huff.num_rows = get_bits(gb, 4); + if (!new_huff.num_rows) { + av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); + return AVERROR_INVALIDDATA; + } for (i = 0; i < new_huff.num_rows; i++) new_huff.xbits[i] = get_bits(gb, 4); @@ -136,9 +140,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc, &huff_tab->cust_tab, 0); if (result) { + huff_tab->cust_desc.num_rows = 0; // reset faulty description av_log(avctx, AV_LOG_ERROR, "Error while initializing custom vlc table!\n"); - return -1; + return result; } } huff_tab->tab = &huff_tab->cust_tab; From 601fa565823b00424b51b66c414331fe33f18d1d Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 13:39:15 +0200 Subject: [PATCH 0945/1119] indeo: clear allocated band buffers (cherry picked from commit 23ba1503f2b11057c65052b4a07961236d8d69c7) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index dac8d696d4..2cd65e5552 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,14 +212,14 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; - band->bufs[0] = av_malloc(buf_size); - band->bufs[1] = av_malloc(buf_size); + band->bufs[0] = av_mallocz(buf_size); + band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) return AVERROR(ENOMEM); /* allocate the 3rd band buffer for scalability mode */ if (cfg->luma_bands > 1) { - band->bufs[2] = av_malloc(buf_size); + band->bufs[2] = av_mallocz(buf_size); if (!band->bufs[2]) return AVERROR(ENOMEM); } From 3c0f84402b2b12a9982e59d584768a3a5ef454f5 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 16:07:42 +0200 Subject: [PATCH 0946/1119] indeo: check for invalid motion vectors (cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 16 ++++++++++++++++ libavcodec/ivi_common.h | 1 + 2 files changed, 17 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 2cd65e5552..22af3a7314 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; + band->aheight = height_aligned; band->bufs[0] = av_mallocz(buf_size); band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) @@ -382,6 +383,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) mv_x >>= 1; mv_y >>= 1; /* convert halfpel vectors into fullpel ones */ } + if (mb->type) { + int dmv_x, dmv_y, cx, cy; + + dmv_x = mb->mv_x >> band->is_halfpel; + dmv_y = mb->mv_y >> band->is_halfpel; + cx = mb->mv_x & band->is_halfpel; + cy = mb->mv_y & band->is_halfpel; + + if ( mb->xpos + dmv_x < 0 + || mb->xpos + dmv_x + band->mb_size + cx > band->pitch + || mb->ypos + dmv_y < 0 + || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + return AVERROR_INVALIDDATA; + } + } } for (blk = 0; blk < num_blocks; blk++) { diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index fd3d82515a..cd9847d08a 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -132,6 +132,7 @@ typedef struct { int band_num; ///< band number int width; int height; + int aheight; ///< aligned band height const uint8_t *data_ptr; ///< ptr to the first byte of the band data int data_size; ///< size of the band data int16_t *buf; ///< pointer to the output buffer for this band From 8148833193c6773b3db9b1759e62c2295d487ec7 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 23 Jan 2012 21:33:34 +0100 Subject: [PATCH 0947/1119] indeo5: prevent null pointer dereference on broken files Found by John Villamil (cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index ba1bc18eff..c3f73ea1f5 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -453,6 +453,10 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, ref_mb = tile->ref_mbs; offs = tile->ypos * band->pitch + tile->xpos; + if (!ref_mb && + ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) + return AVERROR_INVALIDDATA; + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; From aa097b4d5fd41679cda6780fd8d70a3de33c6820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Apr 2012 14:11:50 +0200 Subject: [PATCH 0948/1119] indeo5: check tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Fixes CVE-2012-2794 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index c3f73ea1f5..e12cd61419 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -457,6 +457,12 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; From 44da556815fc02ed0c763e8e8bda3ea7824b7954 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 18:28:31 +0200 Subject: [PATCH 0949/1119] lagarith: check count before writing zeros. Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81) Signed-off-by: Reinhard Tartler --- libavcodec/lagarith.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 3d53536d13..5e00a75b5a 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -322,6 +322,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); + if (end - dst < count) { + av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n"); + return AVERROR_INVALIDDATA; + } + memset(dst, 0, count); l->zeros_rem -= count; dst += count; From 4a636a5e43685637129efbf2ac65f4bdad011e37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 11:07:11 +0200 Subject: [PATCH 0950/1119] wmaprodec: check num_vec_coeffs for validity Fixes CVE-2012-2789 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 99f392a584dd10b553facc8e819f2c7e982e176d) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 8fa1573354..0ae73070d2 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1158,7 +1158,12 @@ static int decode_subframe(WMAProDecodeCtx *s) int num_bits = av_log2((s->subframe_len + 3)/4) + 1; for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; - s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { + av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); + return AVERROR_INVALIDDATA; + } + s->channel[c].num_vec_coeffs = num_vec_coeffs; } } else { for (i = 0; i < s->channels_for_cur_subframe; i++) { From 05f5a2eb62db2ffb802b2c317cb48c769ab02b3b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 15:42:29 +0200 Subject: [PATCH 0951/1119] avidec: use actually read size instead of requested size Fixes CVE-2012-2788 (cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 85fc794362..a35290b19f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -984,7 +984,7 @@ resync: } ast->frame_offset += get_duration(ast, pkt->size); } - ast->remaining -= size; + ast->remaining -= err; if(!ast->remaining){ avi->stream_index= -1; ast->packet_size= 0; From 6996a2f796898753b85d9465653f995148ebc753 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 02:40:24 +0100 Subject: [PATCH 0952/1119] cavsdec: check for changing w/h. Our decoder does not support changing w/h. Fixes CVE-2012-2777 and CVE-2012-2784. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94) Signed-off-by: Reinhard Tartler --- libavcodec/cavsdec.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 35c37d0768..93e2539f31 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -608,12 +608,21 @@ static int decode_pic(AVSContext *h) { static int decode_seq_header(AVSContext *h) { MpegEncContext *s = &h->s; int frame_rate_code; + int width, height; h->profile = get_bits(&s->gb,8); h->level = get_bits(&s->gb,8); skip_bits1(&s->gb); //progressive sequence - s->width = get_bits(&s->gb,14); - s->height = get_bits(&s->gb,14); + + width = get_bits(&s->gb, 14); + height = get_bits(&s->gb, 14); + if ((s->width || s->height) && (s->width != width || s->height != height)) { + av_log_missing_feature(s, "Width/height changing in CAVS is", 0); + return AVERROR_PATCHWELCOME; + } + s->width = width; + s->height = height; + skip_bits(&s->gb,2); //chroma format skip_bits(&s->gb,3); //sample_precision h->aspect_ratio = get_bits(&s->gb,4); From e3e369f6962cb73ead3ca5d49a5cc313eb85e5fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Feb 2012 06:10:17 +0100 Subject: [PATCH 0953/1119] alsdec: Check that quantized parcor coeffs are within range. ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients ... In all cases the resulting quantized values ak are restricted to the range [-64,63]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cfe8fd37cb..4f4176ecee 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -704,6 +704,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int rice_param = parcor_rice_table[sconf->coef_table][k][1]; int offset = parcor_rice_table[sconf->coef_table][k][0]; quant_cof[k] = decode_rice(gb, rice_param) + offset; + if (quant_cof[k] < -64 || quant_cof[k] > 63) { + av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]); + return AVERROR_INVALIDDATA; + } } // read coefficients 20 to 126 From 1b48a426a96f361ee659f2054a48da312f69fc8a Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sun, 11 Mar 2012 16:56:23 +0100 Subject: [PATCH 0954/1119] alsdec: Fix out of ltp_gain_values read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4f4176ecee..25a9c5433e 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -740,7 +740,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[0] = decode_rice(gb, 1) << 3; bd->ltp_gain[1] = decode_rice(gb, 2) << 3; - r = get_unary(gb, 0, 4); + r = get_unary(gb, 0, 3); c = get_bits(gb, 2); bd->ltp_gain[2] = ltp_gain_values[r][c]; From 7e070cf2025fe7d0d7f296b7c7592e2c9b8cd1e5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 1 Jul 2012 13:36:30 +0100 Subject: [PATCH 0955/1119] alsdec: remove dead assignments Signed-off-by: Mans Rullgard (cherry picked from commit 4ca6d206d1b5beea42c4290d2ee801aaf5cd31f0) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 25a9c5433e..a7d7fd732f 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -769,7 +769,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i = start; + unsigned int i; // read most significant bits unsigned int high; @@ -780,7 +780,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; From 9474c93028444f0524e8a09a115fbdc3a3756cd0 Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sun, 15 Apr 2012 18:07:12 +0200 Subject: [PATCH 0956/1119] alsdec: fix number of decoded samples in first sub-block in BGMC mode. Fixes CVE-2012-2790 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a7d7fd732f..6678daadac 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -769,7 +769,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i; // read most significant bits unsigned int high; @@ -781,28 +780,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { + unsigned int sb_len = sb_length - (sb ? 0 : start); + k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; - ff_bgmc_decode(gb, sb_length, current_res, + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); - current_res += sb_length; + current_res += sb_len; } ff_bgmc_decode_end(gb); // read least significant bits and tails - i = start; current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++, start = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; - for (; i < sb_length; i++) { + for (; start < sb_length; start++) { int32_t res = *current_res; if (res == cur_tail_code) { From dd14723602f278966bdc1b5a39c34fcc8b9afa0e Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Thu, 2 Aug 2012 15:37:28 -0400 Subject: [PATCH 0957/1119] wmapro: prevent division by zero when sample rate is unspecified This fixes Bugzilla #327: Signed-off-by: Kostya Shishkov (cherry picked from commit 3680b2435101a5de56821718a71c828320d535a0) Signed-off-by: Anton Khirnov --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 0ae73070d2..91972c9f5c 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -326,6 +326,11 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (s->avctx->sample_rate <= 0) { + av_log(avctx, AV_LOG_ERROR, "invalid sample rate\n"); + return AVERROR_INVALIDDATA; + } + s->num_channels = avctx->channels; if (s->num_channels < 0) { From 562d6fd5b577aeab7218ce5d1cb8547aa1f4b66c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 15:26:48 +0200 Subject: [PATCH 0958/1119] avidec: return 0, not packet size from read_packet(). (cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420) Signed-off-by: Anton Khirnov --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a35290b19f..2083f28708 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -990,7 +990,7 @@ resync: ast->packet_size= 0; } - return size; + return 0; } memset(d, -1, sizeof(int)*8); From 8168a7cec951b34947c55bb14a1ba2f987ab13a3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 8 Jul 2012 17:01:17 +0200 Subject: [PATCH 0959/1119] vf_pad: don't give up its own reference to the output buffer. Conflicts: libavfilter/vf_pad.c Fixes Bug 245 Signed-off-by: Anton Khirnov --- libavfilter/vf_pad.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index d4d2b205d3..ef7cc88625 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -299,6 +299,7 @@ static void start_frame(AVFilterLink *inlink, AVFilterBufferRef *inpicref) { PadContext *pad = inlink->dst->priv; AVFilterBufferRef *outpicref = avfilter_ref_buffer(inpicref, ~0); + AVFilterBufferRef *for_next_filter; int plane; for (plane = 0; plane < 4 && outpicref->data[plane]; plane++) { @@ -335,12 +336,14 @@ static void start_frame(AVFilterLink *inlink, AVFilterBufferRef *inpicref) outpicref->video->w = pad->w; outpicref->video->h = pad->h; - avfilter_start_frame(inlink->dst->outputs[0], outpicref); + for_next_filter = avfilter_ref_buffer(outpicref, ~0); + avfilter_start_frame(inlink->dst->outputs[0], for_next_filter); } static void end_frame(AVFilterLink *link) { avfilter_end_frame(link->dst->outputs[0]); + avfilter_unref_buffer(link->dst->outputs[0]->out_buf); avfilter_unref_buffer(link->cur_buf); } From fb3189ce8b8a5ddc44b460f9fb1b5b4e8ddea2f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franz=20Brau=C3=9Fe?= Date: Fri, 30 Mar 2012 14:40:14 -0400 Subject: [PATCH 0960/1119] smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index eb4427c100..ff2cdebf1e 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -644,7 +644,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) - pred[i] = av_bswap16(get_bits(&gb, 16)); + pred[i] = sign_extend(av_bswap16(get_bits(&gb, 16)), 16); for(i = 0; i <= stereo; i++) *samples++ = pred[i]; for(; i < unp_size / 2; i++) { From 5754176b5bfb4a298c376b4bdcce218848d15936 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 5 Oct 2012 15:53:32 +0200 Subject: [PATCH 0961/1119] yuv4mpeg: return proper error codes. Fixes Bug 373. CC:libav-stable@libav.org (cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485) Signed-off-by: Reinhard Tartler --- libavformat/yuv4mpeg.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c index 9a6a0c8315..dd785c674f 100644 --- a/libavformat/yuv4mpeg.c +++ b/libavformat/yuv4mpeg.c @@ -347,7 +347,7 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt) { int i; char header[MAX_FRAME_HEADER+1]; - int packet_size, width, height; + int packet_size, width, height, ret; AVStream *st = s->streams[0]; struct frame_attributes *s1 = s->priv_data; @@ -358,18 +358,28 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt) break; } } - if (i == MAX_FRAME_HEADER) return -1; - if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) return -1; + if (s->pb->error) + return s->pb->error; + else if (s->pb->eof_reached) + return AVERROR_EOF; + else if (i == MAX_FRAME_HEADER) + return AVERROR_INVALIDDATA; + + if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) + return AVERROR_INVALIDDATA; width = st->codec->width; height = st->codec->height; packet_size = avpicture_get_size(st->codec->pix_fmt, width, height); if (packet_size < 0) - return -1; + return packet_size; - if (av_get_packet(s->pb, pkt, packet_size) != packet_size) - return AVERROR(EIO); + ret = av_get_packet(s->pb, pkt, packet_size); + if (ret < 0) + return ret; + else if (ret != packet_size) + return s->pb->eof_reached ? AVERROR_EOF : AVERROR(EIO); if (s->streams[0]->codec->coded_frame) { s->streams[0]->codec->coded_frame->interlaced_frame = s1->interlaced_frame; From 11ecd8574a2edd482c687123f374f22c3390c6dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= Date: Sat, 29 Sep 2012 11:16:45 +0200 Subject: [PATCH 0962/1119] h264: avoid stuck buffer pointer in decode_nal_units MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When decode_nal_units() previously encountered a NAL_END_SEQUENCE, and there are some junk bytes left in the input buffer, but no start codes, buf_index gets stuck 3 bytes before the end of the buffer. This can trigger an infinite loop in the caller code, eg. in try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes, with 3 bytes of the input packet still available. With this change, the remaining bytes are skipped so the whole packet gets consumed. CC:libav-stable@libav.org Signed-off-by: Jindřich Makovička Signed-off-by: Anton Khirnov (cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ac7eb20f35..adb01d4a5e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3700,7 +3700,11 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ break; } - if(buf_index+3 >= buf_size) break; + + if (buf_index + 3 >= buf_size) { + buf_index = buf_size; + break; + } buf_index+=3; if(buf_index >= next_avc) continue; From ec6719f6551db6e93d8af9bffdaf0163b5d59b5b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Sep 2012 14:38:13 +0200 Subject: [PATCH 0963/1119] mpegaudiodec: fix short_start calculation The value should be always 3, as it follows from the specification. Fix a stack buffer overflow in exponents_from_scale_factors as reported by asan. Thanks to Dale Curtis for the sample vector. (cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d) Signed-off-by: Reinhard Tartler --- libavcodec/mpegaudiodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 033d76e049..fd94fb1dcc 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -210,7 +210,7 @@ static void ff_compute_band_indexes(MPADecodeContext *s, GranuleDef *g){ else g->long_end = 4; /* 8000 Hz */ - g->short_start = 2 + (s->sample_rate_index != 8); + g->short_start = 3; } else { g->long_end = 0; g->short_start = 0; From 549b8083d6e049061a063df68b49e0bae4340601 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 19 Sep 2012 11:12:58 -0700 Subject: [PATCH 0964/1119] tiffenc: Check av_malloc() results. (cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6) Conflicts: libavcodec/tiffenc.c Signed-off-by: Reinhard Tartler --- libavcodec/tiffenc.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 5cff13bca0..4d3e6debc9 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -305,6 +305,10 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, strip_sizes = av_mallocz(sizeof(*strip_sizes) * strips); strip_offsets = av_mallocz(sizeof(*strip_offsets) * strips); + if (!strip_sizes || !strip_offsets) { + ret = AVERROR(ENOMEM); + goto fail; + } bytes_per_row = (((s->width - 1)/s->subsampling[0] + 1) * s->bpp * s->subsampling[0] * s->subsampling[1] + 7) >> 3; @@ -312,6 +316,7 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, yuv_line = av_malloc(bytes_per_row); if (yuv_line == NULL){ av_log(s->avctx, AV_LOG_ERROR, "Not enough memory\n"); + ret = AVERROR(ENOMEM); goto fail; } } @@ -324,6 +329,10 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, zlen = bytes_per_row * s->rps; zbuf = av_malloc(zlen); + if (!zbuf) { + ret = AVERROR(ENOMEM); + goto fail; + } strip_offsets[0] = ptr - buf; zn = 0; for (j = 0; j < s->rps; j++) { @@ -348,8 +357,13 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, } else #endif { - if(s->compr == TIFF_LZW) + if (s->compr == TIFF_LZW) { s->lzws = av_malloc(ff_lzw_encode_state_size); + if (!s->lzws) { + ret = AVERROR(ENOMEM); + goto fail; + } + } for (i = 0; i < s->height; i++) { if (strip_sizes[i / s->rps] == 0) { if(s->compr == TIFF_LZW){ From aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2012 17:25:47 +0200 Subject: [PATCH 0965/1119] alsdec: Check k used for rice decoder. Values that fail this check will cause failure of decode_rice() Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cdf2a7c0f1..cfe8fd37cb 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -650,6 +650,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) for (k = 1; k < sub_blocks; k++) s[k] = s[k - 1] + decode_rice(gb, 0); } + for (k = 1; k < sub_blocks; k++) + if (s[k] > 32) { + av_log(avctx, AV_LOG_ERROR, "k invalid for rice code.\n"); + return AVERROR_INVALIDDATA; + } if (get_bits1(gb)) *bd->shift_lsbs = get_bits(gb, 4) + 1; From 642d758a2d829e62e32f08ae3369b41299a5bcc1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 2 Jan 2013 22:14:36 +0100 Subject: [PATCH 0966/1119] Update RELEASE file for 0.7.7 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index c006218557..879be8a98f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.6 +0.7.7 From fe9cbf582b094dff507df287bfa61b54755fa6c9 Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Sun, 6 Jan 2013 01:56:23 +0100 Subject: [PATCH 0967/1119] tiffdec: Use the correct height field. Fixes Ticket913 Signed-off-by: Michael Niedermayer (cherry picked from commit 4784a135b2b0fe4d1b4c6256bd37265fc45aed3d) Conflicts: libavcodec/tiff.c (cherry picked from commit fe0e64ca6431c2f606bc702c1a4e230f22531a4f) --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index e43cecb22c..2ca6d5ca62 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -396,7 +396,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; case TIFF_ROWSPERSTRIP: if (type == TIFF_LONG && value == UINT_MAX) - value = s->avctx->height; + value = s->height; if(value < 1){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n"); return -1; From da5f4e4d19917bce4b9213ff3d433ddf30e22fe5 Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Sun, 6 Jan 2013 01:56:23 +0100 Subject: [PATCH 0968/1119] tiffdec: Use the correct height field. Fixes Ticket913 Signed-off-by: Michael Niedermayer (cherry picked from commit 4784a135b2b0fe4d1b4c6256bd37265fc45aed3d) Conflicts: libavcodec/tiff.c (cherry picked from commit fe0e64ca6431c2f606bc702c1a4e230f22531a4f) --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index e43cecb22c..2ca6d5ca62 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -396,7 +396,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; case TIFF_ROWSPERSTRIP: if (type == TIFF_LONG && value == UINT_MAX) - value = s->avctx->height; + value = s->height; if(value < 1){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n"); return -1; From 9f8071245491b7060fac823b8060e06e14ca403b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Dec 2012 19:38:20 +0100 Subject: [PATCH 0969/1119] ivi_common: check that scan pattern is set before using it. Fixes CVE-2012-2791. CC: libav-stable@libav.org (cherry picked from commit deabb52ab4c1fdb3dd319f3980b1489a182011f1) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 22af3a7314..f55371cf73 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -410,6 +410,11 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) } if (cbp & 1) { /* block coded ? */ + if (!band->scan) { + av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n"); + return AVERROR_INVALIDDATA; + } + scan_pos = -1; memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */ From 700fb8c8dd0622fcadb1a35eb2363e1e4c94e663 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 14 Dec 2012 08:22:06 +0100 Subject: [PATCH 0970/1119] vp56: make parse_header return standard error codes Returning 0 for failure is misleading. CC: libav-stable@libav.org (cherry picked from commit bb675d3ac6d722d5e117ae9042a996b55ca05b1d) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 12 ++++++------ libavcodec/vp56.c | 8 ++++---- libavcodec/vp56.h | 2 ++ libavcodec/vp6.c | 12 ++++++------ 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 2b975801d0..bb6c224309 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -47,18 +47,18 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, { vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) - return 0; + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (vp56_rac_get(c)) { av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); - return 0; + return AVERROR_PATCHWELCOME; } rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ if (!rows || !cols) { av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); - return 0; + return AVERROR_INVALIDDATA; } vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ @@ -67,11 +67,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, 16*cols != s->avctx->coded_width || 16*rows != s->avctx->coded_height) { avcodec_set_dimensions(s->avctx, 16*cols, 16*rows); - return 2; + return VP56_SIZE_CHANGE; } } else if (!s->macroblocks) - return 0; - return 1; + return AVERROR_INVALIDDATA; + return 0; } static void vp5_parse_vector_adjustment(VP56Context *s, VP56mv *vect) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index dd9dd77527..96f40a1bd0 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -511,10 +511,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (!res) - return -1; + if (res < 0) + return res; - if (res == 2) { + if (res == VP56_SIZE_CHANGE) { int i; for (i = 0; i < 4; i++) { if (s->frames[i].data[0]) @@ -533,7 +533,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, return -1; } - if (res == 2) + if (res == VP56_SIZE_CHANGE) if (vp56_size_changed(avctx)) { avctx->release_buffer(avctx, p); return -1; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 0c34438c8f..ad6977351a 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -38,6 +38,8 @@ typedef struct { int16_t y; } DECLARE_ALIGNED(4, , VP56mv); +#define VP56_SIZE_CHANGE 1 + typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, VP56mv *vect); typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index b0d8642465..7347f9fac2 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -50,7 +50,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, int vrt_shift = 0; int sub_version; int rows, cols; - int res = 1; + int res = 0; int separated_coeff = buf[0] & 1; s->framep[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -59,7 +59,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (s->framep[VP56_FRAME_CURRENT]->key_frame) { sub_version = buf[1] >> 3; if (sub_version > 8) - return 0; + return AVERROR_INVALIDDATA; s->filter_header = buf[1] & 0x06; if (buf[1] & 1) { av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); @@ -77,7 +77,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, /* buf[5] is number of displayed macroblock cols */ if (!rows || !cols) { av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); - return 0; + return AVERROR_INVALIDDATA; } if (!s->macroblocks || /* first frame */ @@ -88,7 +88,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, s->avctx->width -= s->avctx->extradata[0] >> 4; s->avctx->height -= s->avctx->extradata[0] & 0x0F; } - res = 2; + res = VP56_SIZE_CHANGE; } ff_vp56_init_range_decoder(c, buf+6, buf_size-6); @@ -100,7 +100,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, s->sub_version = sub_version; } else { if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height) - return 0; + return AVERROR_INVALIDDATA; if (separated_coeff || !s->filter_header) { coeff_offset = AV_RB16(buf+1) - 2; @@ -144,7 +144,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (buf_size < 0) { if (s->framep[VP56_FRAME_CURRENT]->key_frame) avcodec_set_dimensions(s->avctx, 0, 0); - return 0; + return AVERROR_INVALIDDATA; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; From 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 14 Dec 2012 09:55:04 +0100 Subject: [PATCH 0971/1119] vp56: release frames on error Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler --- libavcodec/vp56.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 96f40a1bd0..b06ea7a5b2 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -511,8 +511,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (res < 0) + if (res < 0) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } return res; + } if (res == VP56_SIZE_CHANGE) { int i; From bfbff1c7483cd423ef7e0618cd67adf7d988376a Mon Sep 17 00:00:00 2001 From: Sami Pietila Date: Fri, 12 Oct 2012 07:12:49 -0700 Subject: [PATCH 0972/1119] vp8: reset loopfilter delta values at keyframes. Signed-off-by: Ronald S. Bultje (cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd) Signed-off-by: Reinhard Tartler --- libavcodec/vp8.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 7e82bbbe82..e00389a4ba 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -269,6 +269,7 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size) memcpy(s->prob->pred8x8c , vp8_pred8x8c_prob_inter , sizeof(s->prob->pred8x8c)); memcpy(s->prob->mvc , vp8_mv_default_prob , sizeof(s->prob->mvc)); memset(&s->segmentation, 0, sizeof(s->segmentation)); + memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } if (!s->macroblocks_base || /* first frame */ From f3f22f183fa298f73b1c6a27a19436a22d7ff23a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 26 Oct 2012 22:55:04 +0200 Subject: [PATCH 0973/1119] yuv4mpeg: reject unsupported codecs The muxer already rejects unsupported pixel formats, reject also unsupported codecs to prevent dangerous misuses. (cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db) Conflicts: libavformat/yuv4mpeg.c Signed-off-by: Reinhard Tartler --- libavformat/yuv4mpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c index dd785c674f..e4b1e12266 100644 --- a/libavformat/yuv4mpeg.c +++ b/libavformat/yuv4mpeg.c @@ -154,6 +154,11 @@ static int yuv4_write_header(AVFormatContext *s) if (s->nb_streams != 1) return AVERROR(EIO); + if (s->streams[0]->codec->codec_id != CODEC_ID_RAWVIDEO) { + av_log(s, AV_LOG_ERROR, "ERROR: Only rawvideo supported.\n"); + return AVERROR_INVALIDDATA; + } + if (s->streams[0]->codec->pix_fmt == PIX_FMT_YUV411P) { av_log(s, AV_LOG_ERROR, "Warning: generating rarely used 4:1:1 YUV stream, some mjpegtools might not work.\n"); } From 3d0c9c9af687fd2dd4fbaefdb4d7d85c59f7d19f Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 7 Nov 2012 14:48:28 -0500 Subject: [PATCH 0974/1119] flacenc: ensure the order is within the min/max range in LPC order search This fixes use of uninitialized values when the FLAC encoder uses the 2-level, 4-level, and 8-level search methods. Fixes failure of the fate-flac-24-comp-8 test when run using valgrind. (cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032) Conflicts: libavcodec/flacenc.c Signed-off-by: Reinhard Tartler --- libavcodec/flacenc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index be775cabd3..1c10d2b585 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -915,14 +915,16 @@ static int encode_residual_ch(FlacEncodeContext *s, int ch) omethod == ORDER_METHOD_8LEVEL) { int levels = 1 << omethod; uint32_t bits[1 << ORDER_METHOD_8LEVEL]; - int order; + int order = -1; int opt_index = levels-1; opt_order = max_order-1; bits[opt_index] = UINT32_MAX; for (i = levels-1; i >= 0; i--) { + int last_order = order; order = min_order + (((max_order-min_order+1) * (i+1)) / levels)-1; - if (order < 0) - order = 0; + order = av_clip(order, min_order - 1, max_order - 1); + if (order == last_order) + continue; encode_residual_lpc(res, smp, n, order+1, coefs[order], shift[order]); bits[i] = find_subframe_rice_params(s, sub, order+1); if (bits[i] < bits[opt_index]) { From ce8910d861c14a7fcc1c550380e1011a3a3b3e8c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 19:22:22 +0100 Subject: [PATCH 0975/1119] h264: Fix parameters to ff_er_add_slice() call s->mb_x is reset to zero a couple of lines above. It does not make sense to call ff_er_add_slice() with 0 as endx when the end of the macroblock row was reached. Fixes unnecessary and counterproductive error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394. (cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index adb01d4a5e..0940335edf 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3539,7 +3539,9 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){ return 0; }else{ - ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, (AC_END|DC_END|MV_END)&part_mask); + ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, + s->mb_x - 1, s->mb_y, + (AC_END|DC_END|MV_END)&part_mask); return -1; } From 4ede95e69cf964cd46b1e9fcd48da80d8d92c433 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 13 Dec 2012 16:20:19 +0100 Subject: [PATCH 0976/1119] vp6: properly fail on unsupported feature Interlacing is not supported at all and mismanaged down the normal codepaths causing possible buffer management issues. Fixes: CVE-2012-2783 (cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 7347f9fac2..309e856de3 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -62,8 +62,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, return AVERROR_INVALIDDATA; s->filter_header = buf[1] & 0x06; if (buf[1] & 1) { - av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); - return 0; + av_log_missing_feature(s->avctx, "Interlacing", 0); + return AVERROR_PATCHWELCOME; } if (separated_coeff || !s->filter_header) { coeff_offset = AV_RB16(buf+2) - 2; From 10ff052c601368f129466e6de19e9862aaaec7d1 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 23 Nov 2012 14:05:36 +0100 Subject: [PATCH 0977/1119] lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5f3da495fd..be679258a0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -813,7 +813,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st, *pnum = st->codec->time_base.num; *pden = st->codec->time_base.den; if (pc && pc->repeat_pict) { - *pnum = (*pnum) * (1 + pc->repeat_pict); + if (*pnum > INT_MAX / (1 + pc->repeat_pict)) + *pden /= 1 + pc->repeat_pict; + else + *pnum *= 1 + pc->repeat_pict; } //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet //Thus if we have no parser in such case leave duration undefined. From b143844ea0f6246e0d5a938d743e2e8a98453bec Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 11 Dec 2012 17:26:10 -0800 Subject: [PATCH 0978/1119] aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN. Found-by: pawlkt CC: libav-stable@libav.org Fixes: CVE-2012-5144 (cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646) Signed-off-by: Reinhard Tartler --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index cf7b43d53f..d479c947a9 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1692,7 +1692,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns, int w, filt, m, i; int bottom, top, order, start, end, size, inc; float lpc[TNS_MAX_ORDER]; - float tmp[TNS_MAX_ORDER]; + float tmp[TNS_MAX_ORDER + 1]; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; From 5fa739e685bcbd29dd83139c245935099112beed Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 16 Nov 2012 14:31:09 +0100 Subject: [PATCH 0979/1119] h264: enable low delay only if no delayed frames were seen Dropping frames is undesirable but that is the only way by which the decoder could return to low delay mode. Instead emit a warning and continue with delayed frames. Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger than expected has_b_frames value. Low delay keeps getting re-enabled from a presumely broken SPS. CC: libav-stable@libav.org (cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 0940335edf..98c68d873f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3847,9 +3847,16 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ init_get_bits(&s->gb, ptr, bit_length); ff_h264_decode_seq_parameter_set(h); - if (s->flags& CODEC_FLAG_LOW_DELAY || - (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames)) - s->low_delay=1; + if (s->flags & CODEC_FLAG_LOW_DELAY || + (h->sps.bitstream_restriction_flag && + !h->sps.num_reorder_frames)) { + if (s->avctx->has_b_frames > 1 || h->delayed_pic[0]) + av_log(avctx, AV_LOG_WARNING, "Delayed frames seen " + "reenabling low delay requires a codec " + "flush.\n"); + else + s->low_delay = 1; + } if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; From 08d9fd611eac18be52e0bd3430ba6acb740cd79f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Dec 2012 22:53:30 +0100 Subject: [PATCH 0980/1119] ppc: always use pic for shared libraries CC: libav-stable@libav.org (cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996) Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6a2ff4fa01..05a7161ef8 100755 --- a/configure +++ b/configure @@ -2342,7 +2342,7 @@ check_host_cflags -std=c99 check_host_cflags -Wall case "$arch" in - alpha|ia64|mips|parisc|sparc) + alpha|ia64|mips|parisc|ppc|sparc) spic=$shared ;; x86) From 4457e6137d83d3b65d919608cd0f12bc62d57c67 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sun, 25 Nov 2012 12:56:04 +0100 Subject: [PATCH 0981/1119] h264: check sps.log2_max_frame_num for validity Fixes infinite or long taking loop in frame num gap code in the fuzzed sample bipbop234.ts_s223302. CC: libav-stable@libav.org (cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 9eeff59762..367138a8c0 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -37,6 +37,9 @@ //#undef NDEBUG #include +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) +#define MIN_LOG2_MAX_FRAME_NUM 4 + static const AVRational pixel_aspect[17]={ {0, 1}, {1, 1}, @@ -298,7 +301,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ MpegEncContext * const s = &h->s; int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; - int i; + int i, log2_max_frame_num_minus4; SPS *sps; profile_idc= get_bits(&s->gb, 8); @@ -345,7 +348,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->bit_depth_chroma = 8; } - sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; + log2_max_frame_num_minus4 = get_ue_golomb(&s->gb); + if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 || + log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) { + av_log(h->s.avctx, AV_LOG_ERROR, + "log2_max_frame_num_minus4 out of range (0-12): %d\n", + log2_max_frame_num_minus4); + return AVERROR_INVALIDDATA; + } + sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4; + sps->poc_type= get_ue_golomb_31(&s->gb); if(sps->poc_type == 0){ //FIXME #define From 884a9b0d298acfba29c01690e27419ab646fa51a Mon Sep 17 00:00:00 2001 From: Victor Lopez Date: Wed, 19 Dec 2012 09:12:24 +0100 Subject: [PATCH 0982/1119] h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles Fixes bug 396. CC: libav-stable@libav.org (cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 367138a8c0..26db079af3 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -330,7 +330,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8)); sps->scaling_matrix_present = 0; - if(sps->profile_idc >= 100){ //high profile + if (sps->profile_idc == 100 || sps->profile_idc == 110 || + sps->profile_idc == 122 || sps->profile_idc == 244 || + sps->profile_idc == 44 || sps->profile_idc == 83 || + sps->profile_idc == 86 || sps->profile_idc == 118 || + sps->profile_idc == 128 || sps->profile_idc == 144) { sps->chroma_format_idc= get_ue_golomb_31(&s->gb); if(sps->chroma_format_idc > 3) { av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); From a39c6bf1b878f6667697225299707ef08a9482c8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 22 Dec 2012 01:21:09 -0500 Subject: [PATCH 0983/1119] alacdec: do not be too strict about the extradata size Sometimes the extradata has duplicate atoms, but that shouldn't prevent decoding. Just ensure that it is at least 36 bytes as a sanity check. CC: libav-stable@libav.org (cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec) Signed-off-by: Reinhard Tartler --- libavcodec/alac.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 4ea3f7ee84..37e957eed5 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -664,10 +664,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) alac->numchannels = alac->avctx->channels; /* initialize from the extradata */ - if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) { - av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n", - ALAC_EXTRADATA_SIZE); - return -1; + if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n"); + return AVERROR_INVALIDDATA; } if (alac_set_info(alac)) { av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n"); From 808187965570012cca99a7c0fdf1d93652947285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 7 Jan 2013 18:39:04 +0200 Subject: [PATCH 0984/1119] rtsp: Recheck the reordering queue if getting a new packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler --- libavformat/rtsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 80cd587144..25aba7de67 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1641,6 +1641,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) rt->cur_transport_priv = NULL; } +redo: if (rt->transport == RTSP_TRANSPORT_RTP) { int i; int64_t first_queue_time = 0; @@ -1656,12 +1657,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) first_queue_st = rt->rtsp_streams[i]; } } - if (first_queue_time) + if (first_queue_time) { wait_end = first_queue_time + s->max_delay; + } else { + wait_end = 0; + first_queue_st = NULL; + } } /* read next RTP packet */ - redo: if (!rt->recvbuf) { rt->recvbuf = av_malloc(RECVBUF_SIZE); if (!rt->recvbuf) From 55065315caf138223b1f2f4e168fc64f601d1352 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 7 Mar 2012 14:26:58 -0800 Subject: [PATCH 0985/1119] Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis Signed-off-by: Ronald S. Bultje (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 18201677b8..8c94f4e618 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++){ struct ogg_stream *os = ogg->streams + i; - os->buf = av_malloc (os->bufsize); - memset (os->buf, 0, os->bufsize); + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (os->buf, ost->streams[i].buf, os->bufpos); } @@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) os = ogg->streams + idx; os->serial = serial; os->bufsize = DECODER_BUFFER_SIZE; - os->buf = av_malloc(os->bufsize); + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->header = -1; if (new_avstream) { @@ -184,7 +183,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) static int ogg_new_buf(struct ogg *ogg, int idx) { struct ogg_stream *os = ogg->streams + idx; - uint8_t *nb = av_malloc(os->bufsize); + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); int size = os->bufpos - os->pstart; if(os->buf){ memcpy(nb, os->buf + os->pstart, size); @@ -293,7 +292,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) } if (os->bufsize - os->bufpos < size){ - uint8_t *nb = av_malloc (os->bufsize *= 2); + uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; @@ -306,6 +305,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) os->granule = gp; os->flags = flags; + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); if (str) *str = idx; From 910c1f2352830f1c0e7505cc96c77eac556df083 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 22 Dec 2012 17:58:24 +0100 Subject: [PATCH 0986/1119] oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8c94f4e618..a28232a04e 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -160,8 +160,13 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) AVStream *st; struct ogg_stream *os; - ogg->streams = av_realloc (ogg->streams, - ogg->nstreams * sizeof (*ogg->streams)); + os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams)); + + if (!os) + return AVERROR(ENOMEM); + + ogg->streams = os; + memset (ogg->streams + idx, 0, sizeof (*ogg->streams)); os = ogg->streams + idx; os->serial = serial; @@ -293,6 +298,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) if (os->bufsize - os->bufpos < size){ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); + if (!nb) + return AVERROR(ENOMEM); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; From 3bc9cfe66e1a34c6d9dc45fde2a44aa38e6363ce Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 19:36:27 +0100 Subject: [PATCH 0987/1119] oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index a28232a04e..cab6da7b13 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -492,14 +492,29 @@ static int ogg_get_length(AVFormatContext *s) return 0; } -static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap) +static int ogg_read_close(AVFormatContext *s) { struct ogg *ogg = s->priv_data; int i; + + for (i = 0; i < ogg->nstreams; i++) { + av_free(ogg->streams[i].buf); + av_free(ogg->streams[i].private); + } + av_free(ogg->streams); + return 0; +} + +static int ogg_read_header(AVFormatContext *s) +{ + struct ogg *ogg = s->priv_data; + int i, ret; ogg->curidx = -1; //linear headers seek from start - if (ogg_get_headers (s) < 0){ - return -1; + ret = ogg_get_headers(s); + if (ret < 0) { + ogg_read_close(s); + return ret; } for (i = 0; i < ogg->nstreams; i++) @@ -583,19 +598,6 @@ retry: return psize; } -static int ogg_read_close(AVFormatContext *s) -{ - struct ogg *ogg = s->priv_data; - int i; - - for (i = 0; i < ogg->nstreams; i++){ - av_free (ogg->streams[i].buf); - av_free (ogg->streams[i].private); - } - av_free (ogg->streams); - return 0; -} - static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { From ad025377462cd01c11f1fe67d087804999af9d49 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 28 Nov 2012 22:17:14 +0100 Subject: [PATCH 0988/1119] h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 98c68d873f..1f85eea24d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3832,6 +3832,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx->inter_gb_ptr= &hx->inter_gb; if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning + && s->current_picture_ptr && s->context_initialized && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=AV_PICTURE_TYPE_B) From dd0c5e0fa909bac905ea8baa49b704892792a1c9 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 12 Jan 2013 17:22:50 +0100 Subject: [PATCH 0989/1119] h264: check ref_count validity for num_ref_idx_active_override_flag Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org (cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8) Signed-off-by: Janne Grunau --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1f85eea24d..739b9d2e51 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2890,8 +2890,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(num_ref_idx_active_override_flag){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; - if(h->slice_type_nos==AV_PICTURE_TYPE_B) + if (h->ref_count[0] < 1) + return AVERROR_INVALIDDATA; + if (h->slice_type_nos == AV_PICTURE_TYPE_B) { h->ref_count[1]= get_ue_golomb(&s->gb) + 1; + if (h->ref_count[1] < 1) + return AVERROR_INVALIDDATA; + } } if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { From 56cc629a645e479c233750a60a35264b4aa9a651 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Jan 2013 13:34:41 +0100 Subject: [PATCH 0990/1119] Revert "h264: allow cropping to AVCodecContext.width/height" This reverts commit a2ae183a382f063c5403922b5151d865ce7252a2. This removes a duplicate hunk Found-by: Joakim Plate --- libavcodec/h264.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8c7ebcab55..97b46fdcd7 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2623,12 +2623,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->height = s->avctx->height; } - if (FFALIGN(s->avctx->width, 16) == s->width && - FFALIGN(s->avctx->height, 16) == s->height) { - s->width = s->avctx->width; - s->height = s->avctx->height; - } - if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { From e163d884ef6ccc52f02a176105098d15c451d6af Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 17:49:29 -0500 Subject: [PATCH 0991/1119] rtmp: fix multiple broken overflow checks Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 4b6d549f74..5e75e3bd27 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -278,11 +278,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return -1; data += t; } @@ -311,7 +311,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, int size = bytestream_get_be16(&data); if (!size) break; - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; if (size == namelen && !memcmp(data-size, name, namelen)) { @@ -332,7 +332,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, return 0; } len = ff_amf_tag_size(data, data_end); - if (len < 0 || data + len >= data_end || data + len < data) + if (len < 0 || len >= data_end - data) return -1; data += len; } @@ -403,13 +403,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); ff_amf_tag_contents(ctx, data, data_end); t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return; data += t; } From b59ee5dcf119f900a3e9f45098f9e992a5f26fd0 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 21:40:05 -0500 Subject: [PATCH 0992/1119] rtmp: fix buffer overflows in ff_amf_tag_contents() A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 5e75e3bd27..c65cfc1439 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -362,7 +362,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) @@ -381,7 +381,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -394,16 +394,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (size < 0 || size >= data_end - data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); From 801eff785aa1c791d75afaa59233e9b5e9e0f4c7 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 23 Mar 2012 22:30:38 +0100 Subject: [PATCH 0993/1119] rv34: error out on size changes with frame threading (cherry picked from commit cb7190cd2c691fd93e4d3664f3fce6c19ee001dd) Fixes: CVE-2012-2772 (according to Ubuntu) --- libavcodec/rv34.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a20a9892b8..95ad5dd06e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1280,6 +1280,14 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) { if(s->width != r->si.width || s->height != r->si.height){ + + if (HAVE_THREADS && + (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height changing with " + "frame threading is", 0); + return AVERROR_PATCHWELCOME; + } + av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height); MPV_common_end(s); s->width = r->si.width; From 03ddc260668beaf62f6f7fe64a08b5a71be5bb27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 17:43:55 +0100 Subject: [PATCH 0994/1119] indeo5dec: Make sure we have had a valid gop header. This prevents decoding happening on a half initialized context. Fixes CVE-2012-2779 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 891918431db628db17885ed947ee387b29826a64) Conflicts: libavcodec/ivi_common.c libavcodec/ivi_common.h --- libavcodec/indeo5.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index e12cd61419..bb491fe15a 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -76,6 +76,8 @@ typedef struct { int is_scalable; uint32_t lock_word; IVIPicConfig pic_conf; + + int gop_invalid; } IVI5DecContext; @@ -335,8 +337,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - if (decode_gop_header(ctx, avctx)) - return -1; + ctx->gop_invalid = 1; + if (decode_gop_header(ctx, avctx)) { + av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + return AVERROR_INVALIDDATA; + } + ctx->gop_invalid = 0; } if (ctx->frame_type != FRAMETYPE_NULL) { @@ -759,6 +765,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, "Error while decoding picture header: %d\n", result); return -1; } + if (ctx->gop_invalid) + return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); From 604d72aa0d050a95aefdc15fc57743415af8283b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 13:25:28 +0200 Subject: [PATCH 0995/1119] dfa: improve boundary checks in decode_dds1() Fixes CVE-2012-2798 CC:libav-stable@libav.org (cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6) Conflicts: libavcodec/dfa.c --- libavcodec/dfa.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index eeb96cf7b1..9c80b3c4e8 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -159,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height, bitbuf = bytestream_get_le16(&src); mask = 1; } - if (src_end - src < 2 || frame_end - frame < 2) - return -1; + if (bitbuf & mask) { v = bytestream_get_le16(&src); offset = (v & 0x1FFF) << 2; @@ -174,9 +173,12 @@ static int decode_dds1(uint8_t *frame, int width, int height, frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream_get_le16(&src) * 2; + v = bytestream_get_le16(&src)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++; From 440e98574bde9ca606dfea60c7dda8de555067f7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 11:07:58 +0200 Subject: [PATCH 0996/1119] indeo4/5: check empty tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Based on a patch by Michael Niedermayer Fixes CVE-2012-2800 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1) Conflicts: libavcodec/ivi_common.c --- libavcodec/indeo5.c | 4 +++- libavcodec/ivi_common.c | 11 ++++++++++- libavcodec/ivi_common.h | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index bb491fe15a..45460a40fd 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -619,8 +619,10 @@ static int decode_band(IVI5DecContext *ctx, int plane_num, tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, + result = ff_ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + if (result < 0) + break; } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index f55371cf73..38cb3a8b33 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -495,7 +495,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) return 0; } -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, +int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; @@ -506,6 +506,13 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " + "parameters %d in ivi_process_empty_tile()\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + offs = tile->ypos * band->pitch + tile->xpos; mb = tile->mbs; ref_mb = tile->ref_mbs; @@ -586,6 +593,8 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, dst += band->pitch; } } + + return 0; } diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index cd9847d08a..3a328c469a 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -325,7 +325,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile); * @param[in] tile pointer to the tile descriptor * @param[in] mv_scale scaling factor for motion vectors */ -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, +int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale); /** From 301761792a693a1f3303a2af34a0fb066a03c10c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Dec 2012 17:53:31 +0100 Subject: [PATCH 0997/1119] mpeg12: do not decode extradata more than once. Fixes CVE-2012-2803. (cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2) Conflicts: libavcodec/mpeg12.c libavcodec/mpeg12.h --- libavcodec/mpeg12.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 03c95c191d..047c38f18a 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1147,6 +1147,7 @@ typedef struct Mpeg1Context { int save_width, save_height, save_progressive_seq; AVRational frame_rate_ext; ///< MPEG-2 specific framerate modificator int sync; ///< Did we reach a sync point like a GOP/SEQ/KEYFrame? + int extradata_decoded; } Mpeg1Context; static av_cold int mpeg_decode_init(AVCodecContext *avctx) @@ -2279,8 +2280,10 @@ static int mpeg_decode_frame(AVCodecContext *avctx, s->slice_count= 0; - if(avctx->extradata && !avctx->frame_number) + if (avctx->extradata && !s->extradata_decoded) { decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size); + s->extradata_decoded = 1; + } return decode_chunks(avctx, picture, data_size, buf, buf_size); } From db5b454c3d20f0e2e7fff8f0091e776ae9757725 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 24 Jan 2013 14:01:42 +0100 Subject: [PATCH 0998/1119] Update changelog for 0.7.7 release --- Changelog | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/Changelog b/Changelog index f434aa13b5..a7410d9dc3 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,38 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.7: + +Security Updates: + +- aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN (CVE-2012-5144) +- alsdec: check opt_order (CVE-2012-2775) +- alsdec: fix number of decoded samples in first sub-block in BGMC mode (CVE-2012-2790) +- avidec: use actually read size instead of requested size (CVE-2012-2788) +- avsdec: Set dimensions instead of relying on the demuxer (CVE-2012-2801) +- cavsdec: check for changing w/h (CVE-2012-2777 and CVE-2012-2784) +- dfa: check that the caller set width/height properly (CVE-2012-2786) +- dfa: improve boundary checks in decode_dds1() (CVE-2012-2798) +- indeo4/5: check empty tile size in decode_mb_info() (CVE-2012-2800) +- indeo5: Make sure we have had a valid gop header (CVE-2012-2779) +- indeo5: check tile size in decode_mb_info() (CVE-2012-2794) +- ivi_common: check that scan pattern is set before using it (CVE-2012-2791) +- lagarith: check count before writing zeros (CVE-2012-2793) +- mpeg12: do not decode extradata more than once (CVE-2012-2803) +- rv34: error out on size changes with frame threading (CVE-2012-2772) +- vp56: release frames on error (CVE-2012-2783) +- wmaprodec: check num_vec_coeffs for validity (CVE-2012-2789) + + +Further bugfixes in the following codecs: + h264, vc1, nuv, imgconvert, vorbisenc, flacenc + +Other noteworthy changes: +- fix segfault in avformat_open_input() +- rtsp: Recheck the reordering queue if getting a new packet +- fix uninitialized reads and memory leaks on malformed ogg files + + version 0.7.6: Security Updates: From e4831bb9a678dea50b535638aa81eaf4aea0184c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 18:29:41 +0100 Subject: [PATCH 0999/1119] huffyuvdec: Check init_vlc() return codes. Prevents out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f67a0d115254461649470452058fa3c28c0df294) Signed-off-by: Michael Niedermayer (cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88) Conflicts: libavcodec/huffyuv.c (cherry picked from commit adf022f458d75e2c8041262e1906a249366ad518) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuv.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index b69be258f9..db9a346996 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -28,6 +28,7 @@ * huffyuv codec for libavcodec. */ +#include "libavutil/avassert.h" #include "avcodec.h" #include "get_bits.h" #include "put_bits.h" @@ -289,6 +290,7 @@ static void generate_joint_tables(HYuvContext *s){ int len1 = s->len[p][u]; if(len1 > limit) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; symbols[i] = (y<<8) + u; @@ -322,6 +324,7 @@ static void generate_joint_tables(HYuvContext *s){ int len2 = s->len[2][r&255]; if(len2 > limit1) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; bits[i] = (code << len2) + s->bits[2][r&255]; if(s->decorrelate){ @@ -345,6 +348,7 @@ static void generate_joint_tables(HYuvContext *s){ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ GetBitContext gb; int i; + int ret; init_get_bits(&gb, src, length*8); @@ -355,7 +359,8 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ return -1; } free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); @@ -367,6 +372,7 @@ static int read_old_huffman_tables(HYuvContext *s){ #if 1 GetBitContext gb; int i; + int ret; init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8); if(read_len_table(s->len[0], &gb)<0) @@ -387,7 +393,8 @@ static int read_old_huffman_tables(HYuvContext *s){ for(i=0; i<3; i++){ free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); From 4f91c45644931064901986bca70a8903c7956564 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 19:22:33 +0100 Subject: [PATCH 1000/1119] huffyuvdec: Skip len==0 cases Fixes vlc decoding for hypothetical files that would contain such cases. Signed-off-by: Michael Niedermayer (cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuv.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index db9a346996..20589652ff 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -284,11 +284,11 @@ static void generate_joint_tables(HYuvContext *s){ for(i=y=0; y<256; y++){ int len0 = s->len[0][y]; int limit = VLC_BITS - len0; - if(limit <= 0) + if(limit <= 0 || !len0) continue; for(u=0; u<256; u++){ int len1 = s->len[p][u]; - if(len1 > limit) + if (len1 > limit || !len1) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; @@ -312,17 +312,17 @@ static void generate_joint_tables(HYuvContext *s){ for(i=0, g=-16; g<16; g++){ int len0 = s->len[p0][g&255]; int limit0 = VLC_BITS - len0; - if(limit0 < 2) + if (limit0 < 2 || !len0) continue; for(b=-16; b<16; b++){ int len1 = s->len[p1][b&255]; int limit1 = limit0 - len1; - if(limit1 < 1) + if (limit1 < 1 || !len1) continue; code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255]; for(r=-16; r<16; r++){ int len2 = s->len[2][r&255]; - if(len2 > limit1) + if (len2 > limit1 || !len2) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; From 760929117df0d6349a2cb56af084d8a13ee7f33a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Dec 2012 12:28:45 +0100 Subject: [PATCH 1001/1119] alsdec: check block length Fix writing over the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cb679d9955..8cb5a6089c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -551,12 +551,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks, /** Read the block data for a constant block */ -static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd) +static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd) { ALSSpecificConfig *sconf = &ctx->sconf; AVCodecContext *avctx = ctx->avctx; GetBitContext *gb = &ctx->gb; + if (bd->block_length <= 0) + return -1; + *bd->raw_samples = 0; *bd->const_block = get_bits1(gb); // 1 = constant value, 0 = zero block (silence) bd->js_blocks = get_bits1(gb); @@ -571,6 +574,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd) // ensure constant block decoding by reusing this field *bd->const_block = 1; + + return 0; } @@ -970,7 +975,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) if (read_var_block_data(ctx, bd)) return -1; } else { - read_const_block_data(ctx, bd); + if (read_const_block_data(ctx, bd) < 0) + return -1; } return 0; From caeca53a09fd5d23e7da2725fb2fba27b9429d72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Nov 2012 23:59:40 +0100 Subject: [PATCH 1002/1119] qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index e237157f48..e311afdeee 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1238,6 +1238,11 @@ static void qdm2_decode_super_block (QDM2Context *q) for (i = 0; packet_bytes > 0; i++) { int j; + if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) { + SAMPLES_NEEDED_2("too many packet bytes"); + return; + } + q->sub_packet_list_A[i].next = NULL; if (i > 0) { From 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2012 15:18:17 +0100 Subject: [PATCH 1003/1119] roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index f0977f6491..4e34231aa4 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx) RoqContext *s = avctx->priv_data; s->avctx = avctx; + + if (avctx->width%16 || avctx->height%16) { + av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n"); + return AVERROR_PATCHWELCOME; + } + s->width = avctx->width; s->height = avctx->height; avcodec_get_frame_defaults(&s->frames[0]); From af343f5cddc5b40cea53ea7c38e582dc9caae15b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Nov 2012 16:26:55 +0100 Subject: [PATCH 1004/1119] eamad: fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 602bbfcf93..a431bbcdd5 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -249,7 +249,7 @@ static int decode_frame(AVCodecContext *avctx, int chunk_type; int inter; - if (buf_size < 17) { + if (buf_size < 26) { av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n"); *data_size = 0; return -1; From 2cac35086c9e103fa98960c546d5017e7363803a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2013 06:11:59 +0100 Subject: [PATCH 1005/1119] vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index d1eab5bfa1..6e1ce6c0d2 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s) chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]); cbp0_chunk += CHUNK_PREAMBLE_SIZE; + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], &s->buf[cbp0_chunk], chunk_size); @@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s) chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]); cbpz_chunk += CHUNK_PREAMBLE_SIZE; + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], &s->buf[cbpz_chunk], chunk_size); From e6ac11e41734cbb24ec5e6c73264d030e5f07a64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Jan 2013 20:37:27 +0100 Subject: [PATCH 1006/1119] aacdec: check channel count Prevent out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index a0f5344bee..78176d0053 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -568,6 +568,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) output_scale_factor = 1.0; } + if (avctx->channels > MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Too many channels\n"); + return AVERROR_INVALIDDATA; + } + AAC_INIT_VLC_STATIC( 0, 304); AAC_INIT_VLC_STATIC( 1, 270); AAC_INIT_VLC_STATIC( 2, 550); From 41eda870483fd1f2dc6f7f17cd68e360626180c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2013 19:53:40 +0100 Subject: [PATCH 1007/1119] pngdec/filter: dont access out of array elements at the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 3c6284fc10..ae932991d3 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -148,7 +148,7 @@ static void add_paeth_prediction_c(uint8_t *dst, uint8_t *src, uint8_t *top, int if(bpp >= 2) g = dst[1];\ if(bpp >= 3) b = dst[2];\ if(bpp >= 4) a = dst[3];\ - for(; i < size; i+=bpp) {\ + for(; i <= size - bpp; i+=bpp) {\ dst[i+0] = r = op(r, src[i+0], last[i+0]);\ if(bpp == 1) continue;\ dst[i+1] = g = op(g, src[i+1], last[i+1]);\ @@ -164,13 +164,9 @@ static void add_paeth_prediction_c(uint8_t *dst, uint8_t *src, uint8_t *top, int else if(bpp == 2) UNROLL1(2, op)\ else if(bpp == 3) UNROLL1(3, op)\ else if(bpp == 4) UNROLL1(4, op)\ - else {\ - for (; i < size; i += bpp) {\ - int j;\ - for (j = 0; j < bpp; j++)\ - dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\ - }\ - } + for (; i < size; i++) {\ + dst[i] = op(dst[i-bpp], src[i], last[i]);\ + }\ /* NOTE: 'dst' can be equal to 'last' */ static void png_filter_row(PNGDecContext *s, uint8_t *dst, int filter_type, From 377fabc9e687a3c73fdb235f773f6e9151378ca5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Feb 2013 23:41:01 +0100 Subject: [PATCH 1008/1119] Update for 0.8.13 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- cmdutils.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Doxyfile b/Doxyfile index 887b874e78..e28a87ee64 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.12 +PROJECT_NUMBER = 0.8.13 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 7eff8ab952..c2f73c6ecf 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.12 +0.8.13 diff --git a/VERSION b/VERSION index 7eff8ab952..c2f73c6ecf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.12 +0.8.13 diff --git a/cmdutils.c b/cmdutils.c index 62fe6e96ab..b919bae92e 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -57,7 +57,7 @@ AVFormatContext *avformat_opts; struct SwsContext *sws_opts; AVDictionary *format_opts, *video_opts, *audio_opts, *sub_opts; -static const int this_year = 2011; +static const int this_year = 2013; void init_opts(void) { From f86da592c3399c749442d8e70d9aef346dac3464 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Feb 2013 01:12:02 +0100 Subject: [PATCH 1009/1119] update for 0.7.14 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 93fce23685..efefceab70 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.13 +PROJECT_NUMBER = 0.7.14 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index a48658c949..a597e4f317 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.13 +0.7.14 diff --git a/VERSION b/VERSION index a48658c949..a597e4f317 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.13 +0.7.14 From 1fd86f9a2136165205b0370d5a6e916499f1da7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Feb 2013 00:47:13 +0100 Subject: [PATCH 1010/1119] vqavideo: fix return type Fixes Ticket2281 Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 6e1ce6c0d2..e7b2cae26a 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -529,7 +529,7 @@ static void vqa_decode_chunk(VqaContext *s) if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size); - return AVERROR_INVALIDDATA; + return; } /* accumulate partial codebook */ @@ -557,7 +557,7 @@ static void vqa_decode_chunk(VqaContext *s) if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size); - return AVERROR_INVALIDDATA; + return; } /* accumulate partial codebook */ From 8aedb751567457d6f0d16ba3c5b6400f99791fb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Feb 2013 17:48:56 +0100 Subject: [PATCH 1011/1119] tiff: check bppcount Fixes division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a34418c28e0accd1468ca15fff4d4f138a609f4e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 2ca6d5ca62..d26135ecda 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -360,6 +360,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } + if (value > 4U) { + av_log(s->avctx, AV_LOG_ERROR, + "Samples per pixel %d is too large\n", value); + return AVERROR_INVALIDDATA; + } if (s->bppcount == 1) s->bpp *= value; s->bppcount = value; From 5af2fd317d841f50390ada3b6e8d6618bcd82cb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jan 2013 22:56:45 +0100 Subject: [PATCH 1012/1119] wma: check byte_offset_bits Fixes assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 984add64a41c3296a8a82051cc90bff2eb449609) Signed-off-by: Michael Niedermayer --- libavcodec/wma.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index feb121b591..2e8ac979a5 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -177,6 +177,10 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) bps = (float)s->bit_rate / (float)(s->nb_channels * s->sample_rate); s->byte_offset_bits = av_log2((int)(bps * s->frame_len / 8.0 + 0.5)) + 2; + if (s->byte_offset_bits + 3 > MIN_CACHE_BITS) { + av_log(avctx, AV_LOG_ERROR, "byte_offset_bits %d is too large\n", s->byte_offset_bits); + return AVERROR_PATCHWELCOME; + } /* compute high frequency value and choose if noise coding should be activated */ From 17966ae5bb439c2b3d5c62878d6679c8fc4fba76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jan 2013 19:34:55 +0100 Subject: [PATCH 1013/1119] qdm2: increase noise_table size This prevents out of array reads. An alternative solution would be to check the index but this would require several checks in the inner loops Yet another alternative would be to change the index reset logic but this likely would introduce a difference to the binary decoder Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8c4aebb58d00fd613f3f684bf0f869966149ae78) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2_tablegen.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2_tablegen.h b/libavcodec/qdm2_tablegen.h index f215b15ffc..38adb97dc5 100644 --- a/libavcodec/qdm2_tablegen.h +++ b/libavcodec/qdm2_tablegen.h @@ -37,7 +37,7 @@ #include "libavcodec/qdm2_tables.h" #else static uint16_t softclip_table[HARDCLIP_THRESHOLD - SOFTCLIP_THRESHOLD + 1]; -static float noise_table[4096]; +static float noise_table[4096 + 20]; static uint8_t random_dequant_index[256][5]; static uint8_t random_dequant_type24[128][3]; static float noise_samples[128]; From 0a57df38f468e905f0fe834ac5e21b89f68f5ce6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Feb 2013 01:26:33 +0100 Subject: [PATCH 1014/1119] Update for 0.8.14 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index e28a87ee64..21a71479f5 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.13 +PROJECT_NUMBER = 0.8.14 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index c2f73c6ecf..832bad2740 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.13 +0.8.14 diff --git a/VERSION b/VERSION index c2f73c6ecf..832bad2740 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.13 +0.8.14 From 2b6f3be08250683407c7a9846d7133b116661eae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Feb 2013 02:24:30 +0100 Subject: [PATCH 1015/1119] avcodec_align_dimensions2: Ensure cinepak has large enough buffers. This is partly redundant with the following patches, but its safer Found-by: u-bo1b@0w.se Signed-off-by: Michael Niedermayer (cherry picked from commit f5c00b347dc76285c639d9878a014c40395c5228) Conflicts: libavcodec/utils.c Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8d5208f087..8a7f18575c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -170,9 +170,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l case PIX_FMT_PAL8: case PIX_FMT_BGR8: case PIX_FMT_RGB8: - if(s->codec_id == CODEC_ID_SMC){ - w_align=4; - h_align=4; + if (s->codec_id == CODEC_ID_SMC || + s->codec_id == CODEC_ID_CINEPAK) { + w_align = 4; + h_align = 4; } break; case PIX_FMT_BGR24: @@ -181,6 +182,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l h_align=4; } break; + case PIX_FMT_RGB24: + if (s->codec_id == CODEC_ID_CINEPAK) { + w_align = 4; + h_align = 4; + } + break; default: w_align= 1; h_align= 1; From dfeef3a209ecb3dcf01a1ad14e7fc4586e630e93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Feb 2013 00:19:39 +0100 Subject: [PATCH 1016/1119] cook: check js_subband_start for validity Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c69315a5deb0f8095e6b4746b69171d6f3059b2f) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index a5da74efcc..14614c9316 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1086,6 +1086,11 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) if (extradata_size >= 8){ bytestream_get_be32(&edata_ptr); //Unknown unused q->subpacket[s].js_subband_start = bytestream_get_be16(&edata_ptr); + if (q->subpacket[s].js_subband_start >= 51) { + av_log(avctx, AV_LOG_ERROR, "js_subband_start %d is too large\n", q->subpacket[s].js_subband_start); + return AVERROR_INVALIDDATA; + } + q->subpacket[s].js_vlc_bits = bytestream_get_be16(&edata_ptr); extradata_size -= 8; } From 3be6a8e1eb97d2bdcb0b1b1cd6cd0fc081c40114 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2013 03:28:32 +0100 Subject: [PATCH 1017/1119] update for 0.7.15 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index efefceab70..05f6e5c191 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.14 +PROJECT_NUMBER = 0.7.15 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index a597e4f317..def4250351 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.14 +0.7.15 diff --git a/VERSION b/VERSION index a597e4f317..def4250351 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.14 +0.7.15 From c10582e703c514aa5446b75d71ee9f0460767e2b Mon Sep 17 00:00:00 2001 From: Vicente Jimenez Aguilar Date: Wed, 20 Feb 2013 02:35:00 +0100 Subject: [PATCH 1018/1119] doc: filters: Correct BNF FILTER description Signed-off-by: Diego Biurrun (cherry picked from commit b5ad422bf4e671a8b30ce73ad236cd6b49940af9) --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index c1cf0084f8..e907b776a4 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -82,7 +82,7 @@ Follows a BNF description for the filtergraph syntax: @var{LINKLABEL} ::= "[" @var{NAME} "]" @var{LINKLABELS} ::= @var{LINKLABEL} [@var{LINKLABELS}] @var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted) -@var{FILTER} ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}] +@var{FILTER} ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}] @var{FILTERCHAIN} ::= @var{FILTER} [,@var{FILTERCHAIN}] @var{FILTERGRAPH} ::= @var{FILTERCHAIN} [;@var{FILTERGRAPH}] @end example From 537c17385350015aa19e61434af89266f4b74641 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 3 Apr 2013 12:57:58 +0000 Subject: [PATCH 1019/1119] smacker: fix off by one error Regression since a93b572ae4f517ce0c35cf085167c318e9215908. Fixes #2426. Signed-off-by: Paul B Mahol (cherry picked from commit e3cc92a623a6ece42816c7a692c8815688a99ab0) --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 80e2fa694e..b2c442e2d8 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -263,7 +263,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } else if(t & 0x40){ /* copy with offset */ off = avio_r8(s->pb); j = (t & 0x3F) + 1; - if (off + j > 0xff) { + if (off + j - 1 > 0xff) { av_log(s, AV_LOG_ERROR, "Invalid palette update, offset=%d length=%d extends beyond palette size\n", off, j); From 8c5140df2b53e3d4ff02aa607ce41abd64d204d8 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 3 Apr 2013 12:57:58 +0000 Subject: [PATCH 1020/1119] smacker: fix off by one error Regression since a93b572ae4f517ce0c35cf085167c318e9215908. Fixes #2426. Signed-off-by: Paul B Mahol (cherry picked from commit e3cc92a623a6ece42816c7a692c8815688a99ab0) --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 80e2fa694e..b2c442e2d8 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -263,7 +263,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } else if(t & 0x40){ /* copy with offset */ off = avio_r8(s->pb); j = (t & 0x3F) + 1; - if (off + j > 0xff) { + if (off + j - 1 > 0xff) { av_log(s, AV_LOG_ERROR, "Invalid palette update, offset=%d length=%d extends beyond palette size\n", off, j); From 11dd8eb48ba4b08bced8fb3b966320407c0368fa Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 5 May 2013 19:29:00 +0200 Subject: [PATCH 1021/1119] Fix type of shared flac table ff_flac_blocksize_table[]. Fixes ticket #2533. (cherry picked from commit a07ac1f7888fd08e42da2bed0421e74f1cfac177) --- libavcodec/flacdata.c | 2 +- libavcodec/flacdata.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdata.c b/libavcodec/flacdata.c index 6fcbe3955a..1954f32d32 100644 --- a/libavcodec/flacdata.c +++ b/libavcodec/flacdata.c @@ -27,7 +27,7 @@ const int ff_flac_sample_rate_table[16] = 8000, 16000, 22050, 24000, 32000, 44100, 48000, 96000, 0, 0, 0, 0 }; -const int16_t ff_flac_blocksize_table[16] = { +const int32_t ff_flac_blocksize_table[16] = { 0, 192, 576<<0, 576<<1, 576<<2, 576<<3, 0, 0, 256<<0, 256<<1, 256<<2, 256<<3, 256<<4, 256<<5, 256<<6, 256<<7 }; diff --git a/libavcodec/flacdata.h b/libavcodec/flacdata.h index 96a50b9183..e2c1e5d7f2 100644 --- a/libavcodec/flacdata.h +++ b/libavcodec/flacdata.h @@ -26,6 +26,6 @@ extern const int ff_flac_sample_rate_table[16]; -extern const int16_t ff_flac_blocksize_table[16]; +extern const int32_t ff_flac_blocksize_table[16]; #endif /* AVCODEC_FLACDATA_H */ From e2d529424f3f8c6908c9d91e5f1f842afd136ab6 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 5 May 2013 19:29:00 +0200 Subject: [PATCH 1022/1119] Fix type of shared flac table ff_flac_blocksize_table[]. Fixes ticket #2533. (cherry picked from commit a07ac1f7888fd08e42da2bed0421e74f1cfac177) --- libavcodec/flacdata.c | 2 +- libavcodec/flacdata.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdata.c b/libavcodec/flacdata.c index 6fcbe3955a..1954f32d32 100644 --- a/libavcodec/flacdata.c +++ b/libavcodec/flacdata.c @@ -27,7 +27,7 @@ const int ff_flac_sample_rate_table[16] = 8000, 16000, 22050, 24000, 32000, 44100, 48000, 96000, 0, 0, 0, 0 }; -const int16_t ff_flac_blocksize_table[16] = { +const int32_t ff_flac_blocksize_table[16] = { 0, 192, 576<<0, 576<<1, 576<<2, 576<<3, 0, 0, 256<<0, 256<<1, 256<<2, 256<<3, 256<<4, 256<<5, 256<<6, 256<<7 }; diff --git a/libavcodec/flacdata.h b/libavcodec/flacdata.h index 96a50b9183..e2c1e5d7f2 100644 --- a/libavcodec/flacdata.h +++ b/libavcodec/flacdata.h @@ -26,6 +26,6 @@ extern const int ff_flac_sample_rate_table[16]; -extern const int16_t ff_flac_blocksize_table[16]; +extern const int32_t ff_flac_blocksize_table[16]; #endif /* AVCODEC_FLACDATA_H */ From b6783b882682a95633b6db70ee80fffe61168256 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 20:04:05 +0200 Subject: [PATCH 1023/1119] indeo5: update AVCodecContext width/height on size change Fixes CVE-2012-2787 Note that in 0.7, there is only indeo 5, no indeo 4 decoder Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit b146d74730ab9ec5abede9066f770ad851e45fbc) Signed-off-by: Reinhard Tartler (cherry picked from commit 2bc1e4fcb96c470e2ccb2a0a78a415d5eab960c8) Conflicts: libavcodec/ivi_common.c --- libavcodec/indeo5.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 45460a40fd..bdb53cad12 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -798,6 +798,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->release_buffer(avctx, &ctx->frame); ctx->frame.reference = 0; + avcodec_set_dimensions(avctx, ctx->planes[0].width, ctx->planes[0].height); if (avctx->get_buffer(avctx, &ctx->frame) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; From ee6b868ac835266ebdc10291f5485ace7769bb2e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 4 Jan 2013 16:05:51 +0100 Subject: [PATCH 1024/1119] oggdec: make sure the private parse data is cleaned up Related to CVE-2012-2882 (cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646) Conflicts: libavformat/oggdec.h libavformat/oggparsevorbis.c (cherry picked from commit b0240165d93d4a08d15d244953219a4d4e725d3f) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 4 ++++ libavformat/oggdec.h | 5 +++++ libavformat/oggparsevorbis.c | 14 +++++++++++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index cab6da7b13..8c2d786f3a 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -499,6 +499,10 @@ static int ogg_read_close(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++) { av_free(ogg->streams[i].buf); + if (ogg->streams[i].codec && + ogg->streams[i].codec->cleanup) { + ogg->streams[i].codec->cleanup(s, i); + } av_free(ogg->streams[i].private); } av_free(ogg->streams); diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index e7d1022734..e6d9230b53 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -51,6 +51,11 @@ struct ogg_codec { * 0 if granule is the end time of the associated packet. */ int granule_is_start; + /** + * Number of expected headers + */ + int nb_header; + void (*cleanup)(AVFormatContext *s, int idx); }; struct ogg_stream { diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 86951f3e2f..f276a131af 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -188,6 +188,16 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } +static int vorbis_cleanup(AVFormatContext *s, int idx) +{ + struct ogg *ogg = s->priv_data; + struct ogg_stream *os = ogg->streams + idx; + struct oggvorbis_private *priv = os->private; + int i; + if (os->private) + for (i = 0; i < 3; i++) + av_freep(&priv->packet[i]); +} static int vorbis_header (AVFormatContext * s, int idx) @@ -278,5 +288,7 @@ vorbis_header (AVFormatContext * s, int idx) const struct ogg_codec ff_vorbis_codec = { .magic = "\001vorbis", .magicsize = 7, - .header = vorbis_header + .header = vorbis_header, + .cleanup= vorbis_cleanup, + .nb_header = 3, }; From 8489c0599f0e5b4377976d155b942ea4f8b83381 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 17 Feb 2013 09:10:16 +0100 Subject: [PATCH 1025/1119] update year to 2013 Signed-off-by: Reinhard Tartler --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 943a77c82c..3549c95c29 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -57,7 +57,7 @@ AVFormatContext *avformat_opts; struct SwsContext *sws_opts; AVDictionary *format_opts, *video_opts, *audio_opts, *sub_opts; -static const int this_year = 2011; +static const int this_year = 2013; void init_opts(void) { From f13f6f82c63f5b8fc3235c750a69c6ba8ac4cae1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:58:00 +0100 Subject: [PATCH 1026/1119] wmadec: require block_align to be set. Avoids an infinite loop in the calling programs with decoder not consuming any input and not returning output. CC:libav-stable@libav.org (cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f) Signed-off-by: Reinhard Tartler (cherry picked from commit c1f479e8df24284237c80ad959619fc85e29a26d) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index f0b043feef..a6f1714f72 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -85,6 +85,11 @@ static int wma_decode_init(AVCodecContext * avctx) int i, flags2; uint8_t *extradata; + if (!avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + return AVERROR(EINVAL); + } + s->avctx = avctx; /* extract flag infos */ From 7e6625a9afbe247e5b5da1f1bc4071cb8ae83192 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 7 May 2013 07:24:16 +0200 Subject: [PATCH 1027/1119] xxan: fix invalid memory access in xan_decode_frame_type0() The loop a few lines below the xan_unpack() call accesses up to dec_size * 2 bytes into y_buffer, so dec_size must be limited to buffer_size / 2. CC:libav-stable@libav.org (cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f) Signed-off-by: Reinhard Tartler (cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/xxan.c --- libavcodec/xxan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index daaba6389a..12f7d3ada1 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -298,7 +298,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) corr_end = avpkt->size; if (chroma_off > corr_off) corr_end = chroma_off; - dec_size = xan_unpack(s->scratch_buffer, s->buffer_size, + dec_size = xan_unpack(s->scratch_buffer, s->buffer_size / 2, avpkt->data + 8 + corr_off, corr_end - corr_off); if (dec_size < 0) From c313f3160ae18ada6b075cbe7a891ea076d1f8d3 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 17 Feb 2013 09:10:52 +0100 Subject: [PATCH 1028/1119] Update RELEASE file for 0.7.8 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 879be8a98f..e7c7d3cc3c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.7 +0.7.8 From 7d4c38d58d01832498302a5fc224880f1bd8b494 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 7 May 2013 07:25:10 +0200 Subject: [PATCH 1029/1119] h264: check for luma and chroma bit depth being equal The decoder assumes a single bit depth for all the planes while the specification allows different bit depths for luma and chroma. Avoid the possible problems described in CVE-2013-2277 Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 739b9d2e51..ae2cf23a64 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3867,6 +3867,12 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; + if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) { + av_log_missing_feature(s->avctx, + "Different bit depth between chroma and luma", 1); + return AVERROR_PATCHWELCOME; + } + if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma) { if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) { avctx->bits_per_raw_sample = h->sps.bit_depth_luma; From d86a5ce03f6993aaf7a28f2c2b29a788d7ea76ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Jan 2013 00:54:12 +0100 Subject: [PATCH 1030/1119] vorbisdec: Error on bark_map_size equal to 0. The value is used to calculate output LSP curve and a division by zero and out of array accesses would occur. CVE-2013-0894 CC: libav-stable@libav.org Reported-by: Dale Curtis Found-by: inferno@chromium.org Signed-off-by: Michael Niedermayer Signed-off-by: Luca Barbato (cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc) Signed-off-by: Reinhard Tartler (cherry picked from commit 494ddd377ada76ed555f7a3f49391455daa099c9) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 3805d27627..790abb6111 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -572,6 +572,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) floor_setup->data.t0.order = get_bits(gb, 8); floor_setup->data.t0.rate = get_bits(gb, 16); floor_setup->data.t0.bark_map_size = get_bits(gb, 16); + if (floor_setup->data.t0.bark_map_size == 0) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 bark map size is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * * 2^0 - 1 == 0 */ From 5bfa208e6565fdea62898080b8fecbbd799d1454 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 12 Mar 2013 18:56:28 +0100 Subject: [PATCH 1031/1119] matroskadec: request a read buffer for the wav header Solve an infiniloop. CC: libav-stable@libav.org (cherry picked from commit 37cb3b180a1dc3d6f123f68e0806585ebc2578b6) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a70f2ef86a..e7406d56c4 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1359,7 +1359,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap) && track->codec_priv.data != NULL) { int ret; ffio_init_context(&b, track->codec_priv.data, track->codec_priv.size, - AVIO_FLAG_READ, NULL, NULL, NULL, NULL); + 0, NULL, NULL, NULL, NULL); ret = ff_get_wav_header(&b, st->codec, track->codec_priv.size); if (ret < 0) return ret; From 5025dbc577c9a9e0109cb363ac630a9eeda6dc1d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 10:02:50 +0100 Subject: [PATCH 1032/1119] wmaprodec: return an error, not 0, when the input is too small. Returning 0 may result in an infinite loop in valid calling programs. A decoder should never return 0 without producing any output. CC:libav-stable@libav.org (cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63) Signed-off-by: Reinhard Tartler (cherry picked from commit 60dd8b5733f9ec4919fbc732ace1be8184dde880) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 91972c9f5c..2dfdde70b6 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1502,8 +1502,11 @@ static int decode_packet(AVCodecContext *avctx, s->packet_done = 0; /** sanity check for the buffer length */ - if (buf_size < avctx->block_align) - return 0; + if (buf_size < avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", + buf_size, avctx->block_align); + return AVERROR_INVALIDDATA; + } s->next_packet_start = buf_size - avctx->block_align; buf_size = avctx->block_align; From d785f6940144eb6ce4c24309ed034056b81395bc Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 23 Oct 2012 00:40:51 -0400 Subject: [PATCH 1033/1119] shorten: validate that the channel count in the header is not <= 0 (cherry picked from commit 4c53f4aed3edfa58360c7a2a468782eae31d3176) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/shorten.c --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index b8c1908357..cb3d09dea1 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -342,7 +342,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, s->internal_ftype = get_uint(s, TYPESIZE); s->channels = get_uint(s, CHANSIZE); - if (s->channels > MAX_CHANNELS) { + if (s->channels <= 0 || s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); return -1; } From a694b2b15865f6fd42217c82146e1be43f3b3f9b Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 7 May 2013 07:26:19 +0200 Subject: [PATCH 1034/1119] shorten: set invalid channels count to 0 Prevent the loop shorten_decode_close from writing and freeing out of the array boundary. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5) (cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f) Signed-off-by: Luca Barbato Conflicts: libavcodec/shorten.c --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index cb3d09dea1..b12d6e652d 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -344,6 +344,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, s->channels = get_uint(s, CHANSIZE); if (s->channels <= 0 || s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); + s->channels = 0; return -1; } From 5ebb5a32bdd910a8afb316c51ed0b322f5600ae5 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 7 May 2013 07:29:06 +0200 Subject: [PATCH 1035/1119] shorten: report meaningful errors (cherry picked from commit 4c364eb2b856fc33cf7b42f7c7b979e69fde5f3a) (cherry picked from commit 0daf1428e82926dc5a8c72a0ff4c93aaa8a84ed9) Signed-off-by: Luca Barbato Conflicts: libavcodec/shorten.c --- libavcodec/shorten.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index b12d6e652d..b5473dd10f 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -119,11 +119,11 @@ static int allocate_buffers(ShortenContext *s) for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); - return -1; + return AVERROR_INVALIDDATA; } if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){ av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); - return -1; + return AVERROR_INVALIDDATA; } tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); @@ -209,14 +209,14 @@ static int decode_wave_header(AVCodecContext *avctx, uint8_t *header, int header init_get_bits(&hb, header, header_size*8); if (get_le32(&hb) != MKTAG('R','I','F','F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(&hb, 32); /* chunk_size */ if (get_le32(&hb) != MKTAG('W','A','V','E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); - return -1; + return AVERROR_INVALIDDATA; } while (get_le32(&hb) != MKTAG('f','m','t',' ')) { @@ -227,7 +227,7 @@ static int decode_wave_header(AVCodecContext *avctx, uint8_t *header, int header if (len < 16) { av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n"); - return -1; + return AVERROR_INVALIDDATA; } wave_format = get_le16(&hb); @@ -237,7 +237,7 @@ static int decode_wave_header(AVCodecContext *avctx, uint8_t *header, int header break; default: av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); - return -1; + return AVERROR(ENOSYS); } avctx->channels = get_le16(&hb); @@ -248,7 +248,7 @@ static int decode_wave_header(AVCodecContext *avctx, uint8_t *header, int header if (avctx->bits_per_coded_sample != 16) { av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n"); - return -1; + return AVERROR(ENOSYS); } len -= 16; @@ -529,7 +529,7 @@ frame_done: av_log(s->avctx, AV_LOG_ERROR, "overread: %d\n", i - buf_size); s->bitstream_size=0; s->bitstream_index=0; - return -1; + return AVERROR_INVALIDDATA; } if (s->bitstream_size) { s->bitstream_index += i; From 6d4d186e9e9fcba9f9058691ab00eade028fceff Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 5 Mar 2013 17:12:35 +0100 Subject: [PATCH 1036/1119] shorten: use the unsigned type where needed get_uint returns an unsigned value, use an unsigned to store blocksize to make sure the comparison logic is correct and report correctly the error for the channel count not supported. CC: libav-stable@libav.org (cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c) (cherry picked from commit 88089eecfd7e604d40d078b4f4206c647cb2e2b4) (cherry picked from commit f42d03746afe491dd02bb6372961e85e78299864) Signed-off-by: Luca Barbato Signed-off-by: Reinhard Tartler Conflicts: libavcodec/shorten.c --- libavcodec/shorten.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index b5473dd10f..3ca2835a31 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -78,7 +78,7 @@ typedef struct ShortenContext { GetBitContext gb; int min_framesize, max_framesize; - int channels; + unsigned channels; int32_t *decoded[MAX_CHANNELS]; int32_t *decoded_base[MAX_CHANNELS]; @@ -342,6 +342,10 @@ static int shorten_decode_frame(AVCodecContext *avctx, s->internal_ftype = get_uint(s, TYPESIZE); s->channels = get_uint(s, CHANSIZE); + if (!s->channels) { + av_log(s->avctx, AV_LOG_ERROR, "No channels reported\n"); + return AVERROR_INVALIDDATA; + } if (s->channels <= 0 || s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); s->channels = 0; @@ -501,7 +505,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; case FN_BLOCKSIZE: { - int blocksize = get_uint(s, av_log2(s->blocksize)); + unsigned blocksize = get_uint(s, av_log2(s->blocksize)); if (blocksize > s->blocksize) { av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); return AVERROR_PATCHWELCOME; From c65763a2c677d75388828b9411a69e95bd3ab7af Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Fri, 7 Dec 2012 13:53:56 +0000 Subject: [PATCH 1037/1119] lavf: fix arithmetic overflows in avformat_seek_file() The values compared here can be more than INT64_MAX apart. Since the difference is always positive, converting to uint64_t before subtracting gives the correct result without overflows. Signed-off-by: Mans Rullgard (cherry picked from commit 91ac403b1316d59b4f43c4ea0f237e24cec2819a) Signed-off-by: Luca Barbato --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index be679258a0..b97809f8e6 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1791,7 +1791,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, int //Fallback to old API if new is not implemented but old is //Note the old has somewat different sematics if(s->iformat->read_seek || 1) - return av_seek_frame(s, stream_index, ts, flags | (ts - min_ts > (uint64_t)(max_ts - ts) ? AVSEEK_FLAG_BACKWARD : 0)); + return av_seek_frame(s, stream_index, ts, flags | ((uint64_t)ts - min_ts > (uint64_t)max_ts - ts ? AVSEEK_FLAG_BACKWARD : 0)); // try some generic seek like av_seek_frame_generic() but with new ts semantics } From 78889be3fb4b78a980de283a80a6eabb307db882 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 06:31:21 -0400 Subject: [PATCH 1038/1119] atrac3: avoid oversized shifting in decode_bytes() When `off' is 0, `0x537F6103 << 32' in the following expression invokes undefined behavior, the result of which is not necessarily 0. (0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8))) Avoid oversized shifting. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b) Conflicts: libavcodec/atrac3.c --- libavcodec/atrac3.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 914998e7d9..78312258d4 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -179,8 +179,11 @@ static int decode_bytes(const uint8_t* inbuffer, uint8_t* out, int bytes){ uint32_t* obuf = (uint32_t*) out; off = (intptr_t)inbuffer & 3; - buf = (const uint32_t*) (inbuffer - off); - c = av_be2ne32((0x537F6103 >> (off*8)) | (0x537F6103 << (32-(off*8)))); + buf = (const uint32_t *)(inbuffer - off); + if (off) + c = av_be2ne32((0x537F6103U >> (off * 8)) | (0x537F6103U << (32 - (off * 8)))); + else + c = av_be2ne32(0x537F6103U); bytes += 3 + off; for (i = 0; i < bytes/4; i++) obuf[i] = c ^ buf[i]; From f8d3bb8961d2cdea38ae2971436deae556d78f08 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 07:11:47 -0400 Subject: [PATCH 1039/1119] flacdec: simplify bounds checking in flac_probe() Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'. Avoid a possible out-of-bounds pointer, which is undefined behavior in C. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit 8425d693eefbedbb41f91735614d41067695aa37) --- libavformat/flacdec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 02452b4c7c..32b583f725 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -116,11 +116,9 @@ static int flac_read_header(AVFormatContext *s, static int flac_probe(AVProbeData *p) { - uint8_t *bufptr = p->buf; - uint8_t *end = p->buf + p->buf_size; - - if(bufptr > end-4 || memcmp(bufptr, "fLaC", 4)) return 0; - else return AVPROBE_SCORE_MAX/2; + if (p->buf_size < 4 || memcmp(p->buf, "fLaC", 4)) + return 0; + return AVPROBE_SCORE_MAX/2; } AVInputFormat ff_flac_demuxer = { From 799000af702ae91c069b330b76355c5c76f70b9b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Thu, 26 Apr 2012 14:00:43 +0100 Subject: [PATCH 1040/1119] dsputil: fix invalid array indexing Indexing outside an array is invalid and causes errors with gcc 4.8. Signed-off-by: Mans Rullgard (cherry picked from commit 0a07f2b346433a9a2677c69c6b29a1a827e39109) Signed-off-by: Diego Biurrun --- libavcodec/dsputil.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 4389289d82..d054583155 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c @@ -2848,7 +2848,7 @@ int ff_check_alignment(void){ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx) { - int i; + int i, j; ff_check_alignment(); @@ -3238,11 +3238,15 @@ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx) if (ARCH_SH4) dsputil_init_sh4 (c, avctx); if (ARCH_BFIN) dsputil_init_bfin (c, avctx); - for(i=0; i<64; i++){ - if(!c->put_2tap_qpel_pixels_tab[0][i]) - c->put_2tap_qpel_pixels_tab[0][i]= c->put_h264_qpel_pixels_tab[0][i]; - if(!c->avg_2tap_qpel_pixels_tab[0][i]) - c->avg_2tap_qpel_pixels_tab[0][i]= c->avg_h264_qpel_pixels_tab[0][i]; + for (i = 0; i < 4; i++) { + for (j = 0; j < 16; j++) { + if(!c->put_2tap_qpel_pixels_tab[i][j]) + c->put_2tap_qpel_pixels_tab[i][j] = + c->put_h264_qpel_pixels_tab[i][j]; + if(!c->avg_2tap_qpel_pixels_tab[i][j]) + c->avg_2tap_qpel_pixels_tab[i][j] = + c->avg_h264_qpel_pixels_tab[i][j]; + } } c->put_rv30_tpel_pixels_tab[0][0] = c->put_h264_qpel_pixels_tab[0][0]; From 530d10792de29a25dc56781abe6864e5b31b8ced Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 06:59:22 -0400 Subject: [PATCH 1041/1119] lzo: fix overflow checking in copy_backptr() The check `src > dst' in the form `&c->out[-back] > c->out' invokes pointer overflow, which is undefined behavior in C. Remove the check. Also replace `&c->out[-back] < c->out_start' with a safe form `c->out - c->out_start < back' to avoid overflow. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6) Conflicts: libavutil/lzo.c --- libavutil/lzo.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index ef01653aa8..9cc82dce91 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -119,9 +119,8 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt); * thus creating a repeating pattern with a period length of back. */ static inline void copy_backptr(LZOContext *c, int back, int cnt) { - register const uint8_t *src = &c->out[-back]; register uint8_t *dst = c->out; - if (src < c->out_start || src > dst) { + if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; } From 9c713f30e4913a28d93eb37ea5db7f62be4c0ef6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Oct 2012 16:06:23 +0200 Subject: [PATCH 1042/1119] parser: fix large overreads Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 096abfa15052977eed93f0b5e01afd2d47c53c1f) Signed-off-by: Luca Barbato --- libavcodec/parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 03f548ef6a..aeabf690f0 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -261,7 +261,9 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s if(!new_buffer) return AVERROR(ENOMEM); pc->buffer = new_buffer; - memcpy(&pc->buffer[pc->index], *buf, next + FF_INPUT_BUFFER_PADDING_SIZE ); + if (next > -FF_INPUT_BUFFER_PADDING_SIZE) + memcpy(&pc->buffer[pc->index], *buf, + next + FF_INPUT_BUFFER_PADDING_SIZE); pc->index = 0; *buf= pc->buffer; } From 33c9e18b09f4025ae635ef24bab8eab1a686a711 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 17 Mar 2013 16:14:58 +0100 Subject: [PATCH 1043/1119] avfiltergraph: check for sws opts being non-NULL before using them. Avoid snprintfing a NULL pointer. CC: libav-stable@libav.org (cherry picked from commit 6e3c13a559e9ff300b5ca60e1d503e594d7f055c) Signed-off-by: Reinhard Tartler --- libavfilter/avfiltergraph.c | 7 ++++++- libavfilter/graphparser.c | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index af96807531..b7dce7576f 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -23,6 +23,7 @@ #include #include +#include "libavutil/avstring.h" #include "avfilter.h" #include "avfiltergraph.h" #include "internal.h" @@ -163,7 +164,11 @@ static int query_formats(AVFilterGraph *graph, AVClass *log_ctx) /* couldn't merge format lists. auto-insert scale filter */ snprintf(inst_name, sizeof(inst_name), "auto-inserted scaler %d", scaler_count++); - snprintf(scale_args, sizeof(scale_args), "0:0:%s", graph->scale_sws_opts); + av_strlcpy(scale_args, "0:0", sizeof(scale_args)); + if (graph->scale_sws_opts) { + av_strlcat(scale_args, ":", sizeof(scale_args)); + av_strlcat(scale_args, graph->scale_sws_opts, sizeof(scale_args)); + } if ((ret = avfilter_graph_create_filter(&scale, avfilter_get_by_name("scale"), inst_name, scale_args, NULL, graph)) < 0) return ret; diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index 00fb57ad57..0678cd0b35 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c @@ -121,7 +121,8 @@ static int create_filter(AVFilterContext **filt_ctx, AVFilterGraph *ctx, int ind return ret; } - if (!strcmp(filt_name, "scale") && args && !strstr(args, "flags")) { + if (!strcmp(filt_name, "scale") && args && !strstr(args, "flags") && + ctx->scale_sws_opts) { snprintf(tmp_args, sizeof(tmp_args), "%s:%s", args, ctx->scale_sws_opts); args = tmp_args; From 96cf80609af6372d4e0d150b8a5ca517c072e897 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2013 18:18:38 +0100 Subject: [PATCH 1044/1119] dfa: check for invalid access in decode_wdlt(). This can happen when the number of skipped lines is not consistent with the number of coded lines. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3623589edc7b1257bb45aa9e52c9631e133f22b6) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 9c80b3c4e8..563d7d5a1d 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -263,6 +263,8 @@ static int decode_wdlt(uint8_t *frame, int width, int height, segments = bytestream_get_le16(&src); } line_ptr = frame; + if (frame_end - frame < width) + return AVERROR_INVALIDDATA; frame += width; y++; while (segments--) { From 280998b13cb8f8c8f771fbdf9257c6a8694577da Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:58:00 +0100 Subject: [PATCH 1045/1119] wmaprodec: require block_align to be set. Avoids an infinite loop in the calling programs with decoder not consuming any input and not returning output. CC:libav-stable@libav.org (cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4) Signed-off-by: Reinhard Tartler (cherry picked from commit 20373a66ec68d958c266f643a7d0e5ec254c0fcc) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 2dfdde70b6..3c21d537cf 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -277,6 +277,11 @@ static av_cold int decode_init(AVCodecContext *avctx) int log2_max_num_subframes; int num_possible_block_sizes; + if (!avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + return AVERROR(EINVAL); + } + s->avctx = avctx; dsputil_init(&s->dsp, avctx); init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); From 76c97f19634fb43c265ce33d9bce10f908cdc26c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2013 17:56:59 +0100 Subject: [PATCH 1046/1119] lavf: make sure stream probe data gets freed. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dbb1425811a672eddf4acf0513237cdf20f83756) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index b97809f8e6..6a38064a5e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2616,6 +2616,7 @@ void avformat_free_context(AVFormatContext *s) av_free_packet(&st->cur_pkt); } av_dict_free(&st->metadata); + av_freep(&st->probe_data.buf); av_free(st->index_entries); av_free(st->codec->extradata); av_free(st->codec->subtitle_header); From f844cb9bced3148fca2db5bbb092929526108005 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sun, 17 Mar 2013 20:22:19 +0100 Subject: [PATCH 1047/1119] iff: validate CMAP palette size Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385) Signed-off-by: Reinhard Tartler (cherry picked from commit 31a77177ff323ef83944c60a8654891213ab6691) Signed-off-by: Reinhard Tartler --- libavformat/iff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 2b84986aff..2943f7edab 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -173,6 +173,11 @@ static int iff_read_header(AVFormatContext *s, break; case ID_CMAP: + if (data_size < 3 || data_size > 768 || data_size % 3) { + av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n", + data_size); + return AVERROR_INVALIDDATA; + } st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata) From 9b052bfb8609f2279c33dc9aa9fb39d2e7a53ef2 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 9 Apr 2013 20:33:25 +0200 Subject: [PATCH 1048/1119] rv10: check that extradata is large enough Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 01d376f598fe95478036f5d1e3e5e14ffe32d4bf) Conflicts: libavcodec/rv10.c --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 8d5b62f925..bd58dec549 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -345,6 +345,11 @@ static int rv20_decode_picture_header(MpegEncContext *s) f= get_bits(&s->gb, av_log2(v)+1); if(f){ + if (s->avctx->extradata_size < 8 + 2 * f) { + av_log(s->avctx, AV_LOG_ERROR, "Extradata too small.\n"); + return AVERROR_INVALIDDATA; + } + new_w= 4*((uint8_t*)s->avctx->extradata)[6+2*f]; new_h= 4*((uint8_t*)s->avctx->extradata)[7+2*f]; }else{ From 96481c5e1843dda64df1df22f3bc12e6b10505fd Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 9 Apr 2013 15:25:20 +0200 Subject: [PATCH 1049/1119] qdm2: check that the FFT size is a power of 2 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 34f87a58532ed652a6e0283c1d044ee5df0aef0b) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 258a343837..87ace655e0 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1878,6 +1878,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Unknown FFT order (%d), contact the developers!\n", s->fft_order); return -1; } + if (s->fft_size != (1 << (s->fft_order - 1))) { + av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size); + return AVERROR_INVALIDDATA; + } ff_rdft_init(&s->rdft_ctx, s->fft_order, IDFT_C2R); ff_mpadsp_init(&s->mpadsp); From 053c19cd88b64a7e66231a41a4d81898aef1b6dd Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 9 Jan 2013 20:49:34 +0100 Subject: [PATCH 1050/1119] oggdec: fix faulty cleanup prototype (cherry picked from commit fba8e5b608577fc660989d0057a55818254a3744) Signed-off-by: Reinhard Tartler --- libavformat/oggparsevorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index f276a131af..514ed9ff28 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -188,7 +188,7 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } -static int vorbis_cleanup(AVFormatContext *s, int idx) +static void vorbis_cleanup(AVFormatContext *s, int idx) { struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; From ade4f3e74635d1fa4b3c34c3a1724b43d92b08b5 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 7 May 2013 07:13:50 +0200 Subject: [PATCH 1051/1119] aac: check the maximum number of channels Broken bitstreams could report a larger than specified number of channels and cause outbound writes. CC:libav-stable@libav.org (cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7) Signed-off-by: Luca Barbato Conflicts: libavcodec/aacdec.c --- libavcodec/aacdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index d479c947a9..b9c8c072c7 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -183,6 +183,8 @@ static av_cold int che_configure(AACContext *ac, enum ChannelPosition che_pos[4][MAX_ELEM_ID], int type, int id, int *channels) { + if (*channels >= MAX_CHANNELS) + return AVERROR_INVALIDDATA; if (che_pos[type][id]) { if (!ac->che[type][id] && !(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) return AVERROR(ENOMEM); From 3197a9c4fa46972077e12065047c3d52ef4b40f6 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 11 May 2013 12:08:35 +0200 Subject: [PATCH 1052/1119] Update changelog for 0.7.8 release --- Changelog | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/Changelog b/Changelog index a7410d9dc3..6373a24390 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,35 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.8: +- indeo5: update AVCodecContext width/height on size change, CVE-2012-2787 +- oggdec: make sure the private parse data is cleaned up, CVE-2012-2882 +- vorbisdec: Error on bark_map_size equal to 0, CVE-2013-0894 +- wmaprodec: return an error, not 0, when the input is too small +- wmadec: require block_align to be set +- xxan: fix invalid memory access in xan_decode_frame_type0() +- h264: check for luma and chroma bit depth being equal, CVE-2013-2277 +- matroskadec: request a read buffer for the wav header +- shorten: validate that the channel count in the header is not <= 0 +- shorten: set invalid channels count to 0 +- shorten: report meaningful errors +- shorten: use the unsigned type where needed +- dsputil: fix invalid array indexing +- parser: fix large overreads +- lavf: fix arithmetic overflows in avformat_seek_file() +- atrac3: avoid oversized shifting in decode_bytes() +- flacdec: simplify bounds checking in flac_probe() +- lzo: fix overflow checking in copy_backptr() +- wmaprodec: require block_align to be set +- iff: validate CMAP palette size, CVE-2013-2495 +- avfiltergraph: check for sws opts being non-NULL before using them. +- dfa: check for invalid access in decode_wdlt() +- lavf: make sure stream probe data gets freed +- rv10: check that extradata is large enough +- qdm2: check that the FFT size is a power of 2 +- oggdec: fix faulty cleanup prototype +- aac: check the maximum number of channels + version 0.7.7: Security Updates: From d04dc7b5a78b825aa3241ca331780d82f546a985 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 May 2013 18:30:42 +0200 Subject: [PATCH 1053/1119] h264_cavlc: fix reading skip run Fixes Ticket2606 Signed-off-by: Michael Niedermayer (cherry picked from commit 826b3a75cd295c03720e00d3de83e1abcbedd4b9) Conflicts: libavcodec/h264_cavlc.c --- libavcodec/h264_cavlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 0d076c3575..1a438cf7bc 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -621,7 +621,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){ down the code */ if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(s->mb_skip_run==-1) - s->mb_skip_run= get_ue_golomb(&s->gb); + s->mb_skip_run= get_ue_golomb_long(&s->gb); if (s->mb_skip_run--) { if(FRAME_MBAFF && (s->mb_y&1) == 0){ From 746c7480703cd0465c38837fe80cbd4ea56facc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 May 2013 18:30:42 +0200 Subject: [PATCH 1054/1119] h264_cavlc: fix reading skip run Fixes Ticket2606 Signed-off-by: Michael Niedermayer (cherry picked from commit 826b3a75cd295c03720e00d3de83e1abcbedd4b9) Conflicts: libavcodec/h264_cavlc.c --- libavcodec/h264_cavlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 0d076c3575..1a438cf7bc 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -621,7 +621,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){ down the code */ if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(s->mb_skip_run==-1) - s->mb_skip_run= get_ue_golomb(&s->gb); + s->mb_skip_run= get_ue_golomb_long(&s->gb); if (s->mb_skip_run--) { if(FRAME_MBAFF && (s->mb_y&1) == 0){ From 23d835f6113b92f7a3ae9ab8eb091a554ef47d51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2013 00:01:13 +0200 Subject: [PATCH 1055/1119] alacenc: Fix missing sign_extend() Fixes ticket #2497 Signed-off-by: Michael Niedermayer (cherry picked from commit 8aea2f05dc56f7e7d60767dd27ba8e846a05e8ae) Conflicts: libavcodec/alacenc.c --- libavcodec/alacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index bb618e16f2..235bff6637 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -257,7 +257,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) // generate warm-up samples residual[0] = samples[0]; for(i=1;i<=lpc.lpc_order;i++) - residual[i] = samples[i] - samples[i-1]; + residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size); // perform lpc on remaining samples for(i = lpc.lpc_order + 1; i < s->avctx->frame_size; i++) { From 508de3d6e942d051bc6f11291654438b4d84428e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2013 00:01:13 +0200 Subject: [PATCH 1056/1119] alacenc: Fix missing sign_extend() Fixes ticket #2497 Signed-off-by: Michael Niedermayer (cherry picked from commit 8aea2f05dc56f7e7d60767dd27ba8e846a05e8ae) Conflicts: libavcodec/alacenc.c --- libavcodec/alacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index bb618e16f2..235bff6637 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -257,7 +257,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) // generate warm-up samples residual[0] = samples[0]; for(i=1;i<=lpc.lpc_order;i++) - residual[i] = samples[i] - samples[i-1]; + residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size); // perform lpc on remaining samples for(i = lpc.lpc_order + 1; i < s->avctx->frame_size; i++) { From 2a1bebfc83db072cb2c984e4cebb4dd261f9d51f Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 19 Jun 2013 16:31:10 +0200 Subject: [PATCH 1057/1119] Autodetect idcin only if audio properties allow decoding. Fixes ticket #2688. (cherry picked from commit 06bede95fcea47d2e51e8ff248c15311f335b898) --- libavformat/idcin.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index baff2d446d..6aa259ca9f 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -90,7 +90,7 @@ typedef struct IdcinDemuxContext { static int idcin_probe(AVProbeData *p) { - unsigned int number; + unsigned int number, sample_rate; /* * This is what you could call a "probabilistic" file check: id CIN @@ -119,18 +119,18 @@ static int idcin_probe(AVProbeData *p) return 0; /* check the audio sample rate */ - number = AV_RL32(&p->buf[8]); - if ((number != 0) && ((number < 8000) | (number > 48000))) + sample_rate = AV_RL32(&p->buf[8]); + if (sample_rate && (sample_rate < 8000 || sample_rate > 48000)) return 0; /* check the audio bytes/sample */ number = AV_RL32(&p->buf[12]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* check the audio channels */ number = AV_RL32(&p->buf[16]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* return half certainly since this check is a bit sketchy */ From dba1211a3eaf2e054bcfc5fe113b5e14474ca8d9 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 19 Jun 2013 16:31:10 +0200 Subject: [PATCH 1058/1119] Autodetect idcin only if audio properties allow decoding. Fixes ticket #2688. (cherry picked from commit 06bede95fcea47d2e51e8ff248c15311f335b898) --- libavformat/idcin.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index fb07788655..8fd84f0728 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -92,7 +92,7 @@ typedef struct IdcinDemuxContext { static int idcin_probe(AVProbeData *p) { - unsigned int number; + unsigned int number, sample_rate; /* * This is what you could call a "probabilistic" file check: id CIN @@ -121,18 +121,18 @@ static int idcin_probe(AVProbeData *p) return 0; /* check the audio sample rate */ - number = AV_RL32(&p->buf[8]); - if ((number != 0) && ((number < 8000) | (number > 48000))) + sample_rate = AV_RL32(&p->buf[8]); + if (sample_rate && (sample_rate < 8000 || sample_rate > 48000)) return 0; /* check the audio bytes/sample */ number = AV_RL32(&p->buf[12]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* check the audio channels */ number = AV_RL32(&p->buf[16]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* return half certainly since this check is a bit sketchy */ From c997dcd38be70568e4133125f8e68a2ef837646e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2013 03:27:07 +0200 Subject: [PATCH 1059/1119] mpegts: only reopen pmt_cb filter if its different from the previous. Fixes Ticket2632 Signed-off-by: Michael Niedermayer (cherry picked from commit b009267910df10c004b5f340a090d45da29089a0) --- libavformat/mpegts.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 618bd8f1b4..b15c9bc6d5 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1174,12 +1174,18 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (sid == 0x0000) { /* NIT info */ } else { + MpegTSFilter *fil = ts->pids[pmt_pid]; program = av_new_program(ts->stream, sid); program->program_num = sid; program->pmt_pid = pmt_pid; - if (ts->pids[pmt_pid]) - mpegts_close_filter(ts, ts->pids[pmt_pid]); - mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); + if (fil) + if ( fil->type != MPEGTS_SECTION + || fil->pid != pmt_pid + || fil->u.section_filter.section_cb != pmt_cb) + mpegts_close_filter(ts, ts->pids[pmt_pid]); + + if (!ts->pids[pmt_pid]) + mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); add_pat_entry(ts, sid); add_pid_to_pmt(ts, sid, 0); //add pat pid to program add_pid_to_pmt(ts, sid, pmt_pid); From dc61d44842699f95e8387144c6046170d1f90d62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2013 03:27:07 +0200 Subject: [PATCH 1060/1119] mpegts: only reopen pmt_cb filter if its different from the previous. Fixes Ticket2632 Signed-off-by: Michael Niedermayer (cherry picked from commit b009267910df10c004b5f340a090d45da29089a0) --- libavformat/mpegts.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e5c21ccbf3..bcf9b00814 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1179,12 +1179,18 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (sid == 0x0000) { /* NIT info */ } else { + MpegTSFilter *fil = ts->pids[pmt_pid]; program = av_new_program(ts->stream, sid); program->program_num = sid; program->pmt_pid = pmt_pid; - if (ts->pids[pmt_pid]) - mpegts_close_filter(ts, ts->pids[pmt_pid]); - mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); + if (fil) + if ( fil->type != MPEGTS_SECTION + || fil->pid != pmt_pid + || fil->u.section_filter.section_cb != pmt_cb) + mpegts_close_filter(ts, ts->pids[pmt_pid]); + + if (!ts->pids[pmt_pid]) + mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); add_pat_entry(ts, sid); add_pid_to_pmt(ts, sid, 0); //add pat pid to program add_pid_to_pmt(ts, sid, pmt_pid); From f8c4dbe45ee2d76340e5b1071d998f6fb15e1aca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 21:46:20 +0200 Subject: [PATCH 1061/1119] mpeg12dec: avoid reinitialization on PS changes when possible. Fixes Ticket2574 Signed-off-by: Michael Niedermayer (cherry picked from commit 970c8df73528659925819dec31c4c8c0887f0321) Conflicts: libavcodec/mpeg12.c --- libavcodec/mpeg12.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 671406746b..0cf9aa1843 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1288,7 +1288,7 @@ static int mpeg_decode_postinit(AVCodecContext *avctx){ s1->save_width != s->width || s1->save_height != s->height || s1->save_aspect_info != s->aspect_ratio_info|| - s1->save_progressive_seq != s->progressive_sequence || + (s1->save_progressive_seq != s->progressive_sequence && (s->height&31)) || 0) { From 82c6b76d701a44941da47fb60ddf13d94769b91e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 21:46:20 +0200 Subject: [PATCH 1062/1119] mpeg12dec: avoid reinitialization on PS changes when possible. Fixes Ticket2574 Signed-off-by: Michael Niedermayer (cherry picked from commit 970c8df73528659925819dec31c4c8c0887f0321) Conflicts: libavcodec/mpeg12.c --- libavcodec/mpeg12.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 112d8fe8cd..ab6baa9bb6 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1288,7 +1288,7 @@ static int mpeg_decode_postinit(AVCodecContext *avctx){ s1->save_width != s->width || s1->save_height != s->height || s1->save_aspect_info != s->aspect_ratio_info|| - s1->save_progressive_seq != s->progressive_sequence || + (s1->save_progressive_seq != s->progressive_sequence && (s->height&31)) || 0) { From eec833b10ddaf656d7840208c9fbe3458c8c8c3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2013 21:03:48 +0200 Subject: [PATCH 1063/1119] avcodec/parser: reset indexes on realloc failure Fixes Ticket2982 Signed-off-by: Michael Niedermayer (cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 7f18a26631..8530673cd5 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -242,8 +242,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s if(next == END_NOT_FOUND){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - if(!new_buffer) + if(!new_buffer) { + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); pc->index += *buf_size; @@ -256,9 +258,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s /* append to buffer */ if(pc->index){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - - if(!new_buffer) + if(!new_buffer) { + pc->overread_index = + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; if (next > -FF_INPUT_BUFFER_PADDING_SIZE) memcpy(&pc->buffer[pc->index], *buf, From 510da4fe2b45a4015a9670c11d9bef90a38e137e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 21:13:32 +0100 Subject: [PATCH 1064/1119] apichanges: fix 2 wrong hashes Signed-off-by: Michael Niedermayer (cherry picked from commit 2f3bc5122822687dc388f7352c92cf6db456cf7c) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index b81c5bf8d9..5665447552 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -288,11 +288,11 @@ API changes, most recent first: 2011-02-10 - 12c14cd - lavf 52.99.0 - AVStream.disposition Add AV_DISPOSITION_HEARING_IMPAIRED and AV_DISPOSITION_VISUAL_IMPAIRED. -2011-02-09 - 5592734 - lavc 52.112.0 - avcodec_thread_init() +2011-02-09 - c0b102c - lavc 52.112.0 - avcodec_thread_init() Deprecate avcodec_thread_init()/avcodec_thread_free() use; instead set thread_count before calling avcodec_open. -2011-02-09 - 778b08a - lavc 52.111.0 - threading API +2011-02-09 - 37b00b4 - lavc 52.111.0 - threading API Add CODEC_CAP_FRAME_THREADS with new restrictions on get_buffer()/ release_buffer()/draw_horiz_band() callbacks for appropriate codecs. Add thread_type and active_thread_type fields to AVCodecContext. From ba7cd748c1794914f4e959e3923a59169363f4d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2013 03:32:23 +0100 Subject: [PATCH 1065/1119] doc/APIchanges: List merge commit hashes and version numbers Signed-off-by: Michael Niedermayer --- doc/APIchanges | 116 ++++++++++++++++++++++++------------------------- 1 file changed, 58 insertions(+), 58 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 5665447552..d030f820d2 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -66,16 +66,16 @@ API changes, most recent first: 2011-06-10 - c381960 - lavfi 2.15.0 - avfilter_get_audio_buffer_ref_from_arrays Add avfilter_get_audio_buffer_ref_from_arrays() to avfilter.h. -2011-06-09 - d9f80ea - lavu 51.8.0 - AVMetadata +2011-06-09 - f9ecb84 / d9f80ea - lavu 51.8.0 - AVMetadata Move AVMetadata from lavf to lavu and rename it to AVDictionary -- new installed header dict.h. All av_metadata_* functions renamed to av_dict_*. -2011-06-07 - a6703fa - lavu 51.8.0 - av_get_bytes_per_sample() +2011-06-07 - d552f61 / a6703fa - lavu 51.8.0 - av_get_bytes_per_sample() Add av_get_bytes_per_sample() in libavutil/samplefmt.h. Deprecate av_get_bits_per_sample_fmt(). -2011-06-xx - b39b062 - lavu 51.8.0 - opt.h +2011-06-xx - f956924 / b39b062 - lavu 51.8.0 - opt.h Add av_opt_free convenience function. 2011-06-06 - 95a0242 - lavfi 2.14.0 - AVFilterBufferRefAudioProps @@ -105,7 +105,7 @@ API changes, most recent first: Add av_get_pix_fmt_name() in libavutil/pixdesc.h, and deprecate avcodec_get_pix_fmt_name() in libavcodec/avcodec.h in its favor. -2011-05-25 - 30315a8 - lavf 53.3.0 - avformat.h +2011-05-25 - 39e4206 / 30315a8 - lavf 53.3.0 - avformat.h Add fps_probe_size to AVFormatContext. 2011-05-22 - 5ecdfd0 - lavf 53.2.0 - avformat.h @@ -121,10 +121,10 @@ API changes, most recent first: 2011-05-14 - 9fdf772 - lavfi 2.6.0 - avcodec.h Add avfilter_get_video_buffer_ref_from_frame() to libavfilter/avcodec.h. -2011-05-18 - 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt +2011-05-18 - 75a37b5 / 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt Add request_sample_fmt field to AVCodecContext. -2011-05-10 - 188dea1 - lavc 53.6.0 - avcodec.h +2011-05-10 - 59eb12f / 188dea1 - lavc 53.6.0 - avcodec.h Deprecate AVLPCType and the following fields in AVCodecContext: lpc_coeff_precision, prediction_order_method, min_partition_order, max_partition_order, lpc_type, lpc_passes. @@ -154,81 +154,81 @@ API changes, most recent first: Add av_dynarray_add function for adding an element to a dynamic array. -2011-04-26 - bebe72f - lavu 51.1.0 - avutil.h +2011-04-26 - d7e5aeb / bebe72f - lavu 51.1.0 - avutil.h Add AVPictureType enum and av_get_picture_type_char(), deprecate FF_*_TYPE defines and av_get_pict_type_char() defined in libavcodec/avcodec.h. -2011-04-26 - 10d3940 - lavfi 2.3.0 - avfilter.h +2011-04-26 - d7e5aeb / 10d3940 - lavfi 2.3.0 - avfilter.h Add pict_type and key_frame fields to AVFilterBufferRefVideo. -2011-04-26 - 7a11c82 - lavfi 2.2.0 - vsrc_buffer +2011-04-26 - d7e5aeb / 7a11c82 - lavfi 2.2.0 - vsrc_buffer Add sample_aspect_ratio fields to vsrc_buffer arguments -2011-04-21 - 94f7451 - lavc 53.1.0 - avcodec.h +2011-04-21 - 8772156 / 94f7451 - lavc 53.1.0 - avcodec.h Add CODEC_CAP_SLICE_THREADS for codecs supporting sliced threading. 2011-04-15 - lavc 52.120.0 - avcodec.h AVPacket structure got additional members for passing side information: - 4de339e introduce side information for AVPacket - 2d8591c make containers pass palette change in AVPacket + c407984 / 4de339e introduce side information for AVPacket + c407984 / 2d8591c make containers pass palette change in AVPacket 2011-04-12 - lavf 52.107.0 - avio.h Avio cleanup, part II - deprecate the entire URLContext API: - 175389c add avio_check as a replacement for url_exist - ff1ec0c add avio_pause and avio_seek_time as replacements + c55780d / 175389c add avio_check as a replacement for url_exist + 9891004 / ff1ec0c add avio_pause and avio_seek_time as replacements for _av_url_read_fseek/fpause - cdc6a87 deprecate av_protocol_next(), avio_enum_protocols + d4d0932 / cdc6a87 deprecate av_protocol_next(), avio_enum_protocols should be used instead. - 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb. - f87b1b3 rename open flags: URL_* -> AVIO_* - f8270bb add avio_enum_protocols. - 5593f03 deprecate URLProtocol. - c486dad deprecate URLContext. - 026e175 deprecate the typedef for URLInterruptCB - 8e76a19 deprecate av_register_protocol2. - b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME - 1305d93 deprecate av_url_read_seek - fa104e1 deprecate av_url_read_pause - 727c7aa deprecate url_get_filename(). - 5958df3 deprecate url_max_packet_size(). - 1869ea0 deprecate url_get_file_handle(). - 32a97d4 deprecate url_filesize(). - e52a914 deprecate url_close(). - 58a48c6 deprecate url_seek(). - 925e908 deprecate url_write(). - dce3756 deprecate url_read_complete(). - bc371ac deprecate url_read(). - 0589da0 deprecate url_open(). - 62eaaea deprecate url_connect. - 5652bb9 deprecate url_alloc. - 333e894 deprecate url_open_protocol - e230705 deprecate url_poll and URLPollEntry + c88caa5 / 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb. + c88caa5 / f87b1b3 rename open flags: URL_* -> AVIO_* + d4d0932 / f8270bb add avio_enum_protocols. + d4d0932 / 5593f03 deprecate URLProtocol. + d4d0932 / c486dad deprecate URLContext. + d4d0932 / 026e175 deprecate the typedef for URLInterruptCB + c88caa5 / 8e76a19 deprecate av_register_protocol2. + 11d7841 / b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME + 11d7841 / 1305d93 deprecate av_url_read_seek + 11d7841 / fa104e1 deprecate av_url_read_pause + 434f248 / 727c7aa deprecate url_get_filename(). + 434f248 / 5958df3 deprecate url_max_packet_size(). + 434f248 / 1869ea0 deprecate url_get_file_handle(). + 434f248 / 32a97d4 deprecate url_filesize(). + 434f248 / e52a914 deprecate url_close(). + 434f248 / 58a48c6 deprecate url_seek(). + 434f248 / 925e908 deprecate url_write(). + 434f248 / dce3756 deprecate url_read_complete(). + 434f248 / bc371ac deprecate url_read(). + 434f248 / 0589da0 deprecate url_open(). + 434f248 / 62eaaea deprecate url_connect. + 434f248 / 5652bb9 deprecate url_alloc. + 434f248 / 333e894 deprecate url_open_protocol + 434f248 / e230705 deprecate url_poll and URLPollEntry 2011-04-08 - lavf 52.106.0 - avformat.h Minor avformat.h cleanup: - a9bf9d8 deprecate av_guess_image2_codec - c3675df rename avf_sdp_create->av_sdp_create + d4d0932 / a9bf9d8 deprecate av_guess_image2_codec + d4d0932 / c3675df rename avf_sdp_create->av_sdp_create 2011-04-03 - lavf 52.105.0 - avio.h Large-scale renaming/deprecating of AVIOContext-related functions: - 724f6a0 deprecate url_fdopen - 403ee83 deprecate url_open_dyn_packet_buf - 6dc7d80 rename url_close_dyn_buf -> avio_close_dyn_buf - b92c545 rename url_open_dyn_buf -> avio_open_dyn_buf - 8978fed introduce an AVIOContext.seekable field as a replacement for + 2cae980 / 724f6a0 deprecate url_fdopen + 2cae980 / 403ee83 deprecate url_open_dyn_packet_buf + 2cae980 / 6dc7d80 rename url_close_dyn_buf -> avio_close_dyn_buf + 2cae980 / b92c545 rename url_open_dyn_buf -> avio_open_dyn_buf + 2cae980 / 8978fed introduce an AVIOContext.seekable field as a replacement for AVIOContext.is_streamed and url_is_streamed() - b64030f deprecate get_checksum() - 4c4427a deprecate init_checksum() - 4ec153b deprecate udp_set_remote_url/get_local_port - 933e90a deprecate av_url_read_fseek/fpause - 8d9769a deprecate url_fileno - b7f2fdd rename put_flush_packet -> avio_flush - 35f1023 deprecate url_close_buf - 83fddae deprecate url_open_buf - d9d86e0 rename url_fprintf -> avio_printf - 59f65d9 deprecate url_setbufsize - 3e68b3b deprecate url_ferror + 1caa412 / b64030f deprecate get_checksum() + 1caa412 / 4c4427a deprecate init_checksum() + 2fd41c9 / 4ec153b deprecate udp_set_remote_url/get_local_port + 4fa0e24 / 933e90a deprecate av_url_read_fseek/fpause + 4fa0e24 / 8d9769a deprecate url_fileno + 0fecf26 / b7f2fdd rename put_flush_packet -> avio_flush + 0fecf26 / 35f1023 deprecate url_close_buf + 0fecf26 / 83fddae deprecate url_open_buf + 0fecf26 / d9d86e0 rename url_fprintf -> avio_printf + 0fecf26 / 59f65d9 deprecate url_setbufsize + 6947b0c / 3e68b3b deprecate url_ferror 66e5b1d deprecate url_feof e8bb2e2 deprecate url_fget_max_packet_size 76aa876 rename url_fsize -> avio_size @@ -250,7 +250,7 @@ API changes, most recent first: b3db9ce deprecate get_partial_buffer 8d9ac96 rename av_alloc_put_byte -> avio_alloc_context -2011-03-25 - 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type +2011-03-25 - 27ef7b1 / 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type Add audio_service_type field to AVCodecContext. 2011-03-17 - e309fdc - lavu 50.40.0 - pixfmt.h From ff29290e265d2efb109fe8e1812f1269487871ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2013 19:48:27 +0200 Subject: [PATCH 1066/1119] update all trac links to use the trac subdomain Signed-off-by: Michael Niedermayer --- doc/issue_tracker.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/issue_tracker.txt b/doc/issue_tracker.txt index a41b8e5044..32a2c8c59c 100644 --- a/doc/issue_tracker.txt +++ b/doc/issue_tracker.txt @@ -15,7 +15,7 @@ be properly added to the respective issue. The subscription URL for the ffmpeg-trac list is: http(s)://ffmpeg.org/mailman/listinfo/ffmpeg-trac The URL of the webinterface of the tracker is: -http(s)://ffmpeg.org/trac/ffmpeg +http(s)://trac.ffmpeg.org NOTE: issue = (bug report || patch || feature request) From 0dff3171ce102915812a3f5b42d4a865790b1b77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2013 01:07:32 +0200 Subject: [PATCH 1067/1119] avcodec/rpza: Perform pointer advance and checks before using the pointers Fixes out of array accesses Fixes Ticket2850 Signed-off-by: Michael Niedermayer (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index d8082f6d8e..f7240ab330 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s) unsigned short *pixels = (unsigned short *)s->frame.data[0]; int row_ptr = 0; - int pixel_ptr = 0; + int pixel_ptr = -4; int block_ptr; int pixel_x, pixel_y; int total_blocks; @@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s) colorA = AV_RB16 (&s->buf[stream_ptr]); stream_ptr += 2; while (n_blocks--) { + ADVANCE_BLOCK() block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -186,6 +186,7 @@ static void rpza_decode_stream(RpzaContext *s) if (s->size - stream_ptr < n_blocks * 4) return; while (n_blocks--) { + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { index = s->buf[stream_ptr++]; @@ -196,7 +197,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -204,6 +204,7 @@ static void rpza_decode_stream(RpzaContext *s) case 0x00: if (s->size - stream_ptr < 16) return; + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -217,7 +218,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); break; /* Unknown opcode */ From 38ca79b04d9a16790be7941950152b514a237759 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2013 03:19:40 +0200 Subject: [PATCH 1068/1119] jpeg2000: check log2_cblk dimensions Fixes out of array access Fixes Ticket2895 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 9a271a9368eaabf99e6c2046103acb33957e63b7) Conflicts: libavcodec/jpeg2000dec.c Signed-off-by: Michael Niedermayer Conflicts: libavcodec/j2kdec.c Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 3315a835d7..2b6929d18e 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -28,6 +28,7 @@ #include "avcodec.h" #include "bytestream.h" #include "j2k.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #define JP2_SIG_TYPE 0x6A502020 @@ -283,6 +284,10 @@ static int get_cox(J2kDecoderContext *s, J2kCodingStyle *c) c->log2_cblk_width = bytestream_get_byte(&s->buf) + 2; // cblk width c->log2_cblk_height = bytestream_get_byte(&s->buf) + 2; // cblk height + if (c->log2_cblk_width > 6 || c->log2_cblk_height > 6) { + return AVERROR_PATCHWELCOME; + } + c->cblk_style = bytestream_get_byte(&s->buf); if (c->cblk_style != 0){ // cblk style av_log(s->avctx, AV_LOG_WARNING, "extra cblk styles %X\n", c->cblk_style); @@ -699,6 +704,9 @@ static int decode_cblk(J2kDecoderContext *s, J2kCodingStyle *codsty, J2kT1Contex int bpass_csty_symbol = J2K_CBLK_BYPASS & codsty->cblk_style; int vert_causal_ctx_csty_symbol = J2K_CBLK_VSC & codsty->cblk_style; + av_assert0(width <= J2K_MAX_CBLKW); + av_assert0(height <= J2K_MAX_CBLKH); + for (y = 0; y < height+2; y++) memset(t1->flags[y], 0, (width+2)*sizeof(int)); From 1b05b0005becac06c892ea07c3dbb11f3eb5ece1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2013 04:00:30 +0200 Subject: [PATCH 1069/1119] matroska_read_seek: Fix used streams for subtitle index compensation Might fix Ticket1907 (I have no testcase so i cant test) Signed-off-by: Michael Niedermayer (cherry picked from commit 4758e32a6c48044f77102a49110c79b4f338f648) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4b95abe1e4..499a3417cb 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2028,10 +2028,11 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && !tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp(tracks[i].stream, st->index_entries[index].timestamp, AVSEEK_FLAG_BACKWARD); - if (index_sub >= 0 - && st->index_entries[index_sub].pos < st->index_entries[index_min].pos - && st->index_entries[index].timestamp - st->index_entries[index_sub].timestamp < 30000000000/matroska->time_scale) - index_min = index_sub; + while(index_sub >= 0 + && index_min >= 0 + && tracks[i].stream->index_entries[index_sub].pos < st->index_entries[index_min].pos + && st->index_entries[index].timestamp - tracks[i].stream->index_entries[index_sub].timestamp < 30000000000/matroska->time_scale) + index_min--; } } From e3d643cf758793577e9f99018cc7dcf753970c1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:14:32 +0200 Subject: [PATCH 1070/1119] avcodec/pngdsp: fix (un)signed type in end comparission Fixes out of array accesses Fixes Ticket2919 Found_by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 86736f59d6a527d8bc807d09b93f971c0fe0bb07) Conflicts: libavcodec/pngdsp.c Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ae932991d3..9afa0932e1 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -107,7 +107,7 @@ static void png_put_interlaced_row(uint8_t *dst, int width, static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w) { long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); From 90ee388b2883502a013dac12899c09303b08806d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:40:47 +0200 Subject: [PATCH 1071/1119] avcodec/dsputil: fix signedness in sizeof() comparissions Signed-off-by: Michael Niedermayer (cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760) Signed-off-by: Michael Niedermayer --- libavcodec/dsputil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 89b0d5871e..e7efde3945 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c @@ -1914,7 +1914,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src+i); long b = *(long*)(dst+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); @@ -1939,7 +1939,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ } }else #endif - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); From bd66456866e9325ffddfd5a369b9991cf43b1d54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2013 17:58:18 +0200 Subject: [PATCH 1072/1119] avcodec/ffv1enc: update buffer check for 16bps Signed-off-by: Michael Niedermayer (cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f) Conflicts: libavcodec/ffv1enc.c (cherry picked from commit c900c6e5c26cd86cf34f9c8d4347cedbd01f3935) --- libavcodec/ffv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 8fe725f78a..ebf3a57569 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -522,7 +522,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w, int run_mode=0; if(s->ac){ - if(c->bytestream_end - c->bytestream < w*20){ + if(c->bytestream_end - c->bytestream < w*35){ av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); return -1; } From a248117f2618e9e4de3c87e685bce44578b11657 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Oct 2013 17:48:25 +0200 Subject: [PATCH 1073/1119] update for 0.8.15 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 21a71479f5..39ca7a45f4 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.14 +PROJECT_NUMBER = 0.8.15 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 832bad2740..7d87d9947c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.14 +0.8.15 diff --git a/VERSION b/VERSION index 832bad2740..7d87d9947c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.14 +0.8.15 From 63d5db37cba39a996a7bde482dfddc1d3422caf6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Oct 2013 19:07:56 +0200 Subject: [PATCH 1074/1119] update for 0.7.16 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 05f6e5c191..2b03049d02 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.15 +PROJECT_NUMBER = 0.7.16 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index def4250351..bf7b715d27 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.15 +0.7.16 diff --git a/VERSION b/VERSION index def4250351..bf7b715d27 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.15 +0.7.16 From 1049328cf013c84b89a1ecbb90c947f1a3fe68b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2013 01:03:19 +0200 Subject: [PATCH 1075/1119] avformat/utils: do not override pts in h264 when they are provided from the demuxer Fixes Ticket2143 Signed-off-by: Michael Niedermayer (cherry picked from commit 1e5271a9fd6ddcceb083f2185a4bbd8d44c9a813) --- libavformat/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d90047b199..e2418e72a8 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1103,12 +1103,14 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, if (pkt->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp st->reference_dts = pkt->dts - pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } else if (st->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp pkt->dts = st->reference_dts + pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } + + if (st->reference_dts != AV_NOPTS_VALUE && pkt->pts == AV_NOPTS_VALUE) + pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; + if (pc->dts_sync_point > 0) st->reference_dts = pkt->dts; // new reference } From cce6bdc7583997420a7a55406366afbe97f16de6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Dec 2013 15:02:35 +0200 Subject: [PATCH 1076/1119] arm: Don't clobber callee saved registers in scalarproduct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit q4-q7/d8-d15 are supposed to not be clobbered by the callee. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694) --- libavcodec/arm/int_neon.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/int_neon.S b/libavcodec/arm/int_neon.S index e8023e0686..f86bf53f95 100644 --- a/libavcodec/arm/int_neon.S +++ b/libavcodec/arm/int_neon.S @@ -67,10 +67,10 @@ function ff_scalarproduct_int16_neon, export=1 3: vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] @@ -107,10 +107,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] From 0701f7c5c3f9e8a336d1f5773a89a5e63f8f5497 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2014 20:09:48 +0100 Subject: [PATCH 1077/1119] dnxhdenc: fix mb_rc size Fixes out of array access with RC_VARIANCE set to 0 Signed-off-by: Michael Niedermayer (cherry picked from commit f1caaa1c61310beba705957e6366f0392a0b005b) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 62bc9f0dd5..0c2a965eb7 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -151,7 +151,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias) static int dnxhd_init_rc(DNXHDEncContext *ctx) { - FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail); + FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail); if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD) FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail); From c3ece52decafc4923aebe7fd74b274e9ebb1962e Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 10 Jan 2013 11:05:29 -0800 Subject: [PATCH 1078/1119] matroska: Fix use after free Signed-off-by: Dale Curtis Signed-off-by: Luca Barbato (cherry picked from commit ae3d41636942cbc0236bad21ad06c65f4eb0f096) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2fe1db5301..ac91f67ad5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1676,6 +1676,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, */ static void matroska_clear_queue(MatroskaDemuxContext *matroska) { + matroska->prev_pkt = NULL; if (matroska->packets) { int n; for (n = 0; n < matroska->num_packets; n++) { From 1b291e0466308b341bc2e8c2a49d44862400f014 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Jun 2014 03:15:28 +0200 Subject: [PATCH 1079/1119] avutil/lzo: Fix integer overflow Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" See: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer (cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee) Conflicts: libavutil/lzo.c (cherry picked from commit 7b5c706494a775b2b0d0e0a38448610802eef8f4) Signed-off-by: Michael Niedermayer --- libavutil/lzo.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index d2e86bc30a..d91fbfc6a6 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -62,7 +62,13 @@ static inline int get_byte(LZOContext *c) { static inline int get_len(LZOContext *c, int x, int mask) { int cnt = x & mask; if (!cnt) { - while (!(x = get_byte(c))) cnt += 255; + while (!(x = get_byte(c))) { + if (cnt >= INT_MAX - 1000) { + c->error |= AV_LZO_ERROR; + break; + } + cnt += 255; + } cnt += mask + x; } return cnt; From 3ab6c0c4ecfd4880096f98474f8ac6b5f39dd924 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 21 Sep 2014 09:58:10 +0100 Subject: [PATCH 1080/1119] configure: add noexecstack to linker options if supported. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit b7082d953fda93f7841ffffe7d15a6c3cd15bdee) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 8f5829612f..ed228e49a5 100755 --- a/configure +++ b/configure @@ -2799,6 +2799,7 @@ if enabled asm; then fi check_ldflags -Wl,--as-needed +check_ldflags -Wl,-z,noexecstack if check_func dlopen; then ldl= From 794fcabfe8b8506dbdf33a735318d1a2aecfb150 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Oct 2014 23:17:21 +0200 Subject: [PATCH 1081/1119] avcodec/jpeglsdec: Check run value more completely in ls_decode_line() previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 7278e020da..628fed1836 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -203,6 +203,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void * x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; From b5e661bcd2bb4fe771cb2c1e21215c68e6a17665 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 01:50:27 +0200 Subject: [PATCH 1082/1119] avcodec/mjpegdec: check bits per pixel for changes similar to dimensions Fixes out of array accesses Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 94371a404c663c3dae3d542fa43951567ab67f82) Conflicts: libavcodec/mjpegdec.c Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 817636fa47..6d0ec63b95 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -212,16 +212,16 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id; + int len, nb_components, i, width, height, bits, pix_fmt_id; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits= get_bits(&s->gb, 8); + bits= get_bits(&s->gb, 8); - if(s->pegasus_rct) s->bits=9; - if(s->bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly + if(s->pegasus_rct) bits=9; + if(bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly - if (s->bits != 8 && !s->lossless){ + if (bits != 8 && !s->lossless){ av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; } @@ -241,7 +241,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (nb_components <= 0 || nb_components > MAX_COMPONENTS) return -1; - if (s->ls && !(s->bits <= 8 || nb_components == 1)){ + if (s->ls && !(bits <= 8 || nb_components == 1)){ av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n"); return -1; } @@ -274,11 +274,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ /* XXX: also check h_count and v_count */ - if (width != s->width || height != s->height) { + if ( width != s->width || height != s->height + || bits != s->bits + ) { av_freep(&s->qscale_table); s->width = width; s->height = height; + s->bits = bits; s->interlaced = 0; /* test interlaced mode */ From cd3c4d8c55222337b0b59af4ea1fecfb46606e5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 04:30:58 +0200 Subject: [PATCH 1083/1119] avcodec/utils: Add case for jv to avcodec_align_dimensions2() Fixes out of array accesses Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 105654e376a736d243aef4a1d121abebce912e6b) Conflicts: libavcodec/utils.c --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8eca9c67eb..27feb53b43 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -182,6 +182,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l w_align = 4; h_align = 4; } + if (s->codec_id == CODEC_ID_JV) { + w_align = 8; + h_align = 8; + } break; case PIX_FMT_BGR24: if((s->codec_id == CODEC_ID_MSZH) || (s->codec_id == CODEC_ID_ZLIB)){ From 73962e677d871fa0dde5385ee04ea07c048d8864 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 14:45:04 +0200 Subject: [PATCH 1084/1119] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks Fixes out of array access Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) Conflicts: libavcodec/mmvideo.c Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 707ddc5f7e..0136bf8a9e 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -105,7 +105,7 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const if (color) { memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length); } x+= run_length; From 7a5590ef4282e19d48d70cba0bc4628c13ec6fd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:35:58 +0200 Subject: [PATCH 1085/1119] avcodec/pngdec: Check bits per pixel before setting monoblack pixel format Fixes out of array accesses Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 9afa0932e1..6a4953057e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -463,7 +463,7 @@ static int decode_frame(AVCodecContext *avctx, } else if (s->bit_depth == 16 && s->color_type == PNG_COLOR_TYPE_RGB) { avctx->pix_fmt = PIX_FMT_RGB48BE; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_PALETTE) { From fd36238c402d69438edab22fd81a7ab5397fee93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:54:21 +0200 Subject: [PATCH 1086/1119] avcodec/pngdec: Calculate MPNG bytewidth more defensively Signed-off-by: Michael Niedermayer (cherry picked from commit e830902934a29df05c7af65aef2a480b15f572c4) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 6a4953057e..22c50b720e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -584,9 +584,10 @@ static int decode_frame(AVCodecContext *avctx, int i, j; uint8_t *pd = s->current_picture->data[0]; uint8_t *pd_last = s->last_picture->data[0]; + int ls = FFMIN(av_image_get_linesize(s->current_picture->format, s->width, 0), s->width * s->bpp); for(j=0; j < s->height; j++) { - for(i=0; i < s->width * s->bpp; i++) { + for(i=0; i < ls; i++) { pd[i] += pd_last[i]; } pd += s->image_linesize; From ef32bc8dde52439afd13988f56012a9f4dd55a83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 1087/1119] avcodec/gifdec: factorize interleave end handling out also change it to a loop Fixes out of array access Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f1457864be8fb9653643519dea1c6492f1dde57) Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 39d0db9c24..1c9358f304 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -125,26 +125,21 @@ static int gif_read_image(GifState *s) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From faf293a83af1133e3c54f901d00aadb70e81977f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 21:08:52 +0200 Subject: [PATCH 1088/1119] avcodec/qpeg: fix off by 1 error in MV bounds check Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 39d8171951..24dfdb6452 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -168,7 +168,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); From 5b2097626d0e4ccb432d7d8ab040aa8dbde9eb3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 1089/1119] avcodec/smc: fix off by 1 error Fixes out of array access Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c727401aa9d62335e89d118a5b4e202edf39d905) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index fddd5ab32a..ff185fbc3c 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -68,7 +68,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < 0 + !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From 79891f5b87baa9c17366a84950cb81b8f4f6e5f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 04:29:40 +0200 Subject: [PATCH 1090/1119] avformat/mpegts: Check desc_len / get8() return code Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index bcf9b00814..28ec4926f5 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1240,7 +1240,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", From f3cdeeb070d4793d98b16a7ad66049e537ab7ba7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 15:26:42 +0100 Subject: [PATCH 1091/1119] avcodec/dxa: check dimensions Fixes out of array access Fixes: asan_heap-oob_11222fb_21_020.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90) Conflicts: libavcodec/dxa.c Signed-off-by: Michael Niedermayer --- libavcodec/dxa.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 807ecd85ee..7f4321ce91 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -295,6 +295,11 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = PIX_FMT_PAL8; + if (avctx->width%4 || avctx->height%4) { + av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + avcodec_get_frame_defaults(&c->pic); avcodec_get_frame_defaults(&c->prev); From f78f7eca1a5ce67db6b1f8a159dc47cc57e8d43a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 23:07:50 +0100 Subject: [PATCH 1092/1119] avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization Fixes out of array read Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 816d95ffc0..67c62a4da0 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -404,6 +404,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; From 30e8a375901f8802853fd6d478b77a127d208bd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 13:53:06 +0100 Subject: [PATCH 1093/1119] avcodec/mjpegdec: Fix context fields becoming inconsistent Fixes out of array access Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 32d3acac727f3f4a6489ca129a5ea4ccdfcb34a5) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 8d8ac60d70aee50d44a3e1d7de276598de041640) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6d0ec63b95..8a6d50de0f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1177,6 +1177,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RL32("LJIF")){ + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); skip_bits(&s->gb, 16); /* version ? */ @@ -1185,17 +1187,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknwon always 0? */ switch( get_bits(&s->gb, 8)){ case 1: - s->rgb= 1; - s->pegasus_rct=0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb= 1; - s->pegasus_rct=1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n"); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } From cb1db92cca98f963e91f421ee0c84f8866325a73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 15:45:47 +0100 Subject: [PATCH 1094/1119] avcodec/pngdec: Check IHDR/IDAT order Fixes out of array access Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 22c50b720e..a8c1d88449 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -418,6 +418,12 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + s->width = bytestream_get_be32(&s->bytestream); s->height = bytestream_get_be32(&s->bytestream); if(av_image_check_size(s->width, s->height, 0, avctx)){ From 9f993d2d4ba256155b52529922e7da0144e64b99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:21:56 +0100 Subject: [PATCH 1095/1119] swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output Fixes Ticket4151 Signed-off-by: Michael Niedermayer (cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index baef3f8ae5..bfa0d4fbd6 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1971,6 +1971,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; + if (width >= 16) #if COMPILE_TEMPLATE_SSE2 __asm__( "xor %%"REG_a", %%"REG_a" \n\t" From 1aedd7645a3d01a9a674a7e62d90811a88bc6b04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 1096/1119] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 626261ab24..8c6be84017 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -203,6 +203,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && offset1 >= 0 && offset1 <= (s->buf_end - s->buffer)) { From fac6f744d8170585f05e098ce9c9f27eeffa818e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 1097/1119] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Conflicts: libavcodec/vmdvideo.c --- libavcodec/vmdav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 1f9694ea29..94ae895057 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -339,7 +339,7 @@ static void vmd_decode(VmdVideoContext *s) if (*pb++ == 0xFF) len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs); else { - if (pb_end - pb < len) + if (ofs + len > frame_width || pb_end - pb < len) return; memcpy(&dp[ofs], pb, len); } From ae82abbbcf0ca680d2458f81d431afabd12b7d0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jan 2015 01:56:03 +0100 Subject: [PATCH 1098/1119] avcodec/flac_parser: fix handling EOF if no headers are found Fixes assertion failure Fixes Ticket4269 Signed-off-by: Michael Niedermayer (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 50ad72b7c0..dac1c26c7e 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -646,7 +646,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static int flac_parse_init(AVCodecParserContext *c) From 42f8a33c3c396b84932b0badca1cff5d0b6aff5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:19:25 +0100 Subject: [PATCH 1099/1119] avformat/utils: Fix number suffixes in tb_unreliable() Signed-off-by: Michael Niedermayer (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Conflicts: libavformat/utils.c (cherry picked from commit e651a2f88c219e74c9851563e74100f7652a6005) --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e2418e72a8..69765ea2b4 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2314,8 +2314,8 @@ static int get_std_framerate(int i){ * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c){ - if( c->time_base.den >= 101L*c->time_base.num - || c->time_base.den < 5L*c->time_base.num + if( c->time_base.den >= 101LL*c->time_base.num + || c->time_base.den < 5LL*c->time_base.num /* || c->codec_tag == AV_RL32("DIVX") || c->codec_tag == AV_RL32("XVID")*/ || c->codec_id == CODEC_ID_MPEG2VIDEO From 127a2902533cfb6d55cf1960d5f184eb4f02211f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Dec 2011 02:57:22 +0100 Subject: [PATCH 1100/1119] smackerdemuxer: check some values before instead of just after malloc() Fixes Ticket777 Bug Found by: Diana Elena Muscalu Signed-off-by: Michael Niedermayer (cherry picked from commit c402c1c976dc5bd63908d1aaff5b60521cbbee92) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index b2c442e2d8..faf85a5261 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -251,6 +251,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) memcpy(oldpal, pal, 768); size = avio_r8(s->pb); size = size * 4 - 1; + if(size + 1 > frame_size) + return AVERROR_INVALIDDATA; frame_size -= size; frame_size--; sz = 0; @@ -292,10 +294,12 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) /* if audio chunks are present, put them to stack and retrieve later */ for(i = 0; i < 7; i++) { if(flags & 1) { - int size; + unsigned int size; uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; + if(size + 4L > frame_size) + return AVERROR_INVALIDDATA; frame_size -= size; frame_size -= 4; smk->curstream++; From 8cf62b34e4286d3ec2645afc8ef4329bc08f72e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:13 +0100 Subject: [PATCH 1101/1119] avformat/smacker: Fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Conflicts: libavformat/smacker.c (cherry picked from commit ef3687998fb46d7d936bb6023f25c1dc324a4640) --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index faf85a5261..6a81a48811 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -298,7 +298,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; - if(size + 4L > frame_size) + if(size + 4LL > frame_size) return AVERROR_INVALIDDATA; frame_size -= size; frame_size -= 4; From 42b4ba4a8ae261609100ed41b773b26f9989941e Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:12 +0100 Subject: [PATCH 1102/1119] avformat/mpc8: fix hang with fuzzed file This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index db23781613..161cee3367 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -204,6 +204,10 @@ static int mpc8_read_header(AVFormatContext *s, AVFormatParameters *ap) while(!url_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); From a58b8e99c4211c17361d0469ff522298cfb01344 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:11 +0100 Subject: [PATCH 1103/1119] avformat/mpc8: fix broken pointer math MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger Signed-off-by: Michael Niedermayer (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Conflicts: libavformat/mpc8.c (cherry picked from commit 49dd89f9027f3def12e170bb7d986d37812eedba) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 161cee3367..4d95a1dbf2 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -88,7 +88,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_MAX / 4 - 1; //seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) From c68fe8ac8b9d0602e24e1c8c5d575fb21a8b3364 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 14:47:41 +0100 Subject: [PATCH 1104/1119] avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 4d95a1dbf2..3193f5d570 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -54,7 +54,7 @@ typedef struct { static inline int64_t bs_get_v(uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; @@ -105,7 +105,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; From 75b0cfcf105c8720a47a2ee80a70ba16799d71b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:48:30 +0100 Subject: [PATCH 1105/1119] avcodec/mjpegdec: Check number of components for JPEG-LS Fixes out of array accesses Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 8a6d50de0f..a0dcbc76e5 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -347,9 +347,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return -1; } if(s->ls){ - if(s->nb_components > 1) + if(s->nb_components == 3) { s->avctx->pix_fmt = PIX_FMT_RGB24; - else if(s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->bits <= 8) s->avctx->pix_fmt = PIX_FMT_GRAY8; else s->avctx->pix_fmt = PIX_FMT_GRAY16; From f3a776a9433cfc935d56264f1c52873249477e12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 03:45:21 +0100 Subject: [PATCH 1106/1119] avformat/thp: Check av_get_packet() for failure not only for partial output Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 2d1f74e38b..ec2bb18076 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -174,6 +174,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); From 3eb6eeaab0cd42886abbae76c90d005ac82ec9ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 04:11:56 +0100 Subject: [PATCH 1107/1119] avcodec/h264_ps: More completely check the bit depths Fixes out of array read Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4) Conflicts: libavcodec/h264_ps.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 6af0680ef8..8f2aa62dfc 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -357,7 +357,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; - if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 12 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 12 || + sps->bit_depth_luma != sps->bit_depth_chroma) { av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; From 2b8c9c1f7de835d50937a8bf2ae90a61929b3bdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Feb 2015 03:33:53 +0100 Subject: [PATCH 1108/1119] avcodec/mjpegdec: Skip blocks which are outside the visible area Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 5553947db2af443778f781a107d9fe9ad6ec5d17) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a0dcbc76e5..9323d53db6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -859,19 +859,28 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i if(s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; - if(!s->progressive) { + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; + if (!s->progressive) { if (copy_mb) { - mjpeg_copy_block(ptr, reference_data[c] + block_offset, linesize[c], s->avctx->lowres); + if (ptr) + mjpeg_copy_block(ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); } else { - s->dsp.clear_block(s->block); - if(decode_block(s, s->block, i, - s->dc_index[i], s->ac_index[i], - s->quant_matrixes[ s->quant_index[c] ]) < 0) { - av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); - return -1; - } - s->dsp.idct_put(ptr, linesize[c], s->block); + s->dsp.clear_block(s->block); + if (decode_block(s, s->block, i, + s->dc_index[i], s->ac_index[i], + s->quant_matrixes[s->quant_index[c]]) < 0) { + av_log(s->avctx, AV_LOG_ERROR, + "error y=%d x=%d\n", mb_y, mb_x); + return -1; + } + if (ptr) { + s->dsp.idct_put(ptr, linesize[c], s->block); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + (h * mb_x + x); From 286915cb846fe3aeda066e60e57238c0f581546a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:14:56 +0100 Subject: [PATCH 1109/1119] avformat/gxf: Use 64bit for res to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 145b4adf3f..50dc2f04ae 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -486,7 +486,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; From 20446996f367bebba64197c1c18fe86a9ef2cb66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:00:57 +0100 Subject: [PATCH 1110/1119] avformat/vqf: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index e06f39349b..884611b8e4 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -227,7 +227,7 @@ static int vqf_read_seek(AVFormatContext *s, { VqfContext *c = s->priv_data; AVStream *st; - int ret; + int64_t ret; int64_t pos; st = s->streams[stream_index]; From 2ddabbb40f0c7b9f43a4c0db3d45938f56d3b21c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Feb 2015 16:25:29 +0100 Subject: [PATCH 1111/1119] avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch by Francisco Blas Izquierdo Riera Commit message partly taken from carl fixes a compilation error in mlpdsp_init.c with -fstack-check and some gcc compilers (I reproduced the issue with gcc 4.7.3) by simplifying the code. See also https://bugs.gentoo.org/show_bug.cgi?id=471756 $ make libavcodec/x86/mlpdsp_init.o libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’: libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in class ‘GENERAL_REGS’ while reloading ‘asm’ libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible constraints 4551 -> 4509 dezicycles Reviewed-by: Ramiro Polla Signed-off-by: Michael Niedermayer (cherry picked from commit 03f39fbb2a558153a3c464edec1378d637a755fe) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mlpdsp.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/mlpdsp.c b/libavcodec/x86/mlpdsp.c index 486a927ad7..77e3df609e 100644 --- a/libavcodec/x86/mlpdsp.c +++ b/libavcodec/x86/mlpdsp.c @@ -129,8 +129,8 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, FIRMUL (ff_mlp_firorder_6, 0x14 ) FIRMUL (ff_mlp_firorder_5, 0x10 ) FIRMUL (ff_mlp_firorder_4, 0x0c ) - FIRMULREG(ff_mlp_firorder_3, 0x08,10) - FIRMULREG(ff_mlp_firorder_2, 0x04, 9) + FIRMUL (ff_mlp_firorder_3, 0x08 ) + FIRMUL (ff_mlp_firorder_2, 0x04 ) FIRMULREG(ff_mlp_firorder_1, 0x00, 8) LABEL_MANGLE(ff_mlp_firorder_0)":\n\t" "jmp *%6 \n\t" @@ -159,8 +159,6 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, : /* 4*/"r"((x86_reg)mask), /* 5*/"r"(firjump), /* 6*/"r"(iirjump) , /* 7*/"c"(filter_shift) , /* 8*/"r"((int64_t)coeff[0]) - , /* 9*/"r"((int64_t)coeff[1]) - , /*10*/"r"((int64_t)coeff[2]) : "rax", "rdx", "rsi" #else /* ARCH_X86_32 */ /* 3*/"+m"(blocksize) From 1979bfecc78034426bf39442cfbd8a3c8c35e6ae Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:48:38 +0100 Subject: [PATCH 1112/1119] avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop Averaging over 2 pixels doesn't work correctly for the last pixel, because the rest of the buffer is not initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 5a665d0592..c029e9e6bf 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -55,9 +55,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } From c681f86a324d6181c31006edb300356af47e91cd Mon Sep 17 00:00:00 2001 From: Dyami Caliri Date: Thu, 26 Feb 2015 10:17:01 -0800 Subject: [PATCH 1113/1119] Fix buffer_size argument to init_put_bits() in multiple encoders. Several encoders were multiplying the buffer size by 8, in order to get a bit size. However, the buffer_size argument is for the byte size of the buffer. We had experienced crashes encoding prores (Anatoliy) at size 4096x4096. (cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef) Conflicts: libavcodec/proresenc_kostya.c Conflicts: libavcodec/faxcompr.c libavcodec/s302menc.c Conflicts: libavcodec/adpcmenc.c Conflicts: libavcodec/adpcmenc.c libavcodec/proresenc.c --- libavcodec/aacenc.c | 2 +- libavcodec/faxcompr.c | 2 +- libavcodec/flashsv2enc.c | 2 +- libavcodec/flashsvenc.c | 2 +- libavcodec/nellymoserenc.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 0de6622389..68fa0aa331 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -153,7 +153,7 @@ static void put_audio_specific_config(AVCodecContext *avctx) PutBitContext pb; AACEncContext *s = avctx->priv_data; - init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8); + init_put_bits(&pb, avctx->extradata, avctx->extradata_size); put_bits(&pb, 5, 2); //object type - AAC-LC put_bits(&pb, 4, s->samplerate_index); //sample rate index put_bits(&pb, 4, avctx->channels); diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 34aa576660..099581192b 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -243,7 +243,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs) PutBitContext pb; int run, mode = ~0, pix_left = width, run_idx = 0; - init_put_bits(&pb, dst, size*8); + init_put_bits(&pb, dst, size); while(pix_left > 0){ run = runs[run_idx++]; mode = ~mode; diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 7ee299cf7c..86a35b6f34 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -270,7 +270,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size) if (buf_size < 5) return -1; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (s->block_width >> 4) - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index c0327a911b..8a813f2b14 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -139,7 +139,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf, int buf_pos, res; int pred_blocks = 0; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (block_width / 16) - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index 1d35cda9a1..f32b5b2f10 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -287,7 +287,7 @@ static void encode_block(NellyMoserEncodeContext *s, unsigned char *output, int apply_mdct(s); - init_put_bits(&pb, output, output_size * 8); + init_put_bits(&pb, output, output_size); i = 0; for (band = 0; band < NELLY_BANDS; band++) { From bd92af66a1f0cfbb2bb6d372dbf1fac7caaa1732 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 14:30:34 +0100 Subject: [PATCH 1114/1119] avcodec/utils: Align YUV411 by as much as the other YUV variants Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash2.avi Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12) Conflicts: libavcodec/utils.c --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 27feb53b43..569047fde7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -161,8 +161,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l break; case PIX_FMT_YUV411P: case PIX_FMT_UYYVYY411: - w_align=32; - h_align=8; + w_align = 32; + h_align = 16 * 2; break; case PIX_FMT_YUV410P: if(s->codec_id == CODEC_ID_SVQ1){ From 5333edcc869181649d7f9d6cdde9f975531c0b8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 23:27:43 +0100 Subject: [PATCH 1115/1119] avcodec/tiff: move bpp check to after "end:" This ensures that all current and future code-pathes get bpp checked Signed-off-by: Michael Niedermayer (cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d26135ecda..21588e72f8 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -498,6 +498,13 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * default: av_log(s->avctx, AV_LOG_DEBUG, "Unknown or unsupported tag %d/0X%0X\n", tag, tag); } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } return 0; } From a83b9f363c24f5d1482f9722c14fc02f3ca5a1d0 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 1116/1119] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 9030affb31..39088fe207 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -941,6 +941,8 @@ static int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); From 98b0751e895e6065cfae65008bee402481a4158c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Jan 2013 04:20:24 +0100 Subject: [PATCH 1117/1119] h264/cabac: check loop index fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cdf0877bc341684c56ac1fe057397adbadf329ee) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index b91883a8f5..c1f4f7c8ee 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1701,7 +1701,7 @@ static av_always_inline void decode_cabac_residual_internal( H264Context *h, DCT \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while( get_cabac_bypass( CC ) ) { \ + while(get_cabac_bypass( CC ) && j<30) { \ j++; \ } \ \ From 6f4cda4a6b66cb3882c63e18a35937284c446c44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Mar 2015 00:54:14 +0100 Subject: [PATCH 1118/1119] Update for 0.7.17 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- cmdutils.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Doxyfile b/Doxyfile index 2b03049d02..be951830ef 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.7.16 +PROJECT_NUMBER = 0.7.17 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index bf7b715d27..b22af294b9 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.16 +0.7.17 diff --git a/VERSION b/VERSION index bf7b715d27..b22af294b9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.7.16 +0.7.17 diff --git a/cmdutils.c b/cmdutils.c index b919bae92e..21922ae304 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -57,7 +57,7 @@ AVFormatContext *avformat_opts; struct SwsContext *sws_opts; AVDictionary *format_opts, *video_opts, *audio_opts, *sub_opts; -static const int this_year = 2013; +static const int this_year = 2015; void init_opts(void) { From 9526ad4f25f6f379f520e847f15c1be79a149d2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 1119/1119] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 8409cd1930..d975553bdb 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -8,7 +8,6 @@ FFmpeg code. Project Leader ============== -Michael Niedermayer final design decisions