From 83d78fece0f32daf367c4e87c967b39f04ddae35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Jan 2012 21:15:55 +0100 Subject: [PATCH 001/991] Update for 0.10 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 VERSION diff --git a/Doxyfile b/Doxyfile index 97896aa071..f4beab55f5 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 0.10 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 4fda45b376..68c123cf10 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.9.1.git +0.10 diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000..688abaae7a --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.10 \ No newline at end of file From 7e16636995fd6710164f7622cd77abc94c27a064 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Jan 2012 22:44:59 +0100 Subject: [PATCH 002/991] doc: remove doc/ffmpeg-mt-authorship.txt for release/0.10 we dont carry the whole git history in releases so theres no point in having this in them either. Signed-off-by: Michael Niedermayer --- doc/ffmpeg-mt-authorship.txt | 4561 ---------------------------------- 1 file changed, 4561 deletions(-) delete mode 100644 doc/ffmpeg-mt-authorship.txt diff --git a/doc/ffmpeg-mt-authorship.txt b/doc/ffmpeg-mt-authorship.txt deleted file mode 100644 index d8c405f948..0000000000 --- a/doc/ffmpeg-mt-authorship.txt +++ /dev/null 
@@ -1,4561 +0,0 @@ -This file lists authorship of commits that have been merged from -ffmpeg-mt. These commits where not classically merged because this -would have pulled in duplicated history of all commits in ffmpeg. -Which a majority of developers opposed. - - -commit 002a0939cdf01faa8270d41b3045c08ac12d8975 -Author: Alexander Strange -Date: Sat Feb 20 20:24:36 2010 -0500 - - Update todo - -commit 0040d6f2ba7189ca9bab4cf17c0d150416391dec -Author: Alexander Strange -Date: Sun Jan 24 18:33:16 2010 -0500 - - Remove a malloc() per frame by keeping an array of 32 buffers. - - Requested in original review. Should be slightly faster but does - have a 32-element linear search (since buffers are freed out of order). - - Introducing array_next_nonzero or something would speed up this - and h264 decoding. - -commit 00425e98fba903dceecb89763b57b8f3b7a1abf3 -Merge: 20997d6 e320c22 -Author: Alexander Strange -Date: Thu Jul 2 04:59:42 2009 -0400 - - Merge mainline. - - Having to move the setting of key_frame confused me for far too - long. - -commit 0097d3b01e33d1e0f636a19778a0435a730d4590 -Merge: 9e981c8 44c4fd1 -Author: Alexander Strange -Date: Thu Sep 9 19:19:34 2010 -0400 - - Merge mainline and libswscale. - - Another one coming after h264 is converted to yasm. - - Conflicts: - libavcodec/avcodec.h - -commit 00bbca77f3fe0960cbf0986ea214ce022204837c -Author: Alexander Strange -Date: Sun Jan 16 02:18:12 2011 -0500 - - h264: Early-exit condition for await_references() - - Saves even more zero checking in refs[][], although it still leaves many - useless checks when nrefs[i]>1, because the array indexes are scattered. - - About ~.8% faster decoding. - -commit 00c4b0bb5a7801d14627015d38762ec314639d3d -Merge: 63d086d feadf1b -Author: Alexander Strange -Date: Fri Mar 13 23:50:33 2009 -0400 - - Merge mainline. 
- - Conflicts: - libavcodec/avcodec.h - libavcodec/h263.c - libavcodec/h263dec.c - libavcodec/h264.c - libavcodec/mpeg12.c - libavcodec/mpegvideo.c - libavcodec/options.c - libavutil/log.c - -commit 01006069782b1b8fe0bfe0eabe4876062e057c11 -Author: Alexander Strange -Date: Tue Jan 13 01:30:01 2009 -0500 - - Fix possibly not allocating obmc_scratchpad with PAFF/weighted prediction - -commit 011a76824f384a315ce4b0474a2811d463b5746b -Author: Alexander Strange -Date: Mon Sep 1 00:40:40 2008 -0400 - - Whitespace and variable name cosmetics for clarity. - -commit 02376cec6531a931330798af67c62a029a3435a1 -Author: Alexander Strange -Date: Thu Jun 11 14:40:27 2009 -0700 - - Normalize how decode_postinit() is called. - - Move it next to the hwaccel call to save an if statement. - -commit 031abc50708c616058020dcf7a1b62bc9b895446 -Author: Alexander Strange -Date: Fri Aug 22 20:43:38 2008 -0400 - - Improve comments in thread.h - -commit 032432ad56fd88a7e9ba6ce9ccd39925854b027a -Author: Alexander Strange -Date: Sat Feb 20 20:48:10 2010 -0500 - - Remove FF_THREAD_DEFAULT. - - It obviously makes no sense to define the default in a public header. - -commit 03980f22907206b52e64439ebcc4445719801035 -Author: Alexander Strange -Date: Fri Jul 11 17:22:22 2008 -0400 - - Mark functions inline to avoid unused function warnings. - -commit 0488ed2d9ff609ec4a6be008c81603b62ce67785 -Author: Alexander Strange -Date: Wed Jun 4 15:55:00 2008 -0400 - - Align the stack in decode_frame_thread. - -commit 0553196aa797d58f0687890c66e1b1cdfa52f419 -Author: Alexander Strange -Date: Wed May 28 00:44:13 2008 -0400 - - Add the frame-threading support code. - -commit 056dce6c969acec1224eaa9fc73d930d1e56b299 -Author: Alexander Strange -Date: Fri Aug 15 16:44:33 2008 -0400 - - h264: Redo finding the output frame during header parsing after merging mainline. - - This works with PAFF and CODEC_FLAG2_CHUNKS, though the second is useless and should be removed. 
- -commit 05a3af85edd15fef223f0376d3241cc5c7aa3ed5 -Merge: 8ba50a9 fa43cf8 -Author: Alexander Strange -Date: Mon Apr 19 02:41:54 2010 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/h264.c - -commit 05e37cada02dc1ac58e7ce93418cbf33e3a09ad6 -Author: Alexander Strange -Date: Tue May 27 21:00:34 2008 -0400 - - Add the AVCodec/AVCodecContext fields needed for multithreading and increment the API minor version. - -commit 061586a260a564080be8c1ed9af4e83888fe3543 -Author: Alexander Strange -Date: Thu Sep 4 01:41:53 2008 -0400 - - Remove error check that can never fail. - -commit 06407ff8706c7fe28c5b925c4b1dd52641714cb9 -Author: Alexander Strange -Date: Mon Jun 16 18:21:04 2008 -0400 - - Multithreading support for MPEG-1. - -commit 065ee0d04a6539c08bddfa1edc628906494c22f2 -Author: Alexander Strange -Date: Mon Nov 1 12:24:37 2010 -0400 - - vp3: Report INT_MAX instead of height at the end of a frame - - This saves having to clip to height in await_reference_row. - -commit 067c30c63499d5cca5613725de936fb70047aec3 -Author: Alexander Strange -Date: Sun Jun 22 03:29:23 2008 -0400 - - Cosmetics: opening function braces on their own line. - -commit 06ac5ac98dbf03889eb7cccf67fe0cb95615613d -Merge: febe154 987789a -Author: Alexander Strange -Date: Sun Jun 20 04:29:03 2010 -0700 - - Merge mainline. - - Document ONLY_IF_THREADS_ENABLED along the way. - - Conflicts: - libavutil/internal.h - -commit 07474003407915e5462ed3582a1dae8baa06f296 -Author: Alexander Strange -Date: Wed Jun 10 11:25:48 2009 -0700 - - Move frame_thread_init() down to avoid prototyping its callees. - -commit 076bf916d79c39ec055a53f2ee5eadf20c21b988 -Author: Alexander Strange -Date: Mon Aug 25 14:32:41 2008 -0400 - - Increase max delayed buffers for safety - -commit 079cd64ef92cb1670a420a16e38c645cc8f28caa -Author: Alexander Strange -Date: Tue Sep 2 11:38:29 2008 -0400 - - Ignore codecs returning NULL when draining frames. 
- -commit 090c1f4c99b9c5cefa3bad7698f33516baa87c6e -Author: benoit -Date: Tue Nov 6 13:08:04 2007 +0000 - - fix predictor initialization for adpcm-ima encoder not to lose first sample - in block in adpcm-ima decoder - Patch by Timofei V. Bondarenko: tim commit 09bb0dafa746203f98ff478a5121b3b0ffb3f46e -Author: Alexander Strange -Date: Tue Jul 22 22:20:47 2008 -0400 - - Switch from MB row to pixel row precision for h264 progress. - - This makes it easier to think about interlacing and the deblock filter, and also fixes decoding entirely. - -commit 0a51c1e9ebf09d302e44daaca3147e7cca2f0457 -Author: Alexander Strange -Date: Tue Jun 3 16:04:31 2008 -0400 - - Use threading macros in mpeg12.c. - -commit 0ac282b447075a0645036fba56d2881bbcc8f471 -Author: Alexander Strange -Date: Mon Jan 17 03:44:26 2011 -0500 - - Update multithreading.txt for thread_safe_callbacks and pkt_dts - -commit 0b64ceb6b15560313d0a6ac7cffe9270d7b8e0e8 -Merge: 9ec9f08 e220e91 -Author: Alexander Strange -Date: Tue Aug 10 03:22:51 2010 -0700 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - -commit 0b8add0862f841dfc8dbbc8d89dfb3712ce3a698 -Author: Alexander Strange -Date: Mon Aug 18 16:47:21 2008 -0400 - - Allow avcodec_default_release_buffer to be called after avcodec_default_free_buffers. - -commit 0b8c3d23339b5f646ae702f30141e223596f9ff9 -Author: Alexander Strange -Date: Sun Jul 27 21:55:53 2008 -0400 - - Reindent. - -commit 0be0d5714347f63b0e391ad3e9202f9d5107bb5f -Merge: f550857 8c00628 -Author: Alexander Strange -Date: Sun Mar 28 03:40:27 2010 -0400 - - Merge mainline. - -commit 0c73945d0cc40a6ade8ca78dfa0d9bea178f4743 -Author: Alexander Strange -Date: Tue Aug 19 01:07:17 2008 -0400 - - Clarify comment for new AVFrame members - - They are set by libavcodec even if they aren't used for anything useful ATM. 
- -commit 0cac0f3bd81287db20bbbae5aaff22e381e09663 -Author: Alexander Strange -Date: Sun Jul 13 02:40:22 2008 -0400 - - Add report/await_decode_progress for progressive H264 - Multithreading works with no visible problems for progressive sequences, but there is still some problem causing framecrc differences. - 1 thread - 99% cpu 14s - 2 threads - 183% cpu 8.6s - -commit 0cae6d85e8a33b826611ced69902f2a4d16f0c7a -Author: benoit -Date: Fri Jun 1 12:03:33 2007 +0000 - - A bit more clear FAQ 1.2 - Patch by V -�commit 0d25fc9993407335bc98b91296f9f78b634dd8a0 -Author: Alexander Strange -Date: Tue Jun 24 21:39:39 2008 -0400 - - Remove newly-duplicated memset(). - -commit 0e41f7596f06a758c0f1cb9e48e67ef896c5c05a -Author: Alexander Strange -Date: Fri Jul 11 18:09:02 2008 -0400 - - Reindent. - -commit 0ef99ed28b24757a30b1e805f2ff1ea6d90b9b71 -Author: Alexander Strange -Date: Mon Jan 25 03:17:46 2010 -0500 - - Remove item from todo - -commit 0fad6cca0a7e34dfa62c3934eb5316e2c9649e66 -Author: Alexander Strange -Date: Tue Jul 22 01:00:07 2008 -0400 - - Fix height passed to ff_draw_band for interlaced H.264. - - Without this, it passes y 0 h 16, y 32 h 16, etc. - -commit 0fb994fbdbf4f985ec9c0d5a681e7a5bf620a765 -Merge: 5eb0c64 ace7af3 -Author: Alexander Strange -Date: Wed Jan 20 01:58:15 2010 -0500 - - Merge mainline. - - This was done by hand since git can't track the h264/h263 decoder - splits properly. - - Conflicts: - libavcodec/avcodec.h - libavcodec/h263.c - libavcodec/h263dec.c - libavcodec/h264.c - -commit 0ff629947b15955603cdb7978770ca64c2323262 -Author: Alexander Strange -Date: Thu Jun 18 05:09:01 2009 -0400 - - Don't call report_field_progress for non-referenced H264 frames. - -commit 111fa56db1bfefc245c499f465783a5abc04f7c2 -Author: Alexander Strange -Date: Sat Jul 19 00:12:00 2008 -0400 - - Set start/end_mb_y properly in MpegEncContext. 
- -commit 115adc279240b6c7155781b5a16177a140eaad4f -Author: Alexander Strange -Date: Sat Jun 21 23:10:18 2008 -0400 - - Add an update_context for codecs that just use MpegEncContext. - -commit 116ca147f03ca02b55c2fceef7b82c1b251b32f6 -Author: Alexander Strange -Date: Sat Aug 16 14:10:31 2008 -0400 - - Merge fallout: move AVCodec additions back to the end of the struct - -commit 11b1a8ee92128524a3259903c28da54ffd9a60fa -Author: Alexander Strange -Date: Sun May 30 10:02:16 2010 -0700 - - Update todo. - - I appear to have fixed the bug (the problem doesn't show in test.sh - anymore). Of course, there might be more. - -commit 120d790a3918f77444eed295aec6d8c34e4b532a -Author: Alexander Strange -Date: Thu Jul 17 18:00:07 2008 -0400 - - Simplify draw_edges changes and handle interlacing properly. - -commit 1239bcba12d0c57005ae59405e8b080ac3c7bd65 -Author: Alexander Strange -Date: Mon Aug 18 18:59:29 2008 -0400 - - Simplify: store FrameThreadContext in the user's context. - -commit 1292a1840bb5319f1438b63b7be35363ba4fe5b6 -Author: Alexander Strange -Date: Tue Jan 13 01:33:47 2009 -0500 - - Copy width/height between thread contexts for all codecs. - - This makes it user-visible and fixes compatibility with - bad demuxers that don't set it in avctx. - -commit 12c5de8ead7c7a1b4c03eb095a2db4357aa2538d -Author: benoit -Date: Thu Jan 3 08:39:38 2008 +0000 - - Make filterDelimiters and optionDelimiters two static constant array of - characters, should move them to .rodata. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit 1327c17ca423f248dbce8172476dd69208f7d74b -Author: Alexander Strange -Date: Sat May 23 21:52:24 2009 -0400 - - Stopgap hack: don't crash with size-changing streams+frame threads - - MPEG1 and H.264 need their own checks, otherwise they immediately - deallocate shared data and crash. Another check is added to get_buffer - to cover remaining codecs (although it may not actually do this). 
- - This currently involves ugly code duplication, which can hopefully - be eventually removed. Unfortunately this is already not handled - well on mainline (such as in the previous commit). - -commit 138ec8aad228862d58582aa4bbd367b7fa7b8d81 -Author: Alexander Strange -Date: Thu Jul 24 16:06:17 2008 -0400 - - Factor out copying picture pointers in update_context. - -commit 13c48792ac24329c9055f6e98b5e61c278f1aa57 -Author: Alexander Strange -Date: Tue Mar 9 00:02:20 2010 -0500 - - Fix wrong timestamps with -threads 2 and BBB 1080p Theora - - It was caused by adding thread delay to has_b_frames. - -threads 2 -> has_b_frames 1 -> "delay==1" is true and the - "invalid dts/pts combination" was triggered. Not sure about this fix, - but I think it's harmless. - -commit 141516ca4f2b0008539ceeb70b46ebb6cfe4a1c0 -Author: Alexander Strange -Date: Sun Jun 15 17:44:29 2008 -0400 - - Cosmetics: use USE_ macro. - -commit 14476d56276a77a237834e88b28427fe491ac689 -Author: Alexander Strange -Date: Sat Aug 16 14:11:41 2008 -0400 - - Correct AVCodec member comments - -commit 14bdf768314413a099fe570891761360733b148c -Author: Alexander Strange -Date: Tue Mar 9 01:15:03 2010 -0500 - - Update sws. 
- -commit 14df94ceacecf041d33b8600bc9097d4befd79dd -Author: Alexander Strange -Date: Sun Feb 14 23:57:37 2010 -0500 - - Add a convenience function for avoiding deadlocks with decoder errors - -commit 156f6ba4db96f57c3c105b71986acaa9be13d5ab -Author: Alexander Strange -Date: Sun Aug 17 00:19:10 2008 -0400 - - Update todo - -commit 16343b25d2ffc7c18a00ec62db8e76d7f8217de5 -Author: Alexander Strange -Date: Sat Feb 20 22:39:05 2010 -0500 - - Rewrite comments for new codec callbacks - -commit 16b71c003150c3a44135ffa1bbc870ea43c15f7a -Author: Alexander Strange -Date: Thu Dec 18 14:37:04 2008 -0500 - - Some todo entries I forgot to add - -commit 16bde8c7df438f5283de102e3c872ef309a8d0b5 -Author: Alexander Strange -Date: Thu Jun 5 00:11:43 2008 -0400 - - Implement avcodec_flush_buffers for multithreaded codecs. - -commit 17b3c2a080f7ec1f548494e0e2b905ad0e2690c0 -Author: Alexander Strange -Date: Mon Aug 18 20:36:54 2008 -0400 - - Clarify use of is_copy - -commit 17d7a98c7aadc2be1ceadf875ae2ca71b08a5611 -Merge: 0097d3b 981f8d0 -Author: Alexander Strange -Date: Wed Sep 29 22:55:44 2010 -0400 - - Merge mainline. - - Fix misplaced lowres check from previous merge. (or maybe it was fine?) - - Conflicts: - libavcodec/avcodec.h - libavcodec/utils.c - -commit 17dcbec74c0630e44029dd5e4efd8f9bb2ddee13 -Author: Alexander Strange -Date: Fri Jul 24 16:51:14 2009 -0400 - - Fix typo in huffyuv, broke mt decoding with newer huffyuv versions. - -commit 17ef916da54e5cbaf2ce97cba565ba4730dcd847 -Author: Alexander Strange -Date: Tue May 11 14:39:44 2010 -0400 - - Cosmetics: remove stray spaces in pthread.c - -commit 1846cc0549bf3d45fb2a5a2152b7335c794146e8 -Merge: 5323bc6 cd23ede -Author: Alexander Strange -Date: Mon Mar 8 04:30:32 2010 -0500 - - Merge mainline. - - The VP3 decoder has been heavily changed upstream and this commit - removes mt optimizations. They will be readded later. 
- - Conflicts: - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/h264.h - libavcodec/h264_direct.c - libavcodec/vp3.c - -commit 1878dce0e65b2fab94612c950fac51e3de741636 -Merge: b7d1826 2b13612 -Author: Alexander Strange -Date: Sun May 24 01:37:21 2009 -0400 - - Merge mainline. - -commit 1884de3ffb775bb23cbfbf977ea48841c2b2ae16 -Author: Alexander Strange -Date: Fri May 8 00:15:50 2009 -0400 - - Correct comment about decoding delay. - -commit 18893e1423c3d8a65ca753806638ac160fefe342 -Author: Alexander Strange -Date: Sat Oct 23 18:13:56 2010 -0400 - - Add a -vsync test to test.sh. - - The files x-1-vsync.txt and x-3-vsync.txt should have the same MD5. - Even more ideally, all files should have the same MD5, but it's not our problem if they don't. - - h264 and theora pass, didn't test others. - -commit 18dc6b6010200c45827d14594a5d7b7b2b28d8e0 -Author: Alexander Strange -Date: Wed Aug 6 20:31:04 2008 -0400 - - Move ff_frame_thread_init above its uses and make it static since it has only one caller. - -commit 190d65b24795208e30c06369e34769ffeb9b5cc8 -Author: Alexander Strange -Date: Sun Aug 24 01:31:00 2008 -0400 - - Add a longer comment for update_context - -commit 19b159260eb5eddfd296cac179d59ba218f881ac -Author: Alexander Strange -Date: Fri Jan 21 01:22:43 2011 -0500 - - Adopt pkt_pts/pkt_dts in lavc clients - - This makes DTS reliable with threads. - -commit 1a0d8d0cd0d7d0dc44d1747b2c8c93c73bc09cd8 -Author: Alexander Strange -Date: Mon Jan 4 03:59:20 2010 -0500 - - Note in todo that 'make test' doesn't pass ATM. - - Also note a harmless warning emitted, which I haven't - though of a good fix for yet. 
- -commit 1a216093ed2f201814287a32b5d8f22781c6d8d1 -Author: Alexander Strange -Date: Mon Aug 25 01:02:29 2008 -0400 - - Comment another strange line - -commit 1a4740fed38a69202c762e3cd786dd3c7c23dd40 -Author: Alexander Strange -Date: Sat Jan 15 17:02:46 2011 -0500 - - Make ARM asm #error out, since the offset values are out of date here - -commit 1ac02d2ff0dd39d8baf68cf7e0490de4db9b88cc -Author: Alexander Strange -Date: Fri Jul 10 14:24:40 2009 -0400 - - Fix the error in avcodec_thread_init to actually not do anything. - -commit 1b735c493b0fe8c1aaff3d06214c24e8556b111c -Author: Alexander Strange -Date: Mon Aug 25 14:40:54 2008 -0400 - - Remove some context variable copies which were overwriting user settings - -commit 1b755181905bed35b2edd723c137b8f0af9c31c3 -Author: Alexander Strange -Date: Sat Aug 23 23:14:20 2008 -0400 - - Add a FIXME for PAFF - -commit 1c187ba01c332b3d99681cfffb90f0247a836303 -Merge: 8022069 0309093 -Author: Alexander Strange -Date: Mon Nov 15 05:32:06 2010 -0500 - - Merge mainline. - - Conflicts: - doc/APIchanges - libavcodec/avcodec.h - -commit 1c39407876cb6689e313ce27a51d83d77ac0c4e4 -Author: Alexander Strange -Date: Sun May 23 03:40:43 2010 -0400 - - Fix crash with ffplay. - - Caused by the buffer functions being changed after codec init. - -commit 1c70dfb14a5e6e322f66d1175045eb13ac96d2f8 -Author: Alexander Strange -Date: Sat Feb 20 22:10:38 2010 -0500 - - Rewrite thread.h comments for clarity - -commit 1c8037ec029ffe790b39b0cf0e67468db5f8c4a8 -Author: Alexander Strange -Date: Mon Jan 25 03:59:02 2010 -0500 - - Fix references to renamed avail_motion() in the todo. - - Delete the second entry mentioning it, since I don't think it's a - good idea anymore. - -commit 1ca44079c06a2080c2a0deb9cbc8fa757a5be540 -Author: Alexander Strange -Date: Sun Jun 15 20:34:08 2008 -0400 - - Delete unused variables. The frame counters will stay around for now for debugging. 
- -commit 1d15df4fd2b4583d56159a7938ef3699c7f46261 -Merge: 8f759fa b3b80f1 -Author: Luca Barbato -Date: Sat May 31 17:56:44 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 1da82befe53bc245ba94cf1012fcd0156040353c -Author: benoit -Date: Mon Jan 7 12:40:39 2008 +0000 - - Remove unused symbol. - - Patch by Diego 'Flameeyes' Petten -� flameeyes commit 1e8abec2eecd831c55e34c09fc9a38833d69c180 -Author: Alexander Strange -Date: Fri Jul 10 14:28:54 2009 -0400 - - Fix default value of thread_count. - - Adding a flag named "threads" somehow disabled the default value - of the option named "threads", which allowed thread_count to be 0 - for non-ffmpeg/ffplay clients (which don't always reset it). - - Not sure why AVOption works this way. - -commit 1eff8ec8e1772334cd74129f8cc068483c757b40 -Author: benoit -Date: Fri Aug 10 07:28:18 2007 +0000 - - Prefix with "opt_" the functions ffmpeg.c:show_{version,license,formats}. - patch by Stefano Sabatini [stefano tod sabatini-lala commit 1fae9e952cee3c499313b5a9b5c2e3dda096ee30 -Author: Alexander Strange -Date: Thu Mar 10 01:44:05 2011 -0500 - - Delete the libswscale submodule for svn->git merge. - -commit 2037d9714bc51ccb57a82aba95a52a5b49bdc401 -Author: Alexander Strange -Date: Sun Aug 24 21:16:50 2008 -0400 - - Comment this just in case someone doesn't get it - -commit 2063f77f904af3544021e16d6da76acf5d9beaed -Author: Alexander Strange -Date: Mon Nov 15 05:40:04 2010 -0500 - - Delete beosthread.c which is gone from mainline - -commit 207f434446b40b29311e81233167bd03de16bf0c -Author: Alexander Strange -Date: Wed Jul 30 20:14:56 2008 -0400 - - Cosmetics: whitespace adjustments. - -commit 20997d60c8ec84dd0dd68055901e847c4b4e171a -Author: Alexander Strange -Date: Sat Jun 27 22:33:17 2009 -0400 - - Frame threading for VP3 [2/2]. - - The performance with different thread counts is different from - MPEG codecs; trying more or less granular synchronization would - be interesting. 
- -commit 20a85842c46b547331c5884e015dd781108c6d17 -Author: Alexander Strange -Date: Sat Oct 11 16:43:39 2008 -0400 - - Save PAFF vs MBAFF information for pictures. - - This already exists differently in mainline, but this way is more useful - since MPEG-2 has field pictures but not MBAFF. - -commit 20d6c336b37a7bf7313865a397f19ef33595adf8 -Author: Alexander Strange -Date: Tue Dec 23 17:49:51 2008 -0500 - - More todo entries - -commit 210b4a63100e5f4ba5ab23e84460614ca59b7817 -Merge: fc957c7 59b0bd5 -Author: Alexander Strange -Date: Mon May 24 22:26:23 2010 -0400 - - Merge mainline. - -commit 21cede4223d4bcfcc0f6a91bbc84354238201fea -Author: Alexander Strange -Date: Mon Apr 19 03:30:45 2010 -0400 - - Fix possible overlapping memcpy()+crash at the end of decode - - Increasingly dissatisfied with having to do this. - -commit 22a56df3f22e5c32c5f2fd06db8d644157da1877 -Author: Alexander Strange -Date: Mon Jul 14 23:12:17 2008 -0400 - - Remove dead code. - -commit 22d953bd1ef2b61ec272be03aa8f81587e0ac046 -Author: Alexander Strange -Date: Wed Jun 25 04:54:34 2008 -0400 - - Remove zeroing mbskip_table - It's unnecessary with the previous commit. - -commit 22e9455a663acc4d34f76130f2603b41b3940b9e -Author: Alexander Strange -Date: Fri Aug 22 16:25:45 2008 -0400 - - Comment and rename context variables in pthread.c. - -commit 2331711a5ff0908a37005a0e500804a5a8a61e5d -Author: Michael Niedermayer -Date: Wed Apr 6 00:15:42 2011 +0200 - - Fix ffmpeg-mt fixme in h264 - - Uncommenting this code no longer seems to cause valgrind problems or crashes. - Behavior is unchanged. 
- -commit 234887b836f9b0306388d20499c8025ac916e11b -Author: Alexander Strange -Date: Tue Aug 19 21:17:15 2008 -0400 - - Normalize if (err) - -commit 2412ad4778734a19638c997d5567f5d53d135a9a -Author: Alexander Strange -Date: Mon Jan 17 15:57:00 2011 -0500 - - pthread: Document release_delayed_buffers - -commit 24345e509df0b92a3592cfb15db12b1aecd78ffe -Author: Alexander Strange -Date: Tue Aug 26 02:26:07 2008 -0400 - - Fix spelling and rewrap multithreading.txt to the right number of columns. - -commit 2485cfd74cf5012fdce8582b7094ddbd09bd70c9 -Author: Alexander Strange -Date: Sun May 24 03:38:22 2009 -0400 - - 10l: pred_direct_motion fix missed several mb_type accesses - - I have not proven this correct yet; it's not too hard with some work - (record the last row accessed and waited for, and make sure they - correspond). Therefore, I suspect it still isn't correct, since - framecrc still shows mismatches. It does fix the worst visible - errors, though. - -commit 25a2f117ad6d6dc2592e77369bed23e53241b218 -Author: Alexander Strange -Date: Fri Jan 21 03:24:41 2011 -0500 - - Cosmetic: shorter line variable declaration - -commit 26151296236e0381c1c40e0d97ead8c5ab26b57c -Author: Alexander Strange -Date: Tue Nov 2 02:33:12 2010 -0400 - - vp3: Lift up loop-invariant checks and simplify away 'border' which == 1 - -commit 27026500c9a25bf409b55186d9bceada4bf2ba5c -Author: Alexander Strange -Date: Sat Jul 19 02:09:18 2008 -0400 - - Fix mpegvideo crashing without --enable-pthreads due to the number of thread_contexts changing. - - -threads X no longer has any effect since all threading code is now gone without an actual threading library. - I think this is a nice minor size optimization, but if it's necessary to keep regression tests working with frame-threaded encoding I'll have to revisit it. - -commit 2742b2a142ff98e4611f96ddf47ab5a5233f4692 -Author: benoit -Date: Thu Jan 10 10:15:07 2008 +0000 - - Reduce the size of the replaceTable entries. 
- Patch by Diego 'Flameeyes' Petten -� flameeyes commit 287e761820e85514e00eb6c5958496ecb61825cb -Author: Alexander Strange -Date: Thu Dec 24 22:21:37 2009 -0500 - - Fix error return being ignored in VP3 allocate_tables(). - - Based on a patch by Yuriy M. Kaminskiy. - -commit 29c2b04f5074e49aa63cf50fb90e3a51e853ad9d -Author: Alexander Strange -Date: Sat Apr 4 00:35:28 2009 -0400 - - More todos related to init api - -commit 2a7a86a64f153befafabcbb987e2793fa4bb0e18 -Author: Alexander Strange -Date: Sat Jun 27 22:17:41 2009 -0400 - - Split out error returns in VP3. - -commit 2a9b493a5a0f46f43959ce2466849dd6a6217012 -Author: Alexander Strange -Date: Wed Feb 2 02:12:29 2011 -0500 - - Fix memory abandonment + unnecessary realloc in mpeg4 - - Fixes Sample1.mkv from ffms running out of address space (and more). - Note the file doesn't display properly in ffplay, so there's still bugs left. - -commit 2ae310bf292c1f34be006e9be7fbceb4c0f1b068 -Author: Alexander Strange -Date: Tue Jun 3 04:20:42 2008 -0400 - - Comment next_*_index. - -commit 2b74560715c3d4f331156d8745ce801c1de4d467 -Author: Alexander Strange -Date: Tue Nov 18 14:31:17 2008 -0500 - - Revert accidental warning change - -commit 2b7d2acccb45e89bfc77564bcdaee68fcb4ac4c7 -Author: Alexander Strange -Date: Tue Feb 1 23:05:43 2011 -0500 - - Revert 99ed04d4d7b7183a4d0a1b8833eee3b506e13ff0 - - Broke big_buck_bunny_720p_stereo.ogg with 2 threads. - -commit 2bbb64dae018cbb09ea47a6bdcb184f551136c26 -Author: Alexander Strange -Date: Wed Dec 15 16:15:21 2010 -0500 - - Fix definition of CODEC_CAP_FRAME_THREADS to not conflict. - -commit 2bc23e009291d727eed7a4f803a2793f5fa715b0 -Author: Alexander Strange -Date: Tue Aug 26 03:03:38 2008 -0400 - - Update avcodec.h comments - -commit 2bcbffdbf53bd2918ba6ade66d12fb97021032c7 -Author: Alexander Strange -Date: Sun Jun 15 20:26:59 2008 -0400 - - Combine all the condition variables into one. 
- -commit 2beb042a202d00dbb2baef3970f058994aeec027 -Author: Alexander Strange -Date: Sat Aug 23 19:32:56 2008 -0400 - - Split thread_algorithm into two more sanely defined variables. - - Also improves correctness in some ways. - -commit 2c0e016af759adfdc34a6a1b8592ec0a1ef56da9 -Merge: d5ea5fc c2c8552 -Author: Alexander Strange -Date: Thu May 7 17:36:13 2009 -0400 - - Merge mainline. - - Uses the minimal changes to get the new AVPacket API working. - - Conflicts: - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/mimic.c - libavcodec/options.c - libavcodec/utils.c - -commit 2c3cd96bf1cb1757407c973416f7928d492e2156 -Author: Alexander Strange -Date: Mon Aug 18 22:59:19 2008 -0400 - - Cosmetic rearranging of MPEG update_context functions - -commit 2cb0db5ba7d77ed8180f0551462c836047ea262e -Author: Alexander Strange -Date: Thu Jun 18 16:19:33 2009 -0400 - - Fix invalid Mimic stream handling + frame threads - - Releasing a frame after frame_setup_done isn't allowed, and - it must do report_decode_progress as if it was finished. - -commit 2d0370118996148f1c64b9c6b4a2ff632fcaf609 -Author: Alexander Strange -Date: Sun Aug 31 03:56:04 2008 -0400 - - Add fixme for copying packet data. - -commit 2e121780400cb6630a66a0b7bd3fe84ad539b882 -Author: Alexander Strange -Date: Fri Jul 11 18:21:08 2008 -0400 - - Increase the released buffer size to 16. H264 can release this many at an IDR, can other codecs have even more? 
- -commit 2e5a5baf540ae0d1ac16ae52f66254b7233aabf7 -Merge: 5d82241 31f0027 -Author: Alexander Strange -Date: Tue Mar 29 04:35:46 2011 -0400 - - Merge branch 'master' of git://git.libav.org/libav - - Conflicts: - libavcodec/dsputil.c - libavcodec/mpegvideo.c - libavcodec/snow.c - libavcodec/vp8.c - libavcodec/x86/dsputil_mmx.c - -commit 2e9d8893eac232b782b479378cf13d484ab9cc1e -Author: Alexander Strange -Date: Wed May 28 22:49:33 2008 -0400 - - Add thread.h - -commit 2eeab8f6ad07611e46b3377ddf73e1d7f1f2bb78 -Author: Alexander Strange -Date: Sun Aug 24 21:16:31 2008 -0400 - - General description and porting guide - -commit 2f1fec650f4bb351fa819fb7e11b4766a43fa30f -Author: Alexander Strange -Date: Tue Aug 19 01:20:32 2008 -0400 - - Simplify mimic_decode_end changes - -commit 2f48eac011767ba2d60329c10a22499c228a31d8 -Author: Alexander Strange -Date: Tue Nov 18 15:27:24 2008 -0500 - - Missed fixing pthread.c in merge. - -commit 2f8f77021011eec5af8cab80ee7bdc574ad3f37b -Author: Alexander Strange -Date: Fri Jan 21 03:01:42 2011 -0500 - - pthread: Style and comment nitpick for validate_thread_parameters() - -commit 300b5819426ed6b35aaa480502070382e5295111 -Author: Alexander Strange -Date: Sun Aug 17 14:07:06 2008 -0400 - - Copy aspect ratio info between contexts. - -commit 3029628ce39e37c9ae77cb78f22ab9d4846e6610 -Author: Alexander Strange -Date: Sun Aug 31 15:15:15 2008 -0400 - - Fix compiler warnings - -commit 303cd6307958792faac1ce8c8c81eea2651b002f -Author: Alexander Strange -Date: Thu Jun 19 18:31:17 2008 -0400 - - Use MPV_report_decode_progress in mpeg12, and call it before mb_y++. - -commit 30e540672df8523a47013d92592b744459040904 -Author: Alexander Strange -Date: Mon Oct 13 15:00:39 2008 -0400 - - Make every thread lock the same buffer_mutex for get_buffer. - - Otherwise it isn't actually protecting anything... 
- -commit 3106e8ebe7c55eba3e41f3a11cc23eb249a4ff3b -Author: Alexander Strange -Date: Mon Jul 14 23:09:47 2008 -0400 - - Always set thread_context[0] in MpegEncContext. - This fixes mpeg* encoders always crashing, but most of the regression tests are still failing. - -commit 3127a4bd6e36bb2d9cd2fe12a96fa776d94fed94 -Author: michaelni -Date: Sat Nov 2 10:47:44 2002 +0000 - - added BeOS net_server support (R5 network stack), basically the same - problems as with winsock (sockets != fd), and the broken select(). - based on older patch by Andrew Bachmann. - patch by (Fran -commit 314c2b1d2f94be3b6aca3dd1ae0f30c05f10f2ee -Merge: 9816b66 bd8850b -Author: Alexander Strange -Date: Tue Feb 17 22:41:31 2009 -0500 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - - Conflicts: - - libavcodec/avcodec.h - libavcodec/mimic.c - libavcodec/mpeg12.c - libavcodec/mpegvideo.c - -commit 314e5630e389457319ff2d11e856fab6b1d8b250 -Author: benoit -Date: Mon Jan 7 12:47:14 2008 +0000 - - Move wmv1_scantable to .rodata section by making it an array of arrays. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit 31e3f669b598302b2a487dab84e08bf4d1e79983 -Author: Alexander Strange -Date: Thu May 7 18:06:52 2009 -0400 - - Fix mplayer patch's calculation of extra delay. - - It's only (num_threads-1) frames with MT on, not num_threads. - -commit 31f1a603dcfe885c41d123832f102a3ccc55c6dd -Author: Alexander Strange -Date: Sun Aug 24 00:20:03 2008 -0400 - - Rename threading functions with 'decode' in their name - -commit 333777b56b942a11db5d672433357bcbbf0d6e47 -Author: Alexander Strange -Date: Tue Aug 19 01:14:48 2008 -0400 - - Cosmetic changes to mimic - -commit 33bc3cc94a5a6e2679306da899afb1e0ce6b78c6 -Author: Alexander Strange -Date: Thu Aug 14 14:01:15 2008 -0400 - - Reindent. - -commit 3444ffe523dd65b788791dfb2c6cbd7031cfec97 -Author: Alexander Strange -Date: Wed Aug 6 20:24:44 2008 -0400 - - Cosmetics: rename last_thread to prev_thread to avoid final vs. previous confusion. 
- -commit 344df336a0b5e70ef9fcea33f612f759bc045552 -Author: Alexander Strange -Date: Mon Apr 19 03:31:30 2010 -0400 - - Reindent - -commit 3547c7f44108f1080f90de1844c36fb172528994 -Author: Alexander Strange -Date: Sat Feb 20 19:40:48 2010 -0500 - - API simplification: remove ff_report/await_frame_progress() - - The field variants are enough. - Note that mpegvideo.c thread code doesn't need to support any codecs - with field pictures. - -commit 3630d89a7bd6443f9aeda2f6997fb2ea5da5c97d -Author: Alexander Strange -Date: Thu Dec 18 12:36:20 2008 -0500 - - Copy dequant4/8_buffer between H264 decoding threads. - - Fixes at least: - MSG00 ED.mkv - freedom EP1 sample.mkv - made with unknown encoders. - -commit 36977df5243521eaa3ab1b67f3c89d1a1ba4c8f7 -Author: Alexander Strange -Date: Mon Aug 18 22:03:25 2008 -0400 - - Move copying idct_algo to the right place - -commit 379271216e0d522b675e97189ab5d4e5cf7f5f70 -Author: Alexander Strange -Date: Mon Apr 19 03:35:28 2010 -0400 - - Update todo. - -commit 37b38ff868fa39f75df9c1bd543fd1c2dc7134ae -Author: Alexander Strange -Date: Sat Feb 20 20:31:16 2010 -0500 - - Update the comment for FF_THREAD_FRAME. - -commit 382e06ef4ba568c565b9d67b33b1688a32b2b80e -Author: Alexander Strange -Date: Tue May 11 06:21:06 2010 -0400 - - pthread: Use av_fast_malloc to allocate the frame buffer - - Also delete the FIXME; it's impossible because the AVPacket memory - API doesn't actually work. - -commit 3934d02026fb67b46441176c4160c0f854c12825 -Author: Alexander Strange -Date: Mon Jul 21 18:10:58 2008 -0400 - - Reindent. - -commit 39eee0b91b9b6b75c54ff68d51ecc0ba1816c88f -Author: Alexander Strange -Date: Sun Jun 22 03:36:24 2008 -0400 - - Multithreading support for MPEG-4 - This requires more parallelism barriers than usual because of the horrible skip MB structure in B-frames. 
- -commit 3ad85b1741ca6d36126bbf674f5b82d550107bae -Merge: ff4c627 4495490 -Author: Alexander Strange -Date: Tue Oct 6 16:12:06 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - - Conflicts: - libavcodec/avcodec.h - libavcodec/mpegvideo_enc.c - libavcodec/snow.c - libavcodec/vp3.c - -commit 3afd3f52b940d0bfa756e1a7496a20d103c5a7f0 -Author: Alexander Strange -Date: Fri Jul 25 03:25:00 2008 -0400 - - Merge MPV_update_picture_pointers() into its only caller. - -commit 3ba8143c5da92197eb45fa120bfa95b38adfd3bf -Author: michaelni -Date: Sat Nov 2 10:35:07 2002 +0000 - - added BeOS net_server support (R5 network stack), basically the same - problems as with winsock (sockets != fd), and the broken select(). - based on older patch by Andrew Bachmann. - patch by (Fran -commit 3bac11e47a0ec7c6036c53a1173bce276abccfeb -Merge: 53fff22 3d42d49 -Author: Alexander Strange -Date: Sat Apr 9 21:30:16 2011 -0400 - - Merge mainline. - - Conflicts: - libavcodec/h264.c - -commit 3bef1503e0f23c0f30c2e3b2de64a9b2618807d2 -Author: Alexander Strange -Date: Sat Jun 27 16:18:44 2009 -0400 - - Add debugging hooks to show ff_report/ff_await calls. - -commit 3c3a3648317737830fc863371b455624d093f8e6 -Author: Alexander Strange -Date: Sat Oct 18 17:39:17 2008 -0400 - - Fix possible null pointer access after seek. - -commit 3c7a8d94b97003b118c2438343d06ad7cf26198a -Author: Alexander Strange -Date: Tue Mar 9 00:04:51 2010 -0500 - - Reimplement VP3 multithreading. - - Synchronization is now not very fine-grained, because it reuses - vp3_draw_horiz_band which runs every ~64 pixel rows. - -commit 3cfd7b2e788c3d8e31c91ed529f3e3730f836395 -Author: Alexander Strange -Date: Mon Jun 23 23:14:05 2008 -0400 - - Wrong kind of #if. - -commit 3f7521893b9072181763ea176ef8da0c0ad1922a -Merge: ed42183 206c937 -Author: Alexander Strange -Date: Sun Oct 10 01:47:32 2010 -0400 - - Merge mainline. - - API change: CODEC_CAP_FRAME_THREADS is now defined as 0x800. 
- - Conflicts: - libavcodec/avcodec.h - -commit 3f858091f8f3cd43f1eed396e85f6956ee5068a0 -Author: Alexander Strange -Date: Tue Aug 19 02:35:52 2008 -0400 - - Fix losing frames at the end of an encode - -commit 3ffe81697018042b27a31f20c1d30c988b688d60 -Author: Alexander Strange -Date: Thu Jun 12 18:22:42 2008 -0400 - - Reindent. - -commit 401a6bc7f0fe26963f63778c5092ae96c4262634 -Author: Alexander Strange -Date: Thu Jun 25 19:07:58 2009 -0400 - - Frame threading for VP3 [1/2] - - update_context function and compatibility fixes. - -commit 40265f10de7698bb2fe23857cf261a0f04fe18a1 -Author: Alexander Strange -Date: Mon Oct 13 14:19:27 2008 -0400 - - Fix edge drawing for non-mod-16 files. - -commit 4074c8bfba918988029ce106eda3d41486f12966 -Author: Alexander Strange -Date: Sat Jul 12 00:11:35 2008 -0400 - - Copy more MpegEncContext variables. - These are needed for proper DivX/H.264 decoding. - -commit 40ffd3a664e36f44ebdf4d2603e42c7c59502599 -Author: Alexander Strange -Date: Thu Jul 23 21:40:06 2009 -0400 - - 100l, fix compile error introduced by automerge - -commit 4118a72e28be1cee657561a1f45dc3ce160dbf07 -Author: Alexander Strange -Date: Thu Mar 10 02:46:14 2011 -0500 - - Update todo.txt - -commit 41e0f81a58493a0a15cb18c7ff00920f0fd124a3 -Author: Alexander Strange -Date: Sun Aug 24 02:52:18 2008 -0400 - - Remove unneeded stubs from thread.h - -commit 4259f9fcf4edc5c92bc02d37d85493b3eb917075 -Merge: 2615129 fb61692 -Author: Alexander Strange -Date: Tue Nov 2 02:36:20 2010 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 4293f5ba301cd751257705bfe6fc8b12337dccab -Author: Alexander Strange -Date: Mon Jul 14 23:20:17 2008 -0400 - - Disable multithreading for packed B-frames. - The bitstream buffer is updated after decoding, so it has to be changed to find the frame end before starting the actual decode. Assuming that's not too slow. 
- -commit 42b521db9177ed2d4e62845659fdcd44c59757f9 -Author: Alexander Strange -Date: Fri May 8 00:40:57 2009 -0400 - - 10l: dequant_coeff must be copied along with dequant_buffer - - Fixes more Blu-Ray streams which change CQM, including Slumdog - Millionaire. - - Noticed by Haruhiko Yamagata. - -commit 435ace7689e2794ddbb4013de097bdaf487f7365 -Author: Alexander Strange -Date: Sat Apr 9 21:47:12 2011 -0400 - - Update test scripts to use ffmpeg instead of ffmpeg_g - -commit 435adcd213762869c6a6f806481450216720b364 -Merge: 6ee99a7 11dcccd -Author: Alexander Strange -Date: Thu Mar 10 01:25:24 2011 -0500 - - Merge remote-tracking branch 'socrep/last_mainline_point' into last_git_point - -commit 451af22792e7bec6f3b347ba801ba186102a85da -Author: Alexander Strange -Date: Mon Jul 14 04:13:33 2008 -0400 - - Call draw_edges per-MB-row instead of per-frame when possible. - This is necessary for multithreading, since rows aren't complete until their edges are mirrored. - It should also be somewhat more cache-efficient, but I haven't benchmarked it properly yet. - I don't like adding new MpegEncContext variables, but edge_y lets it do the right thing wrt. error resilience and codecs that don't call ff_draw_horiz_slice. - -commit 452fb04633126605afbb2cd0d6383bb75fe01f38 -Author: michaelni -Date: Fri Nov 8 20:54:44 2002 +0000 - - ringbuffer patch by (Fran -commit 4681ac8f618586d4a3ecb04784b9cf896d070f1b -Author: Alexander Strange -Date: Tue May 11 14:43:29 2010 -0400 - - Cosmetics: vertical alignment - -commit 468eba33060aa87117ac6b617d4eae776951cbf6 -Merge: 3c7a8d9 aa86abc -Author: Alexander Strange -Date: Tue Mar 9 00:55:42 2010 -0500 - - Merge mainline. - - The error condition in vp3_decode_frame was uglified to make the - diff simpler. - - Conflicts: - libavcodec/vp3.c - -commit 46a45ad599db4037006b335fca2c7b7bed7018ab -Author: Alexander Strange -Date: Sat Aug 2 00:22:16 2008 -0400 - - Clear thread variables in avcodec after freeing them. 
- -commit 46b495ebc4a7fb7662580791e4ed10130b00fead -Author: Alexander Strange -Date: Thu Jun 12 17:16:31 2008 -0400 - - Don't allocate duplicate contexts if they're not going to be used. - -commit 46ec6b90e7b2d6b1d83a207025a691c56176d686 -Author: Alexander Strange -Date: Mon Jun 16 18:21:04 2008 -0400 - - Multithreading support for MPEG-1. - -commit 46fc25f5c225e2f33430e31a0d0ad375455e9cef -Author: Alexander Strange -Date: Mon Nov 1 12:20:12 2010 -0400 - - Update todo.txt - -commit 473799e0c3b647d73046c3b4de30e85bf57ba610 -Author: Alexander Strange -Date: Tue Aug 19 21:16:59 2008 -0400 - - Whitespace fix - -commit 47869edb7f0aede0a2bfd178ef9937e28bf8b01f -Author: Alexander Strange -Date: Sun Feb 14 23:41:12 2010 -0500 - - Fix buffer leak in VP3 by allowing update_context() with the same context. - - I assumed update_context() would only be used to copy values, so skipped - calling it with duplicate parameters (during flush and free) for optimization. - - But VP3's release_buffer call was moved from the end of decoding to the - end of update_context(), so flushing would skip releasing a frame and - eventually run out of buffers. - - Unfortunately this makes update_context() much uglier in codecs that - already worked, because memcpy doesn't allow src and dst to be the same. - -commit 480a82da7912bc5034a4b0bc2090879920567521 -Author: Alexander Strange -Date: Thu Sep 30 01:13:43 2010 -0400 - - Update todo. - - ffplay/ffmpeg support for better a/v sync support is in progress. - If Theora uses PTS (I think it does), then once ffmpeg.c i - ready it can be submitted to mainline. - -commit 4845b04ed3d6bc513a272da718629d110bc8186f -Author: benoit -Date: Mon Jan 7 12:43:04 2008 +0000 - - Mark the tables in g726.c as constant. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit 485d8e9e3c5de803075c8440922e6e09b10a1e57 -Author: Alexander Strange -Date: Sun Sep 14 20:45:58 2008 -0400 - - Fix ff_report_*_progress side of H264 multithreading and merge draw_horiz_band into it. 
- -commit 4874d258345ec305b0eca78c41491878d42a900d -Author: Alexander Strange -Date: Tue May 11 14:45:39 2010 -0400 - - Cosmetics: reorder variable declarations - -commit 48d2183d902db7cc42c9f84d2bad6eccc35d0221 -Author: Ronald Bultje -Date: Mon Apr 11 14:58:11 2011 -0400 - - Release unused pictures even when not calling ff_h264_frame_start() - - Unused pictures assigned to the thread can build up and cause it to - run out of buffers if the thread only ever decodes bottom field pictures. - -commit 48d7f5a8f3f14535d74f0e4b0a736e3f5dc336b2 -Author: Alexander Strange -Date: Mon Aug 18 19:58:18 2008 -0400 - - Factor out freeing delayed released buffers. - -commit 49652059c673eb977e5b69ffb0c8a543c3210e16 -Merge: a2efd25 48e59eb -Author: Alexander Strange -Date: Sat Jan 15 17:01:41 2011 -0500 - - Merge mainline. - - Conflicts: - doc/APIchanges - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/utils.c - -commit 4969bb89e592c003a560e321f3cacb412a192db9 -Author: Alexander Strange -Date: Thu Jul 31 14:30:40 2008 -0400 - - Copy avcC variables in H264Context. - -commit 496ec27adcef84278e650b29f4d22aba383d705a -Author: Alexander Strange -Date: Sat Sep 13 16:20:03 2008 -0400 - - Correct interlaced draw_edges. - - There is still a race condition when fields are decoded in different threads, - so for now we pretend EMU_EDGE is set instead of using the edges. - -commit 498ddbb3b2d78819540c1b8fff9a2bc495a33346 -Merge: aaa05da 95b6213 -Author: Alexander Strange -Date: Wed Nov 3 18:34:04 2010 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - -commit 49e377f9f23904ed790e98175b1575bba6ecc6cb -Author: Alexander Strange -Date: Tue Jul 15 03:30:28 2008 -0400 - - Add update_context() for H.264. - This seems to lose reference frames for my PAFF sample, which I'll fix after I find out how PAFF works. 
- -commit 4adb7fbed7dcb12dda0f3919188334a3b96efb0a -Author: Alexander Strange -Date: Mon Aug 18 20:02:12 2008 -0400 - - Cosmetics: get rid of unhelpful comments, useless braces, and some whitespace/align issues - -commit 4af5480a021156089c193ce2215994cfd170e4e6 -Merge: 2f48eac 1bf5327 -Author: Alexander Strange -Date: Fri Nov 28 22:48:24 2008 -0500 - - Merge mainline. - - Conflicts: - - libavcodec/h264.c - libavcodec/mpegvideo_enc.c - -commit 4b9ce55576ab27f6a45d542bfda7c1e21fb967f8 -Merge: 1fae9e9 435adcd -Author: Alexander Strange -Date: Thu Mar 10 01:54:16 2011 -0500 - - Merge branch 'git_equiv_of_mainline' - -commit 4c726e5e30e1f48619eecbec5442acd63e895318 -Author: Alexander Strange -Date: Wed May 28 22:40:30 2008 -0400 - - Rename pthread.c to thread.c - The remaining *thread.c files will be merged into it later. - -commit 4c802e44f13672dd4527f51fc2f07a1e21be4a5c -Author: Alexander Strange -Date: Mon Jun 2 04:31:45 2008 -0400 - - Simplify ff_await_decode_progress. - - Always set and allocate the progress pointer, so ff_await_decode_progress doesn't have to check for threading to be on. - -commit 4cdd15a3cf5dfec32ace278cd445f04130ddbee0 -Author: Alexander Strange -Date: Sat Jan 15 19:26:14 2011 -0500 - - pthread: Call external get_buffer() on the client's thread by default - - This fixes several mplayer VOs that crashed when they were called from decoding - threads. - - Not a complete fix as mplayer still doesn't work right with draw_horiz_band() - being called from decoding threads, but that doesn't crash at least. 
- -commit 4d2f536b72ec9121b5afe858b69c93d9cc75f20a -Author: Alexander Strange -Date: Sat Aug 30 04:20:20 2008 -0400 - - Simplify draw_edges changes by removing edge_y (which is useless with slices) - -commit 4d8525ab388d34e128629b08ab88c6a16f3aa406 -Author: michaelni -Date: Sun Jul 21 07:59:17 2002 +0000 - - nanosleep patch by Fran -commit 4edb9a7f780a6eaef36512724e6a34c3f38d67ce -Author: Alexander Strange -Date: Mon Feb 15 00:31:31 2010 -0500 - - Disable mpeg1 frame threading. - - Seeking doesn't work (it triggers false error conditions) and it doesn't - pass test.sh (-threads 2-4 match but 1 doesn't somehow). Will be reenabled - when those are fixed. - -commit 4f9364563f388af84b9a02930b375ff52eee1394 -Merge: 3bac11e 347b375 -Author: Alexander Strange -Date: Sat Apr 9 21:30:47 2011 -0400 - - Merge branch 'master' of git://git.libav.org/libav - -commit 4fb1fdf1ca1a48aff176b8f833ca596d245d6d36 -Author: Alexander Strange -Date: Tue Jul 15 03:30:50 2008 -0400 - - Reindent. - -commit 4fb33e68ec34cbc135ce4ebb86f7e1399ba97115 -Author: Alexander Strange -Date: Mon Jun 23 22:11:58 2008 -0400 - - Merge statements. - -commit 5022ee29ac6d4b2ee992115c3bf997e7bd1ab7a4 -Author: Alexander Strange -Date: Thu Jun 5 20:30:27 2008 -0400 - - Add delayed_release_buffer for handling reference frames. - -commit 5066a4656963dd3b4e847a540353bf71d318de14 -Author: michaelni -Date: Tue Nov 5 00:07:05 2002 +0000 - - lrintf detection (based upon a patch by Fran -commit 50d1ce2db57e39b6115642d3c4397e9f67f758e3 -Author: Alexander Strange -Date: Sun May 24 00:08:03 2009 -0400 - - Call codec init at a more reasonable time. - - Previously it was delayed until the first decode_video() call, - but it can be moved into avcodec_thread_init(). This makes pix_fmt - available to clients after init again, which should make them happier. 
- -commit 50eaf4979eb085e2c58c06912bb0c885404d4470 -Author: Alexander Strange -Date: Thu Aug 28 17:39:28 2008 -0400 - - Simplify changes to non-pthreads and don't call thread_init from open if it was already called. - - This will cause an assert failure if clients call thread_init again after open. - -commit 51428e56c71512a57f81d85acee3ced7cc0d2983 -Merge: 00425e9 03586fd -Author: Alexander Strange -Date: Sat Jul 4 16:41:31 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 517d68c2642aee3c14fc71031c1e44c0803a664e -Author: Alexander Strange -Date: Mon Mar 8 04:43:06 2010 -0500 - - h264: change the definition of col_fieldoff to avoid divisions - -commit 5186276ed120294fb6a4f2cf5a40d5019012482f -Author: Alexander Strange -Date: Sun Jan 16 22:01:18 2011 -0500 - - libavfilter input_get_buffer is thread-safe - - Slightly faster ffplay playback - -commit 51ead6d2c40c5defdd211f435aec49b19f5f6a18 -Author: Ronald Bultje -Date: Mon Apr 11 10:14:38 2011 -0400 - - h264: Fix decoding race condition with PAFF - - A thread can release a Picture and immediately reuse the same Picture - for a different frame. This is fine, unless the picture released was - a field-picture. In that case, there may be a future thread still decoding - the second field of the picture, and reusing it overwrites the shared fields - in the Picture. - - Fixed by tracking ownership of Pictures and allowing it to be reassigned - to the second thread's context. - - Fixes conformance sample HPCAMAPALQ_BRCM_B.264. - vsync still fails, and therefore FATE does as well. - -commit 521f07e3cf2dfb9b0473027ae2fbb6bd4f203ce4 -Merge: 7d0709e 4a8d06e -Author: Alexander Strange -Date: Sun May 31 00:08:08 2009 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - -commit 52b214211060b56e7aac6b9743fa27bc79f789d1 -Author: Alexander Strange -Date: Wed May 28 02:15:47 2008 -0400 - - Enable multithreading for Mimic. 
- -commit 5323bc6e8adbff2b6849a08e9e071f22241fd807 -Author: Alexander Strange -Date: Sat Feb 20 22:48:51 2010 -0500 - - Cosmetics: add () to function name - -commit 5340d1ffae10b1545d88b9dd8ca86a5a3aaffca7 -Author: Alexander Strange -Date: Wed May 28 02:15:47 2008 -0400 - - Enable multithreading for Mimic. - -commit 534516ac79adc69d8773ff934955532a92db2cf1 -Author: Alexander Strange -Date: Sat Aug 16 00:01:07 2008 -0400 - - Fix a memory corruption bug in update_context and reenable H264 multithreading. - -commit 535de6d374ab6b06041f5e3cb392327abd2ce054 -Merge: 6abde3d cc8161e -Author: Alexander Strange -Date: Tue May 11 04:08:37 2010 -0400 - - Merge mainline. - -commit 5380fee33a871580fe9f3424767eaf2362c8cde0 -Merge: ef2d866 08c0efd -Author: Alexander Strange -Date: Sun Jun 13 23:43:37 2010 -0700 - - Merge mainline. - -commit 538a29e12f115390a64ceb3d4909a4a67cad26cd -Author: Alexander Strange -Date: Tue Aug 19 15:48:55 2008 -0400 - - Make diff smaller - -commit 53c86e82af6757c12df3a99aede6862a311f050b -Merge: fa8a82e ae2df26 -Author: Luca Barbato -Date: Sat May 3 16:13:06 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 53cd195c8885125351a03cfb6f1d93e66d433b86 -Author: Alexander Strange -Date: Mon Nov 15 05:00:01 2010 -0500 - - Rewrite multithreading.txt - -commit 53fff221cdb9f18df2f2f52bd48731ce0fa9e114 -Author: Maksym Veremeyenko -Date: Wed Mar 30 13:20:23 2011 +0300 - - mingw32 compilation after 'unbreak avcodec_thread_init' - -commit 5402adfa2e9c159e7d13ee07e142cb035a77ef95 -Author: Alexander Strange -Date: Tue Dec 16 16:54:20 2008 -0500 - - Only write to stderr once for each av_log(). - - This makes logging somewhat easier to read with multiple threads. 
- -commit 541d79def90226cc9b17e6ccc9eb2ff2549bea46 -Author: Alexander Strange -Date: Fri May 15 17:54:20 2009 -0400 - - Remove useless volatile qualifiers - - All such accesses must be protected by a mutex anyway, which is - already a memory barrier, so this doesn't change anything (assuming - a working compiler). - -commit 544c6a6709833f1a449b8faf4478ab529e269240 -Author: Alexander Strange -Date: Sun Mar 29 02:28:29 2009 -0400 - - Frame threading support for HuffYUV decoding - -commit 54c0c3d2ce69606a5aa508659d3322f48ada77cb -Author: Alexander Strange -Date: Wed Sep 3 11:59:59 2008 -0400 - - Call decode_postinit from the right place to avoid race conditions - -commit 552a89508fddc64d4217b9d845e458f504b63593 -Author: Alexander Strange -Date: Sat Jun 27 15:22:52 2009 -0400 - - Print md5s of test output files in test.sh. - -commit 55c511eedb24ffb09aef7072c02e911576c9900b -Author: Alexander Strange -Date: Mon Jan 25 02:47:19 2010 -0500 - - Did a todo item - -commit 574d2e5b942aa1e093bf768cc6321f3b081d3aeb -Author: Alexander Strange -Date: Sat Jul 5 23:36:08 2008 -0400 - - Merge enum with its only use. - -commit 578f45c15026e778ef54694d98a9ec446810a897 -Author: Alexander Strange -Date: Sun Jun 15 17:42:56 2008 -0400 - - Reindent. 
- -commit 5918efedbb7928031b6af745acb8b4233c08fb06 -Merge: 7d09b68 c2a400d -Author: Alexander Strange -Date: Thu Aug 14 21:37:03 2008 -0400 - - Merge branch 'mainline' - -commit 59d787ffccaf42e992229649c23e624ea7d71635 -Author: Alexander Strange -Date: Mon Nov 15 05:39:12 2010 -0500 - - Delete os2thread.c which is gone from mainline - -commit 5a7146bf75a2170f33ff25b88b91f667574d2919 -Author: Alexander Strange -Date: Wed Aug 11 01:33:20 2010 -0700 - - vp3: Fix a crash decoding files with -Date: Fri Apr 1 19:19:34 2011 -0400 - - pthread: validate_thread_parameters() ignored slice-threading being intentionally off - -commit 5b7c668d1f64facfe8b9f86e2491085595fa9bc7 -Author: Alexander Strange -Date: Tue Aug 12 20:26:26 2008 -0400 - - Document thread-safety requirements for user callbacks in AVCodecContext. - -commit 5bacdcc1a52e2b1d32bad9e9f250ceb6cc37f366 -Author: Alexander Strange -Date: Sat Oct 11 15:40:47 2008 -0400 - - Fix progressive height values in avail_motion() - -commit 5c46573ed07b092aea0db6560ade77bc299c28cb -Author: Alexander Strange -Date: Mon May 25 22:16:23 2009 -0400 - - Whitespace error - -commit 5c4c8ed51da0be4f141a4de339db77f4a0a6c783 -Author: Alexander Strange -Date: Mon Sep 1 03:18:55 2008 -0400 - - Remove unused variable - -commit 5d3c2f7512746dd0adf067952ed38d8111d7571d -Merge: 7041a16 5a70b15 -Author: Luca Barbato -Date: Sun Jul 6 12:38:18 2008 +0900 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 5d53ada4cbd323d66b61965b1442d0abd63361b2 -Author: Alexander Strange -Date: Sun Jan 24 17:00:18 2010 -0500 - - Don't load PerThreadContext until it's needed in ff_await/report_*. - - Should avoid crashes if anything calls them without using ff_get_buffer. - -commit 5d7dfbb887f263b036224bf4510db176fa6cff73 -Author: Alexander Strange -Date: Mon Jun 16 18:18:53 2008 -0400 - - Utility functions for mpegvideo threading. 
- -commit 5d82241b49a1fb1dbecd1b279045cce9f099c775 -Author: Alexander Strange -Date: Thu Mar 24 03:34:48 2011 -0400 - - Update todo. - -commit 5eb0c649c780e26a77085bd213f945d88761ad00 -Author: Alexander Strange -Date: Mon Jan 4 04:12:44 2010 -0500 - - Make ffplay -drp the default. - - Ignoring reordered/delayed PTS never works with frame threading. - This may be changing behavior too much; I haven't tested this - with non-mt files, but I think the current behavior must cause - A/V desync even there. - -commit 5eb679f0fff432ba2c9e0cdada254dbe4bd4a45d -Author: Alexander Strange -Date: Mon Nov 15 02:53:14 2010 -0500 - - Remove width/height changing checks from h264/mpeg12 - - These should be moved to pthread.c update_context_from_thread() if they're needed, - not kept in specific codecs. Hopefully the error return from get_buffer() is - enough to make it not crash anyway. - -commit 5edf2cc5acbb410ba50a3770e8565fb39206f406 -Author: Alexander Strange -Date: Mon Jun 16 18:20:54 2008 -0400 - - Multithreading support for mpegvideo decoding in general. - -commit 5ef4af7de47c3913ddc1e09e43887ac04ecfaba3 -Author: Alexander Strange -Date: Sun Jun 15 01:58:15 2008 -0400 - - Fix ff_delayed_release_buffer crashing with slice-threading. - -commit 604ee5471f21d310f4014011a20c00c28a31995b -Merge: 3792712 7838828 -Author: Alexander Strange -Date: Wed Apr 21 22:04:21 2010 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 607edd221a3b7a300fbaa4a5495ffd30f8dc9fa8 -Author: stefano -Date: Mon Jul 26 14:30:47 2010 +0000 - - Define static functions fill_image_linesize() and - fill_image_data_ptr(). ff_fill_linesize() and ff_fill_pointer() now wrap - these functions. - - The new functions are more generic, and are going to be exported in a - future patch. - - Patch by S.N. 
Hemanth Meenakshisundaram smeenaks # ucsd commit 60be6c15c4d23c5107f14e408043988918a44c76 -Author: Alexander Strange -Date: Sat Jun 20 16:07:58 2009 -0400 - - Add a valgrind script so I don't have to type it all the time. - -commit 614d2308b343ec6af6bf72ada08884684bb66df0 -Author: Alexander Strange -Date: Wed Sep 3 22:55:22 2008 -0400 - - Update header guard - -commit 62830f5772dd8971032aa9f8d52a8f6c00c92487 -Author: Alexander Strange -Date: Thu Jul 17 19:04:19 2008 -0400 - - Remove next_delayed_pic, it doesn't prevent any race conditions. - - This part is now entirely out of sync with mainline. - -commit 62ba7a4acc98b691ab3152356cf0c21a52f7e03b -Author: Alexander Strange -Date: Sun Jun 15 19:22:41 2008 -0400 - - Fix the main thread hanging if there's an error before all of the frame is decoded. - -commit 63d086d2585d3275a6b9068ee1ca957617ecf902 -Merge: 314c2b1 712afbf -Author: Alexander Strange -Date: Wed Feb 18 21:29:44 2009 -0500 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 63f663f09320851b9ed76f489fdab590da2fc7f0 -Merge: 64df3aa d61efce -Author: Luca Barbato -Date: Sat May 10 07:51:22 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 63ff6aa525faf65f86dfbc8ec571fd260844100f -Author: Alexander Strange -Date: Sat Oct 23 18:07:14 2010 -0400 - - Don't set avctx->thread_count to 0 in avcodec_thread_init. - - h264 crashes during decode init with 0 (instead of 1) threads. - Note that this isn't a regression from -mt, but is actually a bug present in mainline. - - -threads 0 should preferrably set auto threads, but doesn't. 
- -commit 641f2752c16aaa25c5854d34726b72f226003b87 -Author: Luca Barbato -Date: Sat May 3 12:20:42 2008 +0200 - - Ignore stuff - -commit 6446d2b0931c6a9637077b18b98af911d438057f -Author: Alexander Strange -Date: Thu May 7 01:38:16 2009 -0400 - - Update mplayer.diff line numbers to match mplayer r29269 (20090505) - -commit 647f6cf3144934e3c2c22b06601d23a1217a2b86 -Author: Alexander Strange -Date: Sat May 23 20:09:07 2009 -0400 - - H264: Print an error instead of failing silently for size changes with slice threads. - -commit 64df3aa6a32a87d96f650b8535c88e1d65b52524 -Merge: 53c86e8 72c8992 -Author: Luca Barbato -Date: Sun May 4 22:24:35 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 65b3e34fc8a52f4f1a48fce7c8cddd80db8fade9 -Author: Alexander Strange -Date: Mon Nov 1 12:20:24 2010 -0400 - - Update the test script to show results more clearly - -commit 65e8486a1dd1efbf2750d0bc25c326f8dc836bcd -Author: Alexander Strange -Date: Sun Mar 29 03:10:53 2009 -0400 - - Fix nonsense 2am code - left the huffman tables uninited. - - It would be faster to copy the VLCs but it would require more code. - And this could be factored into another function. - -commit 661ca4010c548e135ce1c0c819d0c05a94b66985 -Author: Alexander Strange -Date: Fri Jul 10 14:32:04 2009 -0400 - - Cosmetics: get rid of pointless parameter. - -commit 66204771dd8e479d30ef71ad85c162e1a34e4104 -Merge: 3f75218 76dd0e7 -Author: Alexander Strange -Date: Sat Oct 23 17:41:42 2010 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/options.c - -commit 66a34dee4443dd6ccabb53ca09a1c45bc95f4d24 -Author: Alexander Strange -Date: Tue Aug 12 00:39:28 2008 -0400 - - Don't run the last part of decode_update_context() when the last frame was dropped. - - This fixes mplayer -framedrop crashing. Of course, they're still run in some cases when it wouldn't be without threads, but those are all error conditions. 
- -commit 66cf3f781d73fed502d80cce01dbd16b25bc3a71 -Author: Alexander Strange -Date: Sat Aug 2 19:27:12 2008 -0400 - - Correct 6b037a88 for PAFF/MBAFF. - -commit 66d9c0c9f6b2a4309dd4a41f88dd9a1dccb323e3 -Author: Alexander Strange -Date: Sat Aug 23 19:56:21 2008 -0400 - - Wait for predecode to finish just before calling update_context, instead of as soon as possible. - -commit 66ef4712c357514602f6b47311874e9ebf7376e3 -Author: Alexander Strange -Date: Wed Jun 4 15:57:36 2008 -0400 - - Handle zero-byte input correctly. (for CODEC_CAP_DELAY) - -commit 68682144289b05c830fd64a651526c4708666874 -Author: Alexander Strange -Date: Tue Aug 19 04:08:42 2008 -0400 - - Fix accidentally calling execute_ref_pic_marking() while draining delayed_pics at the end. - -commit 686ea24614fded4d7501f71901aae61f5160f018 -Author: Alexander Strange -Date: Sun Jan 16 22:15:28 2011 -0500 - - Update APIchanges to match mainline_patches branch - -commit 68ef172444124e9e6dd2a69df00ae72a64e795cb -Author: Alexander Strange -Date: Tue May 11 05:34:20 2010 -0400 - - Pass the complete AVPacket through pthread.c decoding - - Part of a patch from VLC. - -commit 6913bf9451bdaef16cd7748c93358baeec57d33b -Author: Michael Niedermayer -Date: Wed Apr 6 00:14:56 2011 +0200 - - Fix REBASE_PICTURE with h.264 - - It was possible for last_picture_ptr to point into h.ref_list - instead of h.s.picture, which caused a bad pointer to be set. - Fixes some valgrind warnings, presumably improves behavior but - no changes were found. - -commit 6998f46dec036f2ab39d6389747a95a7f5808f19 -Author: Alexander Strange -Date: Sat Feb 20 22:32:39 2010 -0500 - - Cosmetics: Rename init_copy and update_context to have 'thread' in the name - -commit 69f085cebf61a64352e623d3c4a5d6032329473d -Author: Alexander Strange -Date: Wed Jun 10 11:33:47 2009 -0700 - - Don't change avctx->thread_count if frame_thread_init() fails. 
- -commit 69f6e77a9a9ddfc386d43f5a350df5c960c0203d -Author: Alexander Strange -Date: Sun Aug 24 04:11:52 2008 -0400 - - Remove useless check - -commit 6a26fe72383c0ab088c8d92733221bf2911231ce -Author: Alexander Strange -Date: Fri Oct 17 14:45:47 2008 -0400 - - Fix nonsense logic in copy_parameter_set() - -commit 6a3821cf92ef5aaba020a0b7c8d06df5926bd362 -Author: Alexander Strange -Date: Tue Jun 3 04:13:55 2008 -0400 - - Merge statements in mimic. - -commit 6abde3d9e6ccfb062c6f547334171665386b0d85 -Merge: d8014c6 4448f8c -Author: Alexander Strange -Date: Fri May 7 04:42:38 2010 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/options.c - -commit 6ae441be729df8064f1b1244acc82fead9cb1918 -Author: Alexander Strange -Date: Tue Aug 19 01:27:54 2008 -0400 - - Reduce code duplication in MPV_lowest_referenced_row - -commit 6b037a889a34f8f2dd8ad188cda6f4d09d9f4710 -Author: Alexander Strange -Date: Sun Jul 27 00:58:54 2008 -0400 - - Avoid a deadlock in damaged streams where the current picture ends up in h->ref_list. - -commit 6b5aa5cb4d105c4ed118d5ea07f64bbe1e94d135 -Author: Alexander Strange -Date: Sat May 23 23:10:33 2009 -0400 - - Remove inaccurate comment. - - ff_report_frame_setup_done() is called properly for the first field. - -commit 6c575595d9d0e2974e326ad86db61bb61163753a -Author: Alexander Strange -Date: Tue Aug 19 21:01:51 2008 -0400 - - Add flag for thread algorithm - -commit 6d4679e9d5fedff6aa1eed964aa1449716f02682 -Author: Alexander Strange -Date: Wed Jan 20 02:17:36 2010 -0500 - - Add a FIXME comment to a commented-out part of h264.c. - -commit 6e508a7ab927ce7280688d822d3529dfbf17ec88 -Author: Alexander Strange -Date: Thu Sep 4 17:40:59 2008 -0400 - - Fix field progress allocation. 
- -commit 6fad2f2300fb9e6288d4c9cdf3028d07d3dd63a9 -Author: Alexander Strange -Date: Mon Jan 17 15:41:20 2011 -0500 - - pthread: Fix missing mutex unlock in error condition - - Also remove stray ; - -commit 700a6622f378b5169d8d54ea5bdb4d8b67262a22 -Author: Alexander Strange -Date: Tue Jun 24 23:29:40 2008 -0400 - - Merge another ++. - -commit 701ddc74e17de9f76eabf00a9e8d16adac7c2954 -Author: michaelni -Date: Tue Nov 5 00:38:06 2002 +0000 - - BeOS Audio ouput patch by (Fran -commit 7041a164baed1c643f0cfa1207fbb2fd06d81f38 -Merge: 84cde2e 483385a -Author: Luca Barbato -Date: Sun Jun 29 16:34:45 2008 +0900 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 70595dcbdbc01bb1f8f331c0998ee11f04577091 -Author: Alexander Strange -Date: Sun Jan 24 17:33:22 2010 -0500 - - unnecessary freep - -commit 706e94d6531daa0b179613dbef51af8ec5bbe1dd -Merge: 7e928f6 e42b282 -Author: Alexander Strange -Date: Sat Jul 17 18:47:45 2010 -0700 - - Merge mainline and swscale. - - One valgrind test currently fails. - - Conflicts: - libavcodec/avcodec.h - libavcodec/beosthread.c - libavcodec/h264.c - libavcodec/options.c - libavcodec/os2thread.c - libavcodec/utils.c - tests/ref/vsynth1/rgb - tests/ref/vsynth1/yuv - tests/ref/vsynth2/rgb - tests/ref/vsynth2/yuv - -commit 70bf5912700d0519f3d607784654c394633effac -Author: Alexander Strange -Date: Wed Jun 18 21:58:17 2008 -0400 - - Add an mpegvideo wrapper around ff_report_decode_progress. - -commit 70fb3fdcf2c5f01a555d87f8113efb50286493f7 -Merge: 1d15df4 0b034be -Author: Luca Barbato -Date: Mon Jun 9 18:03:54 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 71419720215a7ca7d1b1780564f21cb51d9df0a2 -Author: Alexander Strange -Date: Wed Aug 6 15:45:52 2008 -0400 - - Copy all the MPEG-2 interlacing flags, as well as *_picture, in ff_mpeg_update_context(). 
- -commit 73608e1fa14434599aab86d2198a05ec4ca21c59 -Merge: a5285ae 6a7ac9c -Author: Alexander Strange -Date: Wed Sep 16 14:38:47 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - - The definition of CODEC_CAP_FRAME_THREADS changed, but - clients shouldn't have had to check it for anything. - -commit 73ad08d3b0867db89e5a81b9aec44b053e855ab3 -Author: Alexander Strange -Date: Thu Mar 24 03:31:14 2011 -0400 - - Draw edges in MPV_frame_end when encoding - - These pictures don't get draw_horiz_band called on them. - I thought I had tried this, but after thinking about it realized I'd made - a typo the first time. - - Fixes make test. - -commit 74f382ae597d9cf69c885bc03c716d18fdbd413c -Author: Alexander Strange -Date: Mon Mar 16 23:12:44 2009 -0400 - - Disable frame threading for MPEG-4 - - It seems to have problems with packed B-frames in mplayer. - I don't know if any other players work (at least ffplay does). - -commit 753aecc29f8f4727326f0f371fa99fefbc369d0c -Author: Alexander Strange -Date: Tue Jul 15 02:58:51 2008 -0400 - - Lift H.264 display-order code before decode_slices. - This is needed for multithreading and should get us closer to CODEC_CAP_DRAW_HORIZ_BAND. - -commit 759176e401ebe8911e071f860f59b05d482315d0 -Author: Alexander Strange -Date: Thu Mar 10 02:36:33 2011 -0500 - - Reorder picture_count in mpegvideo to fix ARM asm - -commit 75d4208c3a6ea4b9973b05ce930258ca8c3db224 -Author: Alexander Strange -Date: Wed Jun 25 01:06:31 2008 -0400 - - Disable mbskip copy avoidance harder with threads on - Fixes seeking in mpeg4. - -commit 76211d5890819ae687cc73520bcda17115a65697 -Author: Alexander Strange -Date: Sat Aug 23 23:14:10 2008 -0400 - - Update threading comments in avcodec.h - -commit 776e2fc2d7df09d184caf414cb1d93829fe1c38d -Author: Alexander Strange -Date: Tue Mar 9 01:11:58 2010 -0500 - - Fix missed things in previous VP3 commits - - Optimization improvements only, because the pessimizations hid the bugs. 
- -commit 77f7818ac7b881a5aa024e31147255ed3a413141 -Author: Alexander Strange -Date: Sun Jan 24 19:00:24 2010 -0500 - - Fixed memory leak in todo - -commit 78c5ca40fac2dc13dac72cada9cc4b80551ee94c -Author: Alexander Strange -Date: Sun Jan 16 02:31:44 2011 -0500 - - Update todo.txt - -commit 78feacc6fae50a72dff68e75d0f718bc136dbe7b -Author: Alexander Strange -Date: Sat Jun 21 23:05:45 2008 -0400 - - Copy the other parts of MpegEncContext needed for h263 - I'm not sure if mbskip can be made compatible with frame threads yet, so it's all zeroed for now. - -commit 795b6f2d87b241e98472c8d9771d4327712c6db9 -Merge: 20d6c33 4f24e1c -Author: Alexander Strange -Date: Tue Jan 13 01:52:27 2009 -0500 - - Merge mainline. - - The conflict fix in h264.c has a strange-looking diff - but probably isn't a problem. - Reverted regression tests to mainline's. - - Conflicts: - - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/mpegvideo.c - libavcodec/utils.c - tests/seek.regression.ref - -commit 79f3159ebbc55b4f2f885943badc5a847ecd612f -Author: Alexander Strange -Date: Tue Aug 26 03:09:09 2008 -0400 - - Split longer lines - -commit 7a08d7653f38851bd950264fa78174616395fd9a -Author: Alexander Strange -Date: Sat Jun 21 22:09:12 2008 -0400 - - Park all the threads in ff_frame_thread_free before ending them. - -commit 7aabc98254731f46d39fb0770b1445fe332797de -Author: Alexander Strange -Date: Wed Jan 20 02:38:42 2010 -0500 - - The mplayer patch doesn't need to change vd_ffmpeg anymore. - -commit 7b14ed499f5dab39586f3b75ee03e29425b9383e -Author: Alexander Strange -Date: Fri Aug 22 16:25:59 2008 -0400 - - Remove an unused variable. - -commit 7b46b8dc0c04a77108f0150a6fdf58a9b65d4aed -Author: Alexander Strange -Date: Fri Jul 11 18:02:57 2008 -0400 - - Use USE_AVCODEC_EXECUTE instead of checking thread_count in h264. - -commit 7c7f43547b0ad8907d097b99a66f0fc3f171c9f3 -Author: Alexander Strange -Date: Thu Jul 31 18:22:55 2008 -0400 - - Rename H264Context got_avcC to got_extradata. 
- -commit 7d0709ea04d6f2023052506c969d6db9b79f2963 -Author: Alexander Strange -Date: Tue May 26 00:39:26 2009 -0400 - - Reindent - -commit 7d09b684e9948bbe0e663e40ff0ce616018c0091 -Author: Alexander Strange -Date: Thu Aug 14 20:30:42 2008 -0400 - - Revert some h264 multithreading changes to make merging easier. - -commit 7e85791de30c9005ac722afd59c713c7faef5d7e -Author: Alexander Strange -Date: Tue Aug 19 15:41:14 2008 -0400 - - Retypeset/fix comments - -commit 7e8d959053b29d975c600eb89eb453496a860961 -Author: stefano -Date: Sat May 15 17:34:45 2010 +0000 - - Avoid mixed declaration and code, fix C89 compatibility. - - Patch by Fran -commit 7e928f69148f6c90d35715f4380accb6fc4e88c4 -Author: Alexander Strange -Date: Thu Jun 24 02:41:43 2010 -0700 - - todo: Add secondary bug not fixed in last commit - -commit 7eac0bccc22daa54db7c40b530cf692af3f41274 -Author: Alexander Strange -Date: Thu Jun 18 16:55:03 2009 -0400 - - Update todo. - -commit 7ec92357ae09969eb5254ab6954b712d95b4630f -Author: benoit -Date: Tue May 22 07:58:22 2007 +0000 - - cosmetic v1/v2 renaming - patch by Andreas -�commit 7f86539559480910beab0ef568571dbe524ecda1 -Author: Alexander Strange -Date: Mon Jan 25 02:46:29 2010 -0500 - - Rename avail_motion() and associated functions to something better. - - What did "avail" mean, anyway? - -commit 7fc3b0d1f996b8a832017095244a3187b8d80f38 -Author: Alexander Strange -Date: Sat Apr 4 00:23:21 2009 -0400 - - Remove client calls to avcodec_thread_init. - - This function has no effect under ffmpeg-mt, since avcodec_open() - calls it anyway. 
- -commit 802206985550e6f685e42595f529133186388acc -Author: Alexander Strange -Date: Mon Nov 15 05:19:58 2010 -0500 - - Update todo.txt - -commit 8047714299aa3fb377b011cd68858b76a666c7cc -Author: Alexander Strange -Date: Mon Aug 25 19:39:24 2008 -0400 - - Whitespace nits - -commit 80a20f0fda854e6c8de05b971164d25425105c82 -Author: Alexander Strange -Date: Sat Aug 23 21:52:47 2008 -0400 - - Don't call ff_report_decode_progress for h264 B-frames. - -commit 80a7538f955a9cd931d840e1cb4e4c81e9d85165 -Author: Alexander Strange -Date: Mon Nov 15 04:14:51 2010 -0500 - - Write APIchanges. - - avcodec_thread_init() will not be deprecated in this repository to - avoid generating warnings for users who shouldn't remove it just yet. - -commit 80ab88e74f9864442afca19ecc6ee0428623ff22 -Author: Alexander Strange -Date: Sun Jun 15 17:46:30 2008 -0400 - - Cosmetics: rename context variable. - -commit 8218d5319067aa1ac06c601e5dc530ebdab7c01f -Author: Alexander Strange -Date: Mon Aug 18 18:43:02 2008 -0400 - - Properly handle error returns from codec functions. - -commit 821c4d0996689ab27d5ab1b6bca0695503b02670 -Author: Alexander Strange -Date: Sat Jun 21 22:54:52 2008 -0400 - - Add 16x8 and 8x8 MVs to MPV_lowest_referenced_row() - -commit 822ed86c0ac4de7c38d443e23fcabf1b627118ea -Merge: e340cac 17c125c -Author: Alexander Strange -Date: Tue Nov 18 13:58:23 2008 -0500 - - Merge mainline. - - Conflicts: - - libavcodec/h264.c - libavcodec/mpegvideo_enc.c - -commit 82324906156d303d5f3b3e10a1855bf05614ebfc -Author: Alexander Strange -Date: Sun Jul 18 02:24:09 2010 -0700 - - Revisit d812c6f8b1d897734d6f7b5f1a5c95d3aa10a3ea - - The sps/pps_buffers logic wasn't correct, considering that SPS/PPS - can be found far before the first working frame. - - Unfortunately this adds more code than it removes. - - Fixes a crash and a memory leak in premiere_paff.ts. 
- -commit 824ee1ac826b89b84cc93fb77f38ec6530909f2b -Merge: 686ea24 11dcccd -Author: Alexander Strange -Date: Mon Jan 17 03:39:49 2011 -0500 - - Merge remote branch 'mainline/master' - -commit 83b344d87b97ef6b72e84c145f2185f87ce22e9b -Author: Alexander Strange -Date: Sat Apr 4 00:27:47 2009 -0400 - - Forbid calling avcodec_thread_init after avcodec_open. - - Although ffplay used to do this, it never worked, since codecs - were free to check thread_count in their init functions. - -commit 83c7cc1ca1afe68b339b8554634a3a1effc76b45 -Author: Alexander Strange -Date: Tue Aug 19 21:24:03 2008 -0400 - - Add more to todo - -commit 83cbbb1a92d58a850d5b254b5f54e78a7bad8ca5 -Merge: ae7e6bb 7e61a90 -Author: Alexander Strange -Date: Sun May 30 09:59:29 2010 -0700 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/h264.c - -commit 8414fc85d03776bc622c9451e9b08f047af42676 -Author: Uoti Urpala -Date: Sun Jan 2 11:52:30 2011 +0200 - - pthread: fix failure to initialize frame fields after flush - - Commit b67d7055bf ("Clear returned pictures immediately after copying - them.") moved some code used to (re)initialize per-thread data before - starting to decode a new frame. The commit changed this to be done - after the results of decoding the previous frame had been returned to - the caller. This was buggy: when decoding state is flushed some - decoded frames may never be returned to caller, and thus there would - be no reinitialization before reusing the same thread for another - frame after the flush. In particular, *got_picture_ptr could be - incorrectly set when calling avcodec_decode_video2() after seeking. - - Move the initialization code back to the previous location before - starting to decode a frame, but leave a line setting - PerThreadContext->got_picture to 0 also after returning a frame and - add a comment explaining why it is there. 
- -commit 846ae640182b4775db5b32cb027d964bf85d54a5 -Author: Alexander Strange -Date: Fri Jan 21 03:16:03 2011 -0500 - - Longer comments in thread.h - -commit 84a94407509525ffca2e1691a73d186d0d10b1fd -Author: Alexander Strange -Date: Tue Aug 19 01:14:36 2008 -0400 - - Remove whitespace change from mainline - -commit 84cde2e4c7d97f3a9b5f9d4a4c722ccf38c82742 -Merge: f139f42 e73c602 -Author: Luca Barbato -Date: Tue Jun 24 13:31:01 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 854cff1a75a0c4433d6a25517326b2660a56693d -Author: Alexander Strange -Date: Wed May 28 01:05:33 2008 -0400 - - Enable multithreaded MDEC. - -commit 85730bc96115f75524f2780059a26ee6dbd8695e -Author: Alexander Strange -Date: Sat Aug 16 01:30:59 2008 -0400 - - H264: Skip filling in the parts of frame num gaps that are bigger than the number of reference frames. - - My sample with a 256 frame or so gap doesn't work with ff_delayed_release_buffer otherwise. - No change on MR3_TANDBERG_B.264. - -commit 8666b987a1df652d830db8bae9c2d56287a8fc88 -Author: Alexander Strange -Date: Sat Aug 16 14:18:13 2008 -0400 - - Clarify comment for AVCodecContext frame_number - - Number of frames returned vs. decoded isn't the same anymore - -commit 8682f8c0c7396bfe1bf9b4be3293beb4c6a10927 -Author: Alexander Strange -Date: Fri Aug 22 03:25:03 2008 -0400 - - Rename and update comments for AVCodecContext variables. - -commit 86c6c4cff0bf8a734592f31591ec6fafb456387b -Author: Alexander Strange -Date: Tue Mar 9 01:46:32 2010 -0500 - - Cosmetics: fix overindent - -commit 878ad7601ad8eddec124877eb9b30b3df4a8c8b8 -Author: Alexander Strange -Date: Tue Feb 1 21:45:18 2011 -0500 - - Add missing test script. - - Haven't used this one in a while. - -commit 87a9ad1b28ec7a4c9b08b949486010098c06a752 -Author: Alexander Strange -Date: Mon Jul 14 23:17:13 2008 -0400 - - Don't copy padding_bug_score. - This changes during h263 decode so it introduces a race condition. 
- Having a score for only every 1/n-threads frames is hopefully not too much less inaccurate. - -commit 880990f352fd8d557538535fc0496aec47d1c407 -Author: Alexander Strange -Date: Tue Aug 19 00:42:56 2008 -0400 - - Cosmetics: rename input and output context members - -commit 8884655418183d2ccde654febc9a88e8398c978a -Merge: 8232490 f991c07 -Author: Alexander Strange -Date: Sun Aug 1 04:46:21 2010 -0700 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/vp8.c - -commit 8919a66d8ff492adc9455fd73f1da05d154281ff -Author: Alexander Strange -Date: Sat Jan 15 19:27:39 2011 -0500 - - Re-enable multithreaded mpeg4. - - Seems to work in mplayer, and is needed so I can investigate fixing the buffer - age+skip optimization. - -commit 8969edf8b07437e9110db82b7c75e57c00c3e842 -Author: Alexander Strange -Date: Fri Aug 22 02:53:04 2008 -0400 - - Split a long line further. - -commit 899a30063b23ff008bbea3560c28fa194cfb1d77 -Author: Alexander Strange -Date: Mon Aug 11 18:04:42 2008 -0400 - - Simple patch to keep the non-pthreads OSes working. - - They ignore thread_algorithm being set by the user for some minor simplicity gain, since I'd still like to see these files gone from mainline. - -commit 8a2e487269389d778ddf517baaff590b0a7b3f46 -Author: Alexander Strange -Date: Sun Jan 24 16:55:35 2010 -0500 - - Don't allocate thread_opaque progress with frame threading off. - - It's not needed for anything and the extra check in ff_await/report_* - isn't slow. - -commit 8aa204a70a7f068f46f00e0983b4617f8030544a -Author: Alexander Strange -Date: Thu May 29 00:19:26 2008 -0400 - - Fix comments for new avcodec fields. - -commit 8ae6601b670156b36b227e2a3c0d9cdc72294bd5 -Merge: c91d7a2 cef0309 -Author: Alexander Strange -Date: Sun May 23 01:43:27 2010 -0400 - - Merge mainline. 
- - Conflicts: - libavcodec/avcodec.h - -commit 8ae9683ebce1e42c5bd1a24a2bcdcbf2cbfe6ccb -Author: Alexander Strange -Date: Sun Jan 16 02:29:08 2011 -0500 - - Update mplayer.diff to work around incompatibility with draw_horiz_band() - -commit 8af63f450185c3b15cc2ca32d2bc1a19f5d2a28e -Author: Alexander Strange -Date: Sat Feb 20 20:02:34 2010 -0500 - - Cosmetics: rename thread.h functions for consistency - -commit 8b7a5375ad0956f546c2b614594b79c3ec54de3d -Merge: 3ad85b1 875fcc3 -Author: Alexander Strange -Date: Wed Oct 28 13:11:58 2009 -0400 - - Merge mainline. - -commit 8ba50a98f87edb2b87df042f09573ea8be4a8696 -Author: Alexander Strange -Date: Sun Mar 28 03:54:31 2010 -0400 - - h264: Fix ff_h264_execute_ref_pic_marking() not being called with PAFF+threads - - With some PAFF files, field_end() can call ff_h264_execute_ref_pic_marking() - during slice header decoding. This was disabled with threads on, which was wrong. - - This patch fixes it at the cost of making control flow more confusing. - - Partial fix for Chalet-Tire.mp4 from ffdshow. - -commit 8c946d1672281fc997dfb2679e7cbed48dd09216 -Author: Alexander Strange -Date: Mon Jul 14 23:07:07 2008 -0400 - - Set decoding progress as high as possible when multithreading is off. - This avoids possible crashes from trying to lock progress_mutex when it hasn't been created. - -commit 8d466e182aa89ca8cfbe57ce60f2a1e2a7ecebc7 -Author: Alexander Strange -Date: Mon Oct 13 14:37:22 2008 -0400 - - Fix incorrect frame num gap handling. - - Fixes ORF1HD.Demo-Loop.720p.DD5.1.mkv from x264 samples. - -commit 8d8229014f489e1b2417676d9753f784d995e6c0 -Author: Alexander Strange -Date: Mon Dec 1 17:21:38 2008 -0500 - - Don't crash if flush_buffers is called after init and before the first decode. 
- - Fixes mplayer -ss - -commit 8f759fa0e956f8cc33ccd423cefae23e25c16caf -Merge: 9be00ab 1e8ecf7 -Author: Luca Barbato -Date: Tue May 20 11:46:04 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 9017898687ebedca27e47fdd13e6e5e208a5fbb6 -Author: Alexander Strange -Date: Thu Aug 28 00:52:29 2008 -0400 - - Pad the frame data properly - -commit 9059683b29cd601361e477289a194e679aa72f8c -Author: Alexander Strange -Date: Thu Jun 12 16:22:27 2008 -0400 - - Limit ff_find_unused_picture to only part of s->picture. - - Otherwise, a thread may call delayed_release_buffer and then later allocate a picture in the same place, reusing the other Picture variables while they're still in use. - -commit 9077d0ba4ed18e1f106723d155e81461c8951764 -Author: Alexander Strange -Date: Wed Feb 17 00:55:36 2010 -0500 - - Comment recent change to update_context API. - - Notes: - - It might be possible to revert this by making the vp3 decoder - behave like mpegvideo. Not faster but the code will be simpler. - - I don't like any of the old comments, they're too wordy. - -commit 9153938f1c1f0933ec59cee14cc26b8f99bd9090 -Merge: 661ca40 e48fb07 -Author: Alexander Strange -Date: Thu Jul 23 21:14:58 2009 -0400 - - Merge mainline. - -commit 91a7b18346baf82e0ccf6dfb53ada22299396f17 -Author: Alexander Strange -Date: Sat Aug 16 16:42:33 2008 -0400 - - Call codec init and free on the first thread context instead of the main context. - - This is needed so we can stop using the main context for decoding threads. - -commit 91a7c2254bb3e82862c4cd916bd9f2ac1dd4c170 -Author: lucabe -Date: Thu Sep 23 09:16:05 2010 +0000 - - Allow to set the frame rate in v4l2 devices - Patch by Jos -� Miguel Gon -commit 91cd95a84759702b85de68047d21a6ef9d32eaca -Merge: 77f7818 f9f7b02 -Author: Alexander Strange -Date: Sun Jan 24 21:39:20 2010 -0500 - - Merge mainline and libswscale. - - Upstream now always calls avcodec_thread_init(). 
- It's better to do that differently here, so the - current code in ffmpeg.c has been kept. - -commit 92672ea0eee93244cc78e5023f6469c5b21754b5 -Author: Alexander Strange -Date: Mon Aug 18 19:10:01 2008 -0400 - - Simplify: better use of variable names instead of weird struct accesses - -commit 93ac615ccf788df20279aa613f3fdc78d4bfcf18 -Author: Alexander Strange -Date: Mon Jul 14 23:56:22 2008 -0400 - - Simplify assert. - -commit 9457fb1458998f893b7e1f06f1144f8203cd0025 -Author: Alexander Strange -Date: Mon May 25 22:38:36 2009 -0400 - - Don't try to check list1 when it's not filled. - - 9.1s -> 9.0s on 5cm.mp4 - -commit 94985fa9745e2affd0cf3145fa35cb8ae87e7848 -Author: Alexander Strange -Date: Sun May 31 00:08:41 2009 -0400 - - Ensure the minor version is higher than mainline. - - Missed this in previous merges, but I think it's important - to avoid confusing anyone reading ffmpeg tool output. - -commit 9576774bbee0215c0ab7bbb868ff35dff00ab900 -Author: Alexander Strange -Date: Sun Aug 24 03:02:44 2008 -0400 - - Merge ff_*_release_buffer into one function for simplicity and correctness (the non-delayed version was not really ever safe). - -commit 967e65496780c089956f2dc199b541dae3a3d9cb -Author: Alexander Strange -Date: Thu Dec 18 14:37:04 2008 -0500 - - Some todo entries I forgot to add - -commit 96d6751af35556785037bdddb500eeb7b47795e6 -Author: Alexander Strange -Date: Mon Jul 14 23:08:45 2008 -0400 - - Call ff_thread_init() before the codec init. - This makes USE_AVCODEC_EXECUTE() properly available during init. - -commit 9816b66fb55fe03fd6f2a4db9390bdaa59eac697 -Merge: 1292a18 918f7b5 -Author: Alexander Strange -Date: Thu Jan 22 03:39:04 2009 -0500 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - - Changed the value of CODEC_CAP_FRAME_THREADS and - adjusted use of config variables to match mainline. 
- - Conflicts: - - libavcodec/h263.c - libavcodec/h264.c - libavcodec/mpeg12.c - libavcodec/mpegvideo.c - libavcodec/pthread.c - libavutil/common.h - -commit 99ed04d4d7b7183a4d0a1b8833eee3b506e13ff0 -Author: Alexander Strange -Date: Fri Jan 21 01:34:57 2011 -0500 - - Remove change to compute_pkt_fields which is no longer needed - - May have been fixed by introduction of pkt_dts, but I'm not sure. - Either way, tests pass. - -commit 9a88884c03cd40d1fcbd247f1b004848fb629a11 -Author: Alexander Strange -Date: Wed Aug 6 20:55:20 2008 -0400 - - Simplify thread init and make more of its functions static. - -commit 9b27ce1e721a021128380e47e83a06f25c52e998 -Author: Alexander Strange -Date: Fri May 15 15:53:28 2009 -0400 - - Fix race condition decoding H264 direct prediction - - There may be some code merging possible here. - -commit 9bac2ee137d9b8152e3beb98681b07f665cd58ee -Author: Alexander Strange -Date: Thu Jun 5 20:36:38 2008 -0400 - - Cosmetics: rename ff_mt_*_buffer. - -commit 9be00ab6113d71a020eea4fd4483b8483efbb29d -Merge: 63f663f 1531623 -Author: Luca Barbato -Date: Sun May 11 08:53:10 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit 9c241058a255e1da6adec7db81e22d4ff8b2b6b2 -Author: Alexander Strange -Date: Tue Aug 19 04:09:25 2008 -0400 - - Copy the entire reference list arrays in case they're used. - - And that's it for SoC period commits. - -commit 9cd1083269334de974acdf13dd94451c178a0eca -Author: Alexander Strange -Date: Tue Mar 29 04:47:23 2011 -0400 - - Fix mdec - - init_copy rotted due to data structure changes. - -commit 9e0e492fe88ec0c7ec400e9afdbef8356280fc16 -Author: Alexander Strange -Date: Tue Aug 5 00:21:25 2008 -0400 - - Update the guard clause on avcodec_thread_execute(). - - It already works fine, since all codecs check USE_AVCODEC_EXECUTE themselves before calling it, but the function is for some reason part of the public API. 
- -commit 9e615b8534c98947cbbe6ada5047e95c36e14cde -Author: Alexander Strange -Date: Wed Sep 3 20:40:45 2008 -0400 - - Rename symbols to not mention decoding - -commit 9e981c8d263986e67de6170895125b1de7e62ddd -Author: Alexander Strange -Date: Wed Aug 11 02:05:50 2010 -0700 - - vp3: fix mt decode of 4:2:2 and 4:4:4 content - - The threading improvements are poor and looks strange: - real 0m14.337s - user 0m13.200s - sys 0m1.132s - - real 0m13.434s - user 0m19.409s - sys 0m7.091s - - real 0m11.610s - user 0m21.870s - sys 0m7.303s - - real 0m7.976s - user 0m20.681s - sys 0m3.277s - - There may be a bug related to await_reference_row() being called too many times, - as it's in a loop per-chroma superblock and there are 2x as many of those - in 4:2:2, but not 2x as many MVs. - - No idea why 4 threads have less sys overhead. - -commit 9ec47e33af6776b94875c91288db852a333a6f63 -Author: Alexander Strange -Date: Sat Jun 21 22:01:43 2008 -0400 - - Split the code for completing all current frames out of ff_frame_thread_flush. - -commit 9ec9f0868de2df3d3448dec887e7440ebb006b27 -Author: Alexander Strange -Date: Mon Aug 2 16:14:21 2010 -0700 - - Fix the last commit testing the wrong variable. - - Luckily the idea was still right. - -commit 9ede817a98a263093ca7965f8754a1770ef031de -Author: Alexander Strange -Date: Fri Jul 11 23:01:47 2008 -0400 - - Add a new -debug for tracing get_buffer calls. - -commit 9f15b87679392902206264383c16c7440d8c0f06 -Author: Alexander Strange -Date: Sun Jul 6 15:35:10 2008 -0400 - - Extra line snuck in while merging mainline. - -commit 9f6a425684e0fd0ac3f8bbd37ca4e2bc96e05d5b -Author: Alexander Strange -Date: Mon May 25 20:30:08 2009 -0400 - - Fix race condition with MBAFF frames. - - mb_linesize is 2*linesize for MB_MBAFF too, which wasn't counted - in mc_dir_part_y, so the part of the MV added to 16*mb_y was 1/2 - the right magnitude. Fix this by halving mb_y too (safe) and - doubling row values for MBAFF later. 
- -commit 9ff8764a15cce3fcf3f64270d7d4ec52a3ca7d1a -Merge: 94985fa 08bbd7d -Author: Alexander Strange -Date: Sun May 31 01:19:07 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit a1005396f05f5bc13c6aa6875337dbd0e6c4cd03 -Author: Alexander Strange -Date: Wed Aug 6 20:45:06 2008 -0400 - - Merge framethread.c into pthread.c. - - Git doesn't track this very well... - -commit a1a5c549efd3a376fd5c8c77d49acfab89f8fdba -Author: Alexander Strange -Date: Sat Jul 12 02:19:59 2008 -0400 - - Factor out size of delayed_pic. - -commit a210b422361b051ba73c115fe6bf65eaa745b19a -Merge: f9515a4 ec6213f -Author: Alexander Strange -Date: Thu Dec 24 22:08:34 2009 -0500 - - Merge mainline and update swscale. - - As a side effect, this fixes Theora/VP3 decode being broken. - - Conflicts: - ffmpeg.c - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/mpeg12.c - libavcodec/mpegvideo.c - libavcodec/vp3.c - -commit a2371d6c9b8837b472e22539642883979eac2ddf -Author: Alexander Strange -Date: Tue Nov 18 14:26:37 2008 -0500 - - Update todo. - -commit a2efd25ba04e0cb61823cbf765651f437b691b09 -Author: Alexander Strange -Date: Thu Jan 6 06:31:45 2011 -0500 - - Update todo.txt and move one issue out of bug fixes that isn't a major issue - -commit a2fb22fb6988742ee28ee61e2e21fa05125517a9 -Author: Alexander Strange -Date: Sat Aug 30 04:20:03 2008 -0400 - - Don't prefix static function names. - -commit a3a2674e27f8f2641d1603ee9e92e854289a0527 -Author: Alexander Strange -Date: Tue Feb 1 23:13:49 2011 -0500 - - Fix pkt_pts change to ffmpeg.c - - Caused tons of regressions in make fate. - This needs to be merged to mainline_patches. - -commit a4599a7f4e4a865a0b402297b4f5a11e9ca34a27 -Author: benoit -Date: Thu Jan 10 10:16:36 2008 +0000 - - Make pp_help a constant array of characters to move it to .rodata. 
- Patch by Diego 'Flameeyes' Petten -� flameeyes commit a5285ae4d452abed92f43e2a7a24dd821343a39c -Merge: a7b8cb3 6a3f0e9 -Author: Alexander Strange -Date: Sun Aug 23 22:31:19 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit a564fda546ce3bfd04cf8a0e4ec4fb1b6d40e010 -Merge: 287e761 5b4608b -Author: Alexander Strange -Date: Mon Jan 4 03:56:32 2010 -0500 - - Merge mainline and libswscale. - - Auto-merge failed on h263.c for no apparent reason; the patch was - reimplemented by hand. Note that mt isn't enabled for h263 at the moment. - - Conflicts: - ffmpeg.c - ffplay.c - libavcodec/h263.c - -commit a5cdcc9d4efcc043c01019f632dc1e5ad318802a -Author: Alexander Strange -Date: Mon May 25 20:16:54 2009 -0400 - - Rewrite mc_dir_part_y(). - - The previous one used a completely wrong value for filter_height - and didn't properly account for MVs extending past the top of the screen. - I'm not sure if MVs can be more than -pic_height, if they can this - may still be wrong. - -commit a61ab604725f647c1bcb46aa8cfb303a5c78a2b0 -Author: Alexander Strange -Date: Thu Jun 25 16:39:14 2009 -0400 - - Theora: factor out updating last_frame. - -commit a74b85567073a424d5b7fc4bd8cc1e125df170f5 -Author: Alexander Strange -Date: Mon Sep 1 02:34:59 2008 -0400 - - Comment adjustment - -commit a7b8cb3c942fed6c80111519ba5505f11d61f3af -Merge: 17dcbec 23e6da5 -Author: Alexander Strange -Date: Thu Aug 20 16:47:50 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit a903974adc7c8dd33dfb0acc4e2d6d10c09a23c8 -Author: Alexander Strange -Date: Wed Nov 11 12:45:09 2009 -0500 - - Add a next_outputed_poc to H264Context. - - Doesn't do anything yet, but makes the next merge easier. - -commit aa11b5e0df5dfcaba21552e4864807f7aa65f5c5 -Author: Alexander Strange -Date: Tue May 11 06:36:55 2010 -0400 - - pthread: Remove pointless line from frame_worker_thread() - - It was introduced in the first commit, where it probably did something. 
- -commit aaa05da15fa7710503544d4a94319cb10d49a8f2 -Author: Alexander Strange -Date: Tue Nov 2 02:59:16 2010 -0400 - - vp3: Remove redundant y*fragment_width+x calculations - -commit aacc74c0e2b047340a1a22f5c28aa03a4294aa03 -Author: Alexander Strange -Date: Mon Jul 14 03:40:15 2008 -0400 - - Reindent. - -commit ab4c84dd28c0375a6ed4f77f37ada3b94b2136a0 -Author: Alexander Strange -Date: Mon Dec 1 17:20:10 2008 -0500 - - Don't hide the warning about direct rendering in mplayer. - -commit abb53ce0e02d31fb282f55cecb58f9b0c4f5c136 -Author: Alexander Strange -Date: Sun Feb 6 19:18:31 2011 -0500 - - pthread: Remove useless line - -commit ac2e1b12b5e608b80581d731c4f3a0d6c033e9e0 -Author: benoit -Date: Tue May 29 14:35:29 2007 +0000 - - allocate PPS and SPS dynamically - patch by Andreas -�commit ac4539fba6d825d683d4a7d27f0045d068fe4595 -Author: benoit -Date: Mon Jan 7 12:48:42 2008 +0000 - - Mark the ff_svq1_frame_size_table as constant. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit ac4c37360b21a14e9b26502a299f831b8448a10b -Author: Alexander Strange -Date: Mon Nov 15 02:43:15 2010 -0500 - - Cosmetics: remove the COPY() macro - -commit ac7f2102c4249a89144c36944e13bf6be56e9190 -Author: kabi -Date: Mon Apr 8 12:32:01 2002 +0000 - - * support for .au .gif .mov .mp4 by Fran -commit adfaa1f86196156e30c54799303269f4a4f84a2d -Author: Alexander Strange -Date: Sat Jul 26 16:14:00 2008 -0400 - - Cosmetics: split a long line. - -commit ae2790af78a332a6aa836607a14546c5cc1865e5 -Author: Alexander Strange -Date: Sun Oct 12 18:55:48 2008 -0400 - - Add multithreading for PAFF/MBAFF. - -commit ae4251429ee5e333fc705c61959417c1d9364b9e -Author: Alexander Strange -Date: Tue Nov 18 14:15:24 2008 -0500 - - Switch to mphq git module - -commit ae7e6bb9708a0f0dac89295c788266e0f15899d2 -Author: Alexander Strange -Date: Tue May 25 03:14:27 2010 -0400 - - H.264: Fix rare race condition. - - h->mb was not cleared when initializing a new decoder thread. 
- This could cause wrong pixel values in the first macroblock of - the first frame to be decoded by each thread. - - I suspect this is nearly the last visible bug affecting x264 content. - - Fixes [SS]_Angel_Beats!_-_06_(1280x720_H.264)_[A01DDBD8].mkv. - -commit af52a126f36cd6339f9f4a1152103ef88b4b8fee -Author: Alexander Strange -Date: Sat Jun 27 18:09:49 2009 -0400 - - Call handle_delayed_releases() before update_context(). - - This allows releasing frames in update_context(), which would - previously cause a race condition/deadlock. - -commit af79370b65b396e05c319d29356e456a8f5e8233 -Author: benoit -Date: Mon Jan 7 12:44:49 2008 +0000 - - Make the av_class member of PPContext a poiner to constant AVClass. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit afafe7361da5a9373d02dc60d597da8f2185edd3 -Author: michaelni -Date: Sat Nov 2 10:31:37 2002 +0000 - - added perm inheritance from ffmpeg_g (it looks like 'strip' in BeOS doesn't keep them, though the Linux one does !?) - patch by (Fran -commit afc391b7ab5eda271733bbe55ef46118aba75bff -Author: michaelni -Date: Sat Jul 20 20:05:50 2002 +0000 - - beos/mov/adpcm patch by Fran -commit afe0428ae38f68a467b43cc9358b7a1a2f85d36b -Author: Alexander Strange -Date: Sat Aug 16 18:09:11 2008 -0400 - - Fix memory leak in mpegvideo - -commit b05eb30ba838b981c769217e1d2215777484f25a -Author: Alexander Strange -Date: Fri Jan 21 02:34:46 2011 -0500 - - Make the src parameter of update_thread_context() const - -commit b07e45974b2772e3a747502f976dc08d0ffcff74 -Author: Alexander Strange -Date: Thu Jun 18 16:21:03 2009 -0400 - - Indent. - -commit b125b68fe6dc2d0064d45d0cffc3bcb47263f32c -Author: Alexander Strange -Date: Sun Jan 24 18:50:32 2010 -0500 - - Remove fixed entry from the todo. - -commit b18683e3adc997b19cf56f459ce5f8a7428c0909 -Author: diego -Date: Sun Oct 18 14:34:45 2009 +0000 - - Fix typo that mistakenly slipped into previous commit: - CONFIG_MPEG_XVMC_DECODER was changed to CONFIG_MPEGVIDEO_XVMC_DECODER. 
- patch by Onur K -� -commit b1c8c18fe11d3155b1df6a19117d14fa633bcd15 -Author: michaelni -Date: Sat Nov 2 10:39:22 2002 +0000 - - added MACE (Macintosh Audio Compression/Expansion) 3:1 & 6:1 support - contribution by Laszlo Torok - 4CC 'MAC3' and 'MAC6' in Quicktime. - It works for mono streams, needs to be fixed for stereo when I get my hands on a stereo sample :) - patch by (Fran -commit b3cdfccd2b11e247e0c17e02d0c958888da5585b -Author: Alexander Strange -Date: Mon Nov 15 04:14:41 2010 -0500 - - avcodec.h: Update comments - -commit b3d5e9333051802b20446076605b404e418323c4 -Author: Alexander Strange -Date: Tue May 26 00:34:11 2009 -0400 - - Skip unnecessary lock-wait-unlocks for condition variables. - -commit b3e3f071ca5ad99444bac95e4128c01a8ae7bae3 -Author: Alexander Strange -Date: Thu Jun 11 11:32:00 2009 -0700 - - Split out if (current_slice == 1) - -commit b4221d5453d6dc893e87b77eecc845da121ddb56 -Author: Alexander Strange -Date: Mon Aug 18 17:06:32 2008 -0400 - - Reorder ff_frame_thread_free to fix memory errors. - - This fixes using mutexes after they're destroyed and not calling release_buffer on every buffer. - Unfortunately the change to MPV_common_end is exactly the opposite of what's needed for supporting width/height changes. - -commit b483ed4f4af9444cfaa6ff9336645d799d2254dd -Author: Alexander Strange -Date: Wed Aug 6 20:33:51 2008 -0400 - - Remove the unused debugging counters from frame threading. - -commit b67d7055bf60313c40b6369f98cfc9d1eae3aefb -Author: Alexander Strange -Date: Tue Sep 2 00:52:48 2008 -0400 - - Clear returned pictures immediately after copying them. - - This isn't protected by a mutex but is still safe. - Needed for the next commit. - -commit b68110d079914d16c9fc5d1cc8c6e10d78dbdbca -Author: Alexander Strange -Date: Sat Aug 16 15:05:49 2008 -0400 - - H264: Set the decode progress for fake reference frames to the maximum. - - Fixes deadlock in premiere-paff.ts at the expense of some indeterminism on the first frame. 
- -commit b77accec9077ae8f072091fc7301d661bc9487ba -Merge: 5d3c2f7 392faa1 -Author: Luca Barbato -Date: Tue Jul 29 15:11:05 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit b7d182610b592eef0714c1d2de18c3233a289b69 -Author: Alexander Strange -Date: Sun May 24 01:06:33 2009 -0400 - - Update mplayer.diff whitespace - -commit b7e0f1a3bfd00b0256dcdd3efc4b7b77c086e70e -Author: Alexander Strange -Date: Sun Aug 24 22:38:42 2008 -0400 - - Rename doxygen group to not conflict with h264 - -commit b88c3baf94247f2687ca0c05b0ce6af7c905e02a -Author: Alexander Strange -Date: Mon May 24 22:40:00 2010 -0400 - - Fix more old merge glitches. - -commit b9a8973031be583af53be890ccdef07841394385 -Author: Alexander Strange -Date: Sun Jun 15 22:31:35 2008 -0400 - - Use output_cond for notifying the main thread. - -commit ba073d39f18679835b48b96f20feae96dad1f343 -Author: Alexander Strange -Date: Mon Apr 11 23:00:19 2011 -0400 - - h264: cosmetic whitespace change - -commit ba8b789143dc6a14c29393e40fb361c1a3e2ccd4 -Author: Alexander Strange -Date: Sat Aug 16 01:53:10 2008 -0400 - - Update todo - -commit babb66241ae51e2956aa698d425c645ad056936e -Author: Alexander Strange -Date: Fri Oct 17 14:52:35 2008 -0400 - - Copy avctx->height/width for mpegvideo. - - Not sure what the difference between the three width variables is, really. - -commit bad2bf8621c04791f0d9a0a2873a3b6042d4ba83 -Author: Alexander Strange -Date: Sun May 24 00:48:57 2009 -0400 - - Copy new fields in update_context_from_copy(). - -commit bb67674aa57e23893f2f19bd4ffb4a92b5a01e83 -Merge: 06ac5ac 6051838 -Author: Alexander Strange -Date: Sun Jun 20 17:39:15 2010 -0700 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit bba0e098a75f14af80bfd4fdfdf9edcaf8f3fee5 -Author: Alexander Strange -Date: Sat Jun 20 03:32:19 2009 -0400 - - Factor out vp3 table allocation into new function. 
- -commit bbc5744117da188c43e00c4f02f6ff0fe984d4f8 -Author: Alexander Strange -Date: Sun Jul 13 15:52:21 2008 -0400 - - Print the AVCodecContext address in av_log instead of AVClass. - This makes logging much easier to read when there's more than one context. - -commit bc1cc6f39a0f6df2cc1d0fecd3eb14efd150763a -Author: Alexander Strange -Date: Wed Feb 3 01:29:21 2010 -0500 - - Cosmetics: Don't use #if HAVE_PTHREADS in thread.h. - - These two macros will be removed entirely in the future. - -commit bd392934097dc5c909e9b06550ec1d13d92fa134 -Author: Alexander Strange -Date: Fri Aug 15 23:34:32 2008 -0400 - - Set output_size properly before calling the decoder so it doesn't return nonsense and crash at the end - -commit bd63cf4721466aea490f6f0455a32060d572d5ba -Author: michaelni -Date: Sun Jul 21 07:54:53 2002 +0000 - - YUV410P to YUV420P patch by Fran -commit bdaeaaa58f24393027e112c02896b23fe0b3cc01 -Author: Alexander Strange -Date: Mon Oct 13 11:23:47 2008 -0400 - - Add buffer padding to the end of bitstream_buffer. - - Fixes a warning in valgrind. - -commit bdef29429d4f488012cb492e61cf20ffe0b858a7 -Author: Alexander Strange -Date: Sun Jul 6 15:48:52 2008 -0400 - - Fix compilation with threads disabled. - -commit be45bc423ba576e1d06df3664cfe91e02d78ffa5 -Author: Alexander Strange -Date: Mon Feb 15 00:00:35 2010 -0500 - - Fix a deadlock in mpeg1 threaded decoding - - Fake frames need their progress set to INT_MAX. - - This can be triggered by seeking in mpeg1, but this is not the correct fix, - since seeking to keyframes does seem to work properly without threads. - -commit bf806642ab67148d93a4f24e7dbdc8644575c45b -Author: Alexander Strange -Date: Sun Jan 24 18:59:28 2010 -0500 - - When frame_thread_init() fails, free the failed thread context as well. - -commit bffb1c874ec2c9f7ea9c6830d852955a3c2805a0 -Author: Alexander Strange -Date: Wed Aug 6 20:51:34 2008 -0400 - - Make ff_*_thread_free static. 
- -commit c01185fe11dd2ce35f798d16faec17fcfc64c7c4 -Author: kabi -Date: Fri Mar 8 09:09:57 2002 +0000 - - * BeOS patch by Fran -commit c05a51580b56d1479083b1460dc29492b3fb6b16 -Author: Alexander Strange -Date: Tue Aug 19 00:53:15 2008 -0400 - - Track allocated buffer size properly. Don't allocate buffer padding since the user already did it. - -commit c1b0bddeaf947ef49c63b412918d73fe7a645ba5 -Author: Alexander Strange -Date: Mon Nov 15 04:08:01 2010 -0500 - - pthread: Update and sort the fields copied in update_context_from_thread/update_context_from_user - - Changes to pthread.c are finished. - -commit c29d645dfd2c8168e7c9009638ddb88928e706be -Author: Alexander Strange -Date: Tue May 11 06:12:26 2010 -0400 - - Copy time_base between threads. - - Appears to be used by the h263 decoder. - -commit c2a400d3a5da10f8f2a9c2aa89d9396efe428029 -Merge: b77acce e96a4b0 -Author: Luca Barbato -Date: Thu Aug 14 22:16:09 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit c2e19261fe08c2d96d4bf082e97bebcdf12566f2 -Author: Alexander Strange -Date: Sat Feb 20 21:24:24 2010 -0500 - - Remove USE_FRAME_THREADING and USE_AVCODEC_EXECUTE macros. - - Requested in original review, might help making sure pthread emulation - works for encoding tests. - -commit c2e9a1fc965de63271c7c4ddffd7e938ce1bfd93 -Author: benoit -Date: Tue Nov 6 16:28:32 2007 +0000 - - ffplay currently needs special handling for pausing in some protocols. - Patch by Bj -�rn Axelsson: bjorn ; axelsson commit c2eed2a91101a90f2172e81755ca4d655de90443 -Author: Alexander Strange -Date: Wed Nov 3 22:13:07 2010 -0400 - - vp3: Cosmetic changes - -commit c370b927b6d1f0e092e43d58ee29046e5accad1a -Author: Alexander Strange -Date: Sun Feb 6 19:18:10 2011 -0500 - - Improve comment in avcodec.h - -commit c378f545f65d536e55ebe1ac85d170a15e7748eb -Author: Alexander Strange -Date: Wed Aug 6 20:12:01 2008 -0400 - - Reindent. 
- -commit c45bb41ec61522dcdb97618a0f6fafd8a32d529b -Author: benoit -Date: Mon Jan 7 12:42:02 2008 +0000 - - Make v4l.c's video_formats constant and static. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit c4649d2e370c04c7f5cfcf0b444edc6116ba03f8 -Author: Alexander Strange -Date: Mon Jan 25 03:16:09 2010 -0500 - - Avoid freeing buffers twice when closing mpegvideo. - - This fixes a harmless "unreleased buffers" warning due to the design - of delayed releasing. This is probably a bad way to do it (won't - work if resolution changing is supported) but I can't think of a - better one that's simple. - -commit c5137d0d9e355aecc7e60cef0d2314468b77a147 -Author: Alexander Strange -Date: Sat Jan 15 22:52:30 2011 -0500 - - Update todo.txt - -commit c563b57b187279c1af0f723110bdab815fac6385 -Merge: 65e8486 6a3327b -Author: Alexander Strange -Date: Fri Apr 3 21:23:47 2009 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/mpegvideo.c - -commit c58218c681e51a1b392ddb0177dcff8fc8e99d1c -Author: Alexander Strange -Date: Tue Aug 12 00:45:01 2008 -0400 - - Use HAVE_PTHREADS instead of ENABLE_PTHREADS for mplayer compatibility. - -commit c5ca1f6b5227f8f7a26f889c123c4358ee15596e -Author: Alexander Strange -Date: Sat Jan 15 22:51:43 2011 -0500 - - Pass pkt_dts properly through multithreading - - A/V sync should work in all cases now once guess_correct_pts()/clients - adopt AVFrame.pkt_dts. - -commit c6a59ddd734c7ca92862bce47ec686e16da627ee -Author: Alexander Strange -Date: Fri Jun 19 18:32:12 2009 -0400 - - Remove frame_num stuff from todo. - - The current code is actually correct. - -commit c6bbd5d91408d6dd795dfbbdfba2cef62696d765 -Author: michael -Date: Sun Jan 8 17:06:26 2006 +0000 - - fixing second last time Fran -commit c6f5097967de5ed420cd56a1a77b60a705fcee48 -Author: Alexander Strange -Date: Sat Aug 16 05:09:03 2008 -0400 - - Disable frame threading if low_delay or randomly truncated frames are used. 
- -commit c75cec5217fc23206476e2d1c894e8a6ddcd81b9 -Author: Alexander Strange -Date: Sun Mar 29 02:25:19 2009 -0400 - - Fix missing ff_get/release_buffer calls in mdec. - -commit c83670eeb613b9509555d4ddcac559a37cc1c5bc -Merge: 2063f77 dde06af -Author: Alexander Strange -Date: Wed Dec 15 15:20:06 2010 -0500 - - Merge mainline. - - Version wasn't updated this time. - - Conflicts: - doc/APIchanges - libavcodec/avcodec.h - -commit c91d7a205df4dd224461b96749b9ce12e2bf6825 -Merge: 4874d25 04c74fc -Author: Alexander Strange -Date: Wed May 19 16:51:42 2010 -0400 - - Merge mainline. - - Conflicts: - libavcodec/avcodec.h - libavcodec/options.c - libavcodec/utils.c - -commit ca89b49eff34604b1354888cd041f474d988c122 -Author: Alexander Strange -Date: Mon Jun 23 04:16:16 2008 -0400 - - Fix ff_frame_thread_flush() - It should setup the context to be just like decoding starting from scratch. - -commit cac4bca0570a9b9ffdd3b49590fe1e41fd5568b0 -Author: Alexander Strange -Date: Sat Jun 27 15:02:21 2009 -0400 - - Fix conditions for drawing edges. - - They shouldn't be drawn for B-frames/intra only (for speed) - and when hwaccel is on (for correctness). - -commit cba830597c99b7a6de57b3cd2209d22598bb72b1 -Author: Alexander Strange -Date: Sat Feb 13 22:45:07 2010 -0500 - - Backport VP3 crash/deadlock fix from mainline r21781. - - Previously, if get_buffer() failed when allocating a golden frame, - it would access it in a later frame without checking it first. - r21781 unintentionally fixed this. - - This should be impossible to trigger, but some other bug in -mt - causes this with frequent seeking. - -commit cbaa375d4cb1320093199e8abe1ce7bcf389036d -Author: michaelni -Date: Sat Nov 2 21:05:54 2002 +0000 - - gcc optimization on BeOS (patch by Fran -commit cbc8d8bec42b371522b0724f27454a96881c4164 -Author: Alexander Strange -Date: Mon Apr 19 02:47:32 2010 -0400 - - Disable multithreading the first field in PAFF. 
- - At least one PAFF .mp4 file has two fields per packet, which can't - work with -mt - instead it needs to split the fields up like packed - B-frames do. - - Fixes Chalet-Tire.mp4. Pessimizes otherwise working files. - -commit cc33ba7cd7ebbf14b62b0783fb7272e41b484aea -Author: Alexander Strange -Date: Tue May 11 14:41:53 2010 -0400 - - Cosmetics: arbitrary reordering of some pthread struct members - -commit ccd0d039a3d2fd70a9e947cc2faf79ca091dd687 -Author: Luca Barbato -Date: Fri Apr 25 21:52:45 2008 +0200 - - Incorporate swscale as submodule - -commit cd71fb4386961bc860c3abc4cf464b580366d57d -Author: Alexander Strange -Date: Tue Jan 25 16:33:26 2011 -0500 - - Forgot to git add the test failures list - -commit cdc193d0dbc2f0775d177f46036eca0d813f56ff -Author: Alexander Strange -Date: Sun Jul 6 15:53:33 2008 -0400 - - Use static functions instead of macros for consistency. - -commit cf2561f8dcc3143f9c479bba1d9be91339f23726 -Author: Alexander Strange -Date: Fri Jan 21 02:22:56 2011 -0500 - - Write longer comments for callbacks - - Also neglected to update get_buffer to mention thread_safe_callbacks - -commit cf528d74cd7321219880eb06b94a8de0ba5741ff -Author: Alexander Strange -Date: Sun Aug 17 16:50:51 2008 -0400 - - Fix another memory leak. - -commit cf56bb126e7c056740e51c6c13304b03260b4b47 -Merge: ccd0d03 08baa31 -Author: Luca Barbato -Date: Sat May 3 12:18:40 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit d0c772c8021702ca79ce2aceeba75902231c0101 -Author: michaelni -Date: Tue Jul 23 22:05:35 2002 +0000 - - patch by Fran -commit d103d4fac41b32915b45534d49d1e6a195b4220b -Author: Alexander Strange -Date: Wed Feb 3 01:00:14 2010 -0500 - - Simplify thread.h by removing the stub functions. - - They don't really help anything, if (HAVE_PTHREADS && ...) is sufficient. - -commit d15ab0f03a257293c0e13eac8b9b031da73c48f3 -Author: Alexander Strange -Date: Tue Jun 3 04:41:33 2008 -0400 - - Macroize some threading checks. 
- -commit d21f769ead6bd4c24d867b7e9beeb8ffcc86b271 -Author: Alexander Strange -Date: Wed Aug 6 20:36:04 2008 -0400 - - Revert renaming pthread.c. - -commit d2f8287d8526f814bcc88d827775d39ddc5c5f22 -Author: Alexander Strange -Date: Mon Jan 17 14:34:22 2011 -0500 - - Update todo.txt to put important things at the top - -commit d359ab19a25afa7dae20229e62dc0e37b6179ea7 -Author: michaelni -Date: Mon Jul 22 01:44:08 2002 +0000 - - adpcm encoding patch by Fran -commit d419a1c1d30e1b171fba7dc31a909e77a08016ba -Author: Alexander Strange -Date: Sun Aug 24 03:51:18 2008 -0400 - - Comment utility functions in pthread.c - -commit d460fd8d253c90f20536dffe69a6ea20dc113106 -Author: Alexander Strange -Date: Tue Aug 19 15:57:28 2008 -0400 - - Simplify codec close - -commit d4fad7c7f05e6fd7d677eaf1069e04c94b946a0c -Merge: f3f3d11 980ab8d -Author: Alexander Strange -Date: Tue Feb 2 21:41:11 2010 -0500 - - Merge mainline and libswscale. - - ffplay's pts reordering is better now, so ffplay.c has been reverted - to mainline. - - Conflicts: - ffplay.c - libavcodec/avcodec.h - libavcodec/h264.c - -commit d5227efafd855f028338480f937b6ad4a86ef7ac -Author: Alexander Strange -Date: Thu Jun 12 18:24:28 2008 -0400 - - Don't check MAX_THREADS unless slice threading is on. - -commit d5c16c23327d84373fca125b884254550b79c8d7 -Author: mmu_man -Date: Sun Jan 23 09:59:36 2005 +0000 - - Revert the fixed-size-sample patch as it brokes and others - WTF I thought I had commited this yesterday... was probably too asleep :commit d5ea5fc7342e3a1b082659bccd5ffd90a911b780 -Author: Alexander Strange -Date: Thu May 7 01:19:55 2009 -0400 - - Replace the number of frames option with a number of frames to skip. - - The old option wasn't really useful (ffmpeg -t saves more time) - and this is needed to deal with broken stream clips, which are - common and tend to decode differently under mt anyway, which I - don't really care about. 
- -commit d611b2bcb3ce231242f566cee08a61798a36abc8 -Author: Alexander Strange -Date: Thu Jun 18 05:03:36 2009 -0400 - - Fix race condition upon return from decode_init(). - - We can't call report_frame_progress on every returned frame, - because they may be returned while a past thread is still decoding - them. Instead ensure frames always have this called on them after - their decode is done. - - Should fix all bugs for valid H.264 streams without frame num gaps. - -commit d62b7c03b163c3dc067f122ab9fec44de87b37ae -Author: Alexander Strange -Date: Tue Mar 9 01:54:27 2010 -0500 - - VP3: Only call await_reference_row() for luma - - 4.3% -> 2.1% cpu on big_buck_bunny_1080p_stereo.ogg. - It should be further reducable since VP3 has limited MV range. - -commit d6bb0443c9b316b8cf29720524b4819fb2e6b6a1 -Author: Alexander Strange -Date: Thu Sep 4 01:50:20 2008 -0400 - - Don't mention nonexistant variables in comments - -commit d71a7eef9e540b00b0f91d840116e43206390645 -Author: Alexander Strange -Date: Mon May 24 16:45:27 2010 -0400 - - h264: Delete lines accidentally left behind during a merge - -commit d7cfe6d5cbffa42e178d88d7c647d37431e21861 -Author: Alexander Strange -Date: Tue Feb 1 22:20:19 2011 -0500 - - Fix dropped frames at the beginning of h264 decoding, fixes FATE tests - - Patch by Ronald Bultje (rsbultje@gmail.com) - -commit d8014c67ff1ef20ca05302dea9e262a3089d996e -Merge: 604ee54 4ce0d81 -Author: Alexander Strange -Date: Sat May 1 04:03:03 2010 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit d812c6f8b1d897734d6f7b5f1a5c95d3aa10a3ea -Author: Alexander Strange -Date: Thu Jun 24 02:25:25 2010 -0700 - - Fix crash on close when decoding a single-frame h264 file with 3+ threads - - Problematic code path: - 1. sps_buffers[0] is allocated in the first thread's codec context when the - decoder is opened. - 2. The first thread context is memcpy'd to the other threads by frame_thread_init(). - 3. 
The first thread is closed and its sps_buffers[0] is freed. - 4. The third thread is closed. - Because it never got to decode a frame, update_thread_context was never called, - and sps_buffers[0] still contained the first thread's pointer. - - Fixed by not trying to free sps/pps buffers if the thread wasn't initialized. - I didn't properly consider this when designing it but this seems to be the - best approach anyway. - - Fixes still2.mp4 crash from Chromium - -commit d84fc3dfd3e051c782d063ccba4cc8cadba38797 -Author: michaelni -Date: Tue Nov 5 00:56:08 2002 +0000 - - MIN/MAX sys/param.h patch by (Fran -commit d93fe0ea6b1b8121fdb9521fa7eeac0dc494deeb -Author: benoit -Date: Tue Nov 6 16:19:09 2007 +0000 - - Allow propagation of stream selection through the ASF demuxer to the - MMSH protocol handler. - Patch by Bj -�rn Axelsson: bjorn ; axelsson commit d955ab0dfa73578eaa6a9d1dcb821ce9db409738 -Author: Alexander Strange -Date: Tue Mar 29 04:53:11 2011 -0400 - - Update todo. More items appeared... - -commit da70ded7141aa191b92672c343cd29a0014d861f -Author: Alexander Strange -Date: Thu Dec 18 13:27:51 2008 -0500 - - Update todo - -commit da7bdb1273da15a90bfe08ead91e397247916d11 -Author: Alexander Strange -Date: Tue Jun 24 03:24:17 2008 -0400 - - Get rid of tabs - -commit da86d2da9f6a76238a9d788ecd77f714981e666d -Author: Alexander Strange -Date: Thu Sep 4 01:40:51 2008 -0400 - - Reindent. - -commit da95175e7ce1f911db992fef213322345200feaf -Author: Alexander Strange -Date: Mon Jul 14 01:52:37 2008 -0400 - - Add a parameter to not draw top/bottom in draw_edges. - -commit db2a99d28931128c8598067ae06444ab79f579f8 -Author: Alexander Strange -Date: Tue Jun 9 17:29:47 2009 -0700 - - Fix typo in comment. - -commit dbfbadaa095b65a724ac848d551cfa2aa33e2f6a -Author: Alexander Strange -Date: Tue May 11 05:16:14 2010 -0400 - - Update todo. - - Got another h264 bug report with the same cause as before. 
- -commit dc53861aadac1d43391b28e4e9793393b26394b9 -Author: Alexander Strange -Date: Wed Jun 18 20:52:34 2008 -0400 - - Always set decode progress to the maximum at the end of decoding - This saves doing it for frames with AC partitioning and such. - We can't do it if the codec didn't return a frame, so there is still an opportunity for deadlocks here, maybe. - -commit dc7c4d436681e43a9f351dd18f70d0dc008aa55e -Author: benoit -Date: Thu Jan 10 10:18:00 2008 +0000 - - Make MMX vectors constants. - Patch by Diego 'Flameeyes' Petten -� flameeyes commit dd9e04497937b7fffdcc65a2b41e36089412d975 -Author: Alexander Strange -Date: Tue Mar 29 17:18:21 2011 -0400 - - Remove unnecessary parameter from ff_thread_init() and fix behavior - - thread_count passed to ff_thread_init() is only used to set AVCodecContext. - thread_count, and can be removed. Instead move it to the legacy implementation - of avcodec_thread_init(). - - This also fixes the problem that calling avcodec_thread_init() with pthreads - enabled did not set it since ff1efc524cb3c60f2f746e3b4550bb1a86c65316. - -commit ddc8310d2a9300139d1821954dfa2d0b775edaa1 -Author: Alexander Strange -Date: Thu Feb 11 22:12:03 2010 -0500 - - Fix mutex leak introduced in 0040d6f2ba. - - If allocate_progress() failed, the error condition returned before - unlocking its mutex. - -commit de365823ec9546a3bd688690e79fc15281a68f1f -Author: Alexander Strange -Date: Wed Jun 23 01:26:42 2010 -0700 - - todo: fix ugly word wrapping - -commit de736aacd945d66109197a6f04baf915d458f5ac -Merge: 7eac0bc 780a37c -Author: Alexander Strange -Date: Thu Jun 18 17:53:09 2009 -0400 - - Merge mainline. - -commit de8abf54671555bb166bb1d44a34fe14e360e2a5 -Author: Alexander Strange -Date: Sun Jan 24 16:37:24 2010 -0500 - - Rename and document MAX_DELAYED_RELEASED_BUFFERS. 
- -commit dedc2982f2f845357f28dff401fe5df8510c6a8f -Author: benoit -Date: Tue May 22 08:28:32 2007 +0000 - - id3v2 writer - patch by Andreas -�commit df444fadf045bf70058da9b074b8f848fc2209b1 -Merge: 14bdf76 1476e6a -Author: Alexander Strange -Date: Tue Mar 9 02:04:43 2010 -0500 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit df5d7acdcd0dcbfca6f8fd4f76c9369cb1674435 -Author: Alexander Strange -Date: Sat Aug 16 17:32:24 2008 -0400 - - Don't reuse the user's AVCodecContext for the first decoding thread, and copy more values between them as needed. - - This fixes a large class of race conditions (coded_frame works again) and should improve frame dropping. - -commit dfb8be0a60b9562cf7bb6e54dd67088ff51f83b0 -Author: Alexander Strange -Date: Tue Jun 24 21:35:14 2008 -0400 - - Call avcodec_get_frame_defaults() before decoding. - -commit e0285f04bed7fefba5f75d05c81b145f44fc49f5 -Author: Alexander Strange -Date: Thu Jul 31 18:40:46 2008 -0400 - - Use got_extradata instead of frame_number to guard against rereading extradata. - - frame_number is no longer valid internally, since I don't want to change its definition from the user's perspective. - mpeg12 does the same thing, but I can't find or create any mpeg1+extradata samples to check it. - -commit e044d5c79ab340cf52842ba8452d670959eb37c0 -Merge: 3c3a364 5115473 -Author: Alexander Strange -Date: Fri Nov 7 04:54:47 2008 -0500 - - Merge mainline into ffmpeg-mt - - - Handle reordered_opaque properly - - Picture.field_picture is a duplicate of Picture.mbaff, - but is necessary, since interlaced_frame can't be trusted - and mbaff can't be interpreted without it. - -commit e0dc361e0f0aa315320a549a4fda3424226c556f -Author: Alexander Strange -Date: Mon Sep 1 03:35:23 2008 -0400 - - Update todo - -commit e174657cbb973abf5de9085d00d85ac04d29a475 -Author: Alexander Strange -Date: Thu Aug 28 17:11:09 2008 -0400 - - Move avcodec_thread_init call before avcodec_open in ffplay. 
- - It makes no sense to have it after, since a decoder is not forbidden from reading it during init. - Encoders already do. - -commit e1f49541b976cdd091aa41f116e7c9fd0c740cf3 -Author: Alexander Strange -Date: Tue Jun 17 23:35:55 2008 -0400 - - Fix rounding for mpeg1 MVs. - -commit e23b687201a076161384fbc7a2f76bd0092dd34c -Author: Alexander Strange -Date: Wed Jan 20 02:36:18 2010 -0500 - - Include the delay from frame threads in has_b_frames. - - This is an API change, but anything that already counted thread_count - just has an incorrectly high max delay size, which shouldn't be a - problem. - -commit e2b9383929e2c703eabd1df8afcb9fa5ad7106ec -Author: Alexander Strange -Date: Sun Jun 15 17:36:59 2008 -0400 - - Add choice of threading algorithm to AVCodecContext. - - Use it to simplify USE_* macros. - FF_THREAD_AUTO needs to be handled better - even if a codec can handle frame-threads, we still don't want to use them if there are enough slices available. - -commit e2ecdd48d664f2660bfd661f1cef6276b986743b -Author: Alexander Strange -Date: Fri Jul 25 03:12:58 2008 -0400 - - Simplify mpeg_decode_update_context. - -commit e303003362829a7f2f1dcbc45d6abc9ac7a59b6a -Author: Alexander Strange -Date: Thu Aug 14 22:59:01 2008 -0400 - - Reindent. - -commit e340cacc56545c5fc3a903c68fec99e8921d579e -Author: Alexander Strange -Date: Sat Nov 8 06:13:23 2008 -0500 - - Disable r15412 for now to avoid crashes. - - update_context can't handle picture pts not pointing to picture and I couldn't think of a better way to do it at 5 am. - May not actually fix anything. - -commit e345a54e5f86d9777e4c3ccb04aad84f9cd77ff0 -Author: Alexander Strange -Date: Mon Mar 8 04:55:43 2010 -0500 - - Add optimization note to todo. 
- -commit e39c3828e02fe71ce627170bc8c26a558f29f4b8 -Author: Alexander Strange -Date: Mon Feb 15 00:39:39 2010 -0500 - - Update todo - -commit e3f13a4f70b1310309ebb462b1011721cb3692fe -Author: Alexander Strange -Date: Thu Sep 4 14:05:31 2008 -0400 - - Rename new symbols to be shorter - -commit e4565c5731bfcd8808d02f47f115e21dc6fc8b35 -Merge: 4b9ce55 fb61a7c -Author: Alexander Strange -Date: Thu Mar 10 02:25:55 2011 -0500 - - Merge branch 'master' of git://git.ffmpeg.org/ffmpeg - - Conflicts: - .gitignore - doc/APIchanges - ffplay.c - libavcodec/arm/asm-offsets.h - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/mpegvideo.h - libavcodec/options.c - libavcodec/pthread.c - libavcodec/thread.h - libavcodec/utils.c - libavcodec/vp3.c - libavcodec/vp8.c - libavformat/utils.c - -commit e45cf6d46cb45e6edcf9e4ac368b2a013ba30158 -Author: Alexander Strange -Date: Thu Aug 14 04:01:08 2008 -0400 - - Add todo and some other files. - - Trailing whitespace in mplayer isn't my fault. - -commit e4df986f3d2d3e1be9b0f4eeda463fa854910b8f -Author: Alexander Strange -Date: Thu Aug 28 00:41:52 2008 -0400 - - Revert unnecessary setting of the wrong variable - -commit e53d020b37ca26ffa4cdb22d2b40321897f52ba9 -Author: Alexander Strange -Date: Sat Aug 23 20:39:06 2008 -0400 - - Warn if users try to use frame threading without pthreads. - -commit e717770ee8437c296e012e908b772ba2eaeb2ed3 -Author: Alexander Strange -Date: Tue Jul 15 03:16:22 2008 -0400 - - Create next_delayed_pic for multithreading purposes - unreference_pic is intentionally unchanged. - -commit e71a2b5017728022fa1f992a8b541260615016b2 -Author: Alexander Strange -Date: Wed Jun 18 23:22:01 2008 -0400 - - Use USE_FRAME_THREADING instead of checking for thread_opaque, since it might be the wrong type. - -commit e74ef89858732b9fc4a90c8ec8fbb701407eb987 -Author: Alexander Strange -Date: Wed May 28 22:50:22 2008 -0400 - - Split setting avctx->thread_count from the rest of pthread init. 
- Make sure it's called from whichever of avcodec_open and avcodec_thread_init comes later. - -commit e7519b6532409e332fc9727ea5a57e148e6655a6 -Author: benoit -Date: Thu May 15 01:03:48 2008 +0000 - - Make av_set_string() fail when number could not be set. - Patch by Stefano Sabatini stefanocommit e8bc7da9d69234ebbcbde371c5a0e20f8b5cfccc -Author: Alexander Strange -Date: Mon Jan 25 02:59:00 2010 -0500 - - Remove accidental extra variable declaration - -commit e95251807c0ae66ffef1e4ad113b9773a287fa5a -Author: Alexander Strange -Date: Sat Jun 27 22:14:45 2009 -0400 - - Get rid of static variables in VP3. - - These are pointless and might behave wrong with thread-local - statics. - -commit e9a0e5eaf5207321baf90160b1094300f3810ecf -Author: Alexander Strange -Date: Mon Jun 23 21:21:44 2008 -0400 - - Use FF_INPUT_BUFFER_PADDING_SIZE for the buffer. - -commit ea396d38059476a54c5855e0bd81955c60238b22 -Author: Alexander Strange -Date: Wed Nov 3 22:50:02 2010 -0400 - - Rewrite comments in thread.h and fix parameter names in ff_thread_decode_frame - -commit ebce21c15f3aaf1b4512436ed8fc2e71a504bb11 -Merge: 3630d89 5570afd -Author: Alexander Strange -Date: Thu Dec 18 12:49:54 2008 -0500 - - Merge mainline. - - Conflicts: - - libavcodec/avcodec.h - libavcodec/mpegvideo.c - libavcodec/utils.c - -commit ed3e2ae1277cc425ef133f10700ace86629381ef -Author: Alexander Strange -Date: Sun Jul 13 16:05:09 2008 -0400 - - Remove useless variable. - -commit ed42183540e2a886a7368b8220e0b50aaf363551 -Author: Alexander Strange -Date: Thu Sep 30 16:53:03 2010 -0400 - - Fix hang decoding VP3/Theora. - - draw_horiz_band changed to only draw the displayed height instead of the - decoded height. This meant that we never reported progress for the last few - decoded pixels, but still awaited them, which deadlocked. - - This shouldn't cause any race conditions, because it always decodes the last - few pixels along with the last decoded pixels. - - Patch by Yuriy Kaminsky (yumkam mail ru). 
- -commit ed5e8392e2fce8e6b0468de4ae1a4310d338ee46 -Author: Alexander Strange -Date: Thu Aug 28 02:29:08 2008 -0400 - - Simplify(?) threaded avcodec_flush_buffers - -commit ed728b0a05c2154b07cc3d8330d5900dbc45f1d7 -Author: Alexander Strange -Date: Tue May 27 23:25:47 2008 -0400 - - Guard against avcodec_thread_execute() being called without being setup. - -commit edb60439feb2c5d39cda314178686eea151185b3 -Author: Alexander Strange -Date: Mon Nov 1 12:54:47 2010 -0400 - - vp3: Assume MVs are their maximum length of 16 pixels - - This makes it worse (although slightly simpler) in preparation for further - optimization. - -commit ee8430539ec7cc23b7cf6332e26751f539315d5b -Author: Alexander Strange -Date: Sun Jul 6 15:56:28 2008 -0400 - - Don't include the codecs' threading support functions without some kind of threading enabled. - As a side effect this makes non-pthreads threading even more problematic. - -commit eed4b9708287066ccc1b3042110f7c3379f63ee2 -Author: Alexander Strange -Date: Thu Aug 28 01:44:44 2008 -0400 - - Simplify disabling MB skipping - -commit ef26f878e0e581cb61f1e9b376bec4f7ff07397a -Author: Alexander Strange -Date: Tue Mar 9 01:48:18 2010 -0500 - - Cosmetics: fix outdated comment - -commit ef2d8664f1eff56e969801ecd1c5b7c729902819 -Merge: 11b1a8e 9c7037f -Author: Alexander Strange -Date: Tue Jun 8 14:29:22 2010 -0700 - - Merge mainline and libswscale - -commit efd1fb08db3e7964357dc00fd514cfb156b4ee69 -Author: Alexander Strange -Date: Thu Jun 11 11:33:09 2009 -0700 - - Reindent. - -commit f139f42301a5ee861f1a91cdfcceb2a85349fa29 -Merge: 70fb3fd 7210b4e -Author: Luca Barbato -Date: Sun Jun 22 12:08:59 2008 +0200 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit f143b66d9bf8b23985bf8ec6acf8273c3e9ccd1d -Author: Alexander Strange -Date: Tue Aug 19 21:12:32 2008 -0400 - - Handle NULL threads if they aren't started because of an init error. 
- -commit f1936d87290c7444090d6cb101b0d7c9270f0a81 -Author: benoit -Date: Thu Jun 24 15:22:33 2010 +0000 - - Set an opaque alpha value when decoding rgba ffv1. - Patch by Thad Ward coderjoe69commit f1fe312cb47cbc540da764cbab3582739a20a8d2 -Author: Alexander Strange -Date: Thu Jun 5 20:30:58 2008 -0400 - - Cosmetics: make thread.h look like other prototypes. - -commit f374d2ee585d7f6c98ffd3a7803223552497904e -Author: Alexander Strange -Date: Fri Jan 21 04:13:06 2011 -0500 - - Simplify change to avcodec_close() and fix a merge glitch in avcodec_open() - -commit f3c88f32b8c806b352cf6e00d6ac80fd32e9f54c -Author: Alexander Strange -Date: Wed Sep 3 11:45:09 2008 -0400 - - Field picture API support - -commit f3f3d1189de648862ca204676dd7591262f590df -Author: Alexander Strange -Date: Mon Jan 25 04:12:34 2010 -0500 - - Add todo note about a change to thread.h I mean to do. - -commit f4d4d43f3a596941b2214ac1e71bb818eb230d6b -Author: Alexander Strange -Date: Fri Jan 21 02:43:30 2011 -0500 - - Minor update to thread.h comment - -commit f4fb456b114eafc22b8ab9bb0bb3e7f13a4fbd9a -Author: Alexander Strange -Date: Tue Nov 2 02:56:12 2010 -0400 - - vp3: Revert motion_y removal - - Although it doesn't have much of an effect on speed either way, I reconsidered - the simplification I wanted to do, and now I'd rather keep this as an example - of proper multithreading structure. - -commit f52df8ebae0ad1db15c5e804a458ca81e04c6156 -Author: Alexander Strange -Date: Mon Aug 25 14:33:09 2008 -0400 - - Fix whitespace mistake - -commit f550857de3ffcb6b2980c4c952b7e84db478d399 -Merge: d62b7c0 a175a04 -Author: Alexander Strange -Date: Sat Mar 27 02:01:59 2010 -0400 - - Merge mainline. 
- - Conflicts: - libavcodec/avcodec.h - libavcodec/h264.c - libavcodec/options.c - libavcodec/vp3.c - -commit f5596f046c05bc7d8afda7658f891d69587934f0 -Author: Alexander Strange -Date: Mon Nov 15 01:38:36 2010 -0500 - - Rewrite comments and cosmetic changes to pthread.c - - Some small code changes, but there shouldn't be any behavior change. - -commit f695698a78e07a45f4cc9d24ae95fd73f25600e7 -Author: Alexander Strange -Date: Wed Jan 26 12:43:05 2011 -0500 - - Update todo.txt with review feedback - -commit f6d7d0c03c8d7c91a39c9374d9cee83e32627681 -Author: Alexander Strange -Date: Sun Feb 6 19:04:21 2011 -0500 - - pthread: Cosmetic changes and renaming - - Rename frame->packet, picture->frame. - Use /**< to point to the right field in doxygen. - Fix some typos. - -commit f71e7068faabecc32abc798a09b9df403f85e33f -Merge: 2bbb64d a4f892e -Author: Alexander Strange -Date: Thu Jan 6 05:45:03 2011 -0500 - - Merge mainline. - - Conflicts: - doc/APIchanges - -commit f7cc4441b7046a542ef655575ce3e8684ff12e02 -Merge: bba0e09 9eac0a6 -Author: Alexander Strange -Date: Sat Jun 20 15:58:38 2009 -0400 - - Merge mainline. - -commit f9515a4e57356bce4d652451fbaccd071d91dbe9 -Merge: a903974 0c28ee7 -Author: Alexander Strange -Date: Wed Nov 11 15:38:20 2009 -0500 - - Merge mainline. - - In h264, next_outputed_poc is now used in decode_postinit() - where mainline uses outputed_poc. - - Conflicts: - libavcodec/avcodec.h - libavcodec/h263dec.c - libavcodec/h264.c - libavcodec/utils.c - -commit f9b01bbf85d68f23a81ec5325fae81c8518cc385 -Author: Alexander Strange -Date: Mon May 25 20:06:00 2009 -0400 - - Remove unnecessary check from mc_dir_part_y(). - - This was already remove from mc_dir_part(). I hope it's unnecessary - here too. 
- -commit fa3f68f39f4a96a1170eadfe6ba4677d5d25017f -Author: Alexander Strange -Date: Sat Aug 16 04:23:20 2008 -0400 - - Document functions in thread.h - -commit fa8a82e991280b7ccac89ed2a29b332e609bc370 -Author: Luca Barbato -Date: Sat May 3 15:18:01 2008 +0200 - - Switch to the gitorius mirror of libswscale - -commit fafaae289235b361b6786745dcbdf6fa938c3c2e -Author: Alexander Strange -Date: Thu Dec 4 01:46:22 2008 -0500 - - Don't compare pthread_t to NULL - - It's not required to be a pointer, and it doesn't - need to be validated since pthread_join will just - return an error if it doesn't exist. - - Reverts f143b66d9bf8b23985bf8ec6acf8273c3e9ccd1d - -commit fb1afd9eba5fe2752b83c4b3de24ed88e14b534a -Author: Alexander Strange -Date: Sat Mar 14 00:56:54 2009 -0400 - - Rewrite todo (again...) split up so other people should be able to understand it. - Add yuvcmp, though maybe it should go somewhere else. - -commit fb1f31ff6cbcbbde72920e731223fd0fb8f05d02 -Author: Alexander Strange -Date: Sat Aug 30 04:26:47 2008 -0400 - - Update multithreading doc - -commit fb7dfc0e9e9ff8a5030cde46e28d49d6ce73e453 -Author: Alexander Strange -Date: Sun Jan 24 22:15:56 2010 -0500 - - Always call avcodec_thread_init() in avcodec_open(). - - This matches upstream behavior, but neither of them have any effect. - It allows implementing automatic thread counts, though. - -commit fbb871069bd106bfd47d215216be01d1ef30aec8 -Author: Alexander Strange -Date: Sun Feb 14 23:47:42 2010 -0500 - - Reindent vp3.c. - -commit fc957c71da6c9a7e5c769e15f256652352f7b4a4 -Author: Alexander Strange -Date: Mon May 24 17:31:38 2010 -0400 - - Fix compile with --disable-optimizations. - - gcc can't remove dead code like: - int threaded = HAVE_PTHREADS; - if (threaded) ... 
- -commit fd1b8587a4186b30c5922e3053c869726cca23df -Author: Alexander Strange -Date: Thu Nov 4 03:55:19 2010 -0400 - - Remove ff_thread_finish_frame() as it seems not useful enough - -commit fd9ae0065aa268c4b3e46706d775cf4ba1df8ed3 -Author: Alexander Strange -Date: Wed May 28 01:34:30 2008 -0400 - - Obfusticate the decoder to make the context copyable earlier. - -commit fda3e64cd474b5886457c6a1ffff8906f76a9bbc -Author: Alexander Strange -Date: Thu Jun 18 16:11:26 2009 -0400 - - Mimic: move up a line changing buf_ptrs. - - No effect on decoding, but it breaks the rule about changing - things after frame_setup_done. - -commit fdb381e68a3828dcc7eb1c93cf174b702cc78d2c -Author: Alexander Strange -Date: Wed Feb 17 00:39:42 2010 -0500 - - Cosmetics: rename function parameters - -commit fe4e238f573bab53760408b3376dbba0255e5b51 -Author: Alexander Strange -Date: Mon May 25 20:00:50 2009 -0400 - - Fix unnecessarily long wait for direct+progressive MBs. - -commit fe529c93b41f2d7406b76e7e5943b82acd789cb4 -Author: benoit -Date: Tue May 22 08:23:45 2007 +0000 - - id3v2 reader - patch by Andreas -�commit febe154099b8f31817e8c047cb3c8dee51b52117 -Author: Alexander Strange -Date: Wed Jun 16 14:54:00 2010 -0700 - - Fix merge glitch: pix_fmts should have been deleted - -commit feca6e0009da2b344b2c1be8f30a55c23623d77e -Merge: 2485cfd feaafaa -Author: Alexander Strange -Date: Mon May 25 19:58:17 2009 -0400 - - Merge branch 'master' of git://git.mplayerhq.hu/ffmpeg - -commit ff08d3a1629ab442f78a1d2fde496b727a1a9deb -Author: Alexander Strange -Date: Sat Jul 12 22:26:43 2008 -0400 - - Fix MPV_lowest_referenced_row to not be completely wrong. - The not handling qpel and emu_edge bugs were masked by the other bugs preventing almost all parallelism. - -commit ff4c627baab555a4ea6275c919d9f4259adc0e58 -Author: Alexander Strange -Date: Tue Oct 6 15:41:35 2009 -0400 - - Word-wrap todo.txt. - - Try to make some of it cleaner - so other people can actually - use it. 
- -commit ff69da3564ab912f7e7331f8c8389a96a254e16f -Author: Alexander Strange -Date: Sun Aug 1 20:33:57 2010 -0700 - - Fix the decoder not returning any frames if the frame count is less than the number of threads - - Fixes ./mt-work/test.sh with still2.mp4 - From b2f27d29267686bf3f80d347423abe2f24ea93f9 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 29 Jan 2012 17:50:17 +0100 Subject: [PATCH 003/991] Improve decoding quality for lossy wavpack. This reverts e6e7bfc1 and 365e1ec2. The code may be incorrect both before and after the revert, but we do not have any samples that were fixed by the original commits. Fixes ticket #871. (cherry picked from commit a915618a29f3f4197832151a4ed03ccdd585f9cf) --- libavcodec/wavpack.c | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 9adfc968db..11c90b74e6 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -112,8 +112,7 @@ typedef struct WavpackFrameContext { int extra_bits; int and, or, shift; int post_shift; - int hybrid, hybrid_bitrate; - int hybrid_maxclip, hybrid_minclip; + int hybrid, hybrid_bitrate, hybrid_maxclip; int float_flag; int float_shift; int float_max_exp; @@ -413,10 +412,10 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, } bit = (S & s->and) | s->or; - bit = ((S + bit) << s->shift) - bit; + bit = (((S + bit) << s->shift) - bit); if (s->hybrid) - bit = av_clip(bit, s->hybrid_minclip, s->hybrid_maxclip); + bit = av_clip(bit, -s->hybrid_maxclip - 1, s->hybrid_maxclip); return bit << s->post_shift; } @@ -764,7 +763,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, const uint8_t *orig_buf = buf; const uint8_t *buf_end = buf + buf_size; int i, j, id, size, ssize, weights, t; - int bpp, chan, chmask, orig_bpp; + int bpp, chan, chmask; if (buf_size == 0) { *got_frame_ptr = 0; 
@@ -800,16 +799,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->frame_flags = AV_RL32(buf); buf += 4; bpp = av_get_bytes_per_sample(avctx->sample_fmt); samples = (uint8_t*)samples + bpp * wc->ch_offset; - orig_bpp = ((s->frame_flags & 0x03) + 1) << 3; s->stereo = !(s->frame_flags & WV_MONO); s->stereo_in = (s->frame_flags & WV_FALSE_STEREO) ? 0 : s->stereo; s->joint = s->frame_flags & WV_JOINT_STEREO; s->hybrid = s->frame_flags & WV_HYBRID_MODE; s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; - s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); - s->hybrid_maxclip = (( 1LL << (orig_bpp - 1)) - 1) >> s->post_shift; - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))) >> s->post_shift; + s->hybrid_maxclip = (1LL << ((((s->frame_flags & 0x03) + 1) << 3) - 1)) - 1; + s->post_shift = 8 * (bpp - 1 - (s->frame_flags & 0x03)) + + ((s->frame_flags >> 13) & 0x1f); s->CRC = AV_RL32(buf); buf += 4; if (wc->mkv_mode) buf += 4; //skip block size; @@ -970,15 +968,6 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->and = 1; s->shift = buf[3]; } - /* original WavPack decoder forces 32-bit lossy sound to be treated - * as 24-bit one in order to have proper clipping - */ - if (s->hybrid && bpp == 4 && s->post_shift < 8 && s->shift > 8) { - s->post_shift += 8; - s->shift -= 8; - s->hybrid_maxclip >>= 8; - s->hybrid_minclip >>= 8; - } buf += 4; break; case WP_ID_FLOATINFO: From 0df7d7482c4b2806486ac024979e38c6eaf9086d Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 10 Feb 2012 20:18:10 -0500 Subject: [PATCH 004/991] wavpack: add needed braces for 2 statements inside an if block (cherry picked from commit 9d7cee50aa349563aa5faca1cff256ffccff6551) --- libavcodec/wavpack.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 11c90b74e6..c1b6c2f188 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
@@ -904,8 +904,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } else { for (j = 0; j < s->decorr[i].value; j++) { s->decorr[i].samplesA[j] = wp_exp2(AV_RL16(buf)); buf += 2; - if (s->stereo_in) + if (s->stereo_in) { s->decorr[i].samplesB[j] = wp_exp2(AV_RL16(buf)); buf += 2; + } } t += s->decorr[i].value * 2 * (s->stereo_in + 1); } From 569cb94869ba26ced9860350883fc0f1c4afa2d2 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 17 Feb 2012 23:51:22 +0100 Subject: [PATCH 005/991] Fix ffmpeg -codecs output. (cherry picked from commit f6492476a63938cc66c51bf61c88407b7749f780) --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 386db3d48b..f326b9c655 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -806,7 +806,7 @@ int opt_codecs(const char *opt, const char *arg) if (p2 && strcmp(p->name, p2->name) == 0) { if (p->decode) decode = 1; - if (p->encode) + if (p->encode || p->encode2) encode = 1; cap |= p->capabilities; } From dcde8e1c901851c95fbefa322118198eead96fc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2012 01:26:38 +0100 Subject: [PATCH 006/991] Revert "Improve decoding quality for lossy wavpack." This has been implemented more correctly. This reverts commit a915618a29f3f4197832151a4ed03ccdd585f9cf. (cherry picked from commit 32e74395a8e88dee1c149aeb36e7a21df431c181) --- libavcodec/wavpack.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index c1b6c2f188..b20c3cf67f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -112,7 +112,8 @@ typedef struct WavpackFrameContext { int extra_bits; int and, or, shift; int post_shift; - int hybrid, hybrid_bitrate, hybrid_maxclip; + int hybrid, hybrid_bitrate; + int hybrid_maxclip, hybrid_minclip; int float_flag; int float_shift; int float_max_exp; 
@@ -412,10 +413,10 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, } bit = (S & s->and) | s->or; - bit = (((S + bit) << s->shift) - bit); + bit = ((S + bit) << s->shift) - bit; if (s->hybrid) - bit = av_clip(bit, -s->hybrid_maxclip - 1, s->hybrid_maxclip); + bit = av_clip(bit, s->hybrid_minclip, s->hybrid_maxclip); return bit << s->post_shift; } @@ -763,7 +764,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, const uint8_t *orig_buf = buf; const uint8_t *buf_end = buf + buf_size; int i, j, id, size, ssize, weights, t; - int bpp, chan, chmask; + int bpp, chan, chmask, orig_bpp; if (buf_size == 0) { *got_frame_ptr = 0; @@ -799,15 +800,16 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->frame_flags = AV_RL32(buf); buf += 4; bpp = av_get_bytes_per_sample(avctx->sample_fmt); samples = (uint8_t*)samples + bpp * wc->ch_offset; + orig_bpp = ((s->frame_flags & 0x03) + 1) << 3; s->stereo = !(s->frame_flags & WV_MONO); s->stereo_in = (s->frame_flags & WV_FALSE_STEREO) ? 0 : s->stereo; s->joint = s->frame_flags & WV_JOINT_STEREO; s->hybrid = s->frame_flags & WV_HYBRID_MODE; s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; - s->hybrid_maxclip = (1LL << ((((s->frame_flags & 0x03) + 1) << 3) - 1)) - 1; - s->post_shift = 8 * (bpp - 1 - (s->frame_flags & 0x03)) + - ((s->frame_flags >> 13) & 0x1f); + s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); + s->hybrid_maxclip = (( 1LL << (orig_bpp - 1)) - 1) >> s->post_shift; + s->hybrid_minclip = ((-1LL << (orig_bpp - 1))) >> s->post_shift; s->CRC = AV_RL32(buf); buf += 4; if (wc->mkv_mode) buf += 4; //skip block size; 
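Review bot: In the wavpack_decode_block() hunk that restores orig_bpp, nothing in the visible lines bounds s->post_shift before it is used as a shift count. It is computed as bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f), where orig_bpp and the 5-bit field both come from the block's frame_flags, so a block that declares more bits than the output sample format holds makes it negative, and a large shift field pushes it past the width of int. A negative count is undefined for the ">> s->post_shift" applied to the clip limits here, and a count that is negative or not smaller than the width of int is undefined for "bit << s->post_shift" in wv_get_value_integer(). Suggest rejecting the block with AVERROR_INVALIDDATA right after post_shift is computed when it falls outside 0..31 (or when orig_bpp > bpp * 8). Separately, (-1LL << (orig_bpp - 1)) left-shifts a negative value, which C leaves undefined; -(1LL << (orig_bpp - 1)) gives the same limit without relying on that.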
@@ -969,6 +971,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->and = 1; s->shift = buf[3]; } + /* original WavPack decoder forces 32-bit lossy sound to be treated + * as 24-bit one in order to have proper clipping + */ + if (s->hybrid && bpp == 4 && s->post_shift < 8 && s->shift > 8) { + s->post_shift += 8; + s->shift -= 8; + s->hybrid_maxclip >>= 8; + s->hybrid_minclip >>= 8; + } buf += 4; break; case WP_ID_FLOATINFO: From 9f82cbf7c11b2eca98a38fc9f1ca3a2ba1066a36 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 23 Feb 2012 10:55:35 -0500 Subject: [PATCH 007/991] wavpack: Don't shift minclip/maxclip Since we are clipping before we shift the values to 16 or 32 bits, we should not shift the min/max clip values to compensate. Fixes 8 and 24 bit lossy decoding. Fixes ticket #871. Signed-off-by: Derek Buitenhuis Signed-off-by: Anton Khirnov (cherry picked from commit 480b133e6f79c470aff0f84d9ed3648d37c32b03) --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b20c3cf67f..71eaf70ecc 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -808,8 +808,8 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid = s->frame_flags & WV_HYBRID_MODE; s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); - s->hybrid_maxclip = (( 1LL << (orig_bpp - 1)) - 1) >> s->post_shift; - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))) >> s->post_shift; + s->hybrid_maxclip = (( 1LL << (orig_bpp - 1)) - 1); + s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); s->CRC = AV_RL32(buf); buf += 4; if (wc->mkv_mode) buf += 4; //skip block size; From 350d06d63fc758d047c050e0835f540277799f60 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Thu, 8 Dec 2011 06:57:44 +0100 Subject: [PATCH 008/991] lavc: add avcodec_is_open(). It allows to check whether an AVCodecContext is open in a documented way. Right now the undocumented way this check is done in lavf/lavc is by checking whether AVCodecContext.codec is NULL. However it's desirable to be able to set AVCodecContext.codec before avcodec_open2(). (cherry picked from commit af08d9aeea870de017139f7b1c44b7d816cf8e56) Conflicts: doc/APIchanges --- doc/APIchanges | 3 +++ libavcodec/avcodec.h | 6 ++++++ libavcodec/options.c | 2 +- libavcodec/utils.c | 8 ++++++++ libavcodec/version.h | 2 +- libavformat/utils.c | 5 ++--- 6 files changed, 21 insertions(+), 5 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 904e3462f7..1e326cac3f 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,6 +13,9 @@ libavutil: 2011-04-18 API changes, most recent first: +2012-02-17 - xxxxxxx - lavc 53.35.0 + Add avcodec_is_open() function. + 2012-01-15 - lavc 53.34.0 New audio encoding API: b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index be1b2021bd..6db34fa78e 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -4737,4 +4737,10 @@ enum AVMediaType avcodec_get_type(enum CodecID codec_id); */ const AVClass *avcodec_get_class(void); +/** + * @return a positive value if s is open (i.e. avcodec_open2() was called on it + * with no corresponding avcodec_close()), 0 otherwise. + */ +int avcodec_is_open(AVCodecContext *s); + #endif /* AVCODEC_AVCODEC_H */ diff --git a/libavcodec/options.c b/libavcodec/options.c index 2689d32a92..7481f1a685 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c 
@@ -634,7 +634,7 @@ AVCodecContext *avcodec_alloc_context(void){ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { - if (dest->codec) { // check that the dest context is uninitialized + if (avcodec_is_open(dest)) { // check that the dest context is uninitialized av_log(dest, AV_LOG_ERROR, "Tried to copy AVCodecContext %p into already-initialized %p\n", src, dest); diff --git a/libavcodec/utils.c b/libavcodec/utils.c index ff3f065064..b097c9b421 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -637,6 +637,9 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD int ret = 0; AVDictionary *tmp = NULL; + if (avcodec_is_open(avctx)) + return 0; + if (avctx->extradata_size < 0 || avctx->extradata_size >= FF_MAX_EXTRADATA_SIZE) return AVERROR(EINVAL); @@ -1836,3 +1839,8 @@ enum AVMediaType avcodec_get_type(enum CodecID codec_id) return AVMEDIA_TYPE_UNKNOWN; } + +int avcodec_is_open(AVCodecContext *s) +{ + return !!s->internal; +} diff --git a/libavcodec/version.h b/libavcodec/version.h index c7b4c15b7a..77e16823f9 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -21,7 +21,7 @@ #define AVCODEC_VERSION_H #define LIBAVCODEC_VERSION_MAJOR 53 -#define LIBAVCODEC_VERSION_MINOR 34 +#define LIBAVCODEC_VERSION_MINOR 35 #define LIBAVCODEC_VERSION_MICRO 0 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \ diff --git a/libavformat/utils.c b/libavformat/utils.c index 22ee13b51f..3733a50409 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2137,7 +2137,7 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **option AVFrame picture; AVPacket pkt = *avpkt; - if(!st->codec->codec){ + if (!avcodec_is_open(st->codec)) { AVDictionary *thread_opt = NULL; codec = avcodec_find_decoder(st->codec->codec_id); 
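Review bot: In the avcodec_open2() hunk of libavcodec/utils.c, "if (avcodec_is_open(avctx)) return 0;" reports success for a context that is already open, so the codec and options passed to the second call are silently ignored and the caller cannot tell. Returning an error here (the function already returns AVERROR(EINVAL) for bad extradata just below) or at least logging would keep a double open visible; if the silent success is intended, the avcodec_open2() documentation should say so. Also, avcodec_is_open() dereferences s unconditionally in "return !!s->internal;", and the new doc comment in avcodec.h does not state that s must be non-NULL.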
@@ -2487,8 +2487,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) // close codecs which were opened in try_decode_frame() for(i=0;inb_streams;i++) { st = ic->streams[i]; - if(st->codec->codec) - avcodec_close(st->codec); + avcodec_close(st->codec); } for(i=0;inb_streams;i++) { st = ic->streams[i]; From bafd38a352126385ec0dcea51017229373b1c2f3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 29 Jan 2012 12:17:30 +0100 Subject: [PATCH 009/991] lavc: make avcodec_close() work properly on unopened codecs. I.e. free the priv_data and other stuff allocated in avcodec_alloc_context3() and not segfault. (cherry picked from commit 0e72ad95f9fef6a6b8ae55e47339a5c40526502f) --- libavcodec/avcodec.h | 12 +++++++++++- libavcodec/utils.c | 19 +++++++++++-------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 6db34fa78e..95e14d7c2d 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -3912,7 +3912,8 @@ AVCodecContext *avcodec_alloc_context2(enum AVMediaType); /** * Allocate an AVCodecContext and set its fields to default values. The - * resulting struct can be deallocated by simply calling av_free(). + * resulting struct can be deallocated by calling avcodec_close() on it followed + * by av_free(). * * @param codec if non-NULL, allocate private data and initialize defaults * for the given codec. It is illegal to then call avcodec_open2() 
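Review bot: The avcodec_alloc_context3() doc hunk changes the documented way to free a context from a plain av_free() to avcodec_close() followed by av_free(), but the diffstat touches only avcodec.h and utils.c: there is no doc/APIchanges entry and no version bump, unlike the avcodec_is_open() patch just before it. Callers written against the old sentence will keep calling av_free() alone, so please add the APIchanges note and state in this comment what remains allocated if avcodec_close() is skipped.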
@@ -4343,6 +4344,15 @@ int avcodec_encode_video(AVCodecContext *avctx, uint8_t *buf, int buf_size, int avcodec_encode_subtitle(AVCodecContext *avctx, uint8_t *buf, int buf_size, const AVSubtitle *sub); +/** + * Close a given AVCodecContext and free all the data associated with it + * (but not the AVCodecContext itself). + * + * Calling this function on an AVCodecContext that hasn't been opened will free + * the codec-specific data allocated in avcodec_alloc_context3() / + * avcodec_get_context_defaults3() with a non-NULL codec. Subsequent calls will + * do nothing. + */ int avcodec_close(AVCodecContext *avctx); /** diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b097c9b421..b2bd70246a 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1281,14 +1281,17 @@ av_cold int avcodec_close(AVCodecContext *avctx) return -1; } - if (HAVE_THREADS && avctx->thread_opaque) - ff_thread_free(avctx); - if (avctx->codec && avctx->codec->close) - avctx->codec->close(avctx); - avcodec_default_free_buffers(avctx); - avctx->coded_frame = NULL; - av_freep(&avctx->internal); - if (avctx->codec && avctx->codec->priv_class) + if (avcodec_is_open(avctx)) { + if (HAVE_THREADS && avctx->thread_opaque) + ff_thread_free(avctx); + if (avctx->codec && avctx->codec->close) + avctx->codec->close(avctx); + avcodec_default_free_buffers(avctx); + avctx->coded_frame = NULL; + av_freep(&avctx->internal); + } + + if (avctx->priv_data && avctx->codec && avctx->codec->priv_class) av_opt_free(avctx->priv_data); av_opt_free(avctx); av_freep(&avctx->priv_data); From 571a4cf273a84b6f7f38697b462e667d4f0fddc4 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Sat, 28 Jan 2012 19:15:15 +0100 Subject: [PATCH 010/991] lavc: set AVCodecContext.codec in avcodec_get_context_defaults3(). This way, if the AVCodecContext is allocated for a specific codec, the caller doesn't need to store this codec separately and then pass it again to avcodec_open2(). It also allows to set codec private options using av_opt_set_* before opening the codec. (cherry picked from commit bc901998487bf9b77a423961d9f961bcc28a9291) Signed-off-by: Reinhard Tartler --- libavcodec/avcodec.h | 5 +++++ libavcodec/options.c | 1 + libavcodec/utils.c | 17 ++++++++++++----- libavformat/utils.c | 8 +++++--- 4 files changed, 23 insertions(+), 8 deletions(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 95e14d7c2d..2451294c1b 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -4059,6 +4059,11 @@ int avcodec_open(AVCodecContext *avctx, AVCodec *codec); * @endcode * * @param avctx The context to initialize. + * @param codec The codec to open this context for. If a non-NULL codec has been + * previously passed to avcodec_alloc_context3() or + * avcodec_get_context_defaults3() for this context, then this + * parameter MUST be either NULL or equal to the previously passed + * codec. * @param options A dictionary filled with AVCodecContext and codec-private options. * On return this object will be filled with options that were not found. * diff --git a/libavcodec/options.c b/libavcodec/options.c index 7481f1a685..26f3ab3b11 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -561,6 +561,7 @@ int avcodec_get_context_defaults3(AVCodecContext *s, AVCodec *codec){ s->av_class = &av_codec_context_class; s->codec_type = codec ? codec->type : AVMEDIA_TYPE_UNKNOWN; + s->codec = codec; av_opt_set_defaults(s); s->time_base = (AVRational){0,1}; diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b2bd70246a..5109bf8b31 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -640,6 +640,18 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD if (avcodec_is_open(avctx)) return 0; + if ((!codec && !avctx->codec)) { + av_log(avctx, AV_LOG_ERROR, "No codec provided to avcodec_open2().\n"); + return AVERROR(EINVAL); + } + if ((codec && avctx->codec && codec != avctx->codec)) { + av_log(avctx, AV_LOG_ERROR, "This AVCodecContext was allocated for %s, " + "but %s passed to avcodec_open2().\n", avctx->codec->name, codec->name); + return AVERROR(EINVAL); + } + if (!codec) + codec = avctx->codec; + if (avctx->extradata_size < 0 || avctx->extradata_size >= FF_MAX_EXTRADATA_SIZE) return AVERROR(EINVAL); @@ -659,11 +671,6 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD goto end; } - if(avctx->codec || !codec) { - ret = AVERROR(EINVAL); - goto end; - } - avctx->internal = av_mallocz(sizeof(AVCodecInternal)); if (!avctx->internal) { ret = AVERROR(ENOMEM); diff --git a/libavformat/utils.c b/libavformat/utils.c index 3733a50409..f2d55028f9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2140,7 +2140,9 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **option if (!avcodec_is_open(st->codec)) { AVDictionary *thread_opt = NULL; - codec = avcodec_find_decoder(st->codec->codec_id); + codec = st->codec->codec ? st->codec->codec : + avcodec_find_decoder(st->codec->codec_id); + if (!codec) return -1; @@ -2306,8 +2308,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) st->parser->flags |= PARSER_FLAG_COMPLETE_FRAMES; } } - assert(!st->codec->codec); - codec = avcodec_find_decoder(st->codec->codec_id); + codec = st->codec->codec ? st->codec->codec : + avcodec_find_decoder(st->codec->codec_id); /* force thread count to 1 since the h264 decoder will not extract SPS * and PPS to extradata during multi-threaded decoding */ From e364f507183634a9134eea0e004c8ae448e54469 Mon Sep 17 00:00:00 2001 
From: Alex Converse Date: Wed, 25 Jan 2012 15:27:11 -0800 Subject: [PATCH 011/991] qdm2: Check data block size for bytes to bits overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 91c47a8ec2..6acb7d8362 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1819,6 +1819,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) extradata += 4; s->checksum_size = AV_RB32(extradata); + if (s->checksum_size >= 1U << 28) { + av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size); + return AVERROR_INVALIDDATA; + } s->fft_order = av_log2(s->fft_size) + 1; s->fft_frame_size = 2 * s->fft_size; // complex has two floats From fc89f15497c2b5b78a992c98eaba9fca7cc82f8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 26 Jan 2012 21:37:38 +0200 Subject: [PATCH 012/991] libavcodec: Don't crash in avcodec_encode_audio if time_base isn't set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Earlier, calling avcodec_encode_audio worked fine even if time_base wasn't set. Now it crashes due to trying to scale the output pts to the codec context time base. This affects e.g. VLC. If no time_base is set for audio codecs, set it to the sample rate. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9a7dc618c50902e7a171f2deda6430d52c277a95) Signed-off-by: Reinhard Tartler --- libavcodec/utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5109bf8b31..f64bff8ff6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
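Review bot: In the qdm2_decode_init() hunk of libavcodec/qdm2.c, the new limit "s->checksum_size >= 1U << 28" is a bare constant whose link to the bytes-to-bits conversion named in the subject is not visible at the check. A short comment, or writing the test as a comparison against INT_MAX / 8, would let the next reader verify the bound without reconstructing it. The hunk also caps only the upper end: a checksum_size of 0 still passes, so it is worth confirming that the code consuming it copes with an empty data block.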
@@ -744,6 +744,12 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD avctx->error_recognition, avctx->err_recognition); #endif + if (avctx->codec_type == AVMEDIA_TYPE_AUDIO && + (!avctx->time_base.num || !avctx->time_base.den)) { + avctx->time_base.num = 1; + avctx->time_base.den = avctx->sample_rate; + } + if (HAVE_THREADS && !avctx->thread_opaque) { ret = ff_thread_init(avctx); if (ret < 0) { From a2c8db1b792670f8987c0580bb71ca0f29708d8b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 7 Feb 2012 11:33:20 -0800 Subject: [PATCH 013/991] swscale: fix V plane memory location in bilinear/unscaled RGB/YUYV case. Fixes bug 221. CC: libav-stable@libav.org (cherry picked from commit b7542dd3d71d1ee873277020b6a8eab2674bb167) Signed-off-by: Reinhard Tartler --- libswscale/x86/swscale_template.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index e38f58b5d0..5db166b00a 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -688,10 +688,10 @@ static void RENAME(yuv2yuyv422_X)(SwsContext *c, const int16_t *lumFilter, "1: \n\t"\ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\ - "add "UV_OFF_PX"("#c"), "#index" \n\t" \ + "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\ - "sub "UV_OFF_PX"("#c"), "#index" \n\t" \ + "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "psubw %%mm3, %%mm2 \n\t" /* uvbuf0[eax] - uvbuf1[eax]*/\ "psubw %%mm4, %%mm5 \n\t" /* uvbuf0[eax+2048] - uvbuf1[eax+2048]*/\ "movq "CHR_MMX_FILTER_OFFSET"+8("#c"), %%mm0 \n\t"\ 
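Review bot: In the avcodec_open2() hunk of libavcodec/utils.c that defaults the audio time_base, "avctx->time_base.den = avctx->sample_rate;" is applied with no check of sample_rate in the visible lines, so a context whose sample_rate is still 0 (or negative) ends up with a zero or negative denominator, and the pts scaling that the commit message says crashes is reached with an invalid time base again. Suggest applying the default only when avctx->sample_rate > 0 and otherwise failing with AVERROR(EINVAL) or documenting what happens. The condition also overwrites a caller-supplied num when only den is 0 (and the reverse), which deserves a one-line comment.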
@@ -919,10 +919,10 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], "1: \n\t"\ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\ - "add "UV_OFF_PX"("#c"), "#index" \n\t" \ + "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\ - "sub "UV_OFF_PX"("#c"), "#index" \n\t" \ + "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "psubw %%mm3, %%mm2 \n\t" /* uvbuf0[eax] - uvbuf1[eax]*/\ "psubw %%mm4, %%mm5 \n\t" /* uvbuf0[eax+2048] - uvbuf1[eax+2048]*/\ "movq "CHR_MMX_FILTER_OFFSET"+8("#c"), %%mm0 \n\t"\ @@ -974,9 +974,9 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2], ".p2align 4 \n\t"\ "1: \n\t"\ "movq (%2, "#index"), %%mm3 \n\t" /* uvbuf0[eax]*/\ - "add "UV_OFF_PX"("#c"), "#index" \n\t" \ + "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "movq (%2, "#index"), %%mm4 \n\t" /* uvbuf0[eax+2048]*/\ - "sub "UV_OFF_PX"("#c"), "#index" \n\t" \ + "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "psraw $4, %%mm3 \n\t" /* uvbuf0[eax] - uvbuf1[eax] >>4*/\ "psraw $4, %%mm4 \n\t" /* uvbuf0[eax+2048] - uvbuf1[eax+2048] >>4*/\ "psubw "U_OFFSET"("#c"), %%mm3 \n\t" /* (U-128)8*/\ @@ -1027,10 +1027,10 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2], "1: \n\t"\ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\ - "add "UV_OFF_PX"("#c"), "#index" \n\t" \ + "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\ - "sub "UV_OFF_PX"("#c"), "#index" \n\t" \ + "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "paddw %%mm2, %%mm3 \n\t" /* uvbuf0[eax] + uvbuf1[eax]*/\ "paddw %%mm5, %%mm4 \n\t" /* uvbuf0[eax+2048] + uvbuf1[eax+2048]*/\ "psrlw $5, %%mm3 \n\t" /*FIXME might overflow*/\ 
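Review bot: In the chroma-load lines of these macros in libswscale/x86/swscale_template.c, the add/sub now use UV_OFF_BYTE, but the comments on the neighbouring movq lines still read uvbuf0[eax+2048] and uvbuf1[eax+2048], which describes a fixed offset rather than the per-context offset the code adds. Please update those comments in the same patch. The diffstat lists only swscale_template.c, so UV_OFF_BYTE has to be defined elsewhere already; a sentence in the commit message on why the byte offset, and not UV_OFF_PX, is the right unit for an index used in (%2, index) addressing would help, since the subject only says the V plane location was wrong.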
@@ -1294,9 +1294,9 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, ".p2align 4 \n\t"\ "1: \n\t"\ "movq (%2, "#index"), %%mm3 \n\t" /* uvbuf0[eax]*/\ - "add "UV_OFF_PX"("#c"), "#index" \n\t" \ + "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "movq (%2, "#index"), %%mm4 \n\t" /* uvbuf0[eax+2048]*/\ - "sub "UV_OFF_PX"("#c"), "#index" \n\t" \ + "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "psraw $7, %%mm3 \n\t" \ "psraw $7, %%mm4 \n\t" \ "movq (%0, "#index", 2), %%mm1 \n\t" /*buf0[eax]*/\ @@ -1312,10 +1312,10 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "1: \n\t"\ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\ - "add "UV_OFF_PX"("#c"), "#index" \n\t" \ + "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\ - "sub "UV_OFF_PX"("#c"), "#index" \n\t" \ + "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \ "paddw %%mm2, %%mm3 \n\t" /* uvbuf0[eax] + uvbuf1[eax]*/\ "paddw %%mm5, %%mm4 \n\t" /* uvbuf0[eax+2048] + uvbuf1[eax+2048]*/\ "psrlw $8, %%mm3 \n\t" \ From 4c7879775e81ccca8f0f1d2a7b70524ee47b16ca Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 9 Feb 2012 22:57:01 -0800 Subject: [PATCH 014/991] h264: disallow constrained intra prediction modes for luma. Conversion of the luma intra prediction mode to one of the constrained ("alzheimer") ones can happen by crafting special bitstreams, causing a crash because we'll call a NULL function pointer for 16x16 block intra prediction, since constrained intra prediction functions are only implemented for chroma (8x8 blocks). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113) 
Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 4 ++-- libavcodec/h264.h | 2 +- libavcodec/h264_cabac.c | 4 ++-- libavcodec/h264_cavlc.c | 4 ++-- libavcodec/svq3.c | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 581848be16..e92acbd7a8 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -105,7 +105,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){ * Check if the top & left blocks are available if needed and * change the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ +int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){ MpegEncContext * const s = &h->s; static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1}; static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8}; @@ -125,7 +125,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){ if((h->left_samples_available&0x8080) != 0x8080){ mode= left[ mode ]; - if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred + if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8); } if(mode<0){ diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 50255389fa..8680f5fdbd 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -657,7 +657,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h); /** * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks. */ -int ff_h264_check_intra_pred_mode(H264Context *h, int mode); +int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma); void ff_h264_hl_decode_mb(H264Context *h); int ff_h264_frame_start(H264Context *h); diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index a49ac6d498..75fb02cb63 100644 
--- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2040,14 +2040,14 @@ decode_intra_mb: write_back_intra_pred_mode(h); if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1; } else { - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode ); + h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 ); if( h->intra16x16_pred_mode < 0 ) return -1; } if(decode_chroma){ h->chroma_pred_mode_table[mb_xy] = pred_mode = decode_cabac_mb_chroma_pre_mode( h ); - pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode ); + pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 ); if( pred_mode < 0 ) return -1; h->chroma_pred_mode= pred_mode; } else { diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index db74602f66..da9e1cb70c 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -822,12 +822,12 @@ decode_intra_mb: if( ff_h264_check_intra4x4_pred_mode(h) < 0) return -1; }else{ - h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode); + h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0); if(h->intra16x16_pred_mode < 0) return -1; } if(decode_chroma){ - pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb)); + pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1); if(pred_mode < 0) return -1; h->chroma_pred_mode= pred_mode; diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 3cd95ba594..5cc57a745d 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3*(dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){ + if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){ av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); return -1; } 
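Review bot: In the svq3.c hunk at -612, the return value of `ff_h264_check_intra_pred_mode(h, dir, 0)` is still compared with `== -1`, while the h264_cabac.c and h264_cavlc.c call sites changed by this same patch test `< 0`. Use `< 0` here as well so that any negative return is rejected before the mode is used to pick a prediction function. The bare `0`/`1` passed for `is_chroma` is easy to swap at a call site, so the doc comment in h264.h should also say what the new argument means.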
@@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) s->current_picture.f.mb_type[mb_xy] = mb_type; if (IS_INTRA(mb_type)) { - h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8); + h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1); } return 0; From 697a45d861b7cd6a96718383a44f41348487f844 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 00:10:27 +0100 Subject: [PATCH 015/991] ws_snd1: Fix wrong samples count and crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc) Addresses CVE-2012-0848 Reviewed-by: Justin Ruggles Signed-off-by: Reinhard Tartler --- libavcodec/ws-snd1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index b2d086e073..15eb6f895a 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -112,8 +112,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, void *data, /* make sure we don't write past the output buffer */ switch (code) { - case 0: smp = 4; break; - case 1: smp = 2; break; + case 0: smp = 4*(count+1); break; + case 1: smp = 2*(count+1); break; case 2: smp = (count & 0x20) ? 1 : count + 1; break; default: smp = count + 1; break; } From f43b6e2b1ed47a1254a5d44c700a7fad5e9784be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Dec 2011 03:18:58 +0100 Subject: [PATCH 016/991] atrac3: Fix crash in tonal component decoding. Add a check to avoid writing past the end of the channel_unit.components[] array. Bug Found by: cosminamironesei Fixes CVE-2012-0853 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5) Signed-off-by: Reinhard Tartler --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 6dec6a3abe..107c6ffeb0 100644 
--- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -402,6 +402,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent for (k=0; k= 64) + return AVERROR_INVALIDDATA; pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); max_coded_values = SAMPLES_PER_FRAME - pComponent[component_count].pos; coded_values = coded_values_per_component + 1; From 6fc3287b9ccece290c5881b92948772bbf72e68c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2011 12:28:50 +0100 Subject: [PATCH 017/991] shorten: Use separate pointers for the allocated memory for decoded samples. Fixes invalid free() if any of the buffers are not allocated due to either not decoding a header or an error prior to allocating all buffers. Fixes CVE-2012-0858 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index eb67df7bea..83777fb934 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -86,6 +86,7 @@ typedef struct ShortenContext { int channels; int32_t *decoded[MAX_CHANNELS]; + int32_t *decoded_base[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; int *coeffs; uint8_t *bitstream; 
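Review bot: In the ShortenContext hunk of shorten.c, the new `decoded_base[]` member is added without a comment, and nothing in the struct says that it owns the av_realloc() allocation while `decoded[]` is only a view offset by `nwrap` into it. A one-line comment on each member would keep a later change from passing `decoded[]` to av_realloc() or av_freep() again, which is the invalid free this patch removes.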
@@ -140,13 +141,14 @@ static int allocate_buffers(ShortenContext *s) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; - tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) * + sizeof(s->decoded_base[0][0])); if (!tmp_ptr) return AVERROR(ENOMEM); - s->decoded[chan] = tmp_ptr; + s->decoded_base[chan] = tmp_ptr; for (i=0; inwrap; i++) - s->decoded[chan][i] = 0; - s->decoded[chan] += s->nwrap; + s->decoded_base[chan][i] = 0; + s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); @@ -615,8 +617,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) int i; for (i = 0; i < s->channels; i++) { - s->decoded[i] -= s->nwrap; - av_freep(&s->decoded[i]); + s->decoded[i] = NULL; + av_freep(&s->decoded_base[i]); av_freep(&s->offset[i]); } av_freep(&s->bitstream); From e1f2a6a32b86fef0916338e21851c9b4f499f706 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 14 Feb 2012 11:50:57 -0800 Subject: [PATCH 018/991] golomb: avoid infinite loop on all-zero input (or end of buffer). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c6643fddba73560f26f90d327c84d8832222a720) Signed-off-by: Reinhard Tartler --- libavcodec/golomb.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 503aa1416a..e19064c642 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -123,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){ }else{ int ret = 1; - while (1) { + do { buf >>= 32 - 8; LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8)); 
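Review bot: In the golomb.h change to svq3_get_ue_golomb(), the new `do { ... } while (ret);` terminates only when `ret` becomes 0, and `ret` is a signed `int` that starts at 1 and is updated with `ret = (ret << 4) | ...`. It reaches 0 only after the leading 1 has been shifted out of the top of the int, which is undefined behaviour for a signed type in C. Bound the loop on the bits left in the reader or on an explicit iteration count instead, or at least make `ret` unsigned.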
@@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){ ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf]; UPDATE_CACHE(re, gb); buf = GET_CACHE(re, gb); - } + } while (ret); CLOSE_READER(re, gb); return ret - 1; From 25b4ed053f0e4c48b4b4afdcf84306bbd7752314 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 12:09:33 -0800 Subject: [PATCH 019/991] get_bits: add HAVE_BITS_REMAINING macro. (cherry picked from commit b44b41633f110e9d938165e0f79c9d32191fc135) Signed-off-by: Reinhard Tartler --- libavcodec/get_bits.h | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 1668600b2d..ee47441899 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -120,10 +120,23 @@ for examples see get_bits, show_bits, skip_bits, get_vlc # define MIN_CACHE_BITS 25 #endif +#if UNCHECKED_BITSTREAM_READER #define OPEN_READER(name, gb) \ unsigned int name##_index = (gb)->index; \ unsigned int av_unused name##_cache = 0 +#define HAVE_BITS_REMAINING(name, gb) 1 +#else +#define OPEN_READER(name, gb) \ + unsigned int name##_index = (gb)->index; \ + unsigned int av_unused name##_cache = 0; \ + unsigned int av_unused name##_size_plus8 = \ + (gb)->size_in_bits_plus8 + +#define HAVE_BITS_REMAINING(name, gb) \ + name##_index < name##_size_plus8 +#endif + #define CLOSE_READER(name, gb) (gb)->index = name##_index #ifdef BITSTREAM_READER_LE @@ -156,7 +169,7 @@ for examples see get_bits, show_bits, skip_bits, get_vlc # define SKIP_COUNTER(name, gb, num) name##_index += (num) #else # define SKIP_COUNTER(name, gb, num) \ - name##_index = FFMIN((gb)->size_in_bits_plus8, name##_index + (num)) + name##_index = FFMIN(name##_size_plus8, name##_index + (num)) #endif #define SKIP_BITS(name, gb, num) do { \ From e43bd4fa58b8e72eedad9a1c160b12bf8915d45e Mon Sep 17 00:00:00 2001 
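Review bot: In the get_bits.h hunk, the checked variant of `HAVE_BITS_REMAINING(name, gb)` expands to the bare expression `name##_index < name##_size_plus8` with no surrounding parentheses. A caller that writes `!HAVE_BITS_REMAINING(re, gb)` or combines the macro with another operator would get the wrong precedence. Wrap the expansion in parentheses. A short comment stating that the macro is only valid between OPEN_READER and CLOSE_READER would help too, since it depends on the `name##_size_plus8` local that OPEN_READER declares.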
From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:54:37 -0800 Subject: [PATCH 020/991] golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 46b3fbc30b7aaf7fdd52391734cfd6d93af8720a) Signed-off-by: Reinhard Tartler --- libavcodec/golomb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index e19064c642..0deab87a36 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){ ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf]; UPDATE_CACHE(re, gb); buf = GET_CACHE(re, gb); - } while (ret); + } while (HAVE_BITS_REMAINING(re, gb)); CLOSE_READER(re, gb); return ret - 1; From 6dcbbdc0116a50370d66f0f20d74a70d56568382 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 15 Feb 2012 09:52:11 -0800 Subject: [PATCH 021/991] flac: fix infinite loops on all-zero input or end-of-stream. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 52e4018be47697a60f4f18f83551766df31f5adf) Signed-off-by: Reinhard Tartler --- libavcodec/flacdec.c | 9 +++++++++ libavcodec/golomb.h | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 58eb66def9..440a55d3e9 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
@@ -422,7 +422,16 @@ static inline int decode_subframe(FLACContext *s, int channel) type = get_bits(&s->gb, 6); if (get_bits1(&s->gb)) { + int left = get_bits_left(&s->gb); wasted = 1; + if ( left < 0 || + (left < s->curr_bps && !show_bits_long(&s->gb, left)) || + !show_bits_long(&s->gb, s->curr_bps)) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid number of wasted bits > available bits (%d) - left=%d\n", + s->curr_bps, left); + return AVERROR_INVALIDDATA; + } while (!get_bits1(&s->gb)) wasted++; s->curr_bps -= wasted; diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 0deab87a36..1712540fd3 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int return buf; }else{ int i; - for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){ + for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) { LAST_SKIP_BITS(re, gb, 1); UPDATE_CACHE(re, gb); } From ba418ad4005a2cc2f18cdfa089d0bcd55225b30e Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Tue, 24 Jan 2012 21:50:50 +0100 Subject: [PATCH 022/991] rv20: prevent calling ff_h263_decode_mba() with unset height/width Prevents a crash of VLC during playback of a invalid matroska file, found by John Villamil . CC: libav-stable@libav.org (cherry picked from commit c3e10ae4127c998b809066926a410f40ebd47593) Signed-off-by: Anton Khirnov --- libavcodec/rv10.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 1d78c92c46..ccc09443ec 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -362,7 +362,8 @@ static int rv20_decode_picture_header(MpegEncContext *s) if(s->avctx->debug & FF_DEBUG_PICT_INFO){ av_log(s->avctx, AV_LOG_DEBUG, "F %d/%d\n", f, rpr_bits); } - } + } else if (av_image_check_size(s->width, s->height, 0, s->avctx) < 0) + return AVERROR_INVALIDDATA; mb_pos = ff_h263_decode_mba(s); From ad0ee682b3cf663eb319020086f64da11d17dd82 Mon Sep 17 00:00:00 2001 
From: Alex Converse Date: Tue, 24 Jan 2012 18:43:43 -0800 Subject: [PATCH 023/991] wma: Clip WMA1 and WMA2 frame length to 11 bits. The MDCT buffers in the decoder are only sized for up to 11 bits. The reverse engineered documentation for WMA1/2 headers say that that for all samplerates above 32kHz 11 bits are used. 12 and 13 bit support were added for WMAPro. I was unable to make any Microsoft tools generate a test file at a samplerate above 48kHz. Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3) Signed-off-by: Anton Khirnov --- libavcodec/wma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index 4cdffcd101..d82fde7b18 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -85,7 +85,7 @@ int av_cold ff_wma_get_frame_len_bits(int sample_rate, int version, } else if (sample_rate <= 22050 || (sample_rate <= 32000 && version == 1)) { frame_len_bits = 10; - } else if (sample_rate <= 48000) { + } else if (sample_rate <= 48000 || version < 3) { frame_len_bits = 11; } else if (sample_rate <= 96000) { frame_len_bits = 12; From 683213230e6978302109253a48610a6b069ea43d Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 22 Feb 2012 11:05:42 -0800 Subject: [PATCH 024/991] aac: fix infinite loop on end-of-frame with sequence of 1-bits. Based-on-work-by: Ronald S. Bultje Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792) Signed-off-by: Anton Khirnov --- libavcodec/aacdec.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index ca1a876436..2b9b45c9e8 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
@@ -807,19 +807,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); return -1; } - while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1) + do { + sect_len_incr = get_bits(gb, bits); sect_end += sect_len_incr; - sect_end += sect_len_incr; - if (get_bits_left(gb) < 0) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; - } - if (sect_end > ics->max_sfb) { - av_log(ac->avctx, AV_LOG_ERROR, - "Number of bands (%d) exceeds limit (%d).\n", - sect_end, ics->max_sfb); - return -1; - } + if (get_bits_left(gb) < 0) { + av_log(ac->avctx, AV_LOG_ERROR, overread_err); + return -1; + } + if (sect_end > ics->max_sfb) { + av_log(ac->avctx, AV_LOG_ERROR, + "Number of bands (%d) exceeds limit (%d).\n", + sect_end, ics->max_sfb); + return -1; + } + } while (sect_len_incr == (1 << bits) - 1); for (; k < sect_end; k++) { band_type [idx] = sect_band_type; band_type_run_end[idx++] = sect_end; From be0b3137d02e2e19bd470f2de888bdeb281b0214 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 14:34:21 -0800 Subject: [PATCH 025/991] matroskadec: Pad AAC extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2) Signed-off-by: Anton Khirnov --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e5fbd43266..5b919449f5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1440,7 +1440,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap) } else if (codec_id == CODEC_ID_AAC && !track->codec_priv.size) { int profile = matroska_aac_profile(track->codec_id); int sri = matroska_aac_sri(track->audio.samplerate); - extradata = av_malloc(5); + extradata = av_mallocz(5 + FF_INPUT_BUFFER_PADDING_SIZE); if (extradata == NULL) return AVERROR(ENOMEM); extradata[0] = (profile << 3) | ((sri&0x0E) >> 1); From 183e0eb5b9a8780b9879bd78b20ad9156d756a01 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 24 Feb 2012 16:12:18 -0800 Subject: [PATCH 026/991] matroska: don't overwrite string values until read/alloc was succesful. This prevents certain tags with a default value assigned to them (as per the EBML syntax elements) from ever being assigned a NULL value. Other parts of the code rely on these being non-NULL (i.e. they don't check for NULL before e.g. using the string in strcmp() or similar), and thus in effect this prevents crashes when reading of such specific tags fails, either because of low memory or because of targeted file corruption. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98) Signed-off-by: Anton Khirnov --- libavformat/matroskadec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5b919449f5..1987b5095f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -639,16 +639,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num) */ static int ebml_read_ascii(AVIOContext *pb, int size, char **str) { - av_free(*str); + char *res; + /* EBML strings are usually not 0-terminated, so we allocate one * byte more, read the string and NULL-terminate it ourselves. */ - if (!(*str = av_malloc(size + 1))) + if (!(res = av_malloc(size + 1))) return AVERROR(ENOMEM); - if (avio_read(pb, (uint8_t *) *str, size) != size) { - av_freep(str); + if (avio_read(pb, (uint8_t *) res, size) != size) { + av_free(res); return AVERROR(EIO); } - (*str)[size] = '\0'; + (res)[size] = '\0'; + av_free(*str); + *str = res; return 0; } From d16653c3d437ff7843c111d9fffa3e8c3e186db7 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 18 Jan 2012 10:59:32 +0100 Subject: [PATCH 027/991] lavf: prevent infinite loops while flushing in avformat_find_stream_info If no data was seen for a stream decoder are returning 0 when fed with empty packets for flushing. We can stop flushing when the decoder does not return delayed delayed frames anymore. Changes try_decode_frame() return value to got_picture or negative error. CC: libav-stable@libav.org (cherry picked from commit b3461c29c1aee7d62eeb02a59d46593c60362679) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index f2d55028f9..e6b4f40cf3 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2130,6 +2130,7 @@ static int has_decode_delay_been_guessed(AVStream *st) st->info->nb_decoded_frames >= 6; } +/* returns 1 or 0 if or if not decoded data was returned, or a negative error */ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **options) { AVCodec *codec; 
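Review bot: In the utils.c hunk at -2130, the new comment above try_decode_frame(), "returns 1 or 0 if or if not decoded data was returned, or a negative error", is hard to parse, and it is the only statement of the changed return contract. Suggest "returns 1 if decoded data was returned, 0 if it was not, or a negative error code". The flush loop in avformat_find_stream_info() now relies on exactly that distinction through `err > 0`.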
@@ -2179,6 +2180,7 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **option st->info->nb_decoded_frames++; pkt.data += ret; pkt.size -= ret; + ret = got_picture; } } return ret; @@ -2403,16 +2405,20 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) st = ic->streams[i]; /* flush the decoders */ - while ((err = try_decode_frame(st, &empty_pkt, - (options && i < orig_nb_streams) ? - &options[i] : NULL)) >= 0) - if (has_codec_parameters(st->codec)) - break; + do { + err = try_decode_frame(st, &empty_pkt, + (options && i < orig_nb_streams) ? + &options[i] : NULL); + } while (err > 0 && !has_codec_parameters(st->codec)); - if (!has_codec_parameters(st->codec)){ + if (err < 0) { + av_log(ic, AV_LOG_WARNING, + "decoding for stream %d failed\n", st->index); + } else if (!has_codec_parameters(st->codec)){ char buf[256]; avcodec_string(buf, sizeof(buf), st->codec, 0); - av_log(ic, AV_LOG_WARNING, "Could not find codec parameters (%s)\n", buf); + av_log(ic, AV_LOG_WARNING, + "Could not find codec parameters (%s)\n", buf); } else { ret = 0; } From 04597e25952d399a350062c1824587c230cdd5b4 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 16:12:42 -0800 Subject: [PATCH 028/991] smacker: Sanity check huffman tables found in the headers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 0c7c40560f..4714fa0346 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c 
@@ -128,12 +128,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref */ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx) { + if (hc->current + 1 >= hc->length) { + av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); + return -1; + } if(!get_bits1(gb)){ //Leaf int val, i1, i2, b1, b2; - if(hc->current >= hc->length){ - av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); - return -1; - } b1 = get_bits_count(gb); i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; @@ -157,7 +157,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx hc->values[hc->current++] = val; return 1; } else { //Node - int r = 0, t; + int r = 0, r_new, t; t = hc->current++; r = smacker_decode_bigtree(gb, hc, ctx); @@ -165,8 +165,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return r; hc->values[t] = SMK_NODE | r; r++; - r += smacker_decode_bigtree(gb, hc, ctx); - return r; + r_new = smacker_decode_bigtree(gb, hc, ctx); + if (r_new < 0) + return r_new; + return r + r_new; } } @@ -181,6 +183,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int VLC vlc[2]; int escapes[3]; DBCtx ctx; + int err = 0; if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow av_log(smk->avctx, AV_LOG_ERROR, "size too large\n"); @@ -254,7 +257,8 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int huff.current = 0; huff.values = av_mallocz(huff.length * sizeof(int)); - smacker_decode_bigtree(gb, &huff, &ctx); + if (smacker_decode_bigtree(gb, &huff, &ctx) < 0) + err = -1; skip_bits1(gb); if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; 
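Review bot: In the smacker_decode_header_tree() hunk at -254, a failed smacker_decode_bigtree() only sets `err = -1` and execution continues, so the `ctx.last[0] = huff.current++` and `ctx.last[1] = huff.current++` lines still advance the index of a tree that has just failed its size check. Jump to the cleanup code as soon as the call fails instead of carrying `err` to the end. The `av_mallocz(huff.length * sizeof(int))` result on the context line above is also passed to smacker_decode_bigtree() without a NULL check.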
@@ -273,7 +277,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int av_free(tmp2.lengths); av_free(tmp2.values); - return 0; + return err; } static int decode_header_trees(SmackVContext *smk) { From d19e3e19d67b50cb5614ead2e0f125678e1c257d Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 25 Jan 2012 15:49:54 +0100 Subject: [PATCH 029/991] vc1: prevent null pointer dereference on broken files CC: libav-stable@libav.org (cherry picked from commit 510ef04a461b3b54a762c6141ad880cbed85981f) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index fa952739bb..0425a87e41 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5708,7 +5708,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (!v->field_mode || v->second_field) s->end_mb_y = (i == n_slices ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height); else - s->end_mb_y = (i == n_slices1 + 1) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height); + s->end_mb_y = (i <= n_slices1 + 1) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height); vc1_decode_blocks(v); if (i != n_slices) s->gb = slices[i].gb; From 7046ae55932f8fae83269871847cea9fd84c23f5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 10 Feb 2012 10:51:43 -0800 Subject: [PATCH 030/991] tta: error out if samplerate is zero. Prevents a division by zero later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7416d610362807848236ceff1bc6740dbc82842d) Signed-off-by: Anton Khirnov --- libavcodec/tta.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 4656ce12e6..c8daff278c 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c 
@@ -224,6 +224,9 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) if (s->channels == 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of channels\n"); return AVERROR_INVALIDDATA; + } else if (avctx->sample_rate == 0) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid samplerate\n"); + return AVERROR_INVALIDDATA; } switch(s->bps) { From b68470707bf2e010136c6debd25051afdf198466 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 11 Feb 2012 08:42:28 -0800 Subject: [PATCH 031/991] swscale: enforce a minimum filtersize. At very small dimensions, this calculation could lead to zero-sized filters, which leads to uninitialized output, zero-sized allocations, loop overflows in SIMD that uses do{..}while(i++ --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index b49f924244..9d72196e42 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -263,7 +263,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi if (xInc <= 1<<16) filterSize= 1 + sizeFactor; // upscale else filterSize= 1 + (sizeFactor*srcW + dstW - 1)/ dstW; - if (filterSize > srcW-2) filterSize=srcW-2; + filterSize = av_clip(filterSize, 1, srcW - 2); FF_ALLOC_OR_GOTO(NULL, filter, dstW*sizeof(*filter)*filterSize, fail); From cd9bdc639588067732b53bb47a01f7b9b902b9ef Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 16:46:31 -0800 Subject: [PATCH 032/991] swscale: fix overflows in filterPos[] calculation for large sizes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 19a65b5be47944c607a9e979edb098924d95f2e4) Signed-off-by: Anton Khirnov --- libswscale/utils.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 9d72196e42..2d7029e2f1 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
@@ -244,7 +244,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi xDstInSrc+= xInc; } } else { - int xDstInSrc; + int64_t xDstInSrc; int sizeFactor; if (flags&SWS_BICUBIC) sizeFactor= 4; @@ -809,8 +809,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) if (!dstFilter) dstFilter= &dummyFilter; if (!srcFilter) srcFilter= &dummyFilter; - c->lumXInc= ((srcW<<16) + (dstW>>1))/dstW; - c->lumYInc= ((srcH<<16) + (dstH>>1))/dstH; + c->lumXInc= (((int64_t)srcW<<16) + (dstW>>1))/dstW; + c->lumYInc= (((int64_t)srcH<<16) + (dstH>>1))/dstH; c->dstFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[dstFormat]); c->srcFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[srcFormat]); c->vRounder= 4* 0x0001000100010001ULL; @@ -896,8 +896,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) else c->canMMX2BeUsed=0; - c->chrXInc= ((c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW; - c->chrYInc= ((c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH; + c->chrXInc= (((int64_t)c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW; + c->chrYInc= (((int64_t)c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH; // match pixel 0 of the src to pixel 0 of dst and match pixel n-2 of src to pixel n-2 of dst // but only for the FAST_BILINEAR mode otherwise do correct scaling @@ -912,8 +912,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) } //we don't use the x86 asm scaler if MMX is available else if (HAVE_MMX && cpu_flags & AV_CPU_FLAG_MMX) { - c->lumXInc = ((srcW-2)<<16)/(dstW-2) - 20; - c->chrXInc = ((c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20; + c->lumXInc = ((int64_t)(srcW-2)<<16)/(dstW-2) - 20; + c->chrXInc = ((int64_t)(c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20; } } From 0c60d5c59fe05de80fc45e097c61b6f5487431de Mon Sep 17 00:00:00 2001 
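Review bot: In the sws_init_context() hunks of libswscale/utils.c, the `(int64_t)` casts widen only the intermediate `<<16` and the division; the quotient is then stored in `c->lumXInc`, `c->lumYInc`, `c->chrXInc` and `c->chrYInc`, whose types these hunks do not show. If those members are plain `int`, a large source dimension with a very small destination can still truncate on assignment, so either widen the members or reject such ratios before this point. The MMX branch also divides by `dstW-2` and `c->chrDstW-2`, and nothing in the visible lines guarantees that these are non-zero.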
From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 16:48:38 -0800 Subject: [PATCH 033/991] swscale: take first/lastline over/underflows into account for MMX. Fixes crashes for extremely large resizes (several 100-fold). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017) Signed-off-by: Anton Khirnov --- libswscale/x86/swscale_mmx.c | 38 ++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libswscale/x86/swscale_mmx.c b/libswscale/x86/swscale_mmx.c index 867a9f1244..0853e12c41 100644 --- a/libswscale/x86/swscale_mmx.c +++ b/libswscale/x86/swscale_mmx.c 
@@ -132,6 +132,44 @@ void updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrBufI const int16_t **chrUSrcPtr= (const int16_t **) chrUPixBuf + chrBufIndex + firstChrSrcY - lastInChrBuf + vChrBufSize; const int16_t **alpSrcPtr= (CONFIG_SWSCALE_ALPHA && alpPixBuf) ? (const int16_t **) alpPixBuf + lumBufIndex + firstLumSrcY - lastInLumBuf + vLumBufSize : NULL; int i; + + if (firstLumSrcY < 0 || firstLumSrcY + vLumFilterSize > c->srcH) { + const int16_t **tmpY = (const int16_t **) lumPixBuf + 2 * vLumBufSize; + int neg = -firstLumSrcY, i, end = FFMIN(c->srcH - firstLumSrcY, vLumFilterSize); + for (i = 0; i < neg; i++) + tmpY[i] = lumSrcPtr[neg]; + for ( ; i < end; i++) + tmpY[i] = lumSrcPtr[i]; + for ( ; i < vLumFilterSize; i++) + tmpY[i] = tmpY[i-1]; + lumSrcPtr = tmpY; + + if (alpSrcPtr) { + const int16_t **tmpA = (const int16_t **) alpPixBuf + 2 * vLumBufSize; + for (i = 0; i < neg; i++) + tmpA[i] = alpSrcPtr[neg]; + for ( ; i < end; i++) + tmpA[i] = alpSrcPtr[i]; + for ( ; i < vLumFilterSize; i++) + tmpA[i] = tmpA[i - 1]; + alpSrcPtr = tmpA; + } + } + if (firstChrSrcY < 0 || firstChrSrcY + vChrFilterSize > c->chrSrcH) { + const int16_t **tmpU = (const int16_t **) chrUPixBuf + 2 * vChrBufSize; + int neg = -firstChrSrcY, i, end = FFMIN(c->chrSrcH - firstChrSrcY, vChrFilterSize); + for (i = 0; i < neg; i++) { + tmpU[i] = chrUSrcPtr[neg]; + } + for ( ; i < end; i++) { + tmpU[i] = chrUSrcPtr[i]; + } + for ( ; i < vChrFilterSize; i++) { + tmpU[i] = tmpU[i - 1]; + } + chrUSrcPtr = tmpU; + } + if (flags & SWS_ACCURATE_RND) { int s= APCK_SIZE / 8; for (i=0; i Date: Tue, 14 Feb 2012 12:40:19 -0800 Subject: [PATCH 034/991] vc1: prevent using last_frame as a reference for I/P first frame. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ae591aeea58d64399b8281be31dacec0de85ae04) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 0425a87e41..3869d92518 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -478,7 +478,10 @@ static void vc1_mc_1mv(VC1Context *v, int dir) int dxy, mx, my, uvmx, uvmy, src_x, src_y, uvsrc_x, uvsrc_y; int off, off_uv; int v_edge_pos = s->v_edge_pos >> v->field_mode; - if (!v->field_mode && !v->s.last_picture.f.data[0]) + + if ((!v->field_mode || + (v->ref_field_type[dir] == 1 && v->cur_field_type == 1)) && + !v->s.last_picture.f.data[0]) return; mx = s->mv[dir][0][0]; @@ -690,7 +693,9 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir) int fieldmv = (v->fcm == ILACE_FRAME) ? v->blk_mv_type[s->block_index[n]] : 0; int v_edge_pos = s->v_edge_pos >> v->field_mode; - if (!v->field_mode && !v->s.last_picture.f.data[0]) + if ((!v->field_mode || + (v->ref_field_type[dir] == 1 && v->cur_field_type == 1)) && + !v->s.last_picture.f.data[0]) return; mx = s->mv[dir][n][0]; @@ -946,6 +951,8 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir) if (dominant) chroma_ref_type = !v->cur_field_type; } + if (v->field_mode && chroma_ref_type == 1 && v->cur_field_type == 1 && !v->s.last_picture.f.data[0]) + return; s->current_picture.f.motion_val[1][s->block_index[0] + v->blocks_off][0] = tx; s->current_picture.f.motion_val[1][s->block_index[0] + v->blocks_off][1] = ty; uvmx = (tx + ((tx & 3) == 3)) >> 1; From cfd7d166e2ae68302329c059afa7c4778a70e9b5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:10:33 -0800 Subject: [PATCH 035/991] cook: prevent div-by-zero if channels is zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a) Signed-off-by: Anton Khirnov --- libavcodec/cook.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index d2ed819b83..dc4c2ab170 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c 
@@ -1078,6 +1078,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->sample_rate = avctx->sample_rate; q->nb_channels = avctx->channels; q->bit_rate = avctx->bit_rate; + if (!q->nb_channels) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR_INVALIDDATA; + } /* Initialize RNG. */ av_lfg_init(&q->random_state, 0); From 5ab9294a8db5b3a796871e403b1a779a413a494c Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:28:26 -0800 Subject: [PATCH 036/991] als: prevent infinite loop in zero_remaining(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index dc4961c9ba..26496bf0f1 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1011,7 +1011,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max, { unsigned int count = 0; - while (b < b_max) + for (; b < b_max; b++) count += div_blocks[b]; if (count) From 27558bd87e7e67b83ddefb9176f1729c2291c7a0 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 15:00:47 -0800 Subject: [PATCH 037/991] huffyuv: error out on bit overrun. On EOF, get_bits() will continuously return 0, causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd) Signed-off-by: Anton Khirnov --- libavcodec/huffyuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index 57b5f32fc8..efa87de802 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c 
@@ -184,7 +184,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){ if(repeat==0) repeat= get_bits(gb, 8); //printf("%d %d\n", val, repeat); - if(i+repeat > 256) { + if(i+repeat > 256 || get_bits_left(gb) < 0) { av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n"); return -1; } From 95a9d44dc3121a93c68087dddd7b9b49d34bf930 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 15:20:27 -0800 Subject: [PATCH 038/991] mp3on4: require a minimum framesize. If bufsize < headersize, init_get_bits() will be called with a negative number, causing it to fail and any subsequent call to get_bits() will crash because it reads from a NULL pointer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3e13005cac6e076053276b515f5fcf59a3f4b65d) Signed-off-by: Anton Khirnov --- libavcodec/mpegaudiodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index a83b1621fd..860c0c3d73 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1921,6 +1921,10 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, m = s->mp3decctx[fr]; assert(m != NULL); + if (fsize < HEADER_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Frame size smaller than header size\n"); + return AVERROR_INVALIDDATA; + } header = (AV_RB32(buf) & 0x000fffff) | s->syncword; // patch header if (ff_mpa_check_header(header) < 0) // Bad header, discard block From 5c365dc9792a6a91637498e2ee1fdcb90c9c7640 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 15:51:27 -0800 Subject: [PATCH 039/991] aiff: don't skip block_align==0 check on COMM-after-SSND files. This prevents SIGFPEs when using block_align for divisions. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 32a659c758bf2ddd8ad48f18c06fa77444341286) 
Signed-off-by: Anton Khirnov --- libavformat/aiffdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 0e69d02c8c..88e1e68bfe 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -264,12 +264,12 @@ static int aiff_read_header(AVFormatContext *s, } } +got_sound: if (!st->codec->block_align) { - av_log(s, AV_LOG_ERROR, "could not find COMM tag\n"); + av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } -got_sound: /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); st->start_time = 0; From f947e965beb858b67ab6e49f9e24e8d12d9b5a7d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:21:18 -0800 Subject: [PATCH 040/991] asf: prevent packet_size_left from going negative if hdrlen > pktlen. This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0) Signed-off-by: Anton Khirnov --- libavformat/asfdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 91d285e8b5..eb93f14ecf 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -789,6 +789,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb) asf->packet_segments = 1; asf->packet_segsizetype = 0x80; } + if (rsize > packet_length - padsize) { + asf->packet_size_left = 0; + av_log(s, AV_LOG_ERROR, + "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n", + rsize, packet_length, padsize, avio_tell(pb)); + return -1; + } asf->packet_size_left = packet_length - padsize - rsize; if (packet_length < asf->hdr.min_pktsize) padsize += asf->hdr.min_pktsize - packet_length; 
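Review bot: The new rejection path in ff_asf_get_packet() ends in `return -1;`, while the other input-validation fixes in this series (cook, mp3on4, wma) return AVERROR_INVALIDDATA. Returning AVERROR_INVALIDDATA here as well would let callers tell corrupt input apart from other failures. The log text "invalid packet header length %d for pktlen %d-%d" is also hard to read in a bug report; naming the two values (packet length and padding size) would make it self-explanatory.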
From bba43a1ea07392f14c508aeff2ee13a4cfc425b5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 16:27:36 -0800 Subject: [PATCH 041/991] mjpegb: don't return 0 at the end of frame decoding. Return 0 indicates "please return the same data again", i.e. it causes an infinite loop. Instead, return that we consumed the buffer if we finished decoding successfully, or return an error if an error occurred. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a) Signed-off-by: Anton Khirnov --- libavcodec/mjpegbdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 4ad17ab3ce..9f71f508ae 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -66,7 +66,7 @@ read_header: if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) { av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n"); - return 0; + return AVERROR_INVALIDDATA; } field_size = get_bits_long(&hgb, 32); /* field size */ @@ -146,7 +146,7 @@ read_header: picture->quality*= FF_QP2LAMBDA; } - return buf_ptr - buf; + return buf_size; } AVCodec ff_mjpegb_decoder = { From fe710f2074a711b5b07b76fe9ecf11b4068b32ef Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 16:57:00 -0800 Subject: [PATCH 042/991] wma: don't return 0 on invalid packets. Return 0 means "please return the same data again", i.e. it causes an infinite loop. Instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9d3050d3e95e307ebc34a943484c7add838d1220) Signed-off-by: Anton Khirnov --- libavcodec/wmadec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 5600f9ba90..afc0658eac 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c 
@@ -817,8 +817,12 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data, s->last_superframe_len = 0; return 0; } - if (buf_size < s->block_align) - return 0; + if (buf_size < s->block_align) { + av_log(avctx, AV_LOG_ERROR, + "Input packet size too small (%d < %d)\n", + buf_size, s->block_align); + return AVERROR_INVALIDDATA; + } buf_size = s->block_align; init_get_bits(&s->gb, buf, buf_size*8); From 8011a29fa8875aa4de54199bdfcd4e5331d532dd Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 14:18:22 -0800 Subject: [PATCH 043/991] vc1parse: call vc1_init_common(). The parser uses VLC tables initialized in vc1_common_init(), therefore we should call this function on parser init also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce) Conflicts: libavcodec/vc1.h Signed-off-by: Anton Khirnov --- libavcodec/vc1.h | 1 + libavcodec/vc1_parser.c | 2 +- libavcodec/vc1dec.c | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1.h b/libavcodec/vc1.h index 6096077660..5ce0cb53cb 100644 --- a/libavcodec/vc1.h +++ b/libavcodec/vc1.h @@ -447,5 +447,6 @@ int vc1_decode_entry_point(AVCodecContext *avctx, VC1Context *v, GetBitContext * int vc1_parse_frame_header (VC1Context *v, GetBitContext *gb); int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext *gb); +int ff_vc1_init_common(VC1Context *v); #endif /* AVCODEC_VC1_H */ diff --git a/libavcodec/vc1_parser.c b/libavcodec/vc1_parser.c index 0cc5ea0fa8..cdea0d7a80 100644 --- a/libavcodec/vc1_parser.c +++ b/libavcodec/vc1_parser.c @@ -188,7 +188,7 @@ static int vc1_parse_init(AVCodecParserContext *s) { VC1ParseContext *vpc = s->priv_data; vpc->v.s.slice_context_count = 1; - return 0; + return ff_vc1_init_common(&vpc->v); } AVCodecParser ff_vc1_parser = { diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3869d92518..3e84464135 100644 
--- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -67,7 +67,7 @@ static const int offset_table2[9] = { 0, 1, 3, 7, 15, 31, 63, 127, 255 }; * @param v The VC1Context to initialize * @return Status */ -static int vc1_init_common(VC1Context *v) +int ff_vc1_init_common(VC1Context *v) { static int done = 0; int i = 0; @@ -5273,7 +5273,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) avctx->idct_algo = FF_IDCT_WMV2; } - if (vc1_init_common(v) < 0) + if (ff_vc1_init_common(v) < 0) return -1; ff_vc1dsp_init(&v->vc1dsp); From 62beae313a4f91e8ff4e8dc0b2ec78baaa804b32 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Tue, 21 Feb 2012 16:34:08 +0100 Subject: [PATCH 044/991] avplay: fix -threads option The AVOptions based default to threads auto in 2473a45c8 works only if avplay does not use custom option handling for -threads. CC: (cherry picked from commit e48a70e6da02cd5426b6340af70410bdfe27dfa7) Signed-off-by: Anton Khirnov --- avplay.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/avplay.c b/avplay.c index 432afc11b3..57fb864ea8 100644 --- a/avplay.c +++ b/avplay.c @@ -242,7 +242,6 @@ static int64_t duration = AV_NOPTS_VALUE; static int debug = 0; static int debug_mv = 0; static int step = 0; -static int thread_count = 1; static int workaround_bugs = 1; static int fast = 0; static int genpts = 0; @@ -2189,7 +2188,6 @@ static int stream_component_open(VideoState *is, int stream_index) avctx->skip_loop_filter = skip_loop_filter; avctx->error_recognition = error_recognition; avctx->error_concealment = error_concealment; - avctx->thread_count = thread_count; if (lowres) avctx->flags |= CODEC_FLAG_EMU_EDGE; if (fast) avctx->flags2 |= CODEC_FLAG2_FAST; 
@@ -2954,15 +2952,6 @@ static int opt_vismv(const char *opt, const char *arg) return 0; } -static int opt_thread_count(const char *opt, const char *arg) -{ - thread_count = parse_number_or_die(opt, arg, OPT_INT64, 0, INT_MAX); -#if !HAVE_THREADS - fprintf(stderr, "Warning: not compiled with thread support, using thread emulation\n"); -#endif - return 0; -} - static const OptionDef options[] = { #include "cmdutils_common_opts.h" { "x", HAS_ARG, { (void*)opt_width }, "force displayed width", "width" }, @@ -2995,7 +2984,6 @@ static const OptionDef options[] = { { "er", OPT_INT | HAS_ARG | OPT_EXPERT, { (void*)&error_recognition }, "set error detection threshold (0-4)", "threshold" }, { "ec", OPT_INT | HAS_ARG | OPT_EXPERT, { (void*)&error_concealment }, "set error concealment options", "bit_mask" }, { "sync", HAS_ARG | OPT_EXPERT, { (void*)opt_sync }, "set audio-video sync. type (type=audio/video/ext)", "type" }, - { "threads", HAS_ARG | OPT_EXPERT, { (void*)opt_thread_count }, "thread count", "count" }, { "autoexit", OPT_BOOL | OPT_EXPERT, { (void*)&autoexit }, "exit at the end", "" }, { "exitonkeydown", OPT_BOOL | OPT_EXPERT, { (void*)&exit_on_keydown }, "exit on key down", "" }, { "exitonmousedown", OPT_BOOL | OPT_EXPERT, { (void*)&exit_on_mousedown }, "exit on mouse down", "" }, From 0312969b9ea7fa7027bca665bfded88690c4caa0 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 21 Feb 2012 10:36:27 -0800 Subject: [PATCH 045/991] rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1. We read sub_packet_h / 2 packets per line of data (during deinterleaving), which equals zero if sub_packet_h <= 1, thus causing us to not read any data, leading to an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e30b3e59a4f3004337cb1623b2aac988ce52b93f) Signed-off-by: Anton Khirnov --- libavformat/rmdec.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 75e4833c4c..3d922530e5 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -265,6 +265,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, switch (ast->deint_id) { case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || + sub_packet_h <= 1 || ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; break; From 8e3dc37bc01950915dcdab473fc2694fc3670a54 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 12:19:52 -0800 Subject: [PATCH 046/991] truemotion2: error out if the huffman tree has no nodes. This prevents crashers and errors further down when reading nodes in the empty tree. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb) Signed-off-by: Anton Khirnov --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4045342ffa..29d2e4d057 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -132,7 +132,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) huff.val_bits, huff.max_bits); return -1; } - if((huff.nodes < 0) || (huff.nodes > 0x10000)) { + if((huff.nodes <= 0) || (huff.nodes > 0x10000)) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of Huffman tree nodes: %i\n", huff.nodes); return -1; } From 4f48417fe768a2d0d1852489463530a9a889fe76 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 11:53:27 -0800 Subject: [PATCH 047/991] swf: check return values for av_get/new_packet(). Prevents crashers when using the packet if allocation failed. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854) 
Signed-off-by: Anton Khirnov --- libavformat/swfdec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 1fc301b696..6966176a34 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -84,7 +84,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) SWFContext *swf = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst = NULL, *ast = NULL, *st = 0; - int tag, len, i, frame, v; + int tag, len, i, frame, v, res; for(;;) { uint64_t pos = avio_tell(pb); @@ -150,7 +150,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) st = s->streams[i]; if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) { frame = avio_rl16(pb); - av_get_packet(pb, pkt, len-2); + if ((res = av_get_packet(pb, pkt, len-2)) < 0) + return res; pkt->pos = pos; pkt->pts = frame; pkt->stream_index = st->index; @@ -163,9 +164,11 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) { if (st->codec->codec_id == CODEC_ID_MP3) { avio_skip(pb, 4); - av_get_packet(pb, pkt, len-4); + if ((res = av_get_packet(pb, pkt, len-4)) < 0) + return res; } else { // ADPCM, PCM - av_get_packet(pb, pkt, len); + if ((res = av_get_packet(pb, pkt, len)) < 0) + return res; } pkt->pos = pos; pkt->stream_index = st->index; @@ -190,7 +193,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) st = vst; } avio_rl16(pb); /* BITMAP_ID */ - av_new_packet(pkt, len-2); + if ((res = av_new_packet(pkt, len-2)) < 0) + return res; avio_read(pb, pkt->data, 4); if (AV_RB32(pkt->data) == 0xffd8ffd9 || AV_RB32(pkt->data) == 0xffd9ffd8) { From 424b6edd1944cf02261109edb5913417cf8e5dfb Mon Sep 17 00:00:00 2001 
From: Alex Converse Date: Thu, 23 Feb 2012 10:47:50 -0800 Subject: [PATCH 048/991] tiff: Prevent overreads in the type_sizes array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06) Signed-off-by: Anton Khirnov --- libavcodec/tiff.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index a88d0f988b..6810f81b35 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * count = tget_long(&buf, s->le); off = tget_long(&buf, s->le); + if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) { + av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type); + return 0; + } + if(count == 1){ switch(type){ case TIFF_BYTE: @@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * value = -1; buf = start + off; } - }else if(type_sizes[type] * count <= 4){ - buf -= 4; - }else{ - buf = start + off; + } else { + if (count <= 4 && type_sizes[type] * count <= 4) { + buf -= 4; + } else { + buf = start + off; + } } if(buf && (buf < start || buf > end_buf)){ From bf6d1a1ca792e4207e5d9b71c5020befb2296ae3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 12:22:40 -0800 Subject: [PATCH 049/991] mjpeg: abort decoding if packet is too large. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ab492ca2ab105aeb24d955f3f03756bdb3139ee1) Signed-off-by: Anton Khirnov --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 2ae502ddeb..49d334bb7e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -1466,6 +1466,10 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size, /* EOF */ if (start_code < 0) { goto the_end; + } else if (unescaped_buf_size > (1U<<29)) { + av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n", + start_code, unescaped_buf_ptr, buf_size); + return AVERROR_INVALIDDATA; } else { av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n", start_code, buf_end - buf_ptr); From 19f4943d12968a6dfb7c2915da191489dc614b87 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 16:09:36 -0800 Subject: [PATCH 050/991] lcl: error out if uncompressed input buffer is smaller than framesize. This prevents crashes when trying to read beyond the end of the buffer while decoding frame data. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea) Signed-off-by: Anton Khirnov --- libavcodec/lcldec.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index b66a3ce65b..5b18418169 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac len = mszh_dlen; } break; - case COMP_MSZH_NOCOMP: + case COMP_MSZH_NOCOMP: { + int bppx2; + switch (c->imgtype) { + case IMGTYPE_YUV111: + case IMGTYPE_RGB24: + bppx2 = 6; + break; + case IMGTYPE_YUV422: + case IMGTYPE_YUV211: + bppx2 = 4; + break; + case IMGTYPE_YUV411: + case IMGTYPE_YUV420: + bppx2 = 3; + break; + default: + bppx2 = 0; // will error out below + break; + } + if (len < ((width * height * bppx2) >> 1)) + return AVERROR_INVALIDDATA; break; + } default: av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n"); return -1; From e537dc230b2e123be8aebdaeee5a7d7787328b0b Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Thu, 29 Dec 2011 09:07:32 -0800 Subject: [PATCH 051/991] kgv1: use avctx->get/release_buffer(). Also fixes crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06) Signed-off-by: Anton Khirnov --- libavcodec/kgv1dec.c | 64 +++++++++++++++++++++++++++----------------- 1 file changed, 39 insertions(+), 25 deletions(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 2d6fa73fc2..4526bf9658 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -30,10 +30,17 @@ typedef struct { AVCodecContext *avctx; - AVFrame pic; - uint16_t *prev, *cur; + AVFrame prev, cur; } KgvContext; +static void decode_flush(AVCodecContext *avctx) +{ + KgvContext * const c = avctx->priv_data; + + if (c->prev.data[0]) + avctx->release_buffer(avctx, &c->prev); +} + static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; @@ -42,7 +49,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac int offsets[7]; uint16_t *out, *prev; int outcnt = 0, maxcnt; - int w, h, i; + int w, h, i, res; if (avpkt->size < 2) return -1; @@ -59,15 +66,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac maxcnt = w * h; - out = av_realloc(c->cur, w * h * 2); - if (!out) - return -1; - c->cur = out; - - prev = av_realloc(c->prev, w * h * 2); - if (!prev) - return -1; - c->prev = prev; + c->cur.reference = 3; + if ((res = avctx->get_buffer(avctx, &c->cur)) < 0) + return res; + out = (uint16_t *) c->cur.data[0]; + if (c->prev.data[0]) { + prev = (uint16_t *) c->prev.data[0]; + } else { + prev = NULL; + } for (i = 0; i < 7; i++) offsets[i] = -1; 
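Review bot: After `out = (uint16_t *) c->cur.data[0];` the frame comes from avctx->get_buffer(), but the decoder still treats it as one packed run of `maxcnt = w * h` pixels, and nothing in this hunk checks that c->cur.linesize[0] equals w * 2. The code being replaced set `c->pic.linesize[0] = w * 2` on its own allocation, so the packed layout held by construction; with a buffer supplied through get_buffer() the stride can be larger than the row width, and linear writes through out[] would then land in the wrong rows. Suggest checking the linesize right after get_buffer() and returning an error on mismatch, or mapping outcnt to a row and column using the linesize. The same applies to the reads through prev.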
@@ -80,6 +87,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac out[outcnt++] = code; // rgb555 pixel coded directly } else { int count; + int inp_off; uint16_t *inp; if ((code & 0x6000) == 0x6000) { @@ -101,7 +109,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if (maxcnt - start < count) break; - inp = prev + start; + if (!prev) { + av_log(avctx, AV_LOG_ERROR, + "Frame reference does not exist\n"); + break; + } + + inp = prev; + inp_off = start; } else { // copy from earlier in this frame int offset = (code & 0x1FFF) + 1; @@ -119,27 +134,28 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if (outcnt < offset) break; - inp = out + outcnt - offset; + inp = out; + inp_off = outcnt - offset; } if (maxcnt - outcnt < count) break; - for (i = 0; i < count; i++) + for (i = inp_off; i < count + inp_off; i++) { out[outcnt++] = inp[i]; + } } } if (outcnt - maxcnt) av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt); - c->pic.data[0] = (uint8_t *)c->cur; - c->pic.linesize[0] = w * 2; - *data_size = sizeof(AVFrame); - *(AVFrame*)data = c->pic; + *(AVFrame*)data = c->cur; - FFSWAP(uint16_t *, c->cur, c->prev); + if (c->prev.data[0]) + avctx->release_buffer(avctx, &c->prev); + FFSWAP(AVFrame, c->cur, c->prev); return avpkt->size; } @@ -150,17 +166,14 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = PIX_FMT_RGB555; + avctx->flags |= CODEC_FLAG_EMU_EDGE; return 0; } static av_cold int decode_end(AVCodecContext *avctx) { - KgvContext * const c = avctx->priv_data; - - av_freep(&c->cur); - av_freep(&c->prev); - + decode_flush(avctx); return 0; } @@ -172,5 +185,6 @@ AVCodec ff_kgv1_decoder = { .init = decode_init, .close = decode_end, .decode = decode_frame, + .flush = decode_flush, .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"), }; From a0473085f3e2300908b1bf7ecf2ed7177eef0d4f Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Fri, 24 Feb 2012 16:27:53 -0800 Subject: [PATCH 052/991] kgv1: release reference picture on size change. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe) Signed-off-by: Anton Khirnov --- libavcodec/kgv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 4526bf9658..c4c3dac016 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -61,8 +61,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac if (av_image_check_size(w, h, 0, avctx)) return -1; - if (w != avctx->width || h != avctx->height) + if (w != avctx->width || h != avctx->height) { + if (c->prev.data[0]) + avctx->release_buffer(avctx, &c->prev); avcodec_set_dimensions(avctx, w, h); + } maxcnt = w * h; From 0d30e2c6f28dc0ae1bcb9bb40b26aedb5b5ce731 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 24 Feb 2012 14:11:04 -0800 Subject: [PATCH 053/991] fraps: release reference buffer on pix_fmt change. Prevents crash when trying to copy from a non-existing plane in e.g. a RGB32 reference image to a YUV420P target image Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a) Signed-off-by: Anton Khirnov --- libavcodec/fraps.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index 1444eda979..d887cde0fc 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -138,7 +138,7 @@ static int decode_frame(AVCodecContext *avctx, uint32_t *luma1,*luma2,*cb,*cr; uint32_t offs[4]; int i, j, is_chroma, planes; - + enum PixelFormat pix_fmt; header = AV_RL32(buf); version = header & 0xff; 
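Review bot: Style point on the declaration block of decode_frame() in fraps.c: the added `enum PixelFormat pix_fmt;` takes the place of the blank line that separated the declarations from `header = AV_RL32(buf);`, so the first statement now runs straight on from the declarations. Keep a blank line after the new declaration.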
@@ -155,12 +155,16 @@ static int decode_frame(AVCodecContext *avctx, if (header_size == 8) buf+=4; + pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P; + if (avctx->pix_fmt != pix_fmt && f->data[0]) { + avctx->release_buffer(avctx, f); + } + avctx->pix_fmt = pix_fmt; + switch(version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ - avctx->pix_fmt = PIX_FMT_YUVJ420P; - if ( (buf_size != avctx->width*avctx->height*3/2+header_size) && (buf_size != header_size) ) { av_log(avctx, AV_LOG_ERROR, @@ -208,8 +212,6 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ - avctx->pix_fmt = PIX_FMT_BGR24; - if ( (buf_size != avctx->width*avctx->height*3+header_size) && (buf_size != header_size) ) { av_log(avctx, AV_LOG_ERROR, @@ -244,7 +246,6 @@ static int decode_frame(AVCodecContext *avctx, * Fraps v2 is Huffman-coded YUV420 planes * Fraps v4 is virtually the same */ - avctx->pix_fmt = PIX_FMT_YUVJ420P; planes = 3; f->reference = 1; f->buffer_hints = FF_BUFFER_HINTS_VALID | @@ -287,7 +288,6 @@ static int decode_frame(AVCodecContext *avctx, case 3: case 5: /* Virtually the same as version 4, but is for RGB24 */ - avctx->pix_fmt = PIX_FMT_BGR24; planes = 3; f->reference = 1; f->buffer_hints = FF_BUFFER_HINTS_VALID | From abe35728786d79cd8230dffe41205b28ad6b7678 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 22 Feb 2012 11:33:24 -0800 Subject: [PATCH 054/991] rm: prevent infinite loops for index parsing. Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d) Signed-off-by: Reinhard Tartler --- libavformat/rmdec.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) 
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 3d922530e5..405162e8ca 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -370,8 +370,19 @@ static int rm_read_index(AVFormatContext *s) st = s->streams[n]; break; } - if (n == s->nb_streams) + if (n == s->nb_streams) { + av_log(s, AV_LOG_ERROR, + "Invalid stream index %d for index at pos %"PRId64"\n", + str_id, avio_tell(pb)); goto skip; + } else if ((avio_size(pb) - avio_tell(pb)) / 14 < n_pkts) { + av_log(s, AV_LOG_ERROR, + "Nr. of packets in packet index for stream index %d " + "exceeds filesize (%"PRId64" at %"PRId64" = %d)\n", + str_id, avio_size(pb), avio_tell(pb), + (avio_size(pb) - avio_tell(pb)) / 14); + goto skip; + } for (n = 0; n < n_pkts; n++) { avio_skip(pb, 2); @@ -383,9 +394,12 @@ static int rm_read_index(AVFormatContext *s) } skip: - if (next_off && avio_tell(pb) != next_off && - avio_seek(pb, next_off, SEEK_SET) < 0) + if (next_off && avio_tell(pb) < next_off && + avio_seek(pb, next_off, SEEK_SET) < 0) { + av_log(s, AV_LOG_ERROR, + "Non-linear index detected, not supported\n"); return -1; + } } while (next_off); return 0; From 0f839cff6bf4569393cd0594f0f300af1c488723 Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Sun, 26 Feb 2012 10:50:45 +0100 Subject: [PATCH 055/991] Fix parser not to clobber has_b_frames when extradata is set. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Because in contrast to the decoder, the parser does not setup low_delay. The code in parse_nal_units would always end up setting has_b_frames to "1", except when stream is explicitly marked as low delay. Since the parser itself would create 'extradata', simply reopening the parser would cause this. This happens for instance in estimate_timings_from_pts(), which causes the parser to be reopened on the same stream. This fixes Libav #22 and FFmpeg (trac) #360 CC: libav-stable@libav.org Based on a patch by Reimar Döffinger (commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7) Comments and description adapted by Reinhard Tartler. Signed-off-by: Reinhard Tartler (cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645) Signed-off-by: Reinhard Tartler --- libavcodec/h264_parser.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index bcaa04a115..48215c5ada 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -251,6 +251,13 @@ static int h264_parse(AVCodecParserContext *s, h->got_first = 1; if (avctx->extradata_size) { h->s.avctx = avctx; + // must be done like in the decoder. + // otherwise opening the parser, creating extradata, + // and then closing and opening again + // will cause has_b_frames to be always set. + // NB: estimate_timings_from_pts behaves exactly like this. + if (!avctx->has_b_frames) + h->s.low_delay = 1; ff_h264_decode_extradata(h); } } From 2510e1476e9a8bfcca0fe4e85a1380482aed0ab3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 10 Jan 2012 17:01:26 -0800 Subject: [PATCH 056/991] vorbis: fix overflows in floor1[] vector and inverse db table index. (cherry picked from commit 24947d4988012f1f0fd467c83418615adc11c3e8) 
Signed-off-by: Reinhard Tartler --- libavcodec/vorbis.c | 19 +++++++++---------- libavcodec/vorbisdec.c | 10 +++++----- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 0b26870421..52ded8b0a8 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } -static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, +static inline void render_line_unrolled(intptr_t x, int y, int x1, intptr_t sy, int ady, int adx, float *buf) { @@ -164,30 +164,30 @@ static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, if (err >= 0) { err += ady - adx; y += sy; - buf[x++] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x++] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } - buf[x] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } if (x <= 0) { if (err + ady >= 0) y += sy; - buf[x] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } } -static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) +static void render_line(int x0, int y0, int x1, int y1, float *buf) { int dy = y1 - y0; int adx = x1 - x0; int ady = FFABS(dy); int sy = dy < 0 ? -1 : 1; - buf[x0] = ff_vorbis_floor1_inverse_db_table[y0]; + buf[x0] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y0)]; if (ady*2 <= adx) { // optimized common case render_line_unrolled(x0, y0, x1, sy, ady, adx, buf); } else { int base = dy / adx; int x = x0; - uint8_t y = y0; + int y = y0; int err = -adx; ady -= FFABS(base) * adx; while (++x < x1) { @@ -197,7 +197,7 @@ static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) err -= adx; y += sy; } - buf[x] = ff_vorbis_floor1_inverse_db_table[y]; + buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]; } } } 
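Review bot: In render_line(), `buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];` clips on every sample inside the loop, yet as written y only steps from y0 toward y1, so clipping the two endpoints once on entry should keep every intermediate index in range and take the clip out of the inner loop. Moving y from uint8_t to int also turns the previous wraparound into saturation for out-of-range values; a short comment stating that saturation is the intended result for corrupt floor data would help, since the commit message does not say which behaviour is wanted.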
@@ -206,8 +206,7 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint16_t *y_list, int *flag, int multiplier, float *out, int samples) { - int lx, i; - uint8_t ly; + int lx, ly, i; lx = 0; ly = y_list[0] * multiplier; for (i = 1; i < values; i++) { diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index bb69fed254..22a2cf7e8a 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1244,20 +1244,20 @@ static int vorbis_floor1_decode(vorbis_context *vc, floor1_flag[i] = 1; if (val >= room) { if (highroom > lowroom) { - floor1_Y_final[i] = val - lowroom + predicted; + floor1_Y_final[i] = av_clip_uint16(val - lowroom + predicted); } else { - floor1_Y_final[i] = predicted - val + highroom - 1; + floor1_Y_final[i] = av_clip_uint16(predicted - val + highroom - 1); } } else { if (val & 1) { - floor1_Y_final[i] = predicted - (val + 1) / 2; + floor1_Y_final[i] = av_clip_uint16(predicted - (val + 1) / 2); } else { - floor1_Y_final[i] = predicted + val / 2; + floor1_Y_final[i] = av_clip_uint16(predicted + val / 2); } } } else { floor1_flag[i] = 0; - floor1_Y_final[i] = predicted; + floor1_Y_final[i] = av_clip_uint16(predicted); } av_dlog(NULL, " Decoded floor(%d) = %u / val %u\n", From 9dbd437da2bafbec540e38cb51bc7ce2b0101ee5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 10:22:28 -0800 Subject: [PATCH 057/991] Indeo3: fix crashes on corrupt bitstreams. Splits at borders of cells are invalid, since it leaves one of the cells with a width/height of zero. Also, propagate errors on buffer allocation failures, so we don't continue decoding (which crashes). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index d2b01f469a..55b4ec7a7a 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -724,6 +724,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, SPLIT_CELL(ref_cell->height, curr_cell.height); ref_cell->ypos += curr_cell.height; ref_cell->height -= curr_cell.height; + if (ref_cell->height <= 0 || curr_cell.height <= 0) + return AVERROR_INVALIDDATA; } else if (code == V_SPLIT) { if (curr_cell.width > strip_width) { /* split strip */ @@ -732,6 +734,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, SPLIT_CELL(ref_cell->width, curr_cell.width); ref_cell->xpos += curr_cell.width; ref_cell->width -= curr_cell.width; + if (ref_cell->width <= 0 || curr_cell.width <= 0) + return AVERROR_INVALIDDATA; } while (1) { /* loop until return */ @@ -887,13 +891,16 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (width != ctx->width || height != ctx->height) { + int res; + av_dlog(avctx, "Frame dimensions changed!\n"); ctx->width = width; ctx->height = height; free_frame_buffers(ctx); - allocate_frame_buffers(ctx, avctx); + if ((res = allocate_frame_buffers(ctx, avctx)) < 0) + return res; avcodec_set_dimensions(avctx, width, height); } From 71a939fee47d8b59ba1258b481322d16378e556f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 11:35:36 -0800 Subject: [PATCH 058/991] oma: don't read beyond end of leaf_table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 934cd18a43151ba4b819d9270d539cdb26f6e079) Signed-off-by: Reinhard Tartler --- libavformat/omadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 0beed7165d..cc37397010 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
@@ -231,7 +231,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) rprobe(s, gdata, oc->r_val) < 0 && nprobe(s, gdata, oc->n_val) < 0) { int i; - for (i = 0; i < sizeof(leaf_table); i += 2) { + for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) { uint8_t buf[16]; AV_WL64(buf, leaf_table[i]); AV_WL64(&buf[8], leaf_table[i+1]); From 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 13:39:24 -0800 Subject: [PATCH 059/991] mjpegbdec: Fix overflow in SOS. Based in part by a fix from Michael Niedermayer Fixes CVE-2011-3947 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegbdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 9f71f508ae..10c5addca0 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -59,6 +59,9 @@ read_header: s->restart_count = 0; s->mjpb_skiptosod = 0; + if (buf_end - buf_ptr >= 1 << 28) + return AVERROR_INVALIDDATA; + init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8); skip_bits(&hgb, 32); /* reserved zeros */ @@ -111,8 +114,8 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs); if (sos_offs) { -// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8); - init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8); + init_get_bits(&s->gb, buf_ptr + sos_offs, + 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; if (ff_mjpeg_decode_sos(s, NULL, NULL) < 0 && From a1556d37b85328fda3c4010bc2f49e1a93273128 Mon Sep 17 00:00:00 2001 
From: Paul B Mahol Date: Sun, 29 Jan 2012 20:09:22 +0000 Subject: [PATCH 060/991] avutil: make intfloat api public The functions are already av_ prefixed and intfloat header is already provided. Install libavutil/intfloat.h Signed-off-by: Paul B Mahol Signed-off-by: Anton Khirnov (cherry picked from commit 8b933129b932f523a746e921a0a20b8dd8816971) Conflicts: doc/APIchanges Signed-off-by: Anton Khirnov --- doc/APIchanges | 4 ++++ libavutil/Makefile | 1 + libavutil/avutil.h | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index 1e326cac3f..b2ee01bd4b 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,6 +13,10 @@ libavutil: 2011-04-18 API changes, most recent first: +2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h + Add a new installed header libavutil/intfloat.h with int/float punning + functions. + 2012-02-17 - xxxxxxx - lavc 53.35.0 Add avcodec_is_open() function. diff --git a/libavutil/Makefile b/libavutil/Makefile index 6896846081..4bbe2575bb 100644 --- a/libavutil/Makefile +++ b/libavutil/Makefile @@ -17,6 +17,7 @@ HEADERS = adler32.h \ fifo.h \ file.h \ imgutils.h \ + intfloat.h \ intfloat_readwrite.h \ intreadwrite.h \ lfg.h \ diff --git a/libavutil/avutil.h b/libavutil/avutil.h index f0be5c110a..0e62b4a13f 100644 --- a/libavutil/avutil.h +++ b/libavutil/avutil.h @@ -154,7 +154,7 @@ */ #define LIBAVUTIL_VERSION_MAJOR 51 -#define LIBAVUTIL_VERSION_MINOR 21 +#define LIBAVUTIL_VERSION_MINOR 22 #define LIBAVUTIL_VERSION_MICRO 0 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ From 2ad77c60ef862baa2afcdcb7e6f43dedabab38ef Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 27 Jan 2012 13:33:09 +0100 Subject: [PATCH 061/991] lavf: add functions for accessing the fourcc<->CodecID mapping tables. Fixes bug 212. (cherry picked from commit dd6d3b0e025cb2a16022665dbb8ab1be18dc05e8) Conflicts: doc/APIchanges 
Signed-off-by: Anton Khirnov --- doc/APIchanges | 3 +++ libavformat/Makefile | 54 +++++++++++++++++++++--------------------- libavformat/avformat.h | 24 +++++++++++++++++++ libavformat/utils.c | 9 +++++++ libavformat/version.h | 2 +- 5 files changed, 64 insertions(+), 28 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index b2ee01bd4b..58186a082c 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,6 +13,9 @@ libavutil: 2011-04-18 API changes, most recent first: +2012-02-29 - xxxxxxx - lavf 53.21.0 + Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). + 2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h Add a new installed header libavutil/intfloat.h with int/float punning functions. diff --git a/libavformat/Makefile b/libavformat/Makefile index 2a2a946104..c850bf4493 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -10,6 +10,7 @@ OBJS = allformats.o \ metadata.o \ options.o \ os_support.o \ + riff.o \ sdp.o \ seek.o \ utils.o \ @@ -25,8 +26,8 @@ OBJS-$(CONFIG_ADX_DEMUXER) += adxdec.o OBJS-$(CONFIG_ADX_MUXER) += rawenc.o OBJS-$(CONFIG_ADTS_MUXER) += adtsenc.o OBJS-$(CONFIG_AEA_DEMUXER) += aea.o pcm.o -OBJS-$(CONFIG_AIFF_DEMUXER) += aiffdec.o riff.o pcm.o -OBJS-$(CONFIG_AIFF_MUXER) += aiffenc.o riff.o +OBJS-$(CONFIG_AIFF_DEMUXER) += aiffdec.o pcm.o +OBJS-$(CONFIG_AIFF_MUXER) += aiffenc.o OBJS-$(CONFIG_AMR_DEMUXER) += amr.o OBJS-$(CONFIG_AMR_MUXER) += amr.o OBJS-$(CONFIG_ANM_DEMUXER) += anm.o 
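Review bot: listing riff.o in the unconditional OBJS block at the top of libavformat/Makefile links the RIFF tag tables into every configuration, including builds with no RIFF-based muxer or demuxer enabled, and neither the commit message nor the Makefile says why. Since the accessors added to utils.c return ff_codec_bmp_tags and ff_codec_wav_tags and are always compiled, the dependency is real; state that in the commit message so the per-format riff.o removals in the following hunks are not later reverted piecemeal.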
@@ -34,14 +35,14 @@ OBJS-$(CONFIG_APC_DEMUXER) += apc.o OBJS-$(CONFIG_APE_DEMUXER) += ape.o apetag.o OBJS-$(CONFIG_APPLEHTTP_DEMUXER) += applehttp.o OBJS-$(CONFIG_ASF_DEMUXER) += asfdec.o asf.o asfcrypt.o \ - riff.o avlanguage.o -OBJS-$(CONFIG_ASF_MUXER) += asfenc.o asf.o riff.o + avlanguage.o +OBJS-$(CONFIG_ASF_MUXER) += asfenc.o asf.o OBJS-$(CONFIG_ASS_DEMUXER) += assdec.o OBJS-$(CONFIG_ASS_MUXER) += assenc.o OBJS-$(CONFIG_AU_DEMUXER) += au.o pcm.o OBJS-$(CONFIG_AU_MUXER) += au.o -OBJS-$(CONFIG_AVI_DEMUXER) += avidec.o riff.o -OBJS-$(CONFIG_AVI_MUXER) += avienc.o riff.o +OBJS-$(CONFIG_AVI_DEMUXER) += avidec.o +OBJS-$(CONFIG_AVI_MUXER) += avienc.o OBJS-$(CONFIG_AVISYNTH) += avisynth.o OBJS-$(CONFIG_AVM2_MUXER) += swfenc.o OBJS-$(CONFIG_AVS_DEMUXER) += avs.o vocdec.o voc.o @@ -51,7 +52,7 @@ OBJS-$(CONFIG_BINK_DEMUXER) += bink.o OBJS-$(CONFIG_BMV_DEMUXER) += bmv.o OBJS-$(CONFIG_C93_DEMUXER) += c93.o vocdec.o voc.o OBJS-$(CONFIG_CAF_DEMUXER) += cafdec.o caf.o mov.o mov_chan.o \ - riff.o isom.o + isom.o OBJS-$(CONFIG_CAVSVIDEO_DEMUXER) += cavsvideodec.o rawdec.o OBJS-$(CONFIG_CAVSVIDEO_MUXER) += rawenc.o OBJS-$(CONFIG_CDG_DEMUXER) += cdg.o @@ -68,7 +69,7 @@ OBJS-$(CONFIG_DTS_DEMUXER) += dtsdec.o rawdec.o OBJS-$(CONFIG_DTS_MUXER) += rawenc.o OBJS-$(CONFIG_DV_DEMUXER) += dv.o OBJS-$(CONFIG_DV_MUXER) += dvenc.o -OBJS-$(CONFIG_DXA_DEMUXER) += dxa.o riff.o +OBJS-$(CONFIG_DXA_DEMUXER) += dxa.o OBJS-$(CONFIG_EA_CDATA_DEMUXER) += eacdata.o OBJS-$(CONFIG_EA_DEMUXER) += electronicarts.o OBJS-$(CONFIG_EAC3_DEMUXER) += ac3dec.o rawdec.o @@ -112,7 +113,7 @@ OBJS-$(CONFIG_INGENIENT_DEMUXER) += ingenientdec.o rawdec.o OBJS-$(CONFIG_IPMOVIE_DEMUXER) += ipmovie.o OBJS-$(CONFIG_ISS_DEMUXER) += iss.o OBJS-$(CONFIG_IV8_DEMUXER) += iv8.o -OBJS-$(CONFIG_IVF_DEMUXER) += ivfdec.o riff.o +OBJS-$(CONFIG_IVF_DEMUXER) += ivfdec.o OBJS-$(CONFIG_IVF_MUXER) += ivfenc.o OBJS-$(CONFIG_JV_DEMUXER) += jvdec.o OBJS-$(CONFIG_LATM_DEMUXER) += rawdec.o 
@@ -122,9 +123,9 @@ OBJS-$(CONFIG_LXF_DEMUXER) += lxfdec.o OBJS-$(CONFIG_M4V_DEMUXER) += m4vdec.o rawdec.o OBJS-$(CONFIG_M4V_MUXER) += rawenc.o OBJS-$(CONFIG_MATROSKA_DEMUXER) += matroskadec.o matroska.o \ - riff.o isom.o rmdec.o rm.o + isom.o rmdec.o rm.o OBJS-$(CONFIG_MATROSKA_MUXER) += matroskaenc.o matroska.o \ - riff.o isom.o avc.o \ + isom.o avc.o \ flacenc_header.o avlanguage.o OBJS-$(CONFIG_MD5_MUXER) += md5enc.o OBJS-$(CONFIG_MJPEG_DEMUXER) += rawdec.o @@ -133,9 +134,9 @@ OBJS-$(CONFIG_MLP_DEMUXER) += rawdec.o OBJS-$(CONFIG_MLP_MUXER) += rawenc.o OBJS-$(CONFIG_MM_DEMUXER) += mm.o OBJS-$(CONFIG_MMF_DEMUXER) += mmf.o pcm.o -OBJS-$(CONFIG_MMF_MUXER) += mmf.o riff.o -OBJS-$(CONFIG_MOV_DEMUXER) += mov.o riff.o isom.o mov_chan.o -OBJS-$(CONFIG_MOV_MUXER) += movenc.o riff.o isom.o avc.o \ +OBJS-$(CONFIG_MMF_MUXER) += mmf.o +OBJS-$(CONFIG_MOV_DEMUXER) += mov.o isom.o mov_chan.o +OBJS-$(CONFIG_MOV_MUXER) += movenc.o isom.o avc.o \ movenchint.o rtpenc_chain.o \ mov_chan.o OBJS-$(CONFIG_MP2_MUXER) += mp3enc.o rawenc.o @@ -164,9 +165,9 @@ OBJS-$(CONFIG_MXG_DEMUXER) += mxg.o OBJS-$(CONFIG_NC_DEMUXER) += ncdec.o OBJS-$(CONFIG_NSV_DEMUXER) += nsvdec.o OBJS-$(CONFIG_NULL_MUXER) += nullenc.o -OBJS-$(CONFIG_NUT_DEMUXER) += nutdec.o nut.o riff.o -OBJS-$(CONFIG_NUT_MUXER) += nutenc.o nut.o riff.o -OBJS-$(CONFIG_NUV_DEMUXER) += nuv.o riff.o +OBJS-$(CONFIG_NUT_DEMUXER) += nutdec.o nut.o +OBJS-$(CONFIG_NUT_MUXER) += nutenc.o nut.o +OBJS-$(CONFIG_NUV_DEMUXER) += nuv.o OBJS-$(CONFIG_OGG_DEMUXER) += oggdec.o \ oggparsecelt.o \ oggparsedirac.o \ @@ -176,7 +177,6 @@ OBJS-$(CONFIG_OGG_DEMUXER) += oggdec.o \ oggparsespeex.o \ oggparsetheora.o \ oggparsevorbis.o \ - riff.o \ vorbiscomment.o OBJS-$(CONFIG_OGG_MUXER) += oggenc.o \ vorbiscomment.o 
@@ -301,28 +301,28 @@ OBJS-$(CONFIG_VMD_DEMUXER) += sierravmd.o OBJS-$(CONFIG_VOC_DEMUXER) += vocdec.o voc.o OBJS-$(CONFIG_VOC_MUXER) += vocenc.o voc.o OBJS-$(CONFIG_VQF_DEMUXER) += vqf.o -OBJS-$(CONFIG_W64_DEMUXER) += wav.o riff.o pcm.o -OBJS-$(CONFIG_WAV_DEMUXER) += wav.o riff.o pcm.o -OBJS-$(CONFIG_WAV_MUXER) += wav.o riff.o +OBJS-$(CONFIG_W64_DEMUXER) += wav.o pcm.o +OBJS-$(CONFIG_WAV_DEMUXER) += wav.o pcm.o +OBJS-$(CONFIG_WAV_MUXER) += wav.o OBJS-$(CONFIG_WC3_DEMUXER) += wc3movie.o OBJS-$(CONFIG_WEBM_MUXER) += matroskaenc.o matroska.o \ - riff.o isom.o avc.o \ + isom.o avc.o \ flacenc_header.o avlanguage.o OBJS-$(CONFIG_WSAUD_DEMUXER) += westwood.o OBJS-$(CONFIG_WSVQA_DEMUXER) += westwood.o OBJS-$(CONFIG_WTV_DEMUXER) += wtv.o asfdec.o asf.o asfcrypt.o \ - avlanguage.o mpegts.o isom.o riff.o + avlanguage.o mpegts.o isom.o OBJS-$(CONFIG_WV_DEMUXER) += wv.o apetag.o OBJS-$(CONFIG_XA_DEMUXER) += xa.o -OBJS-$(CONFIG_XMV_DEMUXER) += xmv.o riff.o -OBJS-$(CONFIG_XWMA_DEMUXER) += xwma.o riff.o +OBJS-$(CONFIG_XMV_DEMUXER) += xmv.o +OBJS-$(CONFIG_XWMA_DEMUXER) += xwma.o OBJS-$(CONFIG_YOP_DEMUXER) += yop.o OBJS-$(CONFIG_YUV4MPEGPIPE_MUXER) += yuv4mpeg.o OBJS-$(CONFIG_YUV4MPEGPIPE_DEMUXER) += yuv4mpeg.o # external libraries -OBJS-$(CONFIG_LIBNUT_DEMUXER) += libnut.o riff.o -OBJS-$(CONFIG_LIBNUT_MUXER) += libnut.o riff.o +OBJS-$(CONFIG_LIBNUT_DEMUXER) += libnut.o +OBJS-$(CONFIG_LIBNUT_MUXER) += libnut.o # protocols I/O OBJS+= avio.o aviobuf.o diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 71aed80305..22a89d3cd5 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h 
@@ -1995,6 +1995,30 @@ int av_match_ext(const char *filename, const char *extensions); */ int avformat_query_codec(AVOutputFormat *ofmt, enum CodecID codec_id, int std_compliance); +/** + * @defgroup riff_fourcc RIFF FourCCs + * @{ + * Get the tables mapping RIFF FourCCs to libavcodec CodecIDs. The tables are + * meant to be passed to av_codec_get_id()/av_codec_get_tag() as in the + * following code: + * @code + * uint32_t tag = MKTAG('H', '2', '6', '4'); + * const struct AVCodecTag *table[] = { avformat_get_riff_video_tags(), 0 }; + * enum CodecID id = av_codec_get_id(table, tag); + * @endcode + */ +/** + * @return the table mapping RIFF FourCCs for video to libavcodec CodecID. + */ +const struct AVCodecTag *avformat_get_riff_video_tags(void); +/** + * @return the table mapping RIFF FourCCs for audio to CodecID. + */ +const struct AVCodecTag *avformat_get_riff_audio_tags(void); +/** + * @} + */ + /** * @} */ diff --git a/libavformat/utils.c b/libavformat/utils.c index e6b4f40cf3..0c355cee60 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4107,3 +4107,12 @@ int ff_add_param_change(AVPacket *pkt, int32_t channels, } return 0; } + +const struct AVCodecTag *avformat_get_riff_video_tags(void) +{ + return ff_codec_bmp_tags; +} +const struct AVCodecTag *avformat_get_riff_audio_tags(void) +{ + return ff_codec_wav_tags; +} diff --git a/libavformat/version.h b/libavformat/version.h index cd774fbe65..009a60b1ad 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -30,7 +30,7 @@ #include "libavutil/avutil.h" #define LIBAVFORMAT_VERSION_MAJOR 53 -#define LIBAVFORMAT_VERSION_MINOR 20 +#define LIBAVFORMAT_VERSION_MINOR 21 #define LIBAVFORMAT_VERSION_MICRO 0 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ From 1c63d613721f9fb05dcf1646d00aabf5f63695eb Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Fri, 17 Feb 2012 12:21:22 -0800 Subject: [PATCH 062/991] asf: error out on ridiculously large minpktsize values. They cause various issues further down in demuxing. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8) Signed-off-by: Reinhard Tartler --- libavformat/asfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index eb93f14ecf..1fbe79bf5f 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -202,6 +202,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size) asf->hdr.flags = avio_rl32(pb); asf->hdr.min_pktsize = avio_rl32(pb); asf->hdr.max_pktsize = avio_rl32(pb); + if (asf->hdr.min_pktsize >= (1U<<29)) + return AVERROR_INVALIDDATA; asf->hdr.max_bitrate = avio_rl32(pb); s->packet_size = asf->hdr.max_pktsize; @@ -616,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) if (gsize < 24) return -1; if (!ff_guidcmp(&g, &ff_asf_file_header)) { - asf_read_file_properties(s, gsize); + int ret = asf_read_file_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { asf_read_stream_properties(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { From 40ccc811461c2c5f7999200315f9e2a563807147 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 16:13:46 -0800 Subject: [PATCH 063/991] asf: don't seek back on EOF. Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5) Signed-off-by: Reinhard Tartler --- libavformat/asfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 1fbe79bf5f..969ab28875 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -761,7 +761,7 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb) c= avio_r8(pb); d= avio_r8(pb); rsize+=3; - }else{ + } else if (!pb->eof_reached) { avio_seek(pb, -1, SEEK_CUR); //FIXME } From b2dcac7141a2fb72074679efbefcb4d8bef24c41 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 23 Feb 2012 11:19:33 -0800 Subject: [PATCH 064/991] vp56: error out on invalid stream dimensions. Prevents crashes when playing corrupt vp5/6 streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 5 +++++ libavcodec/vp6.c | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 56f667cb63..1c6eaa9d42 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -57,6 +57,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, } rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ + if (!rows || !cols) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", + cols << 4, rows << 4); + return 0; + } vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ vp56_rac_gets(c, 2); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 9433983be3..e4783c6e84 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c 
@@ -77,6 +77,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, cols = buf[3]; /* number of stored macroblock cols */ /* buf[4] is number of displayed macroblock rows */ /* buf[5] is number of displayed macroblock cols */ + if (!rows || !cols) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); + return 0; + } if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || @@ -97,7 +101,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, vrt_shift = 5; s->sub_version = sub_version; } else { - if (!s->sub_version) + if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height) return 0; if (separated_coeff || !s->filter_header) { From 5f896773e07126dd66f5b83e604e99adb30617cb Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 18:21:31 -0800 Subject: [PATCH 065/991] swscale: fix another integer overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd) Signed-off-by: Reinhard Tartler --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 2d7029e2f1..51bc3842dc 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1013,7 +1013,7 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter) c->vLumBufSize= c->vLumFilterSize; c->vChrBufSize= c->vChrFilterSize; for (i=0; ichrDstH / dstH; + int chrI = (int64_t) i * c->chrDstH / dstH; int nextSlice= FFMAX(c->vLumFilterPos[i ] + c->vLumFilterSize - 1, ((c->vChrFilterPos[chrI] + c->vChrFilterSize - 1)<chrSrcVSubSample)); From e904e9b7204b6ebd3433dd49a6c978ffb293cbdc Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 19:00:39 -0800 Subject: [PATCH 066/991] qtrle: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c) Signed-off-by: Reinhard Tartler --- libavcodec/qtrle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 0c74798226..6e7b3c2a43 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -407,7 +407,7 @@ static av_cold int qtrle_decode_init(AVCodecContext *avctx) default: av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n", avctx->bits_per_coded_sample); - break; + return AVERROR_INVALIDDATA; } s->frame.data[0] = NULL; From 4493af756b8f8346b1e7671b487afc34c72bc16e Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 17:04:33 -0800 Subject: [PATCH 067/991] rpza: error out on buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378) Signed-off-by: Reinhard Tartler --- libavcodec/rpza.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 7350ef2c4a..59c3a7b3a7 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s) color4[1] |= ((11 * ta + 21 * tb) >> 5); color4[2] |= ((21 * ta + 11 * tb) >> 5); + if (s->size - stream_ptr < n_blocks * 4) + return; while (n_blocks--) { block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { @@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: + if (s->size - stream_ptr < 16) + return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ 
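Review bot: in libavcodec/rpza.c the new check in front of the while (n_blocks--) loop bails out with a bare return, and rpza_decode_stream() is declared void, so the caller cannot tell a truncated packet from a good one. Suggest logging at AV_LOG_ERROR at this point and changing the function to return int so the short-input case can be propagated as AVERROR_INVALIDDATA, which is what the subject line ("error out on buffer overreads") promises.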
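Review bot: in the case 0x00 branch of libavcodec/rpza.c the guard is s->size - stream_ptr < 16, but the comment above it describes a block filled with 16 colors, and the loop body that consumes the input is not part of this hunk; if each colour is read as more than one byte, 16 is a count of colours rather than a count of bytes and the check still admits an overread. Please confirm how many bytes the 4x4 loop actually consumes and write the bound in bytes, with a comment giving the arithmetic.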
From 1dd1ee00d54ba2a9f5d8ae2e82a22891300b6807 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 19:00:48 -0800 Subject: [PATCH 068/991] vmnc: return error on decode_init() failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2) Signed-off-by: Reinhard Tartler --- libavcodec/vmnc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index a72c507c3c..ca0ba82dcd 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -483,6 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx) break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported bitdepth %i\n", c->bpp); + return AVERROR_INVALIDDATA; } return 0; From a63f3f714c014b3fcaffd45943bc089167b3fe61 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 09:41:22 -0800 Subject: [PATCH 069/991] huffyuv: do not abort on unknown pix_fmt; instead, return an error. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06) Signed-off-by: Reinhard Tartler --- libavcodec/huffyuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index efa87de802..412fe4b68d 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -514,7 +514,7 @@ s->bgr32=1; } break; default: - assert(0); + return AVERROR_INVALIDDATA; } alloc_temp(s); From 750f5baf3036d5a4c488a60d1cd6e872e4a871c4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 11:56:05 -0800 Subject: [PATCH 070/991] h264: error out on invalid bitdepth. Fixes invalid reads while initializing the dequant tables, which uses the bit depth to determine the QP table size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871) 
Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e92acbd7a8..449c634cfe 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2707,11 +2707,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->avctx->level = h->sps.level_idc; s->avctx->refs = h->sps.ref_frame_count; - if(h == h0 && h->dequant_coeff_pps != pps_id){ - h->dequant_coeff_pps = pps_id; - init_dequant_tables(h); - } - s->mb_width= h->sps.mb_width; s->mb_height= h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag); @@ -2786,7 +2781,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else s->avctx->pix_fmt = PIX_FMT_YUV420P10; break; - default: + case 8: if (CHROMA444){ if (s->avctx->colorspace == AVCOL_SPC_RGB) { s->avctx->pix_fmt = PIX_FMT_GBRP; @@ -2802,6 +2797,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ hwaccel_pixfmt_list_h264_jpeg_420 : ff_hwaccel_pixfmt_list_420); } + break; + default: + av_log(s->avctx, AV_LOG_ERROR, + "Unsupported bit depth: %d\n", h->sps.bit_depth_luma); + return AVERROR_INVALIDDATA; } s->avctx->hwaccel = ff_find_hwaccel(s->avctx->codec->id, s->avctx->pix_fmt); @@ -2846,6 +2846,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } } + if(h == h0 && h->dequant_coeff_pps != pps_id){ + h->dequant_coeff_pps = pps_id; + init_dequant_tables(h); + } + h->frame_num= get_bits(&s->gb, h->sps.log2_max_frame_num); h->mb_mbaff = 0; From 7f3f85544ca7804fde2210c129a4458536330dc6 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 24 Feb 2012 23:27:14 -0500 Subject: [PATCH 071/991] avutil: add AVERROR_UNKNOWN Useful to return instead of -1 when the cause of the error is unknown, typically from an external library. (cherry picked from commit c9bca801324f03746757aef8549ebd26599adec2) Conflicts: doc/APIchanges libavutil/avutil.h 
Signed-off-by: Reinhard Tartler --- doc/APIchanges | 3 +++ libavutil/avutil.h | 2 +- libavutil/error.c | 1 + libavutil/error.h | 1 + 4 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index 58186a082c..78e37f4e95 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,6 +13,9 @@ libavutil: 2011-04-18 API changes, most recent first: +2012-03-04 - xxxxxxx - lavu 51.22.1 - error.h + Add AVERROR_UNKNOWN + 2012-02-29 - xxxxxxx - lavf 53.21.0 Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). diff --git a/libavutil/avutil.h b/libavutil/avutil.h index 0e62b4a13f..05e9248375 100644 --- a/libavutil/avutil.h +++ b/libavutil/avutil.h @@ -155,7 +155,7 @@ #define LIBAVUTIL_VERSION_MAJOR 51 #define LIBAVUTIL_VERSION_MINOR 22 -#define LIBAVUTIL_VERSION_MICRO 0 +#define LIBAVUTIL_VERSION_MICRO 1 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ LIBAVUTIL_VERSION_MINOR, \ diff --git a/libavutil/error.c b/libavutil/error.c index a330e9f99c..21b68762d2 100644 --- a/libavutil/error.c +++ b/libavutil/error.c @@ -39,6 +39,7 @@ int av_strerror(int errnum, char *errbuf, size_t errbuf_size) case AVERROR_PROTOCOL_NOT_FOUND:errstr = "Protocol not found" ; break; case AVERROR_STREAM_NOT_FOUND: errstr = "Stream not found" ; break; case AVERROR_BUG: errstr = "Bug detected, please report the issue" ; break; + case AVERROR_UNKNOWN: errstr = "Unknown error occurred" ; break; } if (errstr) { diff --git a/libavutil/error.h b/libavutil/error.h index 2db65cb83f..11bcc5c4c4 100644 --- a/libavutil/error.h +++ b/libavutil/error.h 
@@ -58,6 +58,7 @@ #define AVERROR_PROTOCOL_NOT_FOUND (-MKTAG(0xF8,'P','R','O')) ///< Protocol not found #define AVERROR_STREAM_NOT_FOUND (-MKTAG(0xF8,'S','T','R')) ///< Stream not found #define AVERROR_BUG (-MKTAG( 'B','U','G',' ')) ///< Bug detected, please report the issue +#define AVERROR_UNKNOWN (-MKTAG( 'U','N','K','N')) ///< Unknown error, typically from an external library /** * Put a description of the AVERROR code errnum in errbuf. From 7e88df99e1d26accc56b0da52d271a57995ecde7 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 29 Feb 2012 17:50:28 -0800 Subject: [PATCH 072/991] lcl: return negative error codes on decode_init() errors. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4) Signed-off-by: Reinhard Tartler --- libavcodec/lcldec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 5b18418169..679824cc1e 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -476,7 +476,7 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); - return 1; + return AVERROR_INVALIDDATA; } /* Check codec type */ @@ -525,7 +525,7 @@ static av_cold int decode_init(AVCodecContext *avctx) break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype); - return 1; + return AVERROR_INVALIDDATA; } /* Detect compression method */ @@ -542,7 +542,7 @@ static av_cold int decode_init(AVCodecContext *avctx) break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression); - return 1; + return AVERROR_INVALIDDATA; } break; #if CONFIG_ZLIB_DECODER 
@@ -560,7 +560,7 @@ static av_cold int decode_init(AVCodecContext *avctx) default: if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) { av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression); - return 1; + return AVERROR_INVALIDDATA; } av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression); } @@ -568,14 +568,14 @@ static av_cold int decode_init(AVCodecContext *avctx) #endif default: av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n"); - return 1; + return AVERROR_INVALIDDATA; } /* Allocate decompression buffer */ if (c->decomp_size) { if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 1; + return AVERROR(ENOMEM); } } @@ -601,7 +601,7 @@ static av_cold int decode_init(AVCodecContext *avctx) if (zret != Z_OK) { av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret); av_freep(&c->decomp_buf); - return 1; + return AVERROR_UNKNOWN; } } #endif From 19da1a39e861968c27504b67d481d32339669e2a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 1 Mar 2012 14:07:22 -0800 Subject: [PATCH 073/991] rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689) Signed-off-by: Reinhard Tartler --- libavcodec/rv10.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index ccc09443ec..d7d7ed2fb2 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c 
@@ -642,8 +642,12 @@ static int rv10_decode_frame(AVCodecContext *avctx, if(!avctx->slice_count){ slice_count = (*buf++) + 1; + buf_size--; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 8 * slice_count; + if (buf_size <= 0) + return AVERROR_INVALIDDATA; }else slice_count = avctx->slice_count; @@ -682,7 +686,7 @@ static int rv10_decode_frame(AVCodecContext *avctx, s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } AVCodec ff_rv10_decoder = { From fecd7468fcbf9115afdd8bf3dc3d08da0975e4d8 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 27 Jan 2012 14:24:07 -0800 Subject: [PATCH 074/991] wmadec: Verify bitstream size makes sense before calling init_get_bits. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index afc0658eac..b9fc21fd3e 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -877,6 +877,8 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data, /* read each frame starting from bit_offset */ pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3; + if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8) + return AVERROR_INVALIDDATA; init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8); len = pos & 7; if (len > 0) From b863979c0f36b565857c49cf6297810e22a9ba10 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 16:19:51 -0800 Subject: [PATCH 075/991] wma: fix invalid buffer size assumptions causing random overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 349b7977e408f18cff01ab31dfa66c8249b6584a) 
Signed-off-by: Reinhard Tartler --- libavcodec/wma.h | 2 +- libavcodec/wmadec.c | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 4acbf04bbf..d6f4880c14 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -124,7 +124,7 @@ typedef struct WMACodecContext { /* output buffer for one frame and the last for IMDCT windowing */ DECLARE_ALIGNED(32, float, frame_out)[MAX_CHANNELS][BLOCK_MAX_SIZE * 2]; /* last frame info */ - uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + 4]; /* padding added */ + uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + FF_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; float noise_table[NOISE_TAB_SIZE]; diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index b9fc21fd3e..37feca1f7f 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -845,6 +845,12 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data, if (s->use_bit_reservoir) { bit_offset = get_bits(&s->gb, s->byte_offset_bits + 3); + if (bit_offset > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid last frame bit offset %d > buf size %d (%d)\n", + bit_offset, get_bits_left(&s->gb), buf_size); + goto fail; + } if (s->last_superframe_len > 0) { // printf("skip=%d\n", s->last_bitoffset); @@ -861,9 +867,10 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data, if (len > 0) { *q++ = (get_bits)(&s->gb, len) << (8 - len); } + memset(q, 0, FF_INPUT_BUFFER_PADDING_SIZE); /* XXX: bit_offset bits into last frame */ - init_get_bits(&s->gb, s->last_superframe, MAX_CODED_SUPERFRAME_SIZE*8); + init_get_bits(&s->gb, s->last_superframe, s->last_superframe_len * 8 + bit_offset); /* skip unused bits */ if (s->last_bitoffset > 0) skip_bits(&s->gb, s->last_bitoffset); 
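Review bot: In the wmadec.c hunk at -861, the added `memset(q, 0, FF_INPUT_BUFFER_PADDING_SIZE)` starts wherever `q` points after the preceding `*q++` write, and nothing in this hunk bounds `q` against `s->last_superframe + MAX_CODED_SUPERFRAME_SIZE`. The wma.h change sizes the array as `MAX_CODED_SUPERFRAME_SIZE + FF_INPUT_BUFFER_PADDING_SIZE`, so the memset stays in bounds only if `s->last_superframe_len` plus the bytes appended for `bit_offset` never exceeds `MAX_CODED_SUPERFRAME_SIZE`. The check added in the hunk above compares `bit_offset` with `get_bits_left(&s->gb)` only. Please confirm that bound is enforced before this point, or add it next to the memset, with a short comment tying the zeroed padding to the new `init_get_bits()` length.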
@@ -877,9 +884,9 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data, /* read each frame starting from bit_offset */ pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3; - if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8) + if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8 || pos > buf_size * 8) return AVERROR_INVALIDDATA; - init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8); + init_get_bits(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3))*8); len = pos & 7; if (len > 0) skip_bits(&s->gb, len); From 9686a2c2cfdb103784bd9153042da4f9656b56c6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 17:01:22 -0800 Subject: [PATCH 076/991] matroska: check buffer size for RM-style byte reordering. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1987b5095f..59e0e1f49d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1808,15 +1808,31 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (!track->audio.pkt_cnt) { if (track->audio.sub_packet_cnt == 0) track->audio.buf_timecode = timecode; - if (st->codec->codec_id == CODEC_ID_RA_288) + if (st->codec->codec_id == CODEC_ID_RA_288) { + if (size < cfs * h / 2) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Corrupt int4 RM-style audio packet size\n"); + return AVERROR_INVALIDDATA; + } for (x=0; xaudio.buf+x*2*w+y*cfs, data+x*cfs, cfs); - else if (st->codec->codec_id == CODEC_ID_SIPR) + } else if (st->codec->codec_id == CODEC_ID_SIPR) { + if (size < w) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Corrupt sipr RM-style audio packet size\n"); + return AVERROR_INVALIDDATA; + } memcpy(track->audio.buf + y*w, data, w); - else + } else { + if (size < sps * w / sps) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Corrupt generic RM-style audio packet size\n"); + return AVERROR_INVALIDDATA; + } for (x=0; xaudio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps); + } if (++track->audio.sub_packet_cnt >= h) { if (st->codec->codec_id == CODEC_ID_SIPR) From de2656ec2518cae65a2b2823470a3ebe15934ba9 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 13:51:21 -0800 Subject: [PATCH 077/991] amrwb: error out early if mode is invalid. Prevents using the invalid mode as an index in a static array, which would generate invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 154b8bb80029e71d562e8936164266300dd35a0e) Signed-off-by: Reinhard Tartler --- libavcodec/amrwbdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 6ea5d228dd..0ebaf47441 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
@@ -1095,23 +1095,27 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data, buf_out = (float *)ctx->avframe.data[0]; header_size = decode_mime_header(ctx, buf); + if (ctx->fr_cur_mode > MODE_SID) { + av_log(avctx, AV_LOG_ERROR, + "Invalid mode %d\n", ctx->fr_cur_mode); + return AVERROR_INVALIDDATA; + } expected_fr_size = ((cf_sizes_wb[ctx->fr_cur_mode] + 7) >> 3) + 1; if (buf_size < expected_fr_size) { av_log(avctx, AV_LOG_ERROR, "Frame too small (%d bytes). Truncated file?\n", buf_size); *got_frame_ptr = 0; - return buf_size; + return AVERROR_INVALIDDATA; } if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID) av_log(avctx, AV_LOG_ERROR, "Encountered a bad or corrupted frame\n"); - if (ctx->fr_cur_mode == MODE_SID) /* Comfort noise frame */ + if (ctx->fr_cur_mode == MODE_SID) { /* Comfort noise frame */ av_log_missing_feature(avctx, "SID mode", 1); - - if (ctx->fr_cur_mode >= MODE_SID) return -1; + } ff_amr_bit_reorder((uint16_t *) &ctx->frame, sizeof(AMRWBFrame), buf + header_size, amr_bit_orderings_by_mode[ctx->fr_cur_mode]); From 78d4f8cc56554e5d19c3f5688902278c3b795a04 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 1 Mar 2012 15:44:25 -0800 Subject: [PATCH 078/991] amrwb: remove duplicate arguments from extrapolate_isf(). Prevents warnings because the dst and src overlap (are the same) in the memcpy() inside the function. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9d87374ec0f382c8394ad511243db6980afa42af) Signed-off-by: Reinhard Tartler --- libavcodec/amrwbdec.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 0ebaf47441..b9ae9ece66 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
@@ -898,10 +898,10 @@ static float auto_correlation(float *diff_isf, float mean, int lag) * Extrapolate a ISF vector to the 16kHz range (20th order LP) * used at mode 6k60 LP filter for the high frequency band. * - * @param[out] out Buffer for extrapolated isf - * @param[in] isf Input isf vector + * @param[out] isf Buffer for extrapolated isf; contains LP_ORDER + * values on input */ -static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER]) +static void extrapolate_isf(float isf[LP_ORDER_16k]) { float diff_isf[LP_ORDER - 2], diff_mean; float *diff_hi = diff_isf - LP_ORDER + 1; // diff array for extrapolated indexes @@ -909,8 +909,7 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER]) float est, scale; int i, i_max_corr; - memcpy(out, isf, (LP_ORDER - 1) * sizeof(float)); - out[LP_ORDER_16k - 1] = isf[LP_ORDER - 1]; + isf[LP_ORDER_16k - 1] = isf[LP_ORDER - 1]; /* Calculate the difference vector */ for (i = 0; i < LP_ORDER - 2; i++) @@ -931,16 +930,16 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER]) i_max_corr++; for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++) - out[i] = isf[i - 1] + isf[i - 1 - i_max_corr] + isf[i] = isf[i - 1] + isf[i - 1 - i_max_corr] - isf[i - 2 - i_max_corr]; /* Calculate an estimate for ISF(18) and scale ISF based on the error */ - est = 7965 + (out[2] - out[3] - out[4]) / 6.0; - scale = 0.5 * (FFMIN(est, 7600) - out[LP_ORDER - 2]) / - (out[LP_ORDER_16k - 2] - out[LP_ORDER - 2]); + est = 7965 + (isf[2] - isf[3] - isf[4]) / 6.0; + scale = 0.5 * (FFMIN(est, 7600) - isf[LP_ORDER - 2]) / + (isf[LP_ORDER_16k - 2] - isf[LP_ORDER - 2]); for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++) - diff_hi[i] = scale * (out[i] - out[i - 1]); + diff_hi[i] = scale * (isf[i] - isf[i - 1]); /* Stability insurance */ for (i = LP_ORDER; i < LP_ORDER_16k - 1; i++) 
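Review bot: In the -931 hunk of extrapolate_isf(), `scale` is divided by `(isf[LP_ORDER_16k - 2] - isf[LP_ORDER - 2])` with no guard against the two entries being equal. When they are, `scale` becomes inf or NaN and is multiplied into every `diff_hi[i]` in the loop that follows. The rename from `out` to `isf` does not introduce this, but the line is touched here and the ISF values derive from the bitstream, so a check for a zero denominator (or a comment explaining why it cannot occur) belongs with this change.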
@@ -952,11 +951,11 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER]) } for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++) - out[i] = out[i - 1] + diff_hi[i] * (1.0f / (1 << 15)); + isf[i] = isf[i - 1] + diff_hi[i] * (1.0f / (1 << 15)); /* Scale the ISF vector for 16000 Hz */ for (i = 0; i < LP_ORDER_16k - 1; i++) - out[i] *= 0.8; + isf[i] *= 0.8; } /** @@ -1003,7 +1002,7 @@ static void hb_synthesis(AMRWBContext *ctx, int subframe, float *samples, ff_weighted_vector_sumf(e_isf, isf_past, isf, isfp_inter[subframe], 1.0 - isfp_inter[subframe], LP_ORDER); - extrapolate_isf(e_isf, e_isf); + extrapolate_isf(e_isf); e_isf[LP_ORDER_16k - 1] *= 2.0; ff_acelp_lsf2lspd(e_isp, e_isf, LP_ORDER_16k); From 3f7e90cf0c12d739c5b9cd548c1916f23d691185 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 2 Mar 2012 10:13:07 -0800 Subject: [PATCH 079/991] mpegts: Pad the packet buffer in handle_packet(). This allows it to be used with get_bits without the thread of overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1aa708988ac131cf7d5c8bd59aca256a7c974df9) Signed-off-by: Reinhard Tartler --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 15688a9747..85e09527e3 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1772,7 +1772,7 @@ static int read_packet(AVFormatContext *s, uint8_t *buf, int raw_packet_size) static int handle_packets(MpegTSContext *ts, int nb_packets) { AVFormatContext *s = ts->stream; - uint8_t packet[TS_PACKET_SIZE]; + uint8_t packet[TS_PACKET_SIZE+FF_INPUT_BUFFER_PADDING_SIZE]; int packet_num, ret = 0; if (avio_tell(s->pb) != ts->last_pos) { @@ -1794,6 +1794,7 @@ static int handle_packets(MpegTSContext *ts, int nb_packets) ts->stop_parse = 0; packet_num = 0; + memset(packet + TS_PACKET_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); for(;;) { if (ts->stop_parse>0) break; 
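Review bot: In handle_packets(), the padding is zeroed once, before the `for(;;)` loop, so it stays zero only as long as nothing in the loop writes past `packet[TS_PACKET_SIZE - 1]`. The hunk does not show what bounds the per-packet read into `packet`. Please add a comment next to `memset(packet + TS_PACKET_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);` stating that invariant, or move the memset inside the loop so the padding is re-established for each packet.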
From b7c8fff80351249d448b93608bfac832c1ee3b4b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 2 Mar 2012 10:12:11 -0800 Subject: [PATCH 080/991] mpegts: Do not call read_sl_header() when no bytes remain in the buffer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4df369692ea8aee7094ac0f233cef8d1bee139a3) Signed-off-by: Reinhard Tartler --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 85e09527e3..cc36e656da 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -889,7 +889,7 @@ static int mpegts_push_data(MpegTSFilter *filter, /* we got the full header. We parse it and get the payload */ pes->state = MPEGTS_PAYLOAD; pes->data_index = 0; - if (pes->stream_type == 0x12) { + if (pes->stream_type == 0x12 && buf_size > 0) { int sl_header_bytes = read_sl_header(pes, &pes->sl, p, buf_size); pes->pes_header_size += sl_header_bytes; p += sl_header_bytes; From 2e341bc99af72f1ae7c9812985635cbfeeb50269 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 16:33:33 -0500 Subject: [PATCH 081/991] wmaenc: require a large enough output buffer to prevent overwrites The maximum theoretical frame size is around 17000 bytes. Although in practice it will generally be much smaller, we require a larger buffer just to be safe. CC: libav-stable@libav.org (cherry picked from commit dfc4fdedf8cfc56a505579b1f2c1c5efbce4b97e) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index c762a723b9..a9053bbc92 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c 
@@ -355,6 +355,11 @@ static int encode_superframe(AVCodecContext *avctx, } } + if (buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE) { + av_log(avctx, AV_LOG_ERROR, "output buffer size is too small\n"); + return AVERROR(EINVAL); + } + #if 1 total_gain= 128; for(i=64; i; i>>=1){ From 073891e8758d5b4ed9034b340fa24c687792e8f6 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 16:10:00 -0500 Subject: [PATCH 082/991] wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE This is near the theoretical limit for wma frame size and is the most that our decoder can handle. Allowing higher bit rates will just end up padding each frame with empty bytes. Fixes invalid writes for avconv when using very high bit rates. CC:libav-stable@libav.org (cherry picked from commit c2b8dea1828f35c808adcf12615893d5c740bc0a) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index a9053bbc92..bc17f5b6ba 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -71,8 +71,12 @@ static int encode_init(AVCodecContext * avctx){ for(i = 0; i < s->nb_block_sizes; i++) ff_mdct_init(&s->mdct_ctx[i], s->frame_len_bits - i + 1, 0, 1.0); - avctx->block_align= - s->block_align= avctx->bit_rate*(int64_t)s->frame_len / (avctx->sample_rate*8); + s->block_align = avctx->bit_rate * (int64_t)s->frame_len / + (avctx->sample_rate * 8); + s->block_align = FFMIN(s->block_align, MAX_CODED_SUPERFRAME_SIZE); + avctx->block_align = s->block_align; + avctx->bit_rate = avctx->block_align * 8LL * avctx->sample_rate / + s->frame_len; //av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", s->block_align, avctx->bit_rate, s->frame_len, avctx->sample_rate); avctx->frame_size= s->frame_len; From 6a073aa7a734d4fbad77071e9f8ee0fe75a17fae Mon Sep 17 00:00:00 2001 
From: Justin Ruggles Date: Fri, 2 Mar 2012 16:27:57 -0500 Subject: [PATCH 083/991] wmaenc: limit allowed sample rate to 48kHz ff_wma_init() allows up to 50kHz, but this generates an exponent band size table that requires 65 bands. The code assumes 25 bands in many places, and using sample rates higher than 48kHz will lead to buffer overwrites. CC:libav-stable@libav.org (cherry picked from commit 1ec075cfecac01f9a289965db06f76365b0b1737) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index bc17f5b6ba..5135b982aa 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -39,6 +39,12 @@ static int encode_init(AVCodecContext * avctx){ return AVERROR(EINVAL); } + if (avctx->sample_rate > 48000) { + av_log(avctx, AV_LOG_ERROR, "sample rate is too high: %d > 48kHz", + avctx->sample_rate); + return AVERROR(EINVAL); + } + if(avctx->bit_rate < 24*1000) { av_log(avctx, AV_LOG_ERROR, "bitrate too low: got %i, need 24000 or higher\n", avctx->bit_rate); From 1128b10247739900174991b4e013429a1b8ceaa4 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 2 Mar 2012 17:11:25 -0500 Subject: [PATCH 084/991] wmaenc: fix m/s stereo encoding for the first frame We need to set ms_stereo in encode_init() in order to avoid incorrectly encoding the first frame as non-m/s while flagging it as m/s. Fixes an uncomfortable pop in the left channel at the start of playback. CC:libav-stable@libav.org (cherry picked from commit 51ddf35c9017018e58c15275ff5b129647a0c94d) Signed-off-by: Reinhard Tartler --- libavcodec/wmaenc.c | 4 +++- tests/ref/acodec/wmav1 | 6 +++--- tests/ref/acodec/wmav2 | 6 +++--- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index 5135b982aa..df59cab6aa 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c 
@@ -70,6 +70,8 @@ static int encode_init(AVCodecContext * avctx){ s->use_exp_vlc = flags2 & 0x0001; s->use_bit_reservoir = flags2 & 0x0002; s->use_variable_block_len = flags2 & 0x0004; + if (avctx->channels == 2) + s->ms_stereo = 1; ff_wma_init(avctx, flags2); @@ -191,7 +193,7 @@ static int encode_block(WMACodecContext *s, float (*src_coefs)[BLOCK_MAX_SIZE], } if (s->nb_channels == 2) { - put_bits(&s->pb, 1, s->ms_stereo= 1); + put_bits(&s->pb, 1, !!s->ms_stereo); } for(ch = 0; ch < s->nb_channels; ch++) { diff --git a/tests/ref/acodec/wmav1 b/tests/ref/acodec/wmav1 index 916e4a8ab6..117aa12a8c 100644 --- a/tests/ref/acodec/wmav1 +++ b/tests/ref/acodec/wmav1 @@ -1,4 +1,4 @@ -26a7f6b0f0b7181df8df3fa589f6bf81 *./tests/data/acodec/wmav1.asf +0260385b8a54df11ad349f9ba8240fd8 *./tests/data/acodec/wmav1.asf 106004 ./tests/data/acodec/wmav1.asf -stddev:12245.52 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 -stddev: 2095.89 PSNR: 29.90 MAXDIFF:27658 bytes: 1056768/ 1058400 +stddev:12241.90 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 +stddev: 2074.79 PSNR: 29.99 MAXDIFF:27658 bytes: 1056768/ 1058400 diff --git a/tests/ref/acodec/wmav2 b/tests/ref/acodec/wmav2 index 622b6fcc36..43b19b7530 100644 --- a/tests/ref/acodec/wmav2 +++ b/tests/ref/acodec/wmav2 @@ -1,4 +1,4 @@ -7c6c0cb692af01b312ae345723674b5f *./tests/data/acodec/wmav2.asf +bdb4c312fb109f990be83a70f8ec9bdc *./tests/data/acodec/wmav2.asf 106044 ./tests/data/acodec/wmav2.asf -stddev:12249.93 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 -stddev: 2089.21 PSNR: 29.93 MAXDIFF:27650 bytes: 1056768/ 1058400 +stddev:12246.35 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400 +stddev: 2068.08 PSNR: 30.02 MAXDIFF:27650 bytes: 1056768/ 1058400 From cd17195d1c0e0f7385946506a5ad2510cf44471b Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 18:48:27 -0800 Subject: [PATCH 085/991] h264: prevent overreads in intra PCM decoding. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d1604b3de96575195b219028e2c4f08b2259aa7d) Signed-off-by: Reinhard Tartler --- libavcodec/h264_cabac.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 75fb02cb63..2ee4bc01a8 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1996,6 +1996,8 @@ decode_intra_mb: } // The pixels are stored in the same order as levels in h->mb array. + if ((int) (h->cabac.bytestream_end - ptr) < mb_size) + return -1; memcpy(h->mb, ptr, mb_size); ptr+=mb_size; ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); From 11f3173e1bae135eb18a10b0060a5dd4b9fdcc74 Mon Sep 17 00:00:00 2001 From: Vitor Sessak Date: Wed, 29 Feb 2012 22:09:10 +0100 Subject: [PATCH 086/991] amrnbdec: check frame size before decoding. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje (cherry picked from commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d) Signed-off-by: Reinhard Tartler --- libavcodec/amrnbdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c index fff0e7248a..a7d0b4e337 100644 --- a/libavcodec/amrnbdec.c +++ b/libavcodec/amrnbdec.c @@ -200,6 +200,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf, p->bad_frame_indicator = !get_bits1(&gb); // quality bit skip_bits(&gb, 2); // two padding bits + if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1) { + return NO_DATA; + } + if (mode < MODE_DTX) ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + 1, amr_unpacking_bitmaps_per_mode[mode]); 
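Review bot: In unpack_bitstream(), the new `buf_size < frame_sizes_nb[mode] + 1` test sits after the header fields have been read from `gb` (`get_bits1(&gb)` and `skip_bits(&gb, 2)` are above it), so a `buf_size` of 0 is rejected only after the first byte has been consumed. A `buf_size < 1` test ahead of the header parse would close that gap. Separately, `NO_DATA` is an ordinary member of `enum Mode` and is used here as the failure return. If a stream can carry that mode legitimately, the caller cannot distinguish it from a rejected frame, so a distinct sentinel or a comment on the intended meaning would help.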
@@ -947,6 +951,10 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data, buf_out = (float *)p->avframe.data[0]; p->cur_frame_mode = unpack_bitstream(p, buf, buf_size); + if (p->cur_frame_mode == NO_DATA) { + av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n"); + return AVERROR_INVALIDDATA; + } if (p->cur_frame_mode == MODE_DTX) { av_log_missing_feature(avctx, "dtx mode", 1); return -1; From b5331b979bfb31ec1715618b2712429764b6a9b5 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 29 Feb 2012 13:55:09 -0800 Subject: [PATCH 087/991] cscd: use negative error values to indicate decode_init() failures. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d) Signed-off-by: Reinhard Tartler --- libavcodec/cscd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 00921bc47d..1edab91bcf 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { av_log(avctx, AV_LOG_ERROR, "CamStudio codec error: invalid depth %i bpp\n", avctx->bits_per_coded_sample); - return 1; + return AVERROR_INVALIDDATA; } c->bpp = avctx->bits_per_coded_sample; c->pic.data[0] = NULL; @@ -241,7 +241,7 @@ static av_cold int decode_init(AVCodecContext *avctx) { c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 1; + return AVERROR(ENOMEM); } return 0; } From 5186984ee9cf65946ed8bcf4b480f81c4310a8ce Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Sat, 25 Feb 2012 17:24:56 -0800 Subject: [PATCH 088/991] h264: change underread for 10bit QPEL to overread. This prevents us from reading before the start of the buffer, and thus prevents crashes resulting from this behaviour. Fixes bug 237. (cherry picked from commit 291c9b62855d555ac5385e23219461b6080da7db) Signed-off-by: Reinhard Tartler --- libavcodec/x86/h264_qpel_10bit.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/h264_qpel_10bit.asm b/libavcodec/x86/h264_qpel_10bit.asm index 15dd72ca36..cafd4dabf0 100644 --- a/libavcodec/x86/h264_qpel_10bit.asm +++ b/libavcodec/x86/h264_qpel_10bit.asm @@ -619,7 +619,7 @@ MC MC33 %define PAD 12 %define COUNT 2 %else -%define PAD 0 +%define PAD 4 %define COUNT 3 %endif put_hv%2_10_%1: From 85eb76a23fbba2d26e3742e8163d3994b2972b4b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 26 Feb 2012 08:57:14 -0800 Subject: [PATCH 089/991] h264: fix mmxext chroma deblock to use correct TC values. (cherry picked from commit b0c4f04338234ee011d7b704621347ef232294fe) Signed-off-by: Reinhard Tartler --- libavcodec/x86/h264_deblock_10bit.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/h264_deblock_10bit.asm b/libavcodec/x86/h264_deblock_10bit.asm index baac725eec..6744661d65 100644 --- a/libavcodec/x86/h264_deblock_10bit.asm +++ b/libavcodec/x86/h264_deblock_10bit.asm @@ -870,7 +870,7 @@ cglobal deblock_v_chroma_10_%1, 5,7-(mmsize/16),8*(mmsize/16) %if mmsize < 16 add r0, mmsize add r5, mmsize - add r4, mmsize/8 + add r4, mmsize/4 dec r6 jg .loop REP_RET From 003f7e3dd0debfaa28622bd81e77f9217043ee28 Mon Sep 17 00:00:00 2001 From: Fabian Greffrath Date: Mon, 5 Mar 2012 16:06:01 +0100 Subject: [PATCH 090/991] Fix format string vulnerability detected by -Wformat-security. Signed-off-by: Diego Biurrun (cherry picked from commit c9dbac36ad4bac07f6c1d06d465e361ab55bcb95) 
Signed-off-by: Reinhard Tartler --- libavcodec/srtdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index 677c5501f8..99cbd9428b 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c @@ -110,7 +110,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end, for (j=sptr-2; j>=0; j--) if (stack[j].param[i][0]) { out += snprintf(out, out_end-out, - stack[j].param[i]); + "%s", stack[j].param[i]); break; } } else { @@ -146,7 +146,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end, for (i=0; i Date: Thu, 9 Feb 2012 13:00:30 -0500 Subject: [PATCH 091/991] ac3dsp: do not use pshufb in ac3_extract_exponents_ssse3() We need to do unsigned saturation in order to cover the corner case when the absolute coefficient value is 16777215 (the maximum value). Fixes Bug #216 (cherry picked from commit d483bb58c318b0a6152709cf28263d72200b98f9) Signed-off-by: Reinhard Tartler --- libavcodec/x86/ac3dsp.asm | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/libavcodec/x86/ac3dsp.asm b/libavcodec/x86/ac3dsp.asm index c1b0906a85..9312ff6533 100644 --- a/libavcodec/x86/ac3dsp.asm +++ b/libavcodec/x86/ac3dsp.asm @@ -35,7 +35,6 @@ pw_bap_mul2: dw 5, 7, 0, 7, 5, 7, 0, 7 ; used in ff_ac3_extract_exponents() pd_1: times 4 dd 1 pd_151: times 4 dd 151 -pb_shuf_4dwb: db 0, 4, 8, 12 SECTION .text @@ -404,15 +403,12 @@ cglobal ac3_extract_exponents_3dnow, 3,3,0, exp, coef, len %endif %macro AC3_EXTRACT_EXPONENTS 1 -cglobal ac3_extract_exponents_%1, 3,3,5, exp, coef, len +cglobal ac3_extract_exponents_%1, 3,3,4, exp, coef, len add expq, lenq lea coefq, [coefq+4*lenq] neg lenq mova m2, [pd_1] mova m3, [pd_151] -%ifidn %1, ssse3 ; - movd m4, [pb_shuf_4dwb] -%endif .loop: ; move 4 32-bit coefs to xmm0 mova m0, [coefq+4*lenq] 
@@ -426,12 +422,11 @@ cglobal ac3_extract_exponents_%1, 3,3,5, exp, coef, len mova m0, m3 psubd m0, m1 ; move the lowest byte in each of 4 dwords to the low dword -%ifidn %1, ssse3 - pshufb m0, m4 -%else + ; NOTE: We cannot just extract the low bytes with pshufb because the dword + ; result for 16777215 is -1 due to float inaccuracy. Using packuswb + ; clips this to 0, which is the correct exponent. packssdw m0, m0 packuswb m0, m0 -%endif movd [expq+lenq], m0 add lenq, 4 From ca7e97bdcf0d19c69293de08f5956d1431ee461f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 2 Mar 2012 17:03:06 +0200 Subject: [PATCH 092/991] g722: Fix the QMF scaling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes clipping if the encoder input used the full 16 bit input range (samples with a magnitude below 16383 worked fine). The filtered subband samples should be 15 bit maximum, while the code earlier produced them scaled to 16 bit. This makes the decoder output have double the magnitude compared to before. The spec reference samples doesn't test the QMF at all, which was why this part slipped past initially. (cherry picked from commit b087ce2bee81db8cc5caffb8f0a4f6c7c92a30fe) Signed-off-by: Martin Storsjö --- libavcodec/g722dec.c | 4 +- libavcodec/g722enc.c | 4 +- tests/ref/acodec/g722 | 8 +- tests/ref/fate/g722dec-1 | 334 +++++++++++++++++++-------------------- tests/ref/fate/g722enc | 2 +- 5 files changed, 176 insertions(+), 176 deletions(-) diff --git a/libavcodec/g722dec.c b/libavcodec/g722dec.c index 50a224ba10..72bb0ef3c7 100644 --- a/libavcodec/g722dec.c +++ b/libavcodec/g722dec.c 
@@ -126,8 +126,8 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data, c->prev_samples[c->prev_samples_pos++] = rlow - rhigh; ff_g722_apply_qmf(c->prev_samples + c->prev_samples_pos - 24, &xout1, &xout2); - *out_buf++ = av_clip_int16(xout1 >> 12); - *out_buf++ = av_clip_int16(xout2 >> 12); + *out_buf++ = av_clip_int16(xout1 >> 11); + *out_buf++ = av_clip_int16(xout2 >> 11); if (c->prev_samples_pos >= PREV_SAMPLES_BUF_SIZE) { memmove(c->prev_samples, c->prev_samples + c->prev_samples_pos - 22, 22 * sizeof(c->prev_samples[0])); diff --git a/libavcodec/g722enc.c b/libavcodec/g722enc.c index 1cb0070649..b5707e3cd3 100644 --- a/libavcodec/g722enc.c +++ b/libavcodec/g722enc.c @@ -128,8 +128,8 @@ static inline void filter_samples(G722Context *c, const int16_t *samples, c->prev_samples[c->prev_samples_pos++] = samples[0]; c->prev_samples[c->prev_samples_pos++] = samples[1]; ff_g722_apply_qmf(c->prev_samples + c->prev_samples_pos - 24, &xout1, &xout2); - *xlow = xout1 + xout2 >> 13; - *xhigh = xout1 - xout2 >> 13; + *xlow = xout1 + xout2 >> 14; + *xhigh = xout1 - xout2 >> 14; if (c->prev_samples_pos >= PREV_SAMPLES_BUF_SIZE) { memmove(c->prev_samples, c->prev_samples + c->prev_samples_pos - 22, diff --git a/tests/ref/acodec/g722 b/tests/ref/acodec/g722 index 6ea492ae45..0e2f7e75b0 100644 --- a/tests/ref/acodec/g722 +++ b/tests/ref/acodec/g722 @@ -1,4 +1,4 @@ -1975cc4a3521e374b33ae042e182f6b6 *./tests/data/acodec/g722.wav -48053 ./tests/data/acodec/g722.wav -ade04cdcf249e6946395f109b077dd62 *./tests/data/g722.acodec.out.wav -stddev: 8841.24 PSNR: 17.40 MAXDIFF:36225 bytes: 191980/ 1058400 +7b0492eee76b04b710990235f97a0bf2 *./tests/data/acodec/g722.wav + 48053 ./tests/data/acodec/g722.wav +b5568e0e3930ff563824156e8e1015f0 *./tests/data/g722.acodec.out.wav +stddev: 8939.44 PSNR: 17.30 MAXDIFF:40370 bytes: 191980/ 1058400 diff --git a/tests/ref/fate/g722dec-1 b/tests/ref/fate/g722dec-1 index 4c4b2b53e7..cdc54891c8 100644 --- a/tests/ref/fate/g722dec-1 
+++ b/tests/ref/fate/g722dec-1 
@@ -1,167 +1,167 @@ -0, 0, 4096, 0xde68394d -0, 11520, 4096, 0xa5c28cb7 -0, 23040, 4096, 0x2e3c2f23 -0, 34560, 4096, 0xd7757825 -0, 46080, 4096, 0xafd1fd61 -0, 57600, 4096, 0x686afcbe -0, 69120, 4096, 0x2290e848 -0, 80640, 4096, 0xddd484ad -0, 92160, 4096, 0x148811a6 -0, 103680, 4096, 0x8b965613 -0, 115200, 4096, 0x8b095d51 -0, 126720, 4096, 0xf7625485 -0, 138240, 4096, 0x982a688c -0, 149760, 4096, 0xc290dcfc -0, 161280, 4096, 0x8bdef225 -0, 172800, 4096, 0xfca27fdc -0, 184320, 4096, 0x95eff313 -0, 195840, 4096, 0x691ed4f7 -0, 207360, 4096, 0xd7e7b492 -0, 218880, 4096, 0xb0416bfe -0, 230400, 4096, 0xf94b3ebd -0, 241920, 4096, 0x7f73ca12 -0, 253440, 4096, 0xe91da4a3 -0, 264960, 4096, 0x1f74dc0e -0, 276480, 4096, 0xd95b35e8 -0, 288000, 4096, 0x6dcdde1a -0, 299520, 4096, 0x614fd4e4 -0, 311040, 4096, 0xe38d0fd5 -0, 322560, 4096, 0xfeba2999 -0, 334080, 4096, 0x1bf541e1 -0, 345600, 4096, 0x689f50d8 -0, 357120, 4096, 0x0aa60f5f -0, 368640, 4096, 0x60ac3116 -0, 380160, 4096, 0xfa60e5e6 -0, 391680, 4096, 0xc7207c5b -0, 403200, 4096, 0x01196277 -0, 414720, 4096, 0x609ca46c -0, 426240, 4096, 0xfb799142 -0, 437760, 4096, 0x720910df -0, 449280, 4096, 0xe21a8662 -0, 460800, 4096, 0x07105120 -0, 472320, 4096, 0x593f627e -0, 483840, 4096, 0x28ddc80c -0, 495360, 4096, 0xc69ef356 -0, 506880, 4096, 0x2defc5bd -0, 518400, 4096, 0x82a4f418 -0, 529920, 4096, 0x424cb997 -0, 541440, 4096, 0x167a49b7 -0, 552960, 4096, 0x32a3e0d4 -0, 564480, 4096, 0x08a353ae -0, 576000, 4096, 0x9543577b -0, 587520, 4096, 0x2ed137cf -0, 599040, 4096, 0xd80b0538 -0, 610560, 4096, 0x2ad31bef -0, 622080, 4096, 0x1060cff8 -0, 633600, 4096, 0x76ab5ab8 -0, 645120, 4096, 0x8eedb68d -0, 656640, 4096, 0xf4e2dc46 -0, 668160, 4096, 0xc52d3326 -0, 679680, 4096, 0x25201a26 -0, 691200, 4096, 0x16419378 -0, 702720, 4096, 0x97061f3c -0, 714240, 4096, 0xd54edecd -0, 725760, 4096, 0xc830b07b -0, 737280, 4096, 0x804bae00 -0, 748800, 4096, 0xbb279150 -0, 760320, 4096, 0x95c4d5aa -0, 771840, 4096, 0xc51d5259 -0, 783360, 4096, 
0x856e1ab0 -0, 794880, 4096, 0x9e6ccb12 -0, 806400, 4096, 0xa2e5c1bb -0, 817920, 4096, 0xe62fb62f -0, 829440, 4096, 0xf10e3df0 -0, 840960, 4096, 0x76def18b -0, 852480, 4096, 0xc9c3a26d -0, 864000, 4096, 0x8ec0e061 -0, 875520, 4096, 0x3d4e8512 -0, 887040, 4096, 0xec45cd46 -0, 898560, 4096, 0xa34f3ddf -0, 910080, 4096, 0x52b81c53 -0, 921600, 4096, 0xd0f0397a -0, 933120, 4096, 0x7c0de231 -0, 944640, 4096, 0xfe86c032 -0, 956160, 4096, 0x67cdb848 -0, 967680, 4096, 0x90532cc0 -0, 979200, 4096, 0x03bca9e9 -0, 990720, 4096, 0x73169fd1 -0, 1002240, 4096, 0x0b93967d -0, 1013760, 4096, 0x6486d8be -0, 1025280, 4096, 0x555cc2ac -0, 1036800, 4096, 0x07c1912e -0, 1048320, 4096, 0xe0423c66 -0, 1059840, 4096, 0xc12d0fa1 -0, 1071360, 4096, 0xdf497c2f -0, 1082880, 4096, 0x9298d1ba -0, 1094400, 4096, 0x691a4e15 -0, 1105920, 4096, 0x725adc6e -0, 1117440, 4096, 0xf68e88de -0, 1128960, 4096, 0x37a234aa -0, 1140480, 4096, 0x43fb0558 -0, 1152000, 4096, 0x653e4320 -0, 1163520, 4096, 0x651e2f13 -0, 1175040, 4096, 0x179049f9 -0, 1186560, 4096, 0xe02fbb9d -0, 1198080, 4096, 0xb7e9f2a0 -0, 1209600, 4096, 0x94ee81df -0, 1221120, 4096, 0x398a98de -0, 1232640, 4096, 0x1267594a -0, 1244160, 4096, 0x715adbaf -0, 1255680, 4096, 0x28ce1a20 -0, 1267200, 4096, 0x4f8073d0 -0, 1278720, 4096, 0x536846d3 -0, 1290240, 4096, 0x7dc7defe -0, 1301760, 4096, 0x08a28e2a -0, 1313280, 4096, 0xd717c5cd -0, 1324800, 4096, 0x5d6e1efd -0, 1336320, 4096, 0x4d0eea27 -0, 1347840, 4096, 0x70fff90c -0, 1359360, 4096, 0xd5cc8207 -0, 1370880, 4096, 0xf87cae0e -0, 1382400, 4096, 0x26814ab5 -0, 1393920, 4096, 0x9569fb8d -0, 1405440, 4096, 0x7835122e -0, 1416960, 4096, 0xa38840dd -0, 1428480, 4096, 0xfc499ba3 -0, 1440000, 4096, 0x0aa60cb0 -0, 1451520, 4096, 0x530ef56e -0, 1463040, 4096, 0xead968db -0, 1474560, 4096, 0x64484214 -0, 1486080, 4096, 0xfd0cc89e -0, 1497600, 4096, 0x0d452a5d -0, 1509120, 4096, 0x36ef8482 -0, 1520640, 4096, 0x462b641b -0, 1532160, 4096, 0x2a5c1c0c -0, 1543680, 4096, 0x8837ff80 -0, 1555200, 4096, 
0x27a3de22 -0, 1566720, 4096, 0xf88d28c1 -0, 1578240, 4096, 0xed85ea97 -0, 1589760, 4096, 0x50c3e7db -0, 1601280, 4096, 0x82bcb480 -0, 1612800, 4096, 0xc50ee536 -0, 1624320, 4096, 0x086280ee -0, 1635840, 4096, 0x6f18f2b2 -0, 1647360, 4096, 0x1c7c0856 -0, 1658880, 4096, 0xc576268a -0, 1670400, 4096, 0x7a9af56d -0, 1681920, 4096, 0x6d058fc5 -0, 1693440, 4096, 0x8fb1107b -0, 1704960, 4096, 0x807588d1 -0, 1716480, 4096, 0x56178443 -0, 1728000, 4096, 0xf2460763 -0, 1739520, 4096, 0x284255f2 -0, 1751040, 4096, 0xb29d17fb -0, 1762560, 4096, 0x5e7e4633 -0, 1774080, 4096, 0x57704db1 -0, 1785600, 4096, 0xd87dcc1d -0, 1797120, 4096, 0x28d4bb93 -0, 1808640, 4096, 0x3a2e5c6c -0, 1820160, 4096, 0xf3581656 -0, 1831680, 4096, 0x42f1942f -0, 1843200, 4096, 0xe75c5092 -0, 1854720, 4096, 0x3fae7f6d -0, 1866240, 4096, 0xf99ad73e -0, 1877760, 4096, 0x80564e3e -0, 1889280, 4096, 0x8ff6ebe5 -0, 1900800, 4096, 0x436d5e69 -0, 1912320, 1368, 0xe0ebeda3 +0, 0, 4096, 0x4f9228b3 +0, 11520, 4096, 0xfab58157 +0, 23040, 4096, 0x0b641c78 +0, 34560, 4096, 0x601c6803 +0, 46080, 4096, 0xb3e2f166 +0, 57600, 4096, 0x5681f206 +0, 69120, 4096, 0x1e69e71f +0, 80640, 4096, 0x05628be3 +0, 92160, 4096, 0x109b1aef +0, 103680, 4096, 0xd5435a9e +0, 115200, 4096, 0xb38b5d28 +0, 126720, 4096, 0x64514c93 +0, 138240, 4096, 0x453350e7 +0, 149760, 4096, 0x6deccce6 +0, 161280, 4096, 0xd427ede1 +0, 172800, 4096, 0xdecb8c42 +0, 184320, 4096, 0x3841e4d2 +0, 195840, 4096, 0x858ac1b1 +0, 207360, 4096, 0x8e9dbfa0 +0, 218880, 4096, 0xcbc0766f +0, 230400, 4096, 0x78d52555 +0, 241920, 4096, 0x600ac7d5 +0, 253440, 4096, 0xafadb7ee +0, 264960, 4096, 0x8009d5a1 +0, 276480, 4096, 0xb07d475e +0, 288000, 4096, 0xfcfecceb +0, 299520, 4096, 0x38b5d85f +0, 311040, 4096, 0xbd48072e +0, 322560, 4096, 0xd04724d8 +0, 334080, 4096, 0x08425144 +0, 345600, 4096, 0x7b14483e +0, 357120, 4096, 0x8858ef4c +0, 368640, 4096, 0x1e3024c2 +0, 380160, 4096, 0xcd6bfe4f +0, 391680, 4096, 0x8cde8d18 +0, 403200, 4096, 0xbbd856b8 +0, 414720, 4096, 
0x988c9b7a +0, 426240, 4096, 0x2a858e03 +0, 437760, 4096, 0x6dee1e4a +0, 449280, 4096, 0x8cc38b41 +0, 460800, 4096, 0x48bd5cec +0, 472320, 4096, 0xeb7f606b +0, 483840, 4096, 0x75f5d28c +0, 495360, 4096, 0x5bfeec4b +0, 506880, 4096, 0xfc35c22a +0, 518400, 4096, 0x3a95efba +0, 529920, 4096, 0xefdbce9c +0, 541440, 4096, 0x00594ada +0, 552960, 4096, 0x20ffebfa +0, 564480, 4096, 0x1b31370a +0, 576000, 4096, 0x50766a56 +0, 587520, 4096, 0x0058315a +0, 599040, 4096, 0x98090cbf +0, 610560, 4096, 0x66ed2d40 +0, 622080, 4096, 0xdfd7c0a7 +0, 633600, 4096, 0x2adc57e1 +0, 645120, 4096, 0x838bbc82 +0, 656640, 4096, 0x2c55de1a +0, 668160, 4096, 0xeae027f4 +0, 679680, 4096, 0x09fe00f6 +0, 691200, 4096, 0xa25d9970 +0, 702720, 4096, 0xedb11a20 +0, 714240, 4096, 0x9ce2e63e +0, 725760, 4096, 0xeb699974 +0, 737280, 4096, 0xcc04a296 +0, 748800, 4096, 0xe90e9a12 +0, 760320, 4096, 0xae85c0f7 +0, 771840, 4096, 0x7ee877db +0, 783360, 4096, 0x9ecf14ee +0, 794880, 4096, 0xa821cecd +0, 806400, 4096, 0x2714bb11 +0, 817920, 4096, 0x28f1c1e0 +0, 829440, 4096, 0xf81c4f60 +0, 840960, 4096, 0x1ae0e5a1 +0, 852480, 4096, 0xbdae9d9a +0, 864000, 4096, 0x5202e560 +0, 875520, 4096, 0x82408396 +0, 887040, 4096, 0xc850ce0c +0, 898560, 4096, 0x1d732d88 +0, 910080, 4096, 0xc5c01e33 +0, 921600, 4096, 0x84942d6c +0, 933120, 4096, 0x7c27cd3a +0, 944640, 4096, 0x22adc503 +0, 956160, 4096, 0xfbc3af31 +0, 967680, 4096, 0xe9652b18 +0, 979200, 4096, 0xae75987e +0, 990720, 4096, 0x0f7ea428 +0, 1002240, 4096, 0x92b89582 +0, 1013760, 4096, 0xf393d910 +0, 1025280, 4096, 0x6349b600 +0, 1036800, 4096, 0x16918dbd +0, 1048320, 4096, 0x14ee15ad +0, 1059840, 4096, 0x26b510d3 +0, 1071360, 4096, 0x97007bf8 +0, 1082880, 4096, 0x3718c509 +0, 1094400, 4096, 0x24a54ccd +0, 1105920, 4096, 0xc960df4e +0, 1117440, 4096, 0xc7cb6e6f +0, 1128960, 4096, 0x4c563ae5 +0, 1140480, 4096, 0x0dd51432 +0, 1152000, 4096, 0xdb4243c8 +0, 1163520, 4096, 0x9bb6417f +0, 1175040, 4096, 0xec6a40a1 +0, 1186560, 4096, 0x82d6c3b4 +0, 1198080, 4096, 
0xd181e2ec +0, 1209600, 4096, 0xba5d7b55 +0, 1221120, 4096, 0x78fcb938 +0, 1232640, 4096, 0x6691671c +0, 1244160, 4096, 0x44fadee7 +0, 1255680, 4096, 0xa42720d5 +0, 1267200, 4096, 0xc1165a91 +0, 1278720, 4096, 0x86aa3e3f +0, 1290240, 4096, 0xab5ae57d +0, 1301760, 4096, 0x291a91f3 +0, 1313280, 4096, 0xfdf0dcfc +0, 1324800, 4096, 0x1ef91f67 +0, 1336320, 4096, 0xc899efee +0, 1347840, 4096, 0x5ade15ac +0, 1359360, 4096, 0x04516beb +0, 1370880, 4096, 0xbf5ebbb9 +0, 1382400, 4096, 0x4a235122 +0, 1393920, 4096, 0xd7a3f4a6 +0, 1405440, 4096, 0x5f900f20 +0, 1416960, 4096, 0xa90b4365 +0, 1428480, 4096, 0x63149dc4 +0, 1440000, 4096, 0xf12c1ee8 +0, 1451520, 4096, 0x6d0fec8c +0, 1463040, 4096, 0x65e07850 +0, 1474560, 4096, 0x16d951cc +0, 1486080, 4096, 0xd296d0c4 +0, 1497600, 4096, 0x619b2a53 +0, 1509120, 4096, 0x316972d5 +0, 1520640, 4096, 0xcfd64e21 +0, 1532160, 4096, 0xcbcb10c6 +0, 1543680, 4096, 0x20aeff7c +0, 1555200, 4096, 0xd205dabd +0, 1566720, 4096, 0xac9d3001 +0, 1578240, 4096, 0x6d53dfdd +0, 1589760, 4096, 0xbb9fe15c +0, 1601280, 4096, 0x1852b88b +0, 1612800, 4096, 0xb0acec01 +0, 1624320, 4096, 0xb52a9342 +0, 1635840, 4096, 0x7529faee +0, 1647360, 4096, 0x150ff449 +0, 1658880, 4096, 0xa81d31d9 +0, 1670400, 4096, 0xbcb8084a +0, 1681920, 4096, 0x07229514 +0, 1693440, 4096, 0xa85cfd88 +0, 1704960, 4096, 0x0aef9c27 +0, 1716480, 4096, 0x8ec47b39 +0, 1728000, 4096, 0x910b0560 +0, 1739520, 4096, 0x99a8578e +0, 1751040, 4096, 0xb3df1d84 +0, 1762560, 4096, 0x48e52559 +0, 1774080, 4096, 0xb25c4800 +0, 1785600, 4096, 0x913bc8ce +0, 1797120, 4096, 0xb736cc8c +0, 1808640, 4096, 0x13c66646 +0, 1820160, 4096, 0x70a71221 +0, 1831680, 4096, 0x3a50a08e +0, 1843200, 4096, 0xc0a037b0 +0, 1854720, 4096, 0x9a789475 +0, 1866240, 4096, 0xc890ca16 +0, 1877760, 4096, 0xa0d34bed +0, 1889280, 4096, 0x1689fa60 +0, 1900800, 4096, 0x5bac4c83 +0, 1912320, 1368, 0x904be5e5 diff --git a/tests/ref/fate/g722enc b/tests/ref/fate/g722enc index c1094565b5..9b8e469a8b 100644 --- a/tests/ref/fate/g722enc 
+++ b/tests/ref/fate/g722enc @@ -1 +1 @@ -750269cc236541df28e15da5c7b0df7a +94e2f200d6e05b47cec4aa3e94571cf3 From ffdc41f0395f74cb8844361d2154784ce65e8fdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 22:20:26 +0100 Subject: [PATCH 093/991] nsvdec: Fix use of uninitialized streams. Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write) Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b) Signed-off-by: Alex Converse (cherry picked from commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3) --- libavformat/nsvdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 18dfde2867..261cfbb1af 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -605,12 +605,12 @@ null_chunk_retry: } /* map back streams to v,a */ - if (s->streams[0]) + if (s->nb_streams > 0) st[s->streams[0]->id] = s->streams[0]; - if (s->streams[1]) + if (s->nb_streams > 1) st[s->streams[1]->id] = s->streams[1]; - if (vsize/* && st[NSV_ST_VIDEO]*/) { + if (vsize && st[NSV_ST_VIDEO]) { nst = st[NSV_ST_VIDEO]->priv_data; pkt = &nsv->ahead[NSV_ST_VIDEO]; av_get_packet(pb, pkt, vsize); @@ -623,7 +623,7 @@ null_chunk_retry: if(st[NSV_ST_VIDEO]) ((NSVStream*)st[NSV_ST_VIDEO]->priv_data)->frame_offset++; - if (asize/*st[NSV_ST_AUDIO]*/) { + if (asize && st[NSV_ST_AUDIO]) { nst = st[NSV_ST_AUDIO]->priv_data; pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ From e410dd17920342b7f08f16675044f077c88c251b Mon Sep 17 00:00:00 2001 
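Review bot: in the nsvdec.c hunk at -605, the new `if (vsize && st[NSV_ST_VIDEO])` guard skips `av_get_packet(pb, pkt, vsize)` when the stream pointer is NULL, but nothing in the visible lines consumes those vsize bytes in that case, so the next chunk would be parsed from the middle of this payload. An else branch that skips the payload (for example `avio_skip(pb, vsize)`) or returns an error would keep the demuxer in sync; the same question applies to asize in the audio hunk. Separately, `st[s->streams[0]->id]` still indexes `st` with an id that these lines do not range-check, so a comment stating where id is constrained to NSV_ST_VIDEO or NSV_ST_AUDIO would help the next reader.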
From: Alex Converse Date: Thu, 26 Jan 2012 17:21:46 -0800 Subject: [PATCH 094/991] nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a) --- libavformat/nsvdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 261cfbb1af..22a1a0938c 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -314,7 +314,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) char *token, *value; char quote; - p = strings = av_mallocz(strings_size + 1); + p = strings = av_mallocz((size_t)strings_size + 1); + if (!p) + return AVERROR(ENOMEM); endp = strings + strings_size; avio_read(pb, strings, strings_size); while (p < endp) { @@ -349,6 +351,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if((unsigned)table_entries_used >= UINT_MAX / sizeof(uint32_t)) return -1; nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t)); + if (!nsv->nsvs_file_offset) + return AVERROR(ENOMEM); for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; @@ -356,6 +360,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { nsv->nsvs_timestamps = av_malloc((unsigned)table_entries_used*sizeof(uint32_t)); + if (!nsv->nsvs_timestamps) + return AVERROR(ENOMEM); for(i=0;insvs_timestamps[i] = avio_rl32(pb); } From dd37038ac7526221a9497b4d07dd808381fc08e4 Mon Sep 17 00:00:00 2001 
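Review bot: in nsv_parse_NSVf_header, the `(size_t)strings_size + 1` cast only prevents the wrap on targets where size_t is wider than the type of strings_size; where the two have the same width the sum can still reach 0. An explicit upper bound on strings_size before the allocation would hold on every target and would also cap how much memory a file header can make the demuxer request. The `avio_read(pb, strings, strings_size)` that follows still ignores its return value, and the new `return AVERROR(ENOMEM)` in the TOC2 hunk leaves with nsvs_file_offset already allocated (and `strings` too, if it is still live at that point), so the commit message or a comment should say where those are freed.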
From: Alex Converse Date: Thu, 26 Jan 2012 17:23:09 -0800 Subject: [PATCH 095/991] nsvdec: Propagate errors Related to CVE-2011-3940. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit c898431ca5ef2a997fe9388b650f658fb60783e5) Conflicts: libavformat/nsvdec.c --- libavformat/nsvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 22a1a0938c..e5aaf33b97 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -532,11 +532,16 @@ static int nsv_read_header(AVFormatContext *s, AVFormatParameters *ap) for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { if (nsv_resync(s) < 0) return -1; - if (nsv->state == NSV_FOUND_NSVF) + if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s, ap); + if (err < 0) + return err; + } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s, ap); + if (err < 0) + return err; break; /* we just want the first one */ } } From 416849f2e06227b1b4a451c392f100db1d709a0c Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 17:30:49 +0100 Subject: [PATCH 096/991] kmvc: Check palsize. Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer (cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b) --- libavcodec/kmvc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 2b54b84e99..a6bb13b95a 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -33,6 +33,7 @@ #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 #define KMVC_METHOD 0x0F +#define MAX_PALSIZE 256 /* * Decoder context @@ -43,7 +44,7 @@ typedef struct KmvcContext { int setpal; int palsize; - uint32_t pal[256]; + uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; uint8_t *frm0, *frm1; GetByteContext g; 
@@ -380,6 +381,10 @@ static av_cold int decode_init(AVCodecContext * avctx) c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); + if (c->palsize >= MAX_PALSIZE) { + av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); + return AVERROR_INVALIDDATA; + } } if (avctx->extradata_size == 1036) { // palette in extradata From d5f2382d0389ed47a566ea536887af908bf9b14f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jan 2012 23:23:35 +0100 Subject: [PATCH 097/991] kgv1dec: Increase offsets array size so it is large enough. Fixes CVE-2011-3945 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6) Signed-off-by: Alex Converse (cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b) --- libavcodec/kgv1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index c4c3dac016..42bbcae530 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -46,7 +46,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac const uint8_t *buf = avpkt->data; const uint8_t *buf_end = buf + avpkt->size; KgvContext * const c = avctx->priv_data; - int offsets[7]; + int offsets[8]; uint16_t *out, *prev; int outcnt = 0, maxcnt; int w, h, i, res; @@ -79,7 +79,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac prev = NULL; } - for (i = 0; i < 7; i++) + for (i = 0; i < 8; i++) offsets[i] = -1; while (outcnt < maxcnt && buf_end - 2 > buf) { From 1ca84aa162a811def05bcd31394b1cea7ee19093 Mon Sep 17 00:00:00 2001 
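Review bot: in the kmvc.c decode_init hunk, `if (c->palsize >= MAX_PALSIZE)` rejects a value equal to the array length, which is right only if palsize is used as the highest palette index rather than as an entry count (the neighbouring default of 127 suggests an index). A short comment saying which it is would stop a later cleanup from relaxing this to `>` and reintroducing an out-of-bounds access to `pal[]`. The hunk also reads `AV_RL16(avctx->extradata + 10)` with no extradata_size check in the visible lines; if that guard sits above the hunk, fine, otherwise it belongs here.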
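Review bot: in the kgv1dec.c decode_frame hunks, the array size and the initialisation loop bound are both changed from 7 to 8 by hand, so they can drift apart again. Writing the loop as `for (i = 0; i < FF_ARRAY_ELEMS(offsets); i++)` ties it to the declaration, and a comment on `int offsets[8]` naming the bitstream field that produces the index, and its width, would document why 8 is enough. A range check at the point where the index is read from the packet would be a stronger fix than sizing the array to fit.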
From: Alex Converse Date: Fri, 27 Jan 2012 15:50:24 -0800 Subject: [PATCH 098/991] mpeg12: Pad framerate tab to 16 entries. There are many places where we read an unchecked 4-bit index into it. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit dfa37fe8a3d9243dd339d94befa065e2c90b29e6) --- libavcodec/mpeg12data.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12data.c b/libavcodec/mpeg12data.c index 5ac8c243a5..a0dd6e5784 100644 --- a/libavcodec/mpeg12data.c +++ b/libavcodec/mpeg12data.c @@ -305,7 +305,7 @@ const uint8_t ff_mpeg12_mbMotionVectorTable[17][2] = { { 0xc, 10 }, }; -const AVRational avpriv_frame_rate_tab[] = { +const AVRational avpriv_frame_rate_tab[16] = { { 0, 0}, {24000, 1001}, { 24, 1}, From d0e53ecff736fd23c985c184051a7ae44529e448 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 25 Jan 2012 15:46:14 -0800 Subject: [PATCH 099/991] mp3dec: Fix a heap-buffer-overflow In some cases, what is left to read from ptr is smaller than EXTRABYTES. Based on a patch by Thierry Foucu . Signed-off-by: Alex Converse (cherry picked from commit f372ce119bd2458fa0b4ddfb2af3a36621df99f7) --- libavcodec/mpegaudiodec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 860c0c3d73..04c1d9842c 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c 
@@ -1378,16 +1378,17 @@ static int mp_decode_layer3(MPADecodeContext *s) if (!s->adu_mode) { int skip; const uint8_t *ptr = s->gb.buffer + (get_bits_count(&s->gb)>>3); + int extrasize = av_clip(get_bits_left(&s->gb) >> 3, 0, EXTRABYTES); assert((get_bits_count(&s->gb) & 7) == 0); /* now we get bits from the main_data_begin offset */ av_dlog(s->avctx, "seekback: %d\n", main_data_begin); //av_log(NULL, AV_LOG_ERROR, "backstep:%d, lastbuf:%d\n", main_data_begin, s->last_buf_size); - memcpy(s->last_buf + s->last_buf_size, ptr, EXTRABYTES); + memcpy(s->last_buf + s->last_buf_size, ptr, extrasize); s->in_gb = s->gb; init_get_bits(&s->gb, s->last_buf, s->last_buf_size*8); #if !UNCHECKED_BITSTREAM_READER - s->gb.size_in_bits_plus8 += EXTRABYTES * 8; + s->gb.size_in_bits_plus8 += extrasize * 8; #endif s->last_buf_size <<= 3; for (gr = 0; gr < nb_granules && (s->last_buf_size >> 3) < main_data_begin; gr++) { From feed0c6b6ae31cb3d5af144c74dd2040051780b7 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 24 Feb 2012 13:17:39 -0500 Subject: [PATCH 100/991] mpegaudiodec: Prevent premature clipping of mp3 input buffer. Instead of clipping extrasize based on EXTRABYTES, clip based on the amount of buffer actually left. Without this fix, there are warbles and other distortions in the test case below. http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3 (cherry picked from commit b7165426917f91ebcad84bdff366824f03b32bfe) Signed-off-by: Alex Converse --- libavcodec/mpegaudiodec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 04c1d9842c..d90257303c 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -40,6 +40,7 @@ #define BACKSTEP_SIZE 512 #define EXTRABYTES 24 +#define LAST_BUF_SIZE 2 * BACKSTEP_SIZE + EXTRABYTES /* layer 3 "granule" */ typedef struct GranuleDef { 
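Review bot: the new `#define LAST_BUF_SIZE 2 * BACKSTEP_SIZE + EXTRABYTES` in mpegaudiodec.c has no parentheses around its expansion. The two uses in this patch, `last_buf[LAST_BUF_SIZE]` and `LAST_BUF_SIZE - s->last_buf_size`, happen to expand correctly, but a later `LAST_BUF_SIZE * 8` or `x / LAST_BUF_SIZE` would bind to only part of the expression and silently compute the wrong bound in a buffer-size check. Suggest `#define LAST_BUF_SIZE (2 * BACKSTEP_SIZE + EXTRABYTES)`.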
@@ -63,7 +64,7 @@ typedef struct GranuleDef { typedef struct MPADecodeContext { MPA_DECODE_HEADER - uint8_t last_buf[2 * BACKSTEP_SIZE + EXTRABYTES]; + uint8_t last_buf[LAST_BUF_SIZE]; int last_buf_size; /* next header (used in free format parsing) */ uint32_t free_format_next_header; @@ -1378,7 +1379,8 @@ static int mp_decode_layer3(MPADecodeContext *s) if (!s->adu_mode) { int skip; const uint8_t *ptr = s->gb.buffer + (get_bits_count(&s->gb)>>3); - int extrasize = av_clip(get_bits_left(&s->gb) >> 3, 0, EXTRABYTES); + int extrasize = av_clip(get_bits_left(&s->gb) >> 3, 0, + FFMAX(0, LAST_BUF_SIZE - s->last_buf_size)); assert((get_bits_count(&s->gb) & 7) == 0); /* now we get bits from the main_data_begin offset */ av_dlog(s->avctx, "seekback: %d\n", main_data_begin); From d7fddc97d40025876e1342109a49f07ba8fa6878 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2012 17:48:23 +0100 Subject: [PATCH 101/991] dv: check stype dv: check stype Fixes part1 of CVE-2011-3929 Possibly fixes part of CVE-2011-3936 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik Signed-off-by: Michael Niedermayer Signed-off-by: Alex Converse (cherry picked from commit 635bcfccd439480003b74a665b5aa7c872c1ad6b) --- libavformat/dv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/dv.c b/libavformat/dv.c index 805f25271c..4896b0a3fe 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -204,6 +204,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ + if (stype > 3) { + av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); + c->ach = 0; + return 0; + } + /* note: ach counts PAIRS of channels (i.e. stereo channels) */ ach = ((int[4]){ 1, 0, 2, 4})[stype]; if (ach == 1 && quant && freq == 2) From efd30c4d95c56680f011c36a7f75c5c7389e34f2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 24 Jan 2012 17:51:40 +0100 Subject: [PATCH 102/991] dv: Fix null pointer dereference due to ach=0 dv: Fix null pointer dereference due to ach=0 Fixes part2 of CVE-2011-3929 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Roman Shaposhnik Signed-off-by: Michael Niedermayer Signed-off-by: Alex Converse (cherry picked from commit 5a396bb3a66a61a68b80f2369d0249729bf85e04) --- libavformat/dv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 4896b0a3fe..bde8ca340a 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -343,7 +343,8 @@ int avpriv_dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, c->audio_pkt[i].pts = c->abytes * 30000*8 / c->ast[i]->codec->bit_rate; ppcm[i] = c->audio_buf[i]; } - dv_extract_audio(buf, ppcm, c->sys); + if (c->ach) + dv_extract_audio(buf, ppcm, c->sys); /* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ From 3e8434bceafa11ede27657b0efec899d7178c06d Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 26 Jan 2012 15:08:26 -0800 Subject: [PATCH 103/991] dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. Found with asan. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse (cherry picked from commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366) --- libavformat/dv.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index bde8ca340a..e517855b34 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c 
@@ -127,10 +127,14 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], /* We work with 720p frames split in half, thus even frames have * channels 0,1 and odd 2,3. */ ipcm = (sys->height == 720 && !(frame[1] & 0x0C)) ? 2 : 0; - pcm = ppcm[ipcm++]; /* for each DIF channel */ for (chan = 0; chan < sys->n_difchan; chan++) { + /* next stereo channel (50Mbps and 100Mbps only) */ + pcm = ppcm[ipcm++]; + if (!pcm) + break; + /* for each DIF segment */ for (i = 0; i < sys->difseg_size; i++) { frame += 6 * 80; /* skip DIF segment header */ @@ -178,11 +182,6 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], frame += 16 * 80; /* 15 Video DIFs + 1 Audio DIF */ } } - - /* next stereo channel (50Mbps and 100Mbps only) */ - pcm = ppcm[ipcm++]; - if (!pcm) - break; } return size; From 627f4621f5cb1a808e29026480570bd173c28d9b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Tue, 31 Jan 2012 10:20:33 -0800 Subject: [PATCH 104/991] ac3: Do not read past the end of ff_ac3_band_start_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Alex Converse (cherry picked from commit 034b03e7a0e8e4f8f66c82b736f2c0aa7c063ec0) --- libavcodec/ac3dsp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/ac3dsp.c b/libavcodec/ac3dsp.c index 98c73573cb..b751aec902 100644 --- a/libavcodec/ac3dsp.c +++ b/libavcodec/ac3dsp.c @@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd, int snr_offset, int floor, const uint8_t *bap_tab, uint8_t *bap) { - int bin, band; + int bin, band, band_end; /* special case, if snr offset is -960, set all bap's to zero */ if (snr_offset == -960) { 
@@ -120,12 +120,14 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t *psd, band = ff_ac3_bin_to_band_tab[start]; do { int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor; - int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end); + band_end = ff_ac3_band_start_tab[++band]; + band_end = FFMIN(band_end, end); + for (; bin < band_end; bin++) { int address = av_clip((psd[bin] - m) >> 5, 0, 63); bap[bin] = bap_tab[address]; } - } while (end > ff_ac3_band_start_tab[band++]); + } while (end > band_end); } static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap, From ce14f00dea933c930f46d1fb820dd02824a89fb4 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 3 Feb 2012 10:43:21 -0800 Subject: [PATCH 105/991] movdec: Avoid av_malloc(0) in stss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 29a20ac4a19df5acc0eef306ca5a737778a31358) --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index c6022d5d3a..d14ae7ee0d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1503,6 +1503,8 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "keyframe_count = %d\n", entries); + if (!entries) + return 0; if (entries >= UINT_MAX / sizeof(int)) return AVERROR_INVALIDDATA; sc->keyframes = av_malloc(entries * sizeof(int)); From e3743869e97568b75c100b643bf8df4c70f7d93e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Feb 2012 22:27:27 -0500 Subject: [PATCH 106/991] ac3dec: Move center and surround mix level tables to the parser. That way all mix levels as exported by avpriv_ac3_parse_header() will have the same meaning. Previously the 3-bit center mix level for E-AC-3 was used to index in a 4-entry table, leading to out-of-array reads. Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles 
Signed-off-by: Alex Converse (cherry picked from commit e6d9fa66f12cf5a3024c9bc7c4c608f7fc59207e) --- libavcodec/ac3_parser.c | 20 ++++++++++++++++---- libavcodec/ac3dec.c | 16 ++-------------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index e3c46fd332..067b4f9879 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -34,6 +34,18 @@ static const uint8_t eac3_blocks[4] = { 1, 2, 3, 6 }; +/** + * Table for center mix levels + * reference: Section 5.4.2.4 cmixlev + */ +static const uint8_t center_levels[4] = { 4, 5, 6, 5 }; + +/** + * Table for surround mix levels + * reference: Section 5.4.2.5 surmixlev + */ +static const uint8_t surround_levels[4] = { 4, 6, 7, 6 }; + int avpriv_ac3_parse_header(GetBitContext *gbc, AC3HeaderInfo *hdr) { @@ -53,8 +65,8 @@ int avpriv_ac3_parse_header(GetBitContext *gbc, AC3HeaderInfo *hdr) hdr->num_blocks = 6; /* set default mix levels */ - hdr->center_mix_level = 1; // -4.5dB - hdr->surround_mix_level = 1; // -6.0dB + hdr->center_mix_level = 5; // -4.5dB + hdr->surround_mix_level = 6; // -6.0dB if(hdr->bitstream_id <= 10) { /* Normal AC-3 */ @@ -76,9 +88,9 @@ int avpriv_ac3_parse_header(GetBitContext *gbc, AC3HeaderInfo *hdr) skip_bits(gbc, 2); // skip dsurmod } else { if((hdr->channel_mode & 1) && hdr->channel_mode != AC3_CHMODE_MONO) - hdr->center_mix_level = get_bits(gbc, 2); + hdr-> center_mix_level = center_levels[get_bits(gbc, 2)]; if(hdr->channel_mode & 4) - hdr->surround_mix_level = get_bits(gbc, 2); + hdr->surround_mix_level = surround_levels[get_bits(gbc, 2)]; } hdr->lfe_on = get_bits1(gbc); diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 662ea91d1f..1020eea0d6 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -76,18 +76,6 @@ static const float gain_levels[9] = { LEVEL_MINUS_9DB }; -/** - * Table for center mix levels - * reference: Section 5.4.2.4 cmixlev - */ -static const uint8_t center_levels[4] = { 4, 5, 6, 5 }; - -/** - * Table for surround mix levels - * reference: Section 5.4.2.5 surmixlev - */ -static const uint8_t surround_levels[4] = { 4, 6, 7, 6 }; - /** * Table for default stereo downmixing coefficients * reference: Section 7.8.2 Downmixing Into Two Channels @@ -320,8 +308,8 @@ static int parse_frame_header(AC3DecodeContext *s) static void set_downmix_coeffs(AC3DecodeContext *s) { int i; - float cmix = gain_levels[center_levels[s->center_mix_level]]; - float smix = gain_levels[surround_levels[s->surround_mix_level]]; + float cmix = gain_levels[s-> center_mix_level]; + float smix = gain_levels[s->surround_mix_level]; float norm0, norm1; for (i = 0; i < s->fbw_channels; i++) { From 035dd77cbb01215daeef7e4e9cf1218b7fee354c Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 9 Feb 2012 17:11:55 -0800 Subject: [PATCH 107/991] dv: Fix small overread in audio frequency table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 0ab3687924457cb4fd81897bd39ab3cc5b699588) --- libavformat/dv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/dv.c b/libavformat/dv.c index e517855b34..65d0f873dc 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -121,6 +121,9 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], if (quant > 1) return -1; /* unsupported quantization */ + if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) + return AVERROR_INVALIDDATA; + size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */ half_ch = sys->difseg_size / 2; 
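Review bot: in the dv_extract_audio hunk, the new check bounds freq by `FF_ARRAY_ELEMS(dv_audio_frequency)`, but the array indexed on the next statement is `sys->audio_min_samples[freq]`. The check is only sufficient if audio_min_samples has at least as many entries as dv_audio_frequency, and nothing in the visible lines states that. Either bound freq by the array that is actually indexed here or add a comment (or a compile-time assertion) tying the two lengths together. The neighbouring `return -1` for unsupported quantization could become an AVERROR code in the same pass for consistency with the new `AVERROR_INVALIDDATA`.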
@@ -203,6 +206,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame) stype = (as_pack[3] & 0x1f); /* 0 - 2CH, 2 - 4CH, 3 - 8CH */ quant = as_pack[4] & 0x07; /* 0 - 16bit linear, 1 - 12bit nonlinear */ + if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) { + av_log(c->fctx, AV_LOG_ERROR, + "Unrecognized audio sample rate index (%d)\n", freq); + return 0; + } + if (stype > 3) { av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype); c->ach = 0; From db315c796d7f07f0dcd7d3be1e9cb77ae6afee6e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 9 Feb 2012 20:21:47 -0800 Subject: [PATCH 108/991] svq3: Prevent illegal reads while parsing extradata. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba) --- libavcodec/svq3.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5cc57a745d..eeb8ed7051 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -811,7 +811,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) MpegEncContext *s = &h->s; int m; unsigned char *extradata; + unsigned char *extradata_end; unsigned int size; + int marker_found = 0; if (ff_h264_decode_init(avctx) < 0) return -1; 
@@ -831,19 +833,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) /* prowl for the "SEQH" marker in the extradata */ extradata = (unsigned char *)avctx->extradata; - for (m = 0; m < avctx->extradata_size; m++) { - if (!memcmp(extradata, "SEQH", 4)) - break; - extradata++; + extradata_end = avctx->extradata + avctx->extradata_size; + if (extradata) { + for (m = 0; m + 8 < avctx->extradata_size; m++) { + if (!memcmp(extradata, "SEQH", 4)) { + marker_found = 1; + break; + } + extradata++; + } } /* if a match was found, parse the extra data */ - if (extradata && !memcmp(extradata, "SEQH", 4)) { + if (marker_found) { GetBitContext gb; int frame_size_code; size = AV_RB32(&extradata[4]); + if (size > extradata_end - extradata - 8) + return AVERROR_INVALIDDATA; init_get_bits(&gb, extradata + 8, size*8); /* 'frame size code' and optional 'width, height' */ From eaeaeb265fe46e1d81452960de918227541873b4 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 17 Feb 2012 14:13:40 -0800 Subject: [PATCH 109/991] dpcm: ignore extra unpaired bytes in stereo streams. Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ce7aee9b733134649a6ce2fa743e51733f33e67e) --- libavcodec/dpcm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 1b0f6b005b..7f5dbfe3b9 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -183,6 +183,11 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, int stereo = s->channels - 1; int16_t *output_samples; + if (stereo && (buf_size & 1)) { + buf_size--; + buf_end--; + } + /* calculate output size */ switch(avctx->codec->id) { case CODEC_ID_ROQ_DPCM: @@ -317,7 +322,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; *(AVFrame *)data = s->frame; - return buf_size; + return avpkt->size; } #define DPCM_DECODER(id_, name_, long_name_) \ 
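Review bot: in the svq3_decode_init hunk, `size` is now bounded by the bytes remaining after the SEQH header, but it is still passed to `init_get_bits()` as `size*8`, an unsigned multiplication that wraps once size exceeds UINT_MAX / 8. Rejecting such sizes alongside the new `size > extradata_end - extradata - 8` test would close that. `extradata_end` is also computed from `avctx->extradata` before the `if (extradata)` NULL test; moving the assignment inside that block avoids pointer arithmetic on a NULL pointer.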
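Review bot: in dpcm_decode_frame, the new `if (stereo && (buf_size & 1))` block discards the trailing unpaired byte without any log message, which makes truncated or malformed packets hard to spot during triage; an av_log at warning or debug level would help. With a one-byte stereo packet buf_size becomes 0 after the decrement, so the output-size calculation that follows has to cope with an empty payload, and a comment or an early return would make that explicit. Since `stereo` is `s->channels - 1`, the test is also true for more than two channels; if that cannot occur for these codecs, say so next to the check.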
From ef673211e7052d6db4dbec4b58db0f514b292288 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 23 Feb 2012 10:22:51 -0800 Subject: [PATCH 110/991] tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned. TIFF v6.0 (unimplemented) adds signed equivalents. (cherry picked from commit e32548d1331ce05a054f1028fcdda8823a4f215a) --- libavcodec/tiff.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 6810f81b35..d807149922 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -59,24 +59,24 @@ typedef struct TiffContext { LZWState *lzw; } TiffContext; -static int tget_short(const uint8_t **p, int le){ - int v = le ? AV_RL16(*p) : AV_RB16(*p); +static unsigned tget_short(const uint8_t **p, int le) { + unsigned v = le ? AV_RL16(*p) : AV_RB16(*p); *p += 2; return v; } -static int tget_long(const uint8_t **p, int le){ - int v = le ? AV_RL32(*p) : AV_RB32(*p); +static unsigned tget_long(const uint8_t **p, int le) { + unsigned v = le ? AV_RL32(*p) : AV_RB32(*p); *p += 4; return v; } -static int tget(const uint8_t **p, int type, int le){ +static unsigned tget(const uint8_t **p, int type, int le) { switch(type){ case TIFF_BYTE : return *(*p)++; case TIFF_SHORT: return tget_short(p, le); case TIFF_LONG : return tget_long (p, le); - default : return -1; + default : return UINT_MAX; } } @@ -277,7 +277,7 @@ static int init_image(TiffContext *s) static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf) { - int tag, type, count, off, value = 0; + unsigned tag, type, count, off, value = 0; int i, j; uint32_t *pal; const uint8_t *rp, *gp, *bp; @@ -312,7 +312,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; } default: - value = -1; + value = UINT_MAX; buf = start + off; } } else { 
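Review bot: In libavcodec/tiff.c, the default branch of tget() now returns UINT_MAX for an unsupported type, which is also a value a TIFF_LONG field can legitimately hold, so a caller cannot tell "unknown type" from 0xFFFFFFFF; document that this overlap is intended or report the error separately from the value. In tiff_decode_tag(), off is now unsigned, which rules out a negative offset, but "buf = start + off" in the default branch still has no comparison against end_buf in the visible lines; a bounds check on off belongs next to that assignment.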
@@ -398,7 +398,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * } break; case TIFF_ROWSPERSTRIP: - if(type == TIFF_LONG && value == -1) + if (type == TIFF_LONG && value == UINT_MAX) value = s->avctx->height; if(value < 1){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n"); From e891ee4bf639099c21bb146a734d31ad7f910acf Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 28 Feb 2012 11:50:22 -0800 Subject: [PATCH 111/991] adpcm: Clip step_index values read from the bitstream at the beginning of each frame. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit bbeb29133b55b7256d18f5aaab8b5c8e919a173a) --- libavcodec/adpcm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index b319635ed4..a540a9b12f 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -690,7 +690,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (channel = 0; channel < avctx->channels; channel++) { cs = &c->status[channel]; cs->predictor = (int16_t)bytestream_get_le16(&src); - cs->step_index = *src++; + cs->step_index = av_clip(*src++, 0, 88); src++; *samples++ = cs->predictor; } @@ -713,8 +713,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, c->status[0].predictor = (int16_t)AV_RL16(src + 10); c->status[1].predictor = (int16_t)AV_RL16(src + 12); - c->status[0].step_index = src[14]; - c->status[1].step_index = src[15]; + c->status[0].step_index = av_clip(src[14], 0, 88); + c->status[1].step_index = av_clip(src[15], 0, 88); /* sign extend the predictors */ src += 16; diff_channel = c->status[1].predictor; 
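Review bot: In libavcodec/adpcm.c, adpcm_decode_frame(), the upper bound 88 is written as a literal in every av_clip() call this patch adds; a named constant, or a small helper that clamps against the size of the table step_index is used to index, would keep the clamp and the table from drifting apart. The clamp is also silent, so a stream carrying an out-of-range step_index decodes with a substituted value and no diagnostic; consider a log message at the points where the header is read.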
@@ -754,7 +754,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (channel = 0; channel < avctx->channels; channel++) { cs = &c->status[channel]; cs->predictor = (int16_t)bytestream_get_le16(&src); - cs->step_index = *src++; + cs->step_index = av_clip(*src++, 0, 88); src++; } @@ -793,7 +793,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, src += 4; // skip sample count (already read) for (i=0; i<=st; i++) - c->status[i].step_index = bytestream_get_le32(&src); + c->status[i].step_index = av_clip(bytestream_get_le32(&src), 0, 88); for (i=0; i<=st; i++) c->status[i].predictor = bytestream_get_le32(&src); @@ -1007,11 +1007,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, case CODEC_ID_ADPCM_IMA_SMJPEG: if (avctx->codec->id == CODEC_ID_ADPCM_IMA_AMV) { c->status[0].predictor = sign_extend(bytestream_get_le16(&src), 16); - c->status[0].step_index = bytestream_get_le16(&src); + c->status[0].step_index = av_clip(bytestream_get_le16(&src), 0, 88); src += 4; } else { c->status[0].predictor = sign_extend(bytestream_get_be16(&src), 16); - c->status[0].step_index = bytestream_get_byte(&src); + c->status[0].step_index = av_clip(bytestream_get_byte(&src), 0, 88); src += 1; } From 522645e38f6d0aa78ebf3afb356e7427bf4eb248 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Feb 2012 13:35:10 -0800 Subject: [PATCH 112/991] h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Alex Converse --- libavcodec/h263dec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index f056d1fbe2..ba0ea4f9f9 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
@@ -556,8 +556,7 @@ retry: #if HAVE_MMX if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) { avctx->idct_algo= FF_IDCT_XVIDMMX; - avctx->coded_width= 0; // force reinit -// dsputil_init(&s->dsp, avctx); + ff_dct_common_init(s); s->picture_number=0; } #endif @@ -571,6 +570,12 @@ retry: || s->height != avctx->coded_height) { /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat + + if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return -1; // width / height changed during parallelized decoding + } + s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From 48ac765efe05826184bc129678e0fdf3474b99dd Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 1 Mar 2012 13:24:55 -0800 Subject: [PATCH 113/991] rv10/20: Fix slice overflow with checked bitstream reader. (cherry picked from commit 9243ec4a508c81a621e941bb7e012e2d45d93659) --- libavcodec/rv10.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index d7d7ed2fb2..ff6c9c3078 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -499,9 +499,10 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf, int buf_size, int buf_size2) { MpegEncContext *s = avctx->priv_data; - int mb_count, mb_pos, left, start_mb_x; + int mb_count, mb_pos, left, start_mb_x, active_bits_size; - init_get_bits(&s->gb, buf, buf_size*8); + active_bits_size = buf_size * 8; + init_get_bits(&s->gb, buf, FFMAX(buf_size, buf_size2) * 8); if(s->codec_id ==CODEC_ID_RV10) mb_count = rv10_decode_picture_header(s); else 
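Review bot: In libavcodec/rv10.c, rv10_decode_packet(), init_get_bits() is now given FFMAX(buf_size, buf_size2) * 8 bits over buf, so the bit reader is permitted to read up to buf_size2 bytes starting at buf, yet nothing visible in this function verifies that buf really has that many bytes behind it. Add a comment stating which caller guarantee makes this safe, or validate buf_size2 against the packet before this call. The multiplication by 8 is also unchecked for large sizes.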
@@ -584,13 +585,26 @@ static int rv10_decode_packet(AVCodecContext *avctx, s->mv_type = MV_TYPE_16X16; ret=ff_h263_decode_mb(s, s->block); - if (ret != SLICE_ERROR && s->gb.size_in_bits < get_bits_count(&s->gb) && 8*buf_size2 >= get_bits_count(&s->gb)){ - av_log(avctx, AV_LOG_DEBUG, "update size from %d to %d\n", s->gb.size_in_bits, 8*buf_size2); - s->gb.size_in_bits= 8*buf_size2; + // Repeat the slice end check from ff_h263_decode_mb with our active + // bitstream size + if (ret != SLICE_ERROR) { + int v = show_bits(&s->gb, 16); + + if (get_bits_count(&s->gb) + 16 > active_bits_size) + v >>= get_bits_count(&s->gb) + 16 - active_bits_size; + + if (!v) + ret = SLICE_END; + } + if (ret != SLICE_ERROR && active_bits_size < get_bits_count(&s->gb) && + 8 * buf_size2 >= get_bits_count(&s->gb)) { + active_bits_size = buf_size2 * 8; + av_log(avctx, AV_LOG_DEBUG, "update size from %d to %d\n", + 8 * buf_size, active_bits_size); ret= SLICE_OK; } - if (ret == SLICE_ERROR || s->gb.size_in_bits < get_bits_count(&s->gb)) { + if (ret == SLICE_ERROR || active_bits_size < get_bits_count(&s->gb)) { av_log(s->avctx, AV_LOG_ERROR, "ERROR at MB %d %d\n", s->mb_x, s->mb_y); return -1; } @@ -612,7 +626,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, ff_er_add_slice(s, start_mb_x, s->resync_mb_y, s->mb_x-1, s->mb_y, ER_MB_END); - return s->gb.size_in_bits; + return active_bits_size; } static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) From 4a325ddeae486c0bb2f73b886e16e30e305f9d20 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 21 Feb 2012 14:08:02 -0800 Subject: [PATCH 114/991] mov: Add support for MPEG2 HDV 720p24 (hdv4) (cherry picked from commit 0ad522afb3a3b3d22402ecb82dd4609f7655031b) --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index eab304c006..edd64f4627 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c 
@@ -159,6 +159,7 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '1') }, /* MPEG2 HDV 720p30 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '2') }, /* MPEG2 HDV 1080i60 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '3') }, /* MPEG2 HDV 1080i50 */ + { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '4') }, /* MPEG2 HDV 720p24 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '5') }, /* MPEG2 HDV 720p25 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */ From fb049da952668a54c3a82f3fee93d8384b254738 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 21 Feb 2012 15:37:35 -0800 Subject: [PATCH 115/991] mov: Add more HDV and XDCAM FourCCs. Reference: VLC (cherry picked from commit b142496c5630b9bc88fb9eaccae7f6bd62fb23e7) --- libavformat/isom.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index edd64f4627..07f22ca123 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -164,6 +164,8 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '6') }, /* MPEG2 HDV 1080p24 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '7') }, /* MPEG2 HDV 1080p25 */ { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '8') }, /* MPEG2 HDV 1080p30 */ + { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', '9') }, /* MPEG2 HDV 720p60 JVC */ + { CODEC_ID_MPEG2VIDEO, MKTAG('h', 'd', 'v', 'a') }, /* MPEG2 HDV 720p50 */ { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'n') }, /* MPEG2 IMX NTSC 525/60 50mb/s produced by FCP */ { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '5', 'p') }, /* MPEG2 IMX PAL 625/50 50mb/s produced by FCP */ { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'x', '4', 'n') }, /* MPEG2 IMX NTSC 525/60 40mb/s produced by FCP */ 
@@ -194,6 +196,8 @@ const AVCodecTag codec_movvideo_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'd') }, /* XDCAM EX 1080p24 VBR */ { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'e') }, /* XDCAM EX 1080p25 VBR */ { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'v', 'f') }, /* XDCAM EX 1080p30 VBR */ + { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', 'd') }, /* XDCAM HD 540p */ + { CODEC_ID_MPEG2VIDEO, MKTAG('x', 'd', 'h', '2') }, /* XDCAM HD422 540p */ { CODEC_ID_MPEG2VIDEO, MKTAG('A', 'V', 'm', 'p') }, /* AVID IMX PAL */ { CODEC_ID_JPEG2000, MKTAG('m', 'j', 'p', '2') }, /* JPEG 2000 produced by FCP */ From a47b96bdd31e00dfa03429ee3b04b84d035bf7f8 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 13 Feb 2012 21:10:48 +0100 Subject: [PATCH 116/991] rv34: handle size changes during frame multithreading Factors all context dynamic memory handling to its own functions. Fixes bug 220. (cherry picked from commit 2bd730010da24d035639586bb13862abe36cc1b8) Signed-off-by: Reinhard Tartler --- libavcodec/rv34.c | 146 ++++++++++++++++++++++++++-------------------- 1 file changed, 82 insertions(+), 64 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index e6af0793d3..0aecc2379e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -711,8 +711,7 @@ static inline void rv34_mc(RV34DecContext *r, const int block_type, if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) { /* wait for the referenced mb row to be finished */ - int mb_row = FFMIN(s->mb_height - 1, - s->mb_y + ((yoff + my + 5 + 8 * height) >> 4)); + int mb_row = s->mb_y + ((yoff + my + 5 + 8 * height) >> 4); AVFrame *f = dir ? &s->next_picture_ptr->f : &s->last_picture_ptr->f; ff_thread_await_progress(f, mb_row, 0); } 
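Review bot: In libavcodec/rv34.c, rv34_mc(), removing the FFMIN(s->mb_height - 1, ...) clamp means the row passed to ff_thread_await_progress() can now be larger than the last macroblock row of the reference frame. That wait only completes because a later hunk of this patch changes the final ff_thread_report_progress() in ff_rv34_decode_frame() to report INT_MAX; add a comment here tying the two together, so that a future change to the final report does not turn this into a hang.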
@@ -1361,6 +1360,53 @@ static int check_slice_end(RV34DecContext *r, MpegEncContext *s) return 0; } + +static void rv34_decoder_free(RV34DecContext *r) +{ + av_freep(&r->intra_types_hist); + r->intra_types = NULL; + av_freep(&r->tmp_b_block_base); + av_freep(&r->mb_type); + av_freep(&r->cbp_luma); + av_freep(&r->cbp_chroma); + av_freep(&r->deblock_coefs); +} + + +static int rv34_decoder_alloc(RV34DecContext *r) +{ + r->intra_types_stride = r->s.mb_width * 4 + 4; + + r->cbp_chroma = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->cbp_chroma)); + r->cbp_luma = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->cbp_luma)); + r->deblock_coefs = av_malloc(r->s.mb_stride * r->s.mb_height * + sizeof(*r->deblock_coefs)); + r->intra_types_hist = av_malloc(r->intra_types_stride * 4 * 2 * + sizeof(*r->intra_types_hist)); + r->mb_type = av_mallocz(r->s.mb_stride * r->s.mb_height * + sizeof(*r->mb_type)); + + if (!(r->cbp_chroma && r->cbp_luma && r->deblock_coefs && + r->intra_types_hist && r->mb_type)) { + rv34_decoder_free(r); + return AVERROR(ENOMEM); + } + + r->intra_types = r->intra_types_hist + r->intra_types_stride * 4; + + return 0; +} + + +static int rv34_decoder_realloc(RV34DecContext *r) +{ + rv34_decoder_free(r); + return rv34_decoder_alloc(r); +} + + static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int buf_size) { MpegEncContext *s = &r->s; 
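Review bot: In libavcodec/rv34.c, rv34_decoder_alloc() derives intra_types_stride from r->s.mb_width * 4 + 4, while the initialisation it replaces in ff_rv34_decode_init() used 4*s->mb_stride + 4 (only the old resize path used mb_width). The commit message should state that the narrower stride is intended for the init path as well, since the patch is described as a refactoring plus a resize fix. The products mb_stride * mb_height * sizeof(...) passed to av_malloc() are also unchecked for overflow, and this helper is now the single place where such a check could be added.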
@@ -1376,22 +1422,19 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int } if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) { - if(s->width != r->si.width || s->height != r->si.height){ - av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height); + if (s->width != r->si.width || s->height != r->si.height) { + int err; + + av_log(s->avctx, AV_LOG_WARNING, "Changing dimensions to %dx%d\n", + r->si.width, r->si.height); MPV_common_end(s); s->width = r->si.width; s->height = r->si.height; avcodec_set_dimensions(s->avctx, s->width, s->height); - if(MPV_common_init(s) < 0) - return -1; - r->intra_types_stride = s->mb_width*4 + 4; - r->intra_types_hist = av_realloc(r->intra_types_hist, r->intra_types_stride * 4 * 2 * sizeof(*r->intra_types_hist)); - r->intra_types = r->intra_types_hist + r->intra_types_stride * 4; - r->mb_type = av_realloc(r->mb_type, r->s.mb_stride * r->s.mb_height * sizeof(*r->mb_type)); - r->cbp_luma = av_realloc(r->cbp_luma, r->s.mb_stride * r->s.mb_height * sizeof(*r->cbp_luma)); - r->cbp_chroma = av_realloc(r->cbp_chroma, r->s.mb_stride * r->s.mb_height * sizeof(*r->cbp_chroma)); - r->deblock_coefs = av_realloc(r->deblock_coefs, r->s.mb_stride * r->s.mb_height * sizeof(*r->deblock_coefs)); - av_freep(&r->tmp_b_block_base); + if ((err = MPV_common_init(s)) < 0) + return err; + if ((err = rv34_decoder_realloc(r)) < 0) + return err; } s->pict_type = r->si.type ? r->si.type : AV_PICTURE_TYPE_I; if(MPV_frame_start(s, s->avctx) < 0) @@ -1496,6 +1539,7 @@ av_cold int ff_rv34_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; MpegEncContext *s = &r->s; + int ret; MPV_decode_defaults(s); s->avctx = avctx; 
@@ -1512,8 +1556,8 @@ av_cold int ff_rv34_decode_init(AVCodecContext *avctx) avctx->has_b_frames = 1; s->low_delay = 0; - if (MPV_common_init(s) < 0) - return -1; + if ((ret = MPV_common_init(s)) < 0) + return ret; ff_h264_pred_init(&r->h, CODEC_ID_RV40, 8, 1); @@ -1526,15 +1570,8 @@ av_cold int ff_rv34_decode_init(AVCodecContext *avctx) ff_rv40dsp_init(&r->rdsp, &r->s.dsp); #endif - r->intra_types_stride = 4*s->mb_stride + 4; - r->intra_types_hist = av_malloc(r->intra_types_stride * 4 * 2 * sizeof(*r->intra_types_hist)); - r->intra_types = r->intra_types_hist + r->intra_types_stride * 4; - - r->mb_type = av_mallocz(r->s.mb_stride * r->s.mb_height * sizeof(*r->mb_type)); - - r->cbp_luma = av_malloc(r->s.mb_stride * r->s.mb_height * sizeof(*r->cbp_luma)); - r->cbp_chroma = av_malloc(r->s.mb_stride * r->s.mb_height * sizeof(*r->cbp_chroma)); - r->deblock_coefs = av_malloc(r->s.mb_stride * r->s.mb_height * sizeof(*r->deblock_coefs)); + if ((ret = rv34_decoder_alloc(r)) < 0) + return ret; if(!intra_vlcs[0].cbppattern[0].bits) rv34_init_tables(); 
@@ -1544,40 +1581,17 @@ av_cold int ff_rv34_decode_init(AVCodecContext *avctx) int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) { + int err; RV34DecContext *r = avctx->priv_data; r->s.avctx = avctx; if (avctx->internal->is_copy) { - r->cbp_chroma = av_malloc(r->s.mb_stride * r->s.mb_height * - sizeof(*r->cbp_chroma)); - r->cbp_luma = av_malloc(r->s.mb_stride * r->s.mb_height * - sizeof(*r->cbp_luma)); - r->deblock_coefs = av_malloc(r->s.mb_stride * r->s.mb_height * - sizeof(*r->deblock_coefs)); - r->intra_types_hist = av_malloc(r->intra_types_stride * 4 * 2 * - sizeof(*r->intra_types_hist)); - r->mb_type = av_malloc(r->s.mb_stride * r->s.mb_height * - sizeof(*r->mb_type)); - - if (!(r->cbp_chroma && r->cbp_luma && r->deblock_coefs && - r->intra_types_hist && r->mb_type)) { - av_freep(&r->cbp_chroma); - av_freep(&r->cbp_luma); - av_freep(&r->deblock_coefs); - av_freep(&r->intra_types_hist); - av_freep(&r->mb_type); - r->intra_types = NULL; - return AVERROR(ENOMEM); - } - - r->intra_types = r->intra_types_hist + r->intra_types_stride * 4; r->tmp_b_block_base = NULL; - - memset(r->mb_type, 0, r->s.mb_stride * r->s.mb_height * - sizeof(*r->mb_type)); - - MPV_common_init(&r->s); + if ((err = MPV_common_init(&r->s)) < 0) + return err; + if ((err = rv34_decoder_alloc(r)) < 0) + return err; } return 0; } @@ -1591,6 +1605,16 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte if (dst == src || !s1->context_initialized) return 0; + if (s->height != s1->height || s->width != s1->width) { + MPV_common_end(s); + s->height = s1->height; + s->width = s1->width; + if ((err = MPV_common_init(s)) < 0) + return err; + if ((err = rv34_decoder_realloc(r)) < 0) + return err; + } + if ((err = ff_mpeg_update_thread_context(dst, src))) return err; 
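Review bot: In libavcodec/rv34.c, ff_rv34_decode_update_thread_context(), the new resize branch copies width and height into s and reinitialises, but unlike the matching branch in rv34_decode_slice() it does not call avcodec_set_dimensions(); either add the call or comment why the destination context does not need it. If MPV_common_init() or rv34_decoder_realloc() fails here, s is left with the new dimensions and freed buffers, so the error path should leave the context in a state the next call can detect.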
@@ -1708,11 +1732,12 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); - if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) - ff_thread_report_progress(&s->current_picture_ptr->f, - s->mb_height - 1, 0); ff_er_frame_end(s); MPV_frame_end(s); + + if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) + ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); + if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { *pict = *(AVFrame*)s->current_picture_ptr; } else if (s->last_picture_ptr != NULL) { @@ -1733,14 +1758,7 @@ av_cold int ff_rv34_decode_end(AVCodecContext *avctx) RV34DecContext *r = avctx->priv_data; MPV_common_end(&r->s); - - av_freep(&r->intra_types_hist); - r->intra_types = NULL; - av_freep(&r->tmp_b_block_base); - av_freep(&r->mb_type); - av_freep(&r->cbp_luma); - av_freep(&r->cbp_chroma); - av_freep(&r->deblock_coefs); + rv34_decoder_free(r); return 0; } From 4a15240a274c1eada288d27c889443ebd6aa62f8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 12 Feb 2012 15:06:58 -0500 Subject: [PATCH 117/991] mov: set channel layout for AC-3 streams based on the 'dac3' atom info fixes Bug 225 (cherry picked from commit 3798205a77ce275613098ecb48645e6029811f14) Signed-off-by: Reinhard Tartler --- libavcodec/Makefile | 2 +- libavcodec/ac3_parser.c | 2 +- libavcodec/ac3dec.c | 2 +- libavcodec/ac3tab.c | 2 +- libavcodec/ac3tab.h | 2 +- libavformat/mov.c | 5 +++++ 6 files changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 1e8d09b956..5a4fa4cbe9 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile 
@@ -549,7 +549,7 @@ OBJS-$(CONFIG_MATROSKA_MUXER) += xiph.o mpeg4audio.o \ flacdec.o flacdata.o flac.o \ mpegaudiodata.o OBJS-$(CONFIG_MP3_MUXER) += mpegaudiodata.o mpegaudiodecheader.o -OBJS-$(CONFIG_MOV_DEMUXER) += mpeg4audio.o mpegaudiodata.o +OBJS-$(CONFIG_MOV_DEMUXER) += mpeg4audio.o mpegaudiodata.o ac3tab.o OBJS-$(CONFIG_MOV_MUXER) += mpeg4audio.o mpegaudiodata.o OBJS-$(CONFIG_MPEGTS_MUXER) += mpegvideo.o mpeg4audio.o OBJS-$(CONFIG_MPEGTS_DEMUXER) += mpeg4audio.o mpegaudiodata.o diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 067b4f9879..d9ba1fd70b 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -134,7 +134,7 @@ int avpriv_ac3_parse_header(GetBitContext *gbc, AC3HeaderInfo *hdr) (hdr->num_blocks * 256.0)); hdr->channels = ff_ac3_channels_tab[hdr->channel_mode] + hdr->lfe_on; } - hdr->channel_layout = ff_ac3_channel_layout_tab[hdr->channel_mode]; + hdr->channel_layout = avpriv_ac3_channel_layout_tab[hdr->channel_mode]; if (hdr->lfe_on) hdr->channel_layout |= AV_CH_LOW_FREQUENCY; diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 1020eea0d6..fdc1d6830e 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1383,7 +1383,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, avctx->request_channels < s->channels) { s->out_channels = avctx->request_channels; s->output_mode = avctx->request_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO; - s->channel_layout = ff_ac3_channel_layout_tab[s->output_mode]; + s->channel_layout = avpriv_ac3_channel_layout_tab[s->output_mode]; } avctx->channels = s->out_channels; avctx->channel_layout = s->channel_layout; diff --git a/libavcodec/ac3tab.c b/libavcodec/ac3tab.c index 7df3d828fb..951a1014ce 100644 --- a/libavcodec/ac3tab.c +++ b/libavcodec/ac3tab.c 
@@ -84,7 +84,7 @@ const uint8_t ff_ac3_channels_tab[8] = { /** * Map audio coding mode (acmod) to channel layout mask. */ -const uint16_t ff_ac3_channel_layout_tab[8] = { +const uint16_t avpriv_ac3_channel_layout_tab[8] = { AV_CH_LAYOUT_STEREO, AV_CH_LAYOUT_MONO, AV_CH_LAYOUT_STEREO, diff --git a/libavcodec/ac3tab.h b/libavcodec/ac3tab.h index e5cd368bb7..8ed50520e6 100644 --- a/libavcodec/ac3tab.h +++ b/libavcodec/ac3tab.h @@ -33,7 +33,7 @@ extern const uint16_t ff_ac3_frame_size_tab[38][3]; extern const uint8_t ff_ac3_channels_tab[8]; -extern const uint16_t ff_ac3_channel_layout_tab[8]; +extern const uint16_t avpriv_ac3_channel_layout_tab[8]; extern const uint8_t ff_ac3_enc_channel_map[8][2][6]; extern const uint8_t ff_ac3_dec_channel_map[8][2][6]; extern const uint16_t ff_ac3_sample_rate_tab[3]; diff --git a/libavformat/mov.c b/libavformat/mov.c index d14ae7ee0d..089cdea558 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -25,11 +25,13 @@ //#define DEBUG //#define MOV_EXPORT_ALL_METADATA +#include "libavutil/audioconvert.h" #include "libavutil/intreadwrite.h" #include "libavutil/intfloat.h" #include "libavutil/mathematics.h" #include "libavutil/avstring.h" #include "libavutil/dict.h" +#include "libavcodec/ac3tab.h" #include "avformat.h" #include "internal.h" #include "avio_internal.h" @@ -548,6 +550,9 @@ static int mov_read_dac3(MOVContext *c, AVIOContext *pb, MOVAtom atom) acmod = (ac3info >> 11) & 0x7; lfeon = (ac3info >> 10) & 0x1; st->codec->channels = ((int[]){2,1,2,3,3,4,4,5})[acmod] + lfeon; + st->codec->channel_layout = avpriv_ac3_channel_layout_tab[acmod]; + if (lfeon) + st->codec->channel_layout |= AV_CH_LOW_FREQUENCY; st->codec->audio_service_type = bsmod; if (st->codec->channels > 1 && bsmod == 0x7) st->codec->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; From 9550c631963bbae78e9d33fa7f05f7138518dc8e Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Mon, 5 Mar 2012 20:40:37 +0100 Subject: [PATCH 118/991] Prepare for 0.8.1 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index aec258df73..6f4eebdf6f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8 +0.8.1 From 7b676935ee885d66d106436ec1acabdb8e335eca Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Mar 2012 17:03:32 -0800 Subject: [PATCH 119/991] svq3: protect against negative quantizers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 11b940a1a8e7e5d5b212935a3ce78aeda577f5f2) Signed-off-by: Reinhard Tartler --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index eeb8ed7051..49ca456bef 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -651,7 +651,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) if (IS_INTRA16x16(mb_type) || (s->pict_type != AV_PICTURE_TYPE_I && s->adaptive_quant && cbp)) { s->qscale += svq3_get_se_golomb(&s->gb); - if (s->qscale > 31){ + if (s->qscale > 31u){ av_log(h->s.avctx, AV_LOG_ERROR, "qscale:%d\n", s->qscale); return -1; } From 9def2f200e55f625161b4040aa5ce2d86ae69ed3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 10:27:05 -0800 Subject: [PATCH 120/991] error_resilience: initialize s->block_index[]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6193ff68549ecbaf1a4d63a0e06964ec580ac620) Signed-off-by: Reinhard Tartler --- libavcodec/error_resilience.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index bf59efad1a..96f49c8adb 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c 
@@ -419,9 +419,14 @@ static void guess_mv(MpegEncContext *s) if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || num_avail <= mb_width / 2) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + s->mb_x = 0; + s->mb_y = mb_y; + ff_init_block_index(s); for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; + ff_update_block_index(s); + if (IS_INTRA(s->current_picture.f.mb_type[mb_xy])) continue; if (!(s->error_status_table[mb_xy] & ER_MV_ERROR)) @@ -456,6 +461,9 @@ static void guess_mv(MpegEncContext *s) changed = 0; for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + s->mb_x = 0; + s->mb_y = mb_y; + ff_init_block_index(s); for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_predictor[8][2] = { { 0 } }; @@ -467,6 +475,8 @@ static void guess_mv(MpegEncContext *s) const int mot_index = (mb_x + mb_y * mot_stride) * mot_step; int prev_x, prev_y, prev_ref; + ff_update_block_index(s); + if ((mb_x ^ mb_y ^ pass) & 1) continue; @@ -1072,11 +1082,16 @@ void ff_er_frame_end(MpegEncContext *s) /* handle inter blocks with damaged AC */ for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + s->mb_x = 0; + s->mb_y = mb_y; + ff_init_block_index(s); for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; const int mb_type = s->current_picture.f.mb_type[mb_xy]; int dir = !s->last_picture.f.data[0]; + ff_update_block_index(s); + error = s->error_status_table[mb_xy]; if (IS_INTRA(mb_type)) 
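Review bot: In libavcodec/error_resilience.c, each of these loops sets s->mb_x = 0 and s->mb_y = mb_y once per row and then only calls ff_update_block_index(s) per macroblock, so s->mb_x stays at 0 for the whole row and both fields keep the loop's last values afterwards. If anything reached from the loop bodies reads s->mb_x it will see 0 rather than mb_x; please confirm that is not the case or assign s->mb_x = mb_x inside the inner loop. The three-line setup is pasted into every loop in guess_mv() and ff_er_frame_end() and would read better as one small helper.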
@@ -1114,11 +1129,16 @@ void ff_er_frame_end(MpegEncContext *s) /* guess MVs */ if (s->pict_type == AV_PICTURE_TYPE_B) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + s->mb_x = 0; + s->mb_y = mb_y; + ff_init_block_index(s); for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int xy = mb_x * 2 + mb_y * 2 * s->b8_stride; const int mb_xy = mb_x + mb_y * s->mb_stride; const int mb_type = s->current_picture.f.mb_type[mb_xy]; + ff_update_block_index(s); + error = s->error_status_table[mb_xy]; if (IS_INTRA(mb_type)) From 7503861b424f7a1151bf4c4714bd46b4bdc5b496 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Mar 2012 12:26:42 -0800 Subject: [PATCH 121/991] swscale: make filterPos 32bit. Fixes overflows for large image sizes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2254b559cbcfc0418135f09add37c0a5866b1981) Signed-off-by: Reinhard Tartler --- libswscale/ppc/swscale_altivec.c | 2 +- libswscale/swscale.c | 20 ++++++++++---------- libswscale/swscale_internal.h | 12 ++++++------ libswscale/utils.c | 4 ++-- libswscale/x86/scale.asm | 31 +++++++++++++++++-------------- libswscale/x86/swscale_mmx.c | 6 +++--- libswscale/x86/swscale_template.c | 4 ++-- 7 files changed, 41 insertions(+), 38 deletions(-) diff --git a/libswscale/ppc/swscale_altivec.c b/libswscale/ppc/swscale_altivec.c index 87059d9430..d7b58eea59 100644 --- a/libswscale/ppc/swscale_altivec.c +++ b/libswscale/ppc/swscale_altivec.c @@ -147,7 +147,7 @@ yuv2planeX_altivec(const int16_t *filter, int filterSize, static void hScale_altivec_real(SwsContext *c, int16_t *dst, int dstW, const uint8_t *src, const int16_t *filter, - const int16_t *filterPos, int filterSize) + const int32_t *filterPos, int filterSize) { register int i; DECLARE_ALIGNED(16, int, tempo)[4]; diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 05ee8a4d91..1d0ea1b730 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c 
@@ -1874,7 +1874,7 @@ static void planar_rgb16be_to_uv(uint8_t *_dstU, uint8_t *_dstV, const uint8_t * static void hScale16To19_c(SwsContext *c, int16_t *_dst, int dstW, const uint8_t *_src, const int16_t *filter, - const int16_t *filterPos, int filterSize) + const int32_t *filterPos, int filterSize) { int i; int32_t *dst = (int32_t *) _dst; @@ -1897,7 +1897,7 @@ static void hScale16To19_c(SwsContext *c, int16_t *_dst, int dstW, const uint8_t static void hScale16To15_c(SwsContext *c, int16_t *dst, int dstW, const uint8_t *_src, const int16_t *filter, - const int16_t *filterPos, int filterSize) + const int32_t *filterPos, int filterSize) { int i; const uint16_t *src = (const uint16_t *) _src; @@ -1918,7 +1918,7 @@ static void hScale16To15_c(SwsContext *c, int16_t *dst, int dstW, const uint8_t // bilinear / bicubic scaling static void hScale8To15_c(SwsContext *c, int16_t *dst, int dstW, const uint8_t *src, - const int16_t *filter, const int16_t *filterPos, + const int16_t *filter, const int32_t *filterPos, int filterSize) { int i; @@ -1936,7 +1936,7 @@ static void hScale8To15_c(SwsContext *c, int16_t *dst, int dstW, const uint8_t * } static void hScale8To19_c(SwsContext *c, int16_t *_dst, int dstW, const uint8_t *src, - const int16_t *filter, const int16_t *filterPos, + const int16_t *filter, const int32_t *filterPos, int filterSize) { int i; @@ -2037,7 +2037,7 @@ static void hyscale_fast_c(SwsContext *c, int16_t *dst, int dstWidth, static av_always_inline void hyscale(SwsContext *c, int16_t *dst, int dstWidth, const uint8_t *src_in[4], int srcW, int xInc, const int16_t *hLumFilter, - const int16_t *hLumFilterPos, int hLumFilterSize, + const int32_t *hLumFilterPos, int hLumFilterSize, uint8_t *formatConvBuffer, uint32_t *pal, int isAlpha) { 
@@ -2081,7 +2081,7 @@ static void hcscale_fast_c(SwsContext *c, int16_t *dst1, int16_t *dst2, static av_always_inline void hcscale(SwsContext *c, int16_t *dst1, int16_t *dst2, int dstWidth, const uint8_t *src_in[4], int srcW, int xInc, const int16_t *hChrFilter, - const int16_t *hChrFilterPos, int hChrFilterSize, + const int32_t *hChrFilterPos, int hChrFilterSize, uint8_t *formatConvBuffer, uint32_t *pal) { const uint8_t *src1 = src_in[1], *src2 = src_in[2]; @@ -2369,10 +2369,10 @@ static int swScale(SwsContext *c, const uint8_t* src[], const int chrXInc= c->chrXInc; const enum PixelFormat dstFormat= c->dstFormat; const int flags= c->flags; - int16_t *vLumFilterPos= c->vLumFilterPos; - int16_t *vChrFilterPos= c->vChrFilterPos; - int16_t *hLumFilterPos= c->hLumFilterPos; - int16_t *hChrFilterPos= c->hChrFilterPos; + int32_t *vLumFilterPos= c->vLumFilterPos; + int32_t *vChrFilterPos= c->vChrFilterPos; + int32_t *hLumFilterPos= c->hLumFilterPos; + int32_t *hChrFilterPos= c->hChrFilterPos; int16_t *vLumFilter= c->vLumFilter; int16_t *vChrFilter= c->vChrFilter; int16_t *hLumFilter= c->hLumFilter; diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 3436b92788..a71699538d 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h 
@@ -295,10 +295,10 @@ typedef struct SwsContext { int16_t *hChrFilter; ///< Array of horizontal filter coefficients for chroma planes. int16_t *vLumFilter; ///< Array of vertical filter coefficients for luma/alpha planes. int16_t *vChrFilter; ///< Array of vertical filter coefficients for chroma planes. - int16_t *hLumFilterPos; ///< Array of horizontal filter starting positions for each dst[i] for luma/alpha planes. - int16_t *hChrFilterPos; ///< Array of horizontal filter starting positions for each dst[i] for chroma planes. - int16_t *vLumFilterPos; ///< Array of vertical filter starting positions for each dst[i] for luma/alpha planes. - int16_t *vChrFilterPos; ///< Array of vertical filter starting positions for each dst[i] for chroma planes. + int32_t *hLumFilterPos; ///< Array of horizontal filter starting positions for each dst[i] for luma/alpha planes. + int32_t *hChrFilterPos; ///< Array of horizontal filter starting positions for each dst[i] for chroma planes. + int32_t *vLumFilterPos; ///< Array of vertical filter starting positions for each dst[i] for luma/alpha planes. + int32_t *vChrFilterPos; ///< Array of vertical filter starting positions for each dst[i] for chroma planes. int hLumFilterSize; ///< Horizontal filter size for luma/alpha pixels. int hChrFilterSize; ///< Horizontal filter size for chroma pixels. int vLumFilterSize; ///< Vertical filter size for luma/alpha pixels. @@ -508,10 +508,10 @@ typedef struct SwsContext { /** @{ */ void (*hyScale)(struct SwsContext *c, int16_t *dst, int dstW, const uint8_t *src, const int16_t *filter, - const int16_t *filterPos, int filterSize); + const int32_t *filterPos, int filterSize); void (*hcScale)(struct SwsContext *c, int16_t *dst, int dstW, const uint8_t *src, const int16_t *filter, - const int16_t *filterPos, int filterSize); + const int32_t *filterPos, int filterSize); /** @} */ /// Color range conversion function for luma plane if needed. 
diff --git a/libswscale/utils.c b/libswscale/utils.c index 51bc3842dc..f3a501230f 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -180,7 +180,7 @@ static double getSplineCoeff(double a, double b, double c, double d, double dist dist-1.0); } -static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSize, int xInc, +static int initFilter(int16_t **outFilter, int32_t **filterPos, int *outFilterSize, int xInc, int srcW, int dstW, int filterAlign, int one, int flags, int cpu_flags, SwsVector *srcFilter, SwsVector *dstFilter, double param[2], int is_horizontal) { @@ -196,7 +196,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi emms_c(); //FIXME this should not be required but it IS (even for non-MMX versions) // NOTE: the +3 is for the MMX(+1)/SSE(+3) scaler which reads over the end - FF_ALLOC_OR_GOTO(NULL, *filterPos, (dstW+3)*sizeof(int16_t), fail); + FF_ALLOC_OR_GOTO(NULL, *filterPos, (dstW+3)*sizeof(**filterPos), fail); if (FFABS(xInc - 0x10000) <10) { // unscaled int i; diff --git a/libswscale/x86/scale.asm b/libswscale/x86/scale.asm index d35589419c..2b0b6dd230 100644 --- a/libswscale/x86/scale.asm +++ b/libswscale/x86/scale.asm @@ -38,7 +38,7 @@ SECTION .text ; (SwsContext *c, int{16,32}_t *dst, ; int dstW, const uint{8,16}_t *src, ; const int16_t *filter, -; const int16_t *filterPos, int filterSize); +; const int32_t *filterPos, int filterSize); ; ; Scale one horizontal line. Input is either 8-bits width or 16-bits width ; ($source_width can be either 8, 9, 10 or 16, difference is whether we have to @@ -53,6 +53,9 @@ SECTION .text cglobal hscale%1to%2_%4_%5, %6, 7, %7 %ifdef ARCH_X86_64 movsxd r2, r2d +%define mov32 movsxd +%else ; x86-32 +%define mov32 mov %endif ; x86-64 %if %2 == 19 %if mmsize == 8 ; mmx 
@@ -95,14 +98,14 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 %else ; %2 == 19 lea r1, [r1+r2*(4>>r2shr)] %endif ; %2 == 15/19 - lea r5, [r5+r2*(2>>r2shr)] + lea r5, [r5+r2*(4>>r2shr)] neg r2 .loop: %if %3 == 4 ; filterSize == 4 scaling ; load 2x4 or 4x4 source pixels into m0/m1 - movsx r0, word [r5+r2*2+0] ; filterPos[0] - movsx r6, word [r5+r2*2+2] ; filterPos[1] + mov32 r0, dword [r5+r2*4+0] ; filterPos[0] + mov32 r6, dword [r5+r2*4+4] ; filterPos[1] movlh m0, [r3+r0*srcmul] ; src[filterPos[0] + {0,1,2,3}] %if mmsize == 8 movlh m1, [r3+r6*srcmul] ; src[filterPos[1] + {0,1,2,3}] @@ -112,8 +115,8 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 %else ; %1 == 8 movd m4, [r3+r6*srcmul] ; src[filterPos[1] + {0,1,2,3}] %endif - movsx r0, word [r5+r2*2+4] ; filterPos[2] - movsx r6, word [r5+r2*2+6] ; filterPos[3] + mov32 r0, dword [r5+r2*4+8] ; filterPos[2] + mov32 r6, dword [r5+r2*4+12] ; filterPos[3] movlh m1, [r3+r0*srcmul] ; src[filterPos[2] + {0,1,2,3}] %if %1 > 8 movhps m1, [r3+r6*srcmul] ; src[filterPos[3] + {0,1,2,3}] @@ -156,8 +159,8 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 %endif ; mmx/sse2/ssse3/sse4 %else ; %3 == 8, i.e. filterSize == 8 scaling ; load 2x8 or 4x8 source pixels into m0, m1, m4 and m5 - movsx r0, word [r5+r2*1+0] ; filterPos[0] - movsx r6, word [r5+r2*1+2] ; filterPos[1] + mov32 r0, dword [r5+r2*2+0] ; filterPos[0] + mov32 r6, dword [r5+r2*2+4] ; filterPos[1] movbh m0, [r3+ r0 *srcmul] ; src[filterPos[0] + {0,1,2,3,4,5,6,7}] %if mmsize == 8 movbh m1, [r3+(r0+4)*srcmul] ; src[filterPos[0] + {4,5,6,7}] 
@@ -165,8 +168,8 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 movbh m5, [r3+(r6+4)*srcmul] ; src[filterPos[1] + {4,5,6,7}] %else ; mmsize == 16 movbh m1, [r3+ r6 *srcmul] ; src[filterPos[1] + {0,1,2,3,4,5,6,7}] - movsx r0, word [r5+r2*1+4] ; filterPos[2] - movsx r6, word [r5+r2*1+6] ; filterPos[3] + mov32 r0, dword [r5+r2*2+8] ; filterPos[2] + mov32 r6, dword [r5+r2*2+12] ; filterPos[3] movbh m4, [r3+ r0 *srcmul] ; src[filterPos[2] + {0,1,2,3,4,5,6,7}] movbh m5, [r3+ r6 *srcmul] ; src[filterPos[3] + {0,1,2,3,4,5,6,7}] %endif ; mmsize == 8/16 @@ -251,7 +254,7 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 %define r1x r1 %define filter2 r6m %endif ; x86-32/64 - lea r5, [r5+r2*2] + lea r5, [r5+r2*4] %if %2 == 15 lea r1, [r1+r2*2] %else ; %2 == 19 @@ -261,8 +264,8 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 neg r2 .loop: - movsx r0, word [r5+r2*2+0] ; filterPos[0] - movsx r1x, word [r5+r2*2+2] ; filterPos[1] + mov32 r0, dword [r5+r2*4+0] ; filterPos[0] + mov32 r1x, dword [r5+r2*4+4] ; filterPos[1] ; FIXME maybe do 4px/iteration on x86-64 (x86-32 wouldn't have enough regs)? pxor m4, m4 pxor m5, m5 @@ -293,7 +296,7 @@ cglobal hscale%1to%2_%4_%5, %6, 7, %7 jl .innerloop %ifidn %4, X4 - movsx r1x, word [r5+r2*2+2] ; filterPos[1] + mov32 r1x, dword [r5+r2*4+4] ; filterPos[1] movlh m0, [src_reg+r0 *srcmul] ; split last 4 srcpx of dstpx[0] sub r1x, r6 ; and first 4 srcpx of dstpx[1] %if %1 > 8 diff --git a/libswscale/x86/swscale_mmx.c b/libswscale/x86/swscale_mmx.c index 0853e12c41..f70d719f16 100644 --- a/libswscale/x86/swscale_mmx.c +++ b/libswscale/x86/swscale_mmx.c 
@@ -108,8 +108,8 @@ void updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrBufI int16_t **alpPixBuf= c->alpPixBuf; const int vLumBufSize= c->vLumBufSize; const int vChrBufSize= c->vChrBufSize; - int16_t *vLumFilterPos= c->vLumFilterPos; - int16_t *vChrFilterPos= c->vChrFilterPos; + int32_t *vLumFilterPos= c->vLumFilterPos; + int32_t *vChrFilterPos= c->vChrFilterPos; int16_t *vLumFilter= c->vLumFilter; int16_t *vChrFilter= c->vChrFilter; int32_t *lumMmxFilter= c->lumMmxFilter; @@ -219,7 +219,7 @@ extern void ff_hscale ## from_bpc ## to ## to_bpc ## _ ## filter_n ## _ ## opt( SwsContext *c, int16_t *data, \ int dstW, const uint8_t *src, \ const int16_t *filter, \ - const int16_t *filterPos, int filterSize) + const int32_t *filterPos, int filterSize) #define SCALE_FUNCS(filter_n, opt) \ SCALE_FUNC(filter_n, 8, 15, opt); \ diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 5db166b00a..40188d8019 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -1508,7 +1508,7 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst, int dstWidth, const uint8_t *src, int srcW, int xInc) { - int16_t *filterPos = c->hLumFilterPos; + int32_t *filterPos = c->hLumFilterPos; int16_t *filter = c->hLumFilter; void *mmx2FilterCode= c->lumMmx2FilterCode; int i; @@ -1604,7 +1604,7 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2, int dstWidth, const uint8_t *src1, const uint8_t *src2, int srcW, int xInc) { - int16_t *filterPos = c->hChrFilterPos; + int32_t *filterPos = c->hChrFilterPos; int16_t *filter = c->hChrFilter; void *mmx2FilterCode= c->chrMmx2FilterCode; int i; From 12247a13e018d64ba59012283d9b16374358985b Mon Sep 17 00:00:00 2001 
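Review bot: in libswscale/utils.c initFilter(), the filterPos allocation (dstW+3)*sizeof(**filterPos) now asks for twice as many bytes per entry, and nothing visible in the hunk bounds dstW before the add and the multiply. Taking the element size from sizeof(**filterPos) instead of a hard-coded type is the right change. In addition, check dstW against an upper limit before this line, or use an overflow-checked size computation, so that a very large destination width cannot wrap the byte count on builds with a 32-bit size_t.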
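Review bot: in libswscale/x86/scale.asm the widened filterPos loads use two different index scales, [r5+r2*4+N] in the filterSize == 4 loop and in the generic loop but [r5+r2*2+N] in the filterSize == 8 loop, and the only hint at why is the r2shr term in lea r5, [r5+r2*(4>>r2shr)]. A one-line comment at the 8-tap loads tying the *2 to r2shr would stop a later edit from "correcting" it to *4 and reading past the end of the table. Separately, mov32 is %define'd inside the cglobal body and so is redefined on every instantiation; defining it once at file scope under the same ARCH_X86_64 test would be tidier.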
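Review bot: in libswscale/x86/swscale_template.c, hyscale_fast and hcscale_fast change only the declaration (int32_t *filterPos = c->hLumFilterPos, and likewise for c->hChrFilterPos), while the inline assembly that consumes filterPos lies outside the hunk context. Please confirm in the commit message that every filterPos access in those asm blocks is a 32-bit load with a 4-byte stride. If any of them still uses a 16-bit load, the MMX2 fast path would read the widened table with the old layout.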
From: "Ronald S. Bultje" Date: Mon, 5 Mar 2012 16:01:19 -0800 Subject: [PATCH 122/991] Don't use ff_cropTbl[] for IDCT. Results of IDCT can by far outreach the range of ff_cropTbl[], leading to overreads and potentially crashes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c23acbaed40101c677dfcfbbfe0d2c230a8e8f44) Signed-off-by: Reinhard Tartler --- libavcodec/dsputil.c | 70 ++++++++++------------ libavcodec/h264idct_template.c | 32 +++++----- libavcodec/rv34dsp.c | 15 ++--- libavcodec/simple_idct.c | 19 +++--- libavcodec/simple_idct_template.c | 34 +++++------ libavcodec/svq3.c | 9 ++- libavcodec/vc1dsp.c | 97 +++++++++++++------------------ libavcodec/vp3dsp.c | 68 +++++++++++----------- libavcodec/vp8dsp.c | 18 +++--- 9 files changed, 161 insertions(+), 201 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 5c1039b028..66f1f933d0 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c @@ -367,18 +367,17 @@ void ff_put_pixels_clamped_c(const DCTELEM *block, uint8_t *restrict pixels, int line_size) { int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; /* read the pixels */ for(i=0;i<8;i++) { - pixels[0] = cm[block[0]]; - pixels[1] = cm[block[1]]; - pixels[2] = cm[block[2]]; - pixels[3] = cm[block[3]]; - pixels[4] = cm[block[4]]; - pixels[5] = cm[block[5]]; - pixels[6] = cm[block[6]]; - pixels[7] = cm[block[7]]; + pixels[0] = av_clip_uint8(block[0]); + pixels[1] = av_clip_uint8(block[1]); + pixels[2] = av_clip_uint8(block[2]); + pixels[3] = av_clip_uint8(block[3]); + pixels[4] = av_clip_uint8(block[4]); + pixels[5] = av_clip_uint8(block[5]); + pixels[6] = av_clip_uint8(block[6]); + pixels[7] = av_clip_uint8(block[7]); pixels += line_size; block += 8; 
@@ -389,14 +388,13 @@ static void put_pixels_clamped4_c(const DCTELEM *block, uint8_t *restrict pixels int line_size) { int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; /* read the pixels */ for(i=0;i<4;i++) { - pixels[0] = cm[block[0]]; - pixels[1] = cm[block[1]]; - pixels[2] = cm[block[2]]; - pixels[3] = cm[block[3]]; + pixels[0] = av_clip_uint8(block[0]); + pixels[1] = av_clip_uint8(block[1]); + pixels[2] = av_clip_uint8(block[2]); + pixels[3] = av_clip_uint8(block[3]); pixels += line_size; block += 8; @@ -407,12 +405,11 @@ static void put_pixels_clamped2_c(const DCTELEM *block, uint8_t *restrict pixels int line_size) { int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; /* read the pixels */ for(i=0;i<2;i++) { - pixels[0] = cm[block[0]]; - pixels[1] = cm[block[1]]; + pixels[0] = av_clip_uint8(block[0]); + pixels[1] = av_clip_uint8(block[1]); pixels += line_size; block += 8; @@ -444,18 +441,17 @@ void ff_add_pixels_clamped_c(const DCTELEM *block, uint8_t *restrict pixels, int line_size) { int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; /* read the pixels */ for(i=0;i<8;i++) { - pixels[0] = cm[pixels[0] + block[0]]; - pixels[1] = cm[pixels[1] + block[1]]; - pixels[2] = cm[pixels[2] + block[2]]; - pixels[3] = cm[pixels[3] + block[3]]; - pixels[4] = cm[pixels[4] + block[4]]; - pixels[5] = cm[pixels[5] + block[5]]; - pixels[6] = cm[pixels[6] + block[6]]; - pixels[7] = cm[pixels[7] + block[7]]; + pixels[0] = av_clip_uint8(pixels[0] + block[0]); + pixels[1] = av_clip_uint8(pixels[1] + block[1]); + pixels[2] = av_clip_uint8(pixels[2] + block[2]); + pixels[3] = av_clip_uint8(pixels[3] + block[3]); + pixels[4] = av_clip_uint8(pixels[4] + block[4]); + pixels[5] = av_clip_uint8(pixels[5] + block[5]); + pixels[6] = av_clip_uint8(pixels[6] + block[6]); + pixels[7] = av_clip_uint8(pixels[7] + block[7]); pixels += line_size; block += 8; } 
@@ -465,14 +461,13 @@ static void add_pixels_clamped4_c(const DCTELEM *block, uint8_t *restrict pixels int line_size) { int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; /* read the pixels */ for(i=0;i<4;i++) { - pixels[0] = cm[pixels[0] + block[0]]; - pixels[1] = cm[pixels[1] + block[1]]; - pixels[2] = cm[pixels[2] + block[2]]; - pixels[3] = cm[pixels[3] + block[3]]; + pixels[0] = av_clip_uint8(pixels[0] + block[0]); + pixels[1] = av_clip_uint8(pixels[1] + block[1]); + pixels[2] = av_clip_uint8(pixels[2] + block[2]); + pixels[3] = av_clip_uint8(pixels[3] + block[3]); pixels += line_size; block += 8; } @@ -482,12 +477,11 @@ static void add_pixels_clamped2_c(const DCTELEM *block, uint8_t *restrict pixels int line_size) { int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; /* read the pixels */ for(i=0;i<2;i++) { - pixels[0] = cm[pixels[0] + block[0]]; - pixels[1] = cm[pixels[1] + block[1]]; + pixels[0] = av_clip_uint8(pixels[0] + block[0]); + pixels[1] = av_clip_uint8(pixels[1] + block[1]); pixels += line_size; block += 8; } @@ -2745,15 +2739,11 @@ static void ff_jref_idct2_add(uint8_t *dest, int line_size, DCTELEM *block) static void ff_jref_idct1_put(uint8_t *dest, int line_size, DCTELEM *block) { - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; - - dest[0] = cm[(block[0] + 4)>>3]; + dest[0] = av_clip_uint8((block[0] + 4)>>3); } static void ff_jref_idct1_add(uint8_t *dest, int line_size, DCTELEM *block) { - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; - - dest[0] = cm[dest[0] + ((block[0] + 4)>>3)]; + dest[0] = av_clip_uint8(dest[0] + ((block[0] + 4)>>3)); } static void just_return(void *mem av_unused, int stride av_unused, int h av_unused) { return; } diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index eba850ac6f..e476f89a6f 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c 
@@ -49,7 +49,6 @@ static const uint8_t scan8[16*3]={ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, DCTELEM *_block, int stride) { int i; - INIT_CLIP pixel *dst = (pixel*)_dst; dctcoef *block = (dctcoef*)_block; stride /= sizeof(pixel); @@ -74,16 +73,15 @@ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, DCTELEM *_block, int stride) const int z2= (block[1 + 4*i]>>1) - block[3 + 4*i]; const int z3= block[1 + 4*i] + (block[3 + 4*i]>>1); - dst[i + 0*stride]= CLIP(dst[i + 0*stride] + ((z0 + z3) >> 6)); - dst[i + 1*stride]= CLIP(dst[i + 1*stride] + ((z1 + z2) >> 6)); - dst[i + 2*stride]= CLIP(dst[i + 2*stride] + ((z1 - z2) >> 6)); - dst[i + 3*stride]= CLIP(dst[i + 3*stride] + ((z0 - z3) >> 6)); + dst[i + 0*stride]= av_clip_pixel(dst[i + 0*stride] + ((z0 + z3) >> 6)); + dst[i + 1*stride]= av_clip_pixel(dst[i + 1*stride] + ((z1 + z2) >> 6)); + dst[i + 2*stride]= av_clip_pixel(dst[i + 2*stride] + ((z1 - z2) >> 6)); + dst[i + 3*stride]= av_clip_pixel(dst[i + 3*stride] + ((z0 - z3) >> 6)); } } void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, DCTELEM *_block, int stride){ int i; - INIT_CLIP pixel *dst = (pixel*)_dst; dctcoef *block = (dctcoef*)_block; stride /= sizeof(pixel); 
@@ -143,14 +141,14 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, DCTELEM *_block, int stride){ const int b5 = (a3>>2) - a5; const int b7 = a7 - (a1>>2); - dst[i + 0*stride] = CLIP( dst[i + 0*stride] + ((b0 + b7) >> 6) ); - dst[i + 1*stride] = CLIP( dst[i + 1*stride] + ((b2 + b5) >> 6) ); - dst[i + 2*stride] = CLIP( dst[i + 2*stride] + ((b4 + b3) >> 6) ); - dst[i + 3*stride] = CLIP( dst[i + 3*stride] + ((b6 + b1) >> 6) ); - dst[i + 4*stride] = CLIP( dst[i + 4*stride] + ((b6 - b1) >> 6) ); - dst[i + 5*stride] = CLIP( dst[i + 5*stride] + ((b4 - b3) >> 6) ); - dst[i + 6*stride] = CLIP( dst[i + 6*stride] + ((b2 - b5) >> 6) ); - dst[i + 7*stride] = CLIP( dst[i + 7*stride] + ((b0 - b7) >> 6) ); + dst[i + 0*stride] = av_clip_pixel( dst[i + 0*stride] + ((b0 + b7) >> 6) ); + dst[i + 1*stride] = av_clip_pixel( dst[i + 1*stride] + ((b2 + b5) >> 6) ); + dst[i + 2*stride] = av_clip_pixel( dst[i + 2*stride] + ((b4 + b3) >> 6) ); + dst[i + 3*stride] = av_clip_pixel( dst[i + 3*stride] + ((b6 + b1) >> 6) ); + dst[i + 4*stride] = av_clip_pixel( dst[i + 4*stride] + ((b6 - b1) >> 6) ); + dst[i + 5*stride] = av_clip_pixel( dst[i + 5*stride] + ((b4 - b3) >> 6) ); + dst[i + 6*stride] = av_clip_pixel( dst[i + 6*stride] + ((b2 - b5) >> 6) ); + dst[i + 7*stride] = av_clip_pixel( dst[i + 7*stride] + ((b0 - b7) >> 6) ); } } @@ -158,13 +156,12 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, DCTELEM *_block, int stride){ void FUNCC(ff_h264_idct_dc_add)(uint8_t *_dst, DCTELEM *block, int stride){ int i, j; int dc = (((dctcoef*)block)[0] + 32) >> 6; - INIT_CLIP pixel *dst = (pixel*)_dst; stride /= sizeof(pixel); for( j = 0; j < 4; j++ ) { for( i = 0; i < 4; i++ ) - dst[i] = CLIP( dst[i] + dc ); + dst[i] = av_clip_pixel( dst[i] + dc ); dst += stride; } } 
@@ -172,13 +169,12 @@ void FUNCC(ff_h264_idct_dc_add)(uint8_t *_dst, DCTELEM *block, int stride){ void FUNCC(ff_h264_idct8_dc_add)(uint8_t *_dst, DCTELEM *block, int stride){ int i, j; int dc = (((dctcoef*)block)[0] + 32) >> 6; - INIT_CLIP pixel *dst = (pixel*)_dst; stride /= sizeof(pixel); for( j = 0; j < 8; j++ ) { for( i = 0; i < 8; i++ ) - dst[i] = CLIP( dst[i] + dc ); + dst[i] = av_clip_pixel( dst[i] + dc ); dst += stride; } } diff --git a/libavcodec/rv34dsp.c b/libavcodec/rv34dsp.c index e2251773af..919703d1e3 100644 --- a/libavcodec/rv34dsp.c +++ b/libavcodec/rv34dsp.c @@ -55,7 +55,6 @@ static av_always_inline void rv34_row_transform(int temp[16], DCTELEM *block) */ static void rv34_idct_add_c(uint8_t *dst, int stride, DCTELEM *block){ int temp[16]; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; int i; rv34_row_transform(temp, block); @@ -67,10 +66,10 @@ static void rv34_idct_add_c(uint8_t *dst, int stride, DCTELEM *block){ const int z2 = 7* temp[4*1+i] - 17*temp[4*3+i]; const int z3 = 17* temp[4*1+i] + 7*temp[4*3+i]; - dst[0] = cm[ dst[0] + ( (z0 + z3) >> 10 ) ]; - dst[1] = cm[ dst[1] + ( (z1 + z2) >> 10 ) ]; - dst[2] = cm[ dst[2] + ( (z1 - z2) >> 10 ) ]; - dst[3] = cm[ dst[3] + ( (z0 - z3) >> 10 ) ]; + dst[0] = av_clip_uint8( dst[0] + ( (z0 + z3) >> 10 ) ); + dst[1] = av_clip_uint8( dst[1] + ( (z1 + z2) >> 10 ) ); + dst[2] = av_clip_uint8( dst[2] + ( (z1 - z2) >> 10 ) ); + dst[3] = av_clip_uint8( dst[3] + ( (z0 - z3) >> 10 ) ); dst += stride; } @@ -103,15 +102,13 @@ static void rv34_inv_transform_noround_c(DCTELEM *block){ static void rv34_idct_dc_add_c(uint8_t *dst, int stride, int dc) { - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; int i, j; - cm += (13*13*dc + 0x200) >> 10; - + dc = (13*13*dc + 0x200) >> 10; for (i = 0; i < 4; i++) { for (j = 0; j < 4; j++) - dst[j] = cm[ dst[j] ]; + dst[j] = av_clip_uint8( dst[j] + dc ); dst += stride; } diff --git a/libavcodec/simple_idct.c b/libavcodec/simple_idct.c index 0c75261079..5812a87705 100644 
--- a/libavcodec/simple_idct.c +++ b/libavcodec/simple_idct.c @@ -53,7 +53,6 @@ static inline void idct4col_put(uint8_t *dest, int line_size, const DCTELEM *col) { int c0, c1, c2, c3, a0, a1, a2, a3; - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; a0 = col[8*0]; a1 = col[8*2]; @@ -63,13 +62,13 @@ static inline void idct4col_put(uint8_t *dest, int line_size, const DCTELEM *col c2 = ((a0 - a2) << (CN_SHIFT - 1)) + (1 << (C_SHIFT - 1)); c1 = a1 * C1 + a3 * C2; c3 = a1 * C2 - a3 * C1; - dest[0] = cm[(c0 + c1) >> C_SHIFT]; + dest[0] = av_clip_uint8((c0 + c1) >> C_SHIFT); dest += line_size; - dest[0] = cm[(c2 + c3) >> C_SHIFT]; + dest[0] = av_clip_uint8((c2 + c3) >> C_SHIFT); dest += line_size; - dest[0] = cm[(c2 - c3) >> C_SHIFT]; + dest[0] = av_clip_uint8((c2 - c3) >> C_SHIFT); dest += line_size; - dest[0] = cm[(c0 - c1) >> C_SHIFT]; + dest[0] = av_clip_uint8((c0 - c1) >> C_SHIFT); } #define BF(k) \ @@ -133,7 +132,6 @@ void ff_simple_idct248_put(uint8_t *dest, int line_size, DCTELEM *block) static inline void idct4col_add(uint8_t *dest, int line_size, const DCTELEM *col) { int c0, c1, c2, c3, a0, a1, a2, a3; - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; a0 = col[8*0]; a1 = col[8*1]; @@ -143,13 +141,13 @@ static inline void idct4col_add(uint8_t *dest, int line_size, const DCTELEM *col c2 = (a0 - a2)*C3 + (1 << (C_SHIFT - 1)); c1 = a1 * C1 + a3 * C2; c3 = a1 * C2 - a3 * C1; - dest[0] = cm[dest[0] + ((c0 + c1) >> C_SHIFT)]; + dest[0] = av_clip_uint8(dest[0] + ((c0 + c1) >> C_SHIFT)); dest += line_size; - dest[0] = cm[dest[0] + ((c2 + c3) >> C_SHIFT)]; + dest[0] = av_clip_uint8(dest[0] + ((c2 + c3) >> C_SHIFT)); dest += line_size; - dest[0] = cm[dest[0] + ((c2 - c3) >> C_SHIFT)]; + dest[0] = av_clip_uint8(dest[0] + ((c2 - c3) >> C_SHIFT)); dest += line_size; - dest[0] = cm[dest[0] + ((c0 - c1) >> C_SHIFT)]; + dest[0] = av_clip_uint8(dest[0] + ((c0 - c1) >> C_SHIFT)); } #define RN_SHIFT 15 
@@ -161,7 +159,6 @@ static inline void idct4col_add(uint8_t *dest, int line_size, const DCTELEM *col static inline void idct4row(DCTELEM *row) { int c0, c1, c2, c3, a0, a1, a2, a3; - //const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; a0 = row[0]; a1 = row[1]; diff --git a/libavcodec/simple_idct_template.c b/libavcodec/simple_idct_template.c index fdec3aab2b..3c855e3825 100644 --- a/libavcodec/simple_idct_template.c +++ b/libavcodec/simple_idct_template.c 
@@ -224,50 +224,48 @@ static inline void FUNC(idctSparseColPut)(pixel *dest, int line_size, DCTELEM *col) { int a0, a1, a2, a3, b0, b1, b2, b3; - INIT_CLIP; IDCT_COLS; - dest[0] = CLIP((a0 + b0) >> COL_SHIFT); + dest[0] = av_clip_pixel((a0 + b0) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a1 + b1) >> COL_SHIFT); + dest[0] = av_clip_pixel((a1 + b1) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a2 + b2) >> COL_SHIFT); + dest[0] = av_clip_pixel((a2 + b2) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a3 + b3) >> COL_SHIFT); + dest[0] = av_clip_pixel((a3 + b3) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a3 - b3) >> COL_SHIFT); + dest[0] = av_clip_pixel((a3 - b3) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a2 - b2) >> COL_SHIFT); + dest[0] = av_clip_pixel((a2 - b2) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a1 - b1) >> COL_SHIFT); + dest[0] = av_clip_pixel((a1 - b1) >> COL_SHIFT); dest += line_size; - dest[0] = CLIP((a0 - b0) >> COL_SHIFT); + dest[0] = av_clip_pixel((a0 - b0) >> COL_SHIFT); } static inline void FUNC(idctSparseColAdd)(pixel *dest, int line_size, DCTELEM *col) { int a0, a1, a2, a3, b0, b1, b2, b3; - INIT_CLIP; IDCT_COLS; - dest[0] = CLIP(dest[0] + ((a0 + b0) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a0 + b0) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a1 + b1) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a1 + b1) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a2 + b2) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a2 + b2) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a3 + b3) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a3 + b3) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a3 - b3) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a3 - b3) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a2 - b2) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a2 - b2) >> COL_SHIFT)); dest += 
line_size; - dest[0] = CLIP(dest[0] + ((a1 - b1) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a1 - b1) >> COL_SHIFT)); dest += line_size; - dest[0] = CLIP(dest[0] + ((a0 - b0) >> COL_SHIFT)); + dest[0] = av_clip_pixel(dest[0] + ((a0 - b0) >> COL_SHIFT)); } static inline void FUNC(idctSparseCol)(DCTELEM *col) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 49ca456bef..3be71a0812 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -173,7 +173,6 @@ void ff_svq3_add_idct_c(uint8_t *dst, DCTELEM *block, int stride, int qp, { const int qmul = svq3_dequant_coeff[qp]; int i; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; if (dc) { dc = 13*13*((dc == 1) ? 1538*block[0] : ((qmul*(block[0] >> 3)) / 2)); @@ -199,10 +198,10 @@ void ff_svq3_add_idct_c(uint8_t *dst, DCTELEM *block, int stride, int qp, const int z3 = 17* block[i + 4*1] + 7*block[i + 4*3]; const int rr = (dc + 0x80000); - dst[i + stride*0] = cm[ dst[i + stride*0] + (((z0 + z3)*qmul + rr) >> 20) ]; - dst[i + stride*1] = cm[ dst[i + stride*1] + (((z1 + z2)*qmul + rr) >> 20) ]; - dst[i + stride*2] = cm[ dst[i + stride*2] + (((z1 - z2)*qmul + rr) >> 20) ]; - dst[i + stride*3] = cm[ dst[i + stride*3] + (((z0 - z3)*qmul + rr) >> 20) ]; + dst[i + stride*0] = av_clip_uint8( dst[i + stride*0] + (((z0 + z3)*qmul + rr) >> 20) ); + dst[i + stride*1] = av_clip_uint8( dst[i + stride*1] + (((z1 + z2)*qmul + rr) >> 20) ); + dst[i + stride*2] = av_clip_uint8( dst[i + stride*2] + (((z1 - z2)*qmul + rr) >> 20) ); + dst[i + stride*3] = av_clip_uint8( dst[i + stride*3] + (((z0 - z3)*qmul + rr) >> 20) ); } } diff --git a/libavcodec/vc1dsp.c b/libavcodec/vc1dsp.c index 9bd107cdd9..b40824b86a 100644 --- a/libavcodec/vc1dsp.c +++ b/libavcodec/vc1dsp.c 
@@ -139,8 +139,6 @@ static void vc1_h_s_overlap_c(DCTELEM *left, DCTELEM *right) * @see 8.6 */ static av_always_inline int vc1_filter_line(uint8_t* src, int stride, int pq){ - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; - int a0 = (2*(src[-2*stride] - src[ 1*stride]) - 5*(src[-1*stride] - src[ 0*stride]) + 4) >> 3; int a0_sign = a0 >> 31; /* Store sign */ a0 = (a0 ^ a0_sign) - a0_sign; /* a0 = FFABS(a0); */ @@ -163,8 +161,8 @@ static av_always_inline int vc1_filter_line(uint8_t* src, int stride, int pq){ else{ d = FFMIN(d, clip); d = (d ^ d_sign) - d_sign; /* Restore sign */ - src[-1*stride] = cm[src[-1*stride] - d]; - src[ 0*stride] = cm[src[ 0*stride] + d]; + src[-1*stride] = av_clip_uint8(src[-1*stride] - d); + src[ 0*stride] = av_clip_uint8(src[ 0*stride] + d); } return 1; } @@ -234,19 +232,17 @@ static void vc1_inv_trans_8x8_dc_c(uint8_t *dest, int linesize, DCTELEM *block) { int i; int dc = block[0]; - const uint8_t *cm; dc = (3 * dc + 1) >> 1; dc = (3 * dc + 16) >> 5; - cm = ff_cropTbl + MAX_NEG_CROP + dc; for(i = 0; i < 8; i++){ - dest[0] = cm[dest[0]]; - dest[1] = cm[dest[1]]; - dest[2] = cm[dest[2]]; - dest[3] = cm[dest[3]]; - dest[4] = cm[dest[4]]; - dest[5] = cm[dest[5]]; - dest[6] = cm[dest[6]]; - dest[7] = cm[dest[7]]; + dest[0] = av_clip_uint8(dest[0] + dc); + dest[1] = av_clip_uint8(dest[1] + dc); + dest[2] = av_clip_uint8(dest[2] + dc); + dest[3] = av_clip_uint8(dest[3] + dc); + dest[4] = av_clip_uint8(dest[4] + dc); + dest[5] = av_clip_uint8(dest[5] + dc); + dest[6] = av_clip_uint8(dest[6] + dc); + dest[7] = av_clip_uint8(dest[7] + dc); dest += linesize; } } 
@@ -326,19 +322,17 @@ static void vc1_inv_trans_8x4_dc_c(uint8_t *dest, int linesize, DCTELEM *block) { int i; int dc = block[0]; - const uint8_t *cm; dc = ( 3 * dc + 1) >> 1; dc = (17 * dc + 64) >> 7; - cm = ff_cropTbl + MAX_NEG_CROP + dc; for(i = 0; i < 4; i++){ - dest[0] = cm[dest[0]]; - dest[1] = cm[dest[1]]; - dest[2] = cm[dest[2]]; - dest[3] = cm[dest[3]]; - dest[4] = cm[dest[4]]; - dest[5] = cm[dest[5]]; - dest[6] = cm[dest[6]]; - dest[7] = cm[dest[7]]; + dest[0] = av_clip_uint8(dest[0] + dc); + dest[1] = av_clip_uint8(dest[1] + dc); + dest[2] = av_clip_uint8(dest[2] + dc); + dest[3] = av_clip_uint8(dest[3] + dc); + dest[4] = av_clip_uint8(dest[4] + dc); + dest[5] = av_clip_uint8(dest[5] + dc); + dest[6] = av_clip_uint8(dest[6] + dc); + dest[7] = av_clip_uint8(dest[7] + dc); dest += linesize; } } @@ -348,7 +342,6 @@ static void vc1_inv_trans_8x4_c(uint8_t *dest, int linesize, DCTELEM *block) int i; register int t1,t2,t3,t4,t5,t6,t7,t8; DCTELEM *src, *dst; - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; src = block; dst = block; @@ -388,10 +381,10 @@ static void vc1_inv_trans_8x4_c(uint8_t *dest, int linesize, DCTELEM *block) t3 = 22 * src[ 8] + 10 * src[24]; t4 = 22 * src[24] - 10 * src[ 8]; - dest[0*linesize] = cm[dest[0*linesize] + ((t1 + t3) >> 7)]; - dest[1*linesize] = cm[dest[1*linesize] + ((t2 - t4) >> 7)]; - dest[2*linesize] = cm[dest[2*linesize] + ((t2 + t4) >> 7)]; - dest[3*linesize] = cm[dest[3*linesize] + ((t1 - t3) >> 7)]; + dest[0*linesize] = av_clip_uint8(dest[0*linesize] + ((t1 + t3) >> 7)); + dest[1*linesize] = av_clip_uint8(dest[1*linesize] + ((t2 - t4) >> 7)); + dest[2*linesize] = av_clip_uint8(dest[2*linesize] + ((t2 + t4) >> 7)); + dest[3*linesize] = av_clip_uint8(dest[3*linesize] + ((t1 - t3) >> 7)); src ++; dest++; 
@@ -404,15 +397,13 @@ static void vc1_inv_trans_4x8_dc_c(uint8_t *dest, int linesize, DCTELEM *block) { int i; int dc = block[0]; - const uint8_t *cm; dc = (17 * dc + 4) >> 3; dc = (12 * dc + 64) >> 7; - cm = ff_cropTbl + MAX_NEG_CROP + dc; for(i = 0; i < 8; i++){ - dest[0] = cm[dest[0]]; - dest[1] = cm[dest[1]]; - dest[2] = cm[dest[2]]; - dest[3] = cm[dest[3]]; + dest[0] = av_clip_uint8(dest[0] + dc); + dest[1] = av_clip_uint8(dest[1] + dc); + dest[2] = av_clip_uint8(dest[2] + dc); + dest[3] = av_clip_uint8(dest[3] + dc); dest += linesize; } } @@ -422,7 +413,6 @@ static void vc1_inv_trans_4x8_c(uint8_t *dest, int linesize, DCTELEM *block) int i; register int t1,t2,t3,t4,t5,t6,t7,t8; DCTELEM *src, *dst; - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; src = block; dst = block; 
@@ -458,14 +448,14 @@ static void vc1_inv_trans_4x8_c(uint8_t *dest, int linesize, DCTELEM *block) t3 = 9 * src[ 8] - 16 * src[24] + 4 * src[40] + 15 * src[56]; t4 = 4 * src[ 8] - 9 * src[24] + 15 * src[40] - 16 * src[56]; - dest[0*linesize] = cm[dest[0*linesize] + ((t5 + t1) >> 7)]; - dest[1*linesize] = cm[dest[1*linesize] + ((t6 + t2) >> 7)]; - dest[2*linesize] = cm[dest[2*linesize] + ((t7 + t3) >> 7)]; - dest[3*linesize] = cm[dest[3*linesize] + ((t8 + t4) >> 7)]; - dest[4*linesize] = cm[dest[4*linesize] + ((t8 - t4 + 1) >> 7)]; - dest[5*linesize] = cm[dest[5*linesize] + ((t7 - t3 + 1) >> 7)]; - dest[6*linesize] = cm[dest[6*linesize] + ((t6 - t2 + 1) >> 7)]; - dest[7*linesize] = cm[dest[7*linesize] + ((t5 - t1 + 1) >> 7)]; + dest[0*linesize] = av_clip_uint8(dest[0*linesize] + ((t5 + t1) >> 7)); + dest[1*linesize] = av_clip_uint8(dest[1*linesize] + ((t6 + t2) >> 7)); + dest[2*linesize] = av_clip_uint8(dest[2*linesize] + ((t7 + t3) >> 7)); + dest[3*linesize] = av_clip_uint8(dest[3*linesize] + ((t8 + t4) >> 7)); + dest[4*linesize] = av_clip_uint8(dest[4*linesize] + ((t8 - t4 + 1) >> 7)); + dest[5*linesize] = av_clip_uint8(dest[5*linesize] + ((t7 - t3 + 1) >> 7)); + dest[6*linesize] = av_clip_uint8(dest[6*linesize] + ((t6 - t2 + 1) >> 7)); + dest[7*linesize] = av_clip_uint8(dest[7*linesize] + ((t5 - t1 + 1) >> 7)); src ++; dest++; @@ -478,15 +468,13 @@ static void vc1_inv_trans_4x4_dc_c(uint8_t *dest, int linesize, DCTELEM *block) { int i; int dc = block[0]; - const uint8_t *cm; dc = (17 * dc + 4) >> 3; dc = (17 * dc + 64) >> 7; - cm = ff_cropTbl + MAX_NEG_CROP + dc; for(i = 0; i < 4; i++){ - dest[0] = cm[dest[0]]; - dest[1] = cm[dest[1]]; - dest[2] = cm[dest[2]]; - dest[3] = cm[dest[3]]; + dest[0] = av_clip_uint8(dest[0] + dc); + dest[1] = av_clip_uint8(dest[1] + dc); + dest[2] = av_clip_uint8(dest[2] + dc); + dest[3] = av_clip_uint8(dest[3] + dc); dest += linesize; } } 
@@ -496,7 +484,6 @@ static void vc1_inv_trans_4x4_c(uint8_t *dest, int linesize, DCTELEM *block) int i; register int t1,t2,t3,t4; DCTELEM *src, *dst; - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; src = block; dst = block; @@ -522,10 +509,10 @@ static void vc1_inv_trans_4x4_c(uint8_t *dest, int linesize, DCTELEM *block) t3 = 22 * src[ 8] + 10 * src[24]; t4 = 22 * src[24] - 10 * src[ 8]; - dest[0*linesize] = cm[dest[0*linesize] + ((t1 + t3) >> 7)]; - dest[1*linesize] = cm[dest[1*linesize] + ((t2 - t4) >> 7)]; - dest[2*linesize] = cm[dest[2*linesize] + ((t2 + t4) >> 7)]; - dest[3*linesize] = cm[dest[3*linesize] + ((t1 - t3) >> 7)]; + dest[0*linesize] = av_clip_uint8(dest[0*linesize] + ((t1 + t3) >> 7)); + dest[1*linesize] = av_clip_uint8(dest[1*linesize] + ((t2 - t4) >> 7)); + dest[2*linesize] = av_clip_uint8(dest[2*linesize] + ((t2 + t4) >> 7)); + dest[3*linesize] = av_clip_uint8(dest[3*linesize] + ((t1 - t3) >> 7)); src ++; dest++; diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index baa22a5519..438ae76b57 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -41,7 +41,6 @@ static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) { int16_t *ip = input; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; int A, B, C, D, Ad, Bd, Cd, Dd, E, F, G, H; int Ed, Gd, Add, Bdd, Fd, Hd; 
@@ -147,29 +146,29 @@ static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int ip[5*8] = (Fd + Bdd ) >> 4; ip[6*8] = (Fd - Bdd ) >> 4; }else if(type==1){ - dst[0*stride] = cm[(Gd + Cd ) >> 4]; - dst[7*stride] = cm[(Gd - Cd ) >> 4]; + dst[0*stride] = av_clip_uint8((Gd + Cd ) >> 4); + dst[7*stride] = av_clip_uint8((Gd - Cd ) >> 4); - dst[1*stride] = cm[(Add + Hd ) >> 4]; - dst[2*stride] = cm[(Add - Hd ) >> 4]; + dst[1*stride] = av_clip_uint8((Add + Hd ) >> 4); + dst[2*stride] = av_clip_uint8((Add - Hd ) >> 4); - dst[3*stride] = cm[(Ed + Dd ) >> 4]; - dst[4*stride] = cm[(Ed - Dd ) >> 4]; + dst[3*stride] = av_clip_uint8((Ed + Dd ) >> 4); + dst[4*stride] = av_clip_uint8((Ed - Dd ) >> 4); - dst[5*stride] = cm[(Fd + Bdd ) >> 4]; - dst[6*stride] = cm[(Fd - Bdd ) >> 4]; + dst[5*stride] = av_clip_uint8((Fd + Bdd ) >> 4); + dst[6*stride] = av_clip_uint8((Fd - Bdd ) >> 4); }else{ - dst[0*stride] = cm[dst[0*stride] + ((Gd + Cd ) >> 4)]; - dst[7*stride] = cm[dst[7*stride] + ((Gd - Cd ) >> 4)]; + dst[0*stride] = av_clip_uint8(dst[0*stride] + ((Gd + Cd ) >> 4)); + dst[7*stride] = av_clip_uint8(dst[7*stride] + ((Gd - Cd ) >> 4)); - dst[1*stride] = cm[dst[1*stride] + ((Add + Hd ) >> 4)]; - dst[2*stride] = cm[dst[2*stride] + ((Add - Hd ) >> 4)]; + dst[1*stride] = av_clip_uint8(dst[1*stride] + ((Add + Hd ) >> 4)); + dst[2*stride] = av_clip_uint8(dst[2*stride] + ((Add - Hd ) >> 4)); - dst[3*stride] = cm[dst[3*stride] + ((Ed + Dd ) >> 4)]; - dst[4*stride] = cm[dst[4*stride] + ((Ed - Dd ) >> 4)]; + dst[3*stride] = av_clip_uint8(dst[3*stride] + ((Ed + Dd ) >> 4)); + dst[4*stride] = av_clip_uint8(dst[4*stride] + ((Ed - Dd ) >> 4)); - dst[5*stride] = cm[dst[5*stride] + ((Fd + Bdd ) >> 4)]; - dst[6*stride] = cm[dst[6*stride] + ((Fd - Bdd ) >> 4)]; + dst[5*stride] = av_clip_uint8(dst[5*stride] + ((Fd + Bdd ) >> 4)); + dst[6*stride] = av_clip_uint8(dst[6*stride] + ((Fd - Bdd ) >> 4)); } } else { 
@@ -190,18 +189,18 @@ static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int dst[4*stride]= dst[5*stride]= dst[6*stride]= - dst[7*stride]= cm[128 + ((xC4S4 * ip[0*8] + (IdctAdjustBeforeShift<<16))>>20)]; + dst[7*stride]= av_clip_uint8(128 + ((xC4S4 * ip[0*8] + (IdctAdjustBeforeShift<<16))>>20)); }else{ if(ip[0*8]){ int v= ((xC4S4 * ip[0*8] + (IdctAdjustBeforeShift<<16))>>20); - dst[0*stride] = cm[dst[0*stride] + v]; - dst[1*stride] = cm[dst[1*stride] + v]; - dst[2*stride] = cm[dst[2*stride] + v]; - dst[3*stride] = cm[dst[3*stride] + v]; - dst[4*stride] = cm[dst[4*stride] + v]; - dst[5*stride] = cm[dst[5*stride] + v]; - dst[6*stride] = cm[dst[6*stride] + v]; - dst[7*stride] = cm[dst[7*stride] + v]; + dst[0*stride] = av_clip_uint8(dst[0*stride] + v); + dst[1*stride] = av_clip_uint8(dst[1*stride] + v); + dst[2*stride] = av_clip_uint8(dst[2*stride] + v); + dst[3*stride] = av_clip_uint8(dst[3*stride] + v); + dst[4*stride] = av_clip_uint8(dst[4*stride] + v); + dst[5*stride] = av_clip_uint8(dst[5*stride] + v); + dst[6*stride] = av_clip_uint8(dst[6*stride] + v); + dst[7*stride] = av_clip_uint8(dst[7*stride] + v); } } } 
@@ -225,17 +224,16 @@ void ff_vp3_idct_add_c(uint8_t *dest/*align 8*/, int line_size, DCTELEM *block/* void ff_vp3_idct_dc_add_c(uint8_t *dest/*align 8*/, int line_size, const DCTELEM *block/*align 16*/){ int i, dc = (block[0] + 15) >> 5; - const uint8_t *cm = ff_cropTbl + MAX_NEG_CROP + dc; for(i = 0; i < 8; i++){ - dest[0] = cm[dest[0]]; - dest[1] = cm[dest[1]]; - dest[2] = cm[dest[2]]; - dest[3] = cm[dest[3]]; - dest[4] = cm[dest[4]]; - dest[5] = cm[dest[5]]; - dest[6] = cm[dest[6]]; - dest[7] = cm[dest[7]]; + dest[0] = av_clip_uint8(dest[0] + dc); + dest[1] = av_clip_uint8(dest[1] + dc); + dest[2] = av_clip_uint8(dest[2] + dc); + dest[3] = av_clip_uint8(dest[3] + dc); + dest[4] = av_clip_uint8(dest[4] + dc); + dest[5] = av_clip_uint8(dest[5] + dc); + dest[6] = av_clip_uint8(dest[6] + dc); + dest[7] = av_clip_uint8(dest[7] + dc); dest += line_size; } } diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 89c3453efc..20bf66f206 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -80,7 +80,6 @@ static void vp8_luma_dc_wht_dc_c(DCTELEM block[4][4][16], DCTELEM dc[16]) static void vp8_idct_add_c(uint8_t *dst, DCTELEM block[16], int stride) { int i, t0, t1, t2, t3; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP; DCTELEM tmp[16]; for (i = 0; i < 4; i++) { @@ -105,10 +104,10 @@ static void vp8_idct_add_c(uint8_t *dst, DCTELEM block[16], int stride) t2 = MUL_35468(tmp[1*4+i]) - MUL_20091(tmp[3*4+i]); t3 = MUL_20091(tmp[1*4+i]) + MUL_35468(tmp[3*4+i]); - dst[0] = cm[dst[0] + ((t0 + t3 + 4) >> 3)]; - dst[1] = cm[dst[1] + ((t1 + t2 + 4) >> 3)]; - dst[2] = cm[dst[2] + ((t1 - t2 + 4) >> 3)]; - dst[3] = cm[dst[3] + ((t0 - t3 + 4) >> 3)]; + dst[0] = av_clip_uint8(dst[0] + ((t0 + t3 + 4) >> 3)); + dst[1] = av_clip_uint8(dst[1] + ((t1 + t2 + 4) >> 3)); + dst[2] = av_clip_uint8(dst[2] + ((t1 - t2 + 4) >> 3)); + dst[3] = av_clip_uint8(dst[3] + ((t0 - t3 + 4) >> 3)); dst += stride; } } 
@@ -116,14 +115,13 @@ static void vp8_idct_add_c(uint8_t *dst, DCTELEM block[16], int stride) static void vp8_idct_dc_add_c(uint8_t *dst, DCTELEM block[16], int stride) { int i, dc = (block[0] + 4) >> 3; - uint8_t *cm = ff_cropTbl + MAX_NEG_CROP + dc; block[0] = 0; for (i = 0; i < 4; i++) { - dst[0] = cm[dst[0]]; - dst[1] = cm[dst[1]]; - dst[2] = cm[dst[2]]; - dst[3] = cm[dst[3]]; + dst[0] = av_clip_uint8(dst[0] + dc); + dst[1] = av_clip_uint8(dst[1] + dc); + dst[2] = av_clip_uint8(dst[2] + dc); + dst[3] = av_clip_uint8(dst[3] + dc); dst += stride; } } From c3bf08d04cdec3d4fd5c4ea70e14b5edca2c45a7 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 17:24:20 -0800 Subject: [PATCH 123/991] smacker: error out if palette copy-with-offset overruns palette size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908) Signed-off-by: Reinhard Tartler --- libavformat/smacker.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 770f5364d3..6df8b8b619 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -265,8 +265,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) sz += (t & 0x7F) + 1; pal += ((t & 0x7F) + 1) * 3; } else if(t & 0x40){ /* copy with offset */ - off = avio_r8(s->pb) * 3; + off = avio_r8(s->pb); j = (t & 0x3F) + 1; + if (off + j > 0xff) { + av_log(s, AV_LOG_ERROR, + "Invalid palette update, offset=%d length=%d extends beyond palette size\n", + off, j); + return AVERROR_INVALIDDATA; + } + off *= 3; while(j-- && sz < 256) { *pal++ = oldpal[off + 0]; *pal++ = oldpal[off + 1]; From e1b4614ab463f8ef4e350e0750fdefddea392135 Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 20:08:17 -0800 Subject: [PATCH 124/991] lpcm: fix sample size calculation for 20bit LCPM. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f1320dc3bed281bb2f3c5531c52b6a6246e2394a) Signed-off-by: Reinhard Tartler --- libavcodec/pcm-mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm-mpeg.c b/libavcodec/pcm-mpeg.c index 9ab6fc3ff0..f010b970bf 100644 --- a/libavcodec/pcm-mpeg.c +++ b/libavcodec/pcm-mpeg.c @@ -156,7 +156,7 @@ static int pcm_bluray_decode_frame(AVCodecContext *avctx, void *data, /* There's always an even number of channels in the source */ num_source_channels = FFALIGN(avctx->channels, 2); - sample_size = (num_source_channels * avctx->bits_per_coded_sample) >> 3; + sample_size = (num_source_channels * (avctx->sample_fmt == AV_SAMPLE_FMT_S16 ? 16 : 24)) >> 3; samples = buf_size / sample_size; /* get output buffer */ From ed6aaf579db01d114d6198257fb734e20bc09f42 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 28 Feb 2012 18:11:59 -0800 Subject: [PATCH 125/991] dca: prevent accessing static arrays with invalid indexes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e6ffd997cbc06426e75d3fa291b991866c84a79b) Signed-off-by: Reinhard Tartler --- libavcodec/dca.c | 37 ++++++++++++++++++++++++++----------- libavcodec/dcadata.h | 2 +- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 3735b5a7fd..1bd31c9ac4 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c 
@@ -639,13 +639,20 @@ static int dca_parse_frame_header(DCAContext *s) } -static inline int get_scale(GetBitContext *gb, int level, int value) +static inline int get_scale(GetBitContext *gb, int level, int value, int log2range) { if (level < 5) { /* huffman encoded */ value += get_bitalloc(gb, &dca_scalefactor, level); - } else if (level < 8) - value = get_bits(gb, level + 1); + value = av_clip_uintp2(value, log2range); + } else if (level < 8) { + if (level + 1 > log2range) { + skip_bits(gb, level + 1 - log2range); + value = get_bits(gb, log2range); + } else { + value = get_bits(gb, level + 1); + } + } return value; } @@ -718,28 +725,31 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) for (j = base_channel; j < s->prim_channels; j++) { const uint32_t *scale_table; - int scale_sum; + int scale_sum, log_size; memset(s->scale_factor[j], 0, s->subband_activity[j] * sizeof(s->scale_factor[0][0][0]) * 2); - if (s->scalefactor_huffman[j] == 6) + if (s->scalefactor_huffman[j] == 6) { scale_table = scale_factor_quant7; - else + log_size = 7; + } else { scale_table = scale_factor_quant6; + log_size = 6; + } /* When huffman coded, only the difference is encoded */ scale_sum = 0; for (k = 0; k < s->subband_activity[j]; k++) { if (k >= s->vq_start_subband[j] || s->bitalloc[j][k] > 0) { - scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum); + scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum, log_size); s->scale_factor[j][k][0] = scale_table[scale_sum]; } if (k < s->vq_start_subband[j] && s->transition_mode[j][k]) { /* Get second scale factor */ - scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum); + scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum, log_size); s->scale_factor[j][k][1] = scale_table[scale_sum]; } } 
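Review bot: get_scale() now hides out-of-range input instead of reporting it. The Huffman branch clamps with av_clip_uintp2(value, log2range) and the level < 8 branch discards the high bits with skip_bits(), both silently. Because scale_sum is carried from one subband to the next ("only the difference is encoded"), a clamped value also shifts every later scale factor in that channel. Consider returning an error, or at least logging, when the clamp triggers, and document the new log2range parameter at the function.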
@@ -768,8 +778,7 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) * (is this valid as well for joint scales ???) */ for (k = s->subband_activity[j]; k < s->subband_activity[source_channel]; k++) { - scale = get_scale(&s->gb, s->joint_huff[j], 0); - scale += 64; /* bias */ + scale = get_scale(&s->gb, s->joint_huff[j], 64 /* bias */, 7); s->joint_scale_factor[j][k] = scale; /*joint_scale_table[scale]; */ } @@ -790,6 +799,11 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) } } else { int am = s->amode & DCA_CHANNEL_MASK; + if (am >= FF_ARRAY_ELEMS(dca_default_coeffs)) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid channel mode %d\n", am); + return AVERROR_INVALIDDATA; + } for (j = base_channel; j < s->prim_channels; j++) { s->downmix_coef[j][0] = dca_default_coeffs[am][j][0]; s->downmix_coef[j][1] = dca_default_coeffs[am][j][1]; @@ -829,7 +843,8 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) } /* Scale factor index */ - s->lfe_scale_factor = scale_factor_quant7[get_bits(&s->gb, 8)]; + skip_bits(&s->gb, 1); + s->lfe_scale_factor = scale_factor_quant7[get_bits(&s->gb, 7)]; /* Quantization step size * scale factor */ lfe_scale = 0.035 * s->lfe_scale_factor; diff --git a/libavcodec/dcadata.h b/libavcodec/dcadata.h index 0a83cdfae7..4b58ef7c38 100644 --- a/libavcodec/dcadata.h +++ b/libavcodec/dcadata.h @@ -7528,7 +7528,7 @@ static const float dca_downmix_coeffs[65] = { 0.001412537544623, 0.001000000000000, 0.000501187233627, 0.000251188643151, 0.000000000000000, }; -static const uint8_t dca_default_coeffs[16][5][2] = { +static const uint8_t dca_default_coeffs[10][5][2] = { { { 13, 13 }, }, { { 0, 64 }, { 64, 0 }, }, { { 0, 64 }, { 64, 0 }, }, From 9cb7f6e54a426e132396548a745cb32ff825b1fa Mon Sep 17 00:00:00 2001 
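Review bot: the joint scale factor change in the @@ -768 hunk is not equivalent to the old code for levels 5 to 7. In that branch get_scale() assigns `value = get_bits(...)`, so the 64 passed in as the initial value is overwritten, whereas the removed `scale += 64;` applied the bias after every read. If dropping the bias there is intended, the commit message should say so; otherwise keep the bias outside get_scale() and clamp afterwards. Separately, the new `am >= FF_ARRAY_ELEMS(dca_default_coeffs)` test guards only the first index of dca_default_coeffs[10][5][2]; j runs up to s->prim_channels with no visible bound against 5.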
From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 16:08:10 -0800 Subject: [PATCH 126/991] raw: move buffer size check up. This way, it protects against overreads for 4bpp/2bpp content also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cc5dd632cecc5114717d0b90f8c2be162b1c6ee8) Signed-off-by: Reinhard Tartler --- libavcodec/rawdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 427d109a2b..83b2a216b5 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -129,6 +129,9 @@ static int raw_decode(AVCodecContext *avctx, frame->reordered_opaque = avctx->reordered_opaque; frame->pkt_pts = avctx->pkt->pts; + if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0)) + return -1; + //2bpp and 4bpp raw in avi and mov (yes this is ugly ...) if (context->buffer) { int i; @@ -153,9 +156,6 @@ static int raw_decode(AVCodecContext *avctx, avctx->codec_tag == MKTAG('A', 'V', 'u', 'p')) buf += buf_size - context->length; - if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0)) - return -1; - avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height); if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) || (avctx->pix_fmt!=PIX_FMT_PAL8 && From 74871ac70ae387470a5da469157050cb2d3ed36f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 13:48:41 -0800 Subject: [PATCH 127/991] dv: check buffer size before reading profile. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e97efecec82ca8458a9bbd75a91ebf556abde362) Signed-off-by: Reinhard Tartler --- libavcodec/dvdata.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c index 3a135a9ac7..62e569c576 100644 --- a/libavcodec/dvdata.c +++ b/libavcodec/dvdata.c 
@@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = { const DVprofile* avpriv_dv_frame_profile(const DVprofile *sys, const uint8_t* frame, unsigned buf_size) { - int i; + int i, dsf, stype; - int dsf = (frame[3] & 0x80) >> 7; + if (buf_size < 80*5 + 48 + 4) + return NULL; - int stype = frame[80*5 + 48 + 3] & 0x1f; + dsf = (frame[3] & 0x80) >> 7; + stype = frame[80*5 + 48 + 3] & 0x1f; /* 576i50 25Mbps 4:1:1 is a special case */ if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) { From 1fcc2c60914c1fd9c516203f675676e1586b0376 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 14:18:14 -0800 Subject: [PATCH 128/991] wma: fix off-by-one in array bounds check. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b4bccf3e4e58f6fe58043791ca09db01a4343fac) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 37feca1f7f..a7300594ca 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -356,7 +356,7 @@ static int decode_exp_vlc(WMACodecContext *s, int ch) } /* NOTE: this offset is the same as MPEG4 AAC ! */ last_exp += code - 60; - if ((unsigned)last_exp + 60 > FF_ARRAY_ELEMS(pow_tab)) { + if ((unsigned)last_exp + 60 >= FF_ARRAY_ELEMS(pow_tab)) { av_log(s->avctx, AV_LOG_ERROR, "Exponent out of range: %d\n", last_exp); return -1; From 2744fdbd9e1ee6a10f7627147be6556d04c1a88a Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 6 Mar 2012 17:00:29 -0800 Subject: [PATCH 129/991] tiffdec: Prevent illegal memory access caused by recycled pointers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd0be63049ed46660993d0550a4f0847a0b942ea) Signed-off-by: Reinhard Tartler --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d807149922..a0db1f1d28 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -535,6 +535,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); return -1; } + // Reset these pointers so we can tell if they were set this frame + s->stripsizes = s->stripdata = NULL; /* parse image file directory */ off = tget_long(&buf, le); if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { From d4f2786cda271ed408e59f68e4a656f610a39808 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 15 Feb 2012 16:21:34 -0800 Subject: [PATCH 130/991] avs: fix infinite loop on end-of-stream. The codec would keep returning the last decoded frame if the stream contains B-frames, since it wouldn't clear that frame from the list of frames to be returned to the user. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 83f15a1228895434a982c840b09edccd1c64e800) Conflicts: libavcodec/cavsdec.c Signed-off-by: Reinhard Tartler --- libavcodec/cavsdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 2f4b6e3b14..b0e517bbc5 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -655,7 +655,8 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size, if (buf_size == 0) { if (!s->low_delay && h->DPB[0].f.data[0]) { *data_size = sizeof(AVPicture); - *picture = *(AVFrame *) &h->DPB[0]; + *picture = h->DPB[0].f; + memset(&h->DPB[0], 0, sizeof(h->DPB[0])); } return 0; } From 9980e4df3bfcf49da2d3b22ed808b3dca0e7bbf2 Mon Sep 17 00:00:00 2001 
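Review bot: in the buf_size == 0 path of cavs_decode_frame, the memset of h->DPB[0] directly after `*picture = h->DPB[0].f;` clears the decoder's reference to that frame's buffers with no release call in the hunk, so it is unclear who frees them afterwards. If ownership passes to the caller here, a comment should say so; if not, the buffer needs releasing before the entry is zeroed.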
From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 16:29:23 -0800 Subject: [PATCH 131/991] huffyuv: add padding to classic (v1) huffman tables. We slightly overread the input buffer, so we require padding at the end of the buffer, as is documented in the get_bits API. Without padding, we'll read uninitialized data or beyond the end of the .rodata, which may crash. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4ffe5e2aa5241f8da9afd2c8fbc854dcc916c5f9) Signed-off-by: Reinhard Tartler --- libavcodec/huffyuv.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index 412fe4b68d..2e1db043ea 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -82,13 +82,15 @@ typedef struct HYuvContext{ DSPContext dsp; }HYuvContext; -static const unsigned char classic_shift_luma[] = { +#define classic_shift_luma_table_size 42 +static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = { 34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8, 16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70, 69,68, 0 }; -static const unsigned char classic_shift_chroma[] = { +#define classic_shift_chroma_table_size 59 +static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = { 66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183, 56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119, 214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0 
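Review bot: classic_shift_luma_table_size (42) and classic_shift_chroma_table_size (59) are hand-counted and each is one less than the number of initialisers, so the trailing 0 that sizeof() used to include now falls outside the stated table size. A comment should state whether that terminator is meant to be readable. Nothing ties the two macros to the initialiser lists either, so an edit to a table can silently desynchronise them; a compile-time check or a sizeof-based expression minus the padding would avoid that. Macro names are also conventionally upper case.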
@@ -366,10 +368,10 @@ static int read_old_huffman_tables(HYuvContext *s){ GetBitContext gb; int i; - init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8); + init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8); if(read_len_table(s->len[0], &gb)<0) return -1; - init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8); + init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8); if(read_len_table(s->len[1], &gb)<0) return -1; From 88c3cc019c8f3ebb9a41ce49c4b7ee6242836849 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 8 Mar 2012 17:09:27 -0800 Subject: [PATCH 132/991] cook: expand dither_tab[], and make sure indexes into it don't overflow. Fixes overflows in accessing dither_tab[]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 442c3a8cb1785d74f8e2d7ab35b1862b7088436b) Signed-off-by: Reinhard Tartler --- libavcodec/cook.c | 6 +++++- libavcodec/cookdata.h | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index dc4c2ab170..7c499f0c93 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -507,7 +507,11 @@ static inline void expand_category(COOKContext *q, int *category, { int i; for (i = 0; i < q->num_vectors; i++) - ++category[category_index[i]]; + { + int idx = category_index[i]; + if (++category[idx] >= FF_ARRAY_ELEMS(dither_tab)) + --category[idx]; + } } /** diff --git a/libavcodec/cookdata.h b/libavcodec/cookdata.h index e8d6ebfcb3..6825a4459c 100644 --- a/libavcodec/cookdata.h +++ b/libavcodec/cookdata.h @@ -36,8 +36,8 @@ static const int expbits_tab[8] = { 52,47,43,37,29,22,16,0, }; -static const float dither_tab[8] = { - 0.0, 0.0, 0.0, 0.0, 0.0, 0.176777, 0.25, 0.707107, +static const float dither_tab[9] = { + 0.0, 0.0, 0.0, 0.0, 0.0, 0.176777, 0.25, 0.707107, 1.0 }; static const float quant_centroid_tab[7][14] = { 
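Review bot: the increment-then-undo in expand_category, `if (++category[idx] >= FF_ARRAY_ELEMS(dither_tab)) --category[idx];`, is harder to read than a guarded increment such as `if (category[idx] < FF_ARRAY_ELEMS(dither_tab) - 1) ++category[idx];`. The hunk also leaves idx = category_index[i] itself unchecked before it indexes category[], and the cookdata.h hunk adds a ninth dither_tab entry (1.0) without a comment explaining where that value comes from.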
From b9482a6efdac8d8c31ce93ce9393f20eb029865d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 13:45:32 -0800 Subject: [PATCH 133/991] cook: extend channel uncoupling tables so the full bit range is covered. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 37cc8600d0313838cab5b886b9d373e5819aa24f) Signed-off-by: Reinhard Tartler --- libavcodec/cook.c | 4 ++-- libavcodec/cookdata.h | 27 ++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 7c499f0c93..d869c4200e 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -836,8 +836,8 @@ static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1, cpl_tmp = cplband[i]; idx -= decouple_tab[cpl_tmp]; cplscale = q->cplscales[p->js_vlc_bits - 2]; // choose decoupler table - f1 = cplscale[decouple_tab[cpl_tmp]]; - f2 = cplscale[idx - 1]; + f1 = cplscale[decouple_tab[cpl_tmp] + 1]; + f2 = cplscale[idx]; q->decouple(q, p, i, f1, f2, decode_buffer, mlt_buffer1, mlt_buffer2); idx = (1 << p->js_vlc_bits) - 1; } diff --git a/libavcodec/cookdata.h b/libavcodec/cookdata.h index 6825a4459c..c4c26fae5f 100644 --- a/libavcodec/cookdata.h +++ b/libavcodec/cookdata.h @@ -510,23 +510,37 @@ static const int cplband[51] = { 19, }; -static const float cplscale2[3] = { +// The 1 and 0 at the beginning/end are to prevent overflows with +// bitstream-read indexes. E.g. if n_bits=5, we can access any +// index from [1, (1< Date: Sat, 10 Mar 2012 17:51:28 -0800 Subject: [PATCH 134/991] cook: error out on quant_index values outside [-63, 63] range. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 97e48b2f541396ef6e8816a555bac1bb993d7a6a) Signed-off-by: Reinhard Tartler --- libavcodec/cook.c | 50 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 36 insertions(+), 14 deletions(-) 
diff --git a/libavcodec/cook.c b/libavcodec/cook.c index d869c4200e..a835442b6b 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -366,8 +366,8 @@ static void decode_gain_info(GetBitContext *gb, int *gaininfo) * @param q pointer to the COOKContext * @param quant_index_table pointer to the array */ -static void decode_envelope(COOKContext *q, COOKSubpacket *p, - int *quant_index_table) +static int decode_envelope(COOKContext *q, COOKSubpacket *p, + int *quant_index_table) { int i, j, vlc_index; @@ -388,7 +388,15 @@ static void decode_envelope(COOKContext *q, COOKSubpacket *p, j = get_vlc2(&q->gb, q->envelope_quant_index[vlc_index - 1].table, q->envelope_quant_index[vlc_index - 1].bits, 2); quant_index_table[i] = quant_index_table[i - 1] + j - 12; // differential encoding + if (quant_index_table[i] > 63 || quant_index_table[i] < -63) { + av_log(q->avctx, AV_LOG_ERROR, + "Invalid quantizer %d at position %d, outside [-63, 63] range\n", + quant_index_table[i], i); + return AVERROR_INVALIDDATA; + } } + + return 0; } /** @@ -639,20 +647,24 @@ static void decode_vectors(COOKContext *q, COOKSubpacket *p, int *category, * @param q pointer to the COOKContext * @param mlt_buffer pointer to mlt coefficients */ -static void mono_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer) +static int mono_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer) { int category_index[128]; int quant_index_table[102]; int category[128]; + int res; memset(&category, 0, sizeof(category)); memset(&category_index, 0, sizeof(category_index)); - decode_envelope(q, p, quant_index_table); + if ((res = decode_envelope(q, p, quant_index_table)) < 0) + return res; q->num_vectors = get_bits(&q->gb, p->log2_numvector_size); categorize(q, p, quant_index_table, category, category_index); expand_category(q, category, category_index); decode_vectors(q, p, category, quant_index_table, mlt_buffer); + + return 0; } 
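Review bot: decode_envelope and mono_decode change from void to int, but the doc comment blocks visible as context above them gain no @return line; add one stating 0 on success and a negative AVERROR code on failure. In decode_envelope the new [-63, 63] check is applied to the differentially coded entries quant_index_table[i]; the hunk does not show the first entry getting the same check, which is worth confirming before merging.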
@@ -802,10 +814,10 @@ static void decouple_float(COOKContext *q, * @param mlt_buffer1 pointer to left channel mlt coefficients * @param mlt_buffer2 pointer to right channel mlt coefficients */ -static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1, - float *mlt_buffer2) +static int joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1, + float *mlt_buffer2) { - int i, j; + int i, j, res; int decouple_tab[SUBBAND_SIZE]; float *decode_buffer = q->decode_buffer_0; int idx, cpl_tmp; @@ -819,7 +831,8 @@ static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1, memset(mlt_buffer1, 0, 1024 * sizeof(*mlt_buffer1)); memset(mlt_buffer2, 0, 1024 * sizeof(*mlt_buffer2)); decouple_info(q, p, decouple_tab); - mono_decode(q, p, decode_buffer); + if ((res = mono_decode(q, p, decode_buffer)) < 0) + return res; /* The two channels are stored interleaved in decode_buffer. */ for (i = 0; i < p->js_subband_start; i++) { @@ -841,6 +854,8 @@ static void joint_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer1, q->decouple(q, p, i, f1, f2, decode_buffer, mlt_buffer1, mlt_buffer2); idx = (1 << p->js_vlc_bits) - 1; } + + return 0; } /** @@ -913,10 +928,11 @@ static inline void mlt_compensate_output(COOKContext *q, float *decode_buffer, * @param inbuffer pointer to the inbuffer * @param outbuffer pointer to the outbuffer */ -static void decode_subpacket(COOKContext *q, COOKSubpacket *p, - const uint8_t *inbuffer, float *outbuffer) +static int decode_subpacket(COOKContext *q, COOKSubpacket *p, + const uint8_t *inbuffer, float *outbuffer) { int sub_packet_size = p->size; + int res; /* packet dump */ // for (i = 0; i < sub_packet_size ; i++) // av_log(q->avctx, AV_LOG_ERROR, "%02x", inbuffer[i]); 
@@ -925,13 +941,16 @@ static void decode_subpacket(COOKContext *q, COOKSubpacket *p, decode_bytes_and_gain(q, p, inbuffer, &p->gains1); if (p->joint_stereo) { - joint_decode(q, p, q->decode_buffer_1, q->decode_buffer_2); + if ((res = joint_decode(q, p, q->decode_buffer_1, q->decode_buffer_2)) < 0) + return res; } else { - mono_decode(q, p, q->decode_buffer_1); + if ((res = mono_decode(q, p, q->decode_buffer_1)) < 0) + return res; if (p->num_channels == 2) { decode_bytes_and_gain(q, p, inbuffer + sub_packet_size / 2, &p->gains2); - mono_decode(q, p, q->decode_buffer_2); + if ((res = mono_decode(q, p, q->decode_buffer_2)) < 0) + return res; } } @@ -945,6 +964,8 @@ static void decode_subpacket(COOKContext *q, COOKSubpacket *p, else mlt_compensate_output(q, q->decode_buffer_2, &p->gains2, p->mono_previous_buffer2, outbuffer, p->ch_idx + 1); + + return 0; } @@ -1000,7 +1021,8 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data, i, q->subpacket[i].size, q->subpacket[i].joint_stereo, offset, avctx->block_align); - decode_subpacket(q, &q->subpacket[i], buf + offset, samples); + if ((ret = decode_subpacket(q, &q->subpacket[i], buf + offset, samples)) < 0) + return ret; offset += q->subpacket[i].size; chidx += q->subpacket[i].num_channels; av_log(avctx, AV_LOG_DEBUG, "subpacket[%i] %i %i\n", From 26521d87ba22fe1bb49f1f0796c7227017064e7f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 11 Mar 2012 07:28:54 -0700 Subject: [PATCH 135/991] dsicinvideo: validate buffer offset before copying pixels. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c95fefa0420be9cc0f09a95041acf11114aaacd0) Signed-off-by: Reinhard Tartler --- libavcodec/dsicinav.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 37d39f5405..a379531613 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c 
@@ -146,11 +146,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c return dst_cur - dst; } -static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) { uint16_t cmd; int i, sz, offset, code; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_end = dst + dst_size, *dst_start = dst; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -161,6 +161,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha } else { cmd = AV_RL16(src); src += 2; offset = cmd >> 4; + if ((int) (dst - dst_start) < offset + 1) + return AVERROR_INVALIDDATA; sz = (cmd & 0xF) + 2; /* don't use memcpy/memmove here as the decoding routine (ab)uses */ /* buffer overlappings to repeat bytes in the destination */ @@ -172,6 +174,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha } } } + + return 0; } static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) @@ -201,13 +205,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; CinVideoContext *cin = avctx->priv_data; - int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size; - - cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; - if (avctx->reget_buffer(avctx, &cin->frame)) { - av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); - return -1; - } + int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; palette_type = buf[0]; palette_colors_count = AV_RL16(buf+1); 
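Review bot: cin_decode_lzss now has an error path, but it still returns 0 when the `while (src < src_end && dst < dst_end)` loop ends because the input ran out, so a truncated packet is reported as success and only the bad-offset case is caught. If that is deliberate, a comment on the return value should say so. The `(int)` cast on `dst - dst_start` is unnecessary for the comparison, and cin_decode_rle in the trailing context remains void, so cases decoded through it still cannot report malformed input.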
@@ -233,8 +231,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, bitmap_frame_size -= 4; } } - memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); - cin->frame.palette_has_changed = 1; /* note: the decoding routines below assumes that surface.width = surface.pitch */ switch (bitmap_frame_type) { @@ -267,17 +263,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 38: - cin_decode_lzss(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + res = cin_decode_lzss(buf, bitmap_frame_size, + cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_size); + if (res < 0) + return res; break; case 39: - cin_decode_lzss(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + res = cin_decode_lzss(buf, bitmap_frame_size, + cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; } + cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; + if (avctx->reget_buffer(avctx, &cin->frame)) { + av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); + return -1; + } + + memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); + cin->frame.palette_has_changed = 1; for (y = 0; y < cin->avctx->height; ++y) memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, From 8f881885c2325ce83f114437b97c2e0d6001cd7d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 8 Mar 2012 16:32:46 -0800 Subject: [PATCH 136/991] xxan: don't read before start of buffer in av_memcpy_backptr(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f1279e286b00e99f343adb51e251f036a3df6f32) 
Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 58c80c05fa..12a261b49f 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -129,7 +129,8 @@ static int xan_unpack(uint8_t *dest, const int dest_len, if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end) + if (src + size > src_end || dest + size + size2 > dest_end || + dest - orig_dest + size < back) return -1; bytestream_get_buffer(&src, dest, size); dest += size; From a43f4bd601e905e3f04c47293a642ac541d727f3 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 8 Mar 2012 16:32:47 -0800 Subject: [PATCH 137/991] xxan: convert to bytestream2 API. Protects against overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 55188278169c3a1838334d7aa47a1f7a40741690) Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 117 ++++++++++++++++++++++------------------------ 1 file changed, 56 insertions(+), 61 deletions(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 12a261b49f..fb8fb526ac 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -35,6 +35,7 @@ typedef struct XanContext { uint8_t *y_buffer; uint8_t *scratch_buffer; int buffer_size; + GetByteContext gb; } XanContext; static av_cold int xan_decode_init(AVCodecContext *avctx) 
@@ -58,29 +59,29 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_unpack_luma(const uint8_t *src, const int src_size, +static int xan_unpack_luma(XanContext *s, uint8_t *dst, const int dst_size) { int tree_size, eof; - const uint8_t *tree; int bits, mask; int tree_root, node; const uint8_t *dst_end = dst + dst_size; - const uint8_t *src_end = src + src_size; + GetByteContext tree = s->gb; + int start_off = bytestream2_tell(&tree); - tree_size = *src++; - eof = *src++; - tree = src - eof * 2 - 2; + tree_size = bytestream2_get_byte(&s->gb); + eof = bytestream2_get_byte(&s->gb); tree_root = eof + tree_size; - src += tree_size * 2; + bytestream2_skip(&s->gb, tree_size * 2); node = tree_root; - bits = *src++; + bits = bytestream2_get_byte(&s->gb); mask = 0x80; for (;;) { int bit = !!(bits & mask); mask >>= 1; - node = tree[node*2 + bit]; + bytestream2_seek(&tree, start_off + node*2 + bit - eof * 2, SEEK_SET); + node = bytestream2_get_byte(&tree); if (node == eof) break; if (node < eof) { 
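Review bot: in xan_unpack_luma the tree lookup `bytestream2_seek(&tree, start_off + node*2 + bit - eof * 2, SEEK_SET);` ignores the value returned by bytestream2_seek, and neither tree_size, eof nor node is validated, so a node index that points outside the packet is not rejected before `node = bytestream2_get_byte(&tree);` supplies the next node. Compute the offset once, compare it with the position the seek actually reached (or with the packet size), and return AVERROR_INVALIDDATA on a mismatch. A one-line comment explaining the `- eof * 2` bias would also help, since the old `tree = src - eof * 2 - 2` expression that documented it is gone.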
@@ -90,49 +91,51 @@ static int xan_unpack_luma(const uint8_t *src, const int src_size, node = tree_root; } if (!mask) { - bits = *src++; - if (src > src_end) + if (bytestream2_get_bytes_left(&s->gb) <= 0) break; + bits = bytestream2_get_byteu(&s->gb); mask = 0x80; } } - return dst != dst_end; + return dst != dst_end ? AVERROR_INVALIDDATA : 0; } /* almost the same as in xan_wc3 decoder */ -static int xan_unpack(uint8_t *dest, const int dest_len, - const uint8_t *src, const int src_len) +static int xan_unpack(XanContext *s, + uint8_t *dest, const int dest_len) { uint8_t opcode; int size; uint8_t *orig_dest = dest; - const uint8_t *src_end = src + src_len; const uint8_t *dest_end = dest + dest_len; while (dest < dest_end) { - opcode = *src++; + if (bytestream2_get_bytes_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; + + opcode = bytestream2_get_byteu(&s->gb); if (opcode < 0xe0) { int size2, back; if ((opcode & 0x80) == 0) { size = opcode & 3; - back = ((opcode & 0x60) << 3) + *src++ + 1; + back = ((opcode & 0x60) << 3) + bytestream2_get_byte(&s->gb) + 1; size2 = ((opcode & 0x1c) >> 2) + 3; } else if ((opcode & 0x40) == 0) { - size = *src >> 6; - back = (bytestream_get_be16(&src) & 0x3fff) + 1; + size = bytestream2_peek_byte(&s->gb) >> 6; + back = (bytestream2_get_be16(&s->gb) & 0x3fff) + 1; size2 = (opcode & 0x3f) + 4; } else { size = opcode & 3; - back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1; - size2 = ((opcode & 0x0c) << 6) + *src++ + 5; + back = ((opcode & 0x10) << 12) + bytestream2_get_be16(&s->gb) + 1; + size2 = ((opcode & 0x0c) << 6) + bytestream2_get_byte(&s->gb) + 5; if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end || + if (dest + size + size2 > dest_end || dest - orig_dest + size < back) return -1; - bytestream_get_buffer(&src, dest, size); + bytestream2_get_buffer(&s->gb, dest, size); dest += size; av_memcpy_backptr(dest, back, size2); dest += size2; 
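Review bot: in the back-reference branch of xan_unpack the removed `src + size > src_end` test has no replacement; the return value of `bytestream2_get_buffer(&s->gb, dest, size);` is ignored and `dest += size;` advances by the requested amount regardless of how much was copied. Either check bytestream2_get_bytes_left(&s->gb) against size beforehand or compare the returned count with size and fail. Two smaller points in the same hunk: the error paths still `return -1` while the new truncation path returns AVERROR_INVALIDDATA, and `dest + size + size2 > dest_end` would be safer in the subtraction form `dest_end - dest < size + size2`, matching the style the next hunk adopts.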
@@ -140,9 +143,9 @@ static int xan_unpack(uint8_t *dest, const int dest_len, int finish = opcode >= 0xfc; size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4; - if (src + size > src_end || dest + size > dest_end) + if (dest_end - dest < size) return -1; - bytestream_get_buffer(&src, dest, size); + bytestream2_get_buffer(&s->gb, dest, size); dest += size; if (finish) break; @@ -151,38 +154,35 @@ static int xan_unpack(uint8_t *dest, const int dest_len, return dest - orig_dest; } -static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) +static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) { - const uint8_t *buf = avpkt->data; XanContext *s = avctx->priv_data; uint8_t *U, *V; - unsigned chroma_off; int val, uval, vval; int i, j; const uint8_t *src, *src_end; const uint8_t *table; int mode, offset, dec_size; - chroma_off = AV_RL32(buf + 4); if (!chroma_off) return 0; - if (chroma_off + 10 >= avpkt->size) { + if (chroma_off + 4 >= bytestream2_get_bytes_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "Invalid chroma block position\n"); return -1; } - src = avpkt->data + 4 + chroma_off; - table = src + 2; - mode = bytestream_get_le16(&src); - offset = bytestream_get_le16(&src) * 2; + bytestream2_seek(&s->gb, chroma_off + 4, SEEK_SET); + mode = bytestream2_get_le16(&s->gb); + table = s->gb.buffer; + offset = bytestream2_get_le16(&s->gb) * 2; - if (src - avpkt->data >= avpkt->size - offset) { + if (offset >= bytestream2_get_bytes_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "Invalid chroma block offset\n"); return -1; } + bytestream2_skip(&s->gb, offset); memset(s->scratch_buffer, 0, s->buffer_size); - dec_size = xan_unpack(s->scratch_buffer, s->buffer_size, src + offset, - avpkt->size - offset - (src - avpkt->data)); + dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size); if (dec_size < 0) { av_log(avctx, AV_LOG_ERROR, "Chroma unpacking failed\n"); return -1; 
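Review bot: the new bound in xan_decode_chroma, `chroma_off + 4 >= bytestream2_get_bytes_left(&s->gb)`, compares an absolute offset (the next line uses it with SEEK_SET) against the bytes remaining after the caller's header reads, so the accepted range depends on how many bytes each caller has already consumed. chroma_off is unsigned, so `chroma_off + 4` can also wrap before the comparison. Compare against the total packet size, `s->gb.buffer_end - s->gb.buffer_start`, and keep the addition off the untrusted side, for example by testing chroma_off against size minus the header length. The same applies to the `offset >= bytestream2_get_bytes_left(&s->gb)` test only if offset is later used as an absolute position; here it is skipped relative to the current position, so that one is consistent.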
@@ -234,32 +234,27 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) return 0; } -static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) +static int xan_decode_frame_type0(AVCodecContext *avctx) { - const uint8_t *buf = avpkt->data; XanContext *s = avctx->priv_data; uint8_t *ybuf, *prev_buf, *src = s->scratch_buffer; unsigned chroma_off, corr_off; - int cur, last, size; + int cur, last; int i, j; int ret; - corr_off = AV_RL32(buf + 8); - chroma_off = AV_RL32(buf + 4); + chroma_off = bytestream2_get_le32(&s->gb); + corr_off = bytestream2_get_le32(&s->gb); - if ((ret = xan_decode_chroma(avctx, avpkt)) != 0) + if ((ret = xan_decode_chroma(avctx, chroma_off)) != 0) return ret; - size = avpkt->size - 4; - if (corr_off >= avpkt->size) { + if (corr_off >= (s->gb.buffer_end - s->gb.buffer_start)) { av_log(avctx, AV_LOG_WARNING, "Ignoring invalid correction block position\n"); corr_off = 0; } - if (corr_off) - size = corr_off; - if (chroma_off) - size = FFMIN(size, chroma_off); - ret = xan_unpack_luma(buf + 12, size, src, s->buffer_size >> 1); + bytestream2_seek(&s->gb, 12, SEEK_SET); + ret = xan_unpack_luma(s, src, s->buffer_size >> 1); if (ret) { av_log(avctx, AV_LOG_ERROR, "Luma decoding failed\n"); return ret; @@ -295,12 +290,11 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) if (corr_off) { int corr_end, dec_size; - corr_end = avpkt->size; + corr_end = (s->gb.buffer_end - s->gb.buffer_start); if (chroma_off > corr_off) corr_end = chroma_off; - dec_size = xan_unpack(s->scratch_buffer, s->buffer_size, - avpkt->data + 8 + corr_off, - corr_end - corr_off); + bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET); + dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size); if (dec_size < 0) dec_size = 0; for (i = 0; i < dec_size; i++) 
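Review bot: in the correction-block path corr_end is still computed (`corr_end = chroma_off` when the chroma block follows) but the visible lines never read it again, because `xan_unpack(s, s->scratch_buffer, s->buffer_size)` now consumes from s->gb up to the end of the packet, where the old call limited the input to `corr_end - corr_off`. Correction data can therefore be decoded out of the chroma block. Either run xan_unpack on a GetByteContext initialised over the range from 8 + corr_off to corr_end, or drop corr_end and say in the commit message that the limit is intentionally gone. The luma call in the previous hunk lost its `size` limit in the same way.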
@@ -319,19 +313,19 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) return 0; } -static int xan_decode_frame_type1(AVCodecContext *avctx, AVPacket *avpkt) +static int xan_decode_frame_type1(AVCodecContext *avctx) { - const uint8_t *buf = avpkt->data; XanContext *s = avctx->priv_data; uint8_t *ybuf, *src = s->scratch_buffer; int cur, last; int i, j; int ret; - if ((ret = xan_decode_chroma(avctx, avpkt)) != 0) + if ((ret = xan_decode_chroma(avctx, bytestream2_get_le32(&s->gb))) != 0) return ret; - ret = xan_unpack_luma(buf + 16, avpkt->size - 16, src, + bytestream2_seek(&s->gb, 16, SEEK_SET); + ret = xan_unpack_luma(s, src, s->buffer_size >> 1); if (ret) { av_log(avctx, AV_LOG_ERROR, "Luma decoding failed\n"); @@ -381,13 +375,14 @@ static int xan_decode_frame(AVCodecContext *avctx, return ret; } - ftype = AV_RL32(avpkt->data); + bytestream2_init(&s->gb, avpkt->data, avpkt->size); + ftype = bytestream2_get_le32(&s->gb); switch (ftype) { case 0: - ret = xan_decode_frame_type0(avctx, avpkt); + ret = xan_decode_frame_type0(avctx); break; case 1: - ret = xan_decode_frame_type1(avctx, avpkt); + ret = xan_decode_frame_type1(avctx); break; default: av_log(avctx, AV_LOG_ERROR, "Unknown frame type %d\n", ftype); From c65eadee5d200b3ed2106548e8d0cace3db5e97f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 10 Mar 2012 11:57:17 -0800 Subject: [PATCH 138/991] xxan: protect against chroma LUT overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f77bfa837636a99a4034d31916a76f7d1688cf5a) Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index fb8fb526ac..0a37d48f6b 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c 
@@ -162,7 +162,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) int i, j; const uint8_t *src, *src_end; const uint8_t *table; - int mode, offset, dec_size; + int mode, offset, dec_size, table_size; if (!chroma_off) return 0; @@ -171,9 +171,11 @@ static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) return -1; } bytestream2_seek(&s->gb, chroma_off + 4, SEEK_SET); - mode = bytestream2_get_le16(&s->gb); - table = s->gb.buffer; - offset = bytestream2_get_le16(&s->gb) * 2; + mode = bytestream2_get_le16(&s->gb); + table = s->gb.buffer; + table_size = bytestream2_get_le16(&s->gb); + offset = table_size * 2; + table_size += 1; if (offset >= bytestream2_get_bytes_left(&s->gb)) { av_log(avctx, AV_LOG_ERROR, "Invalid chroma block offset\n"); @@ -196,7 +198,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) for (j = 0; j < avctx->height >> 1; j++) { for (i = 0; i < avctx->width >> 1; i++) { val = *src++; - if (val) { + if (val && val < table_size) { val = AV_RL16(table + (val << 1)); uval = (val >> 3) & 0xF8; vval = (val >> 8) & 0xF8; @@ -216,7 +218,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) for (j = 0; j < avctx->height >> 2; j++) { for (i = 0; i < avctx->width >> 1; i += 2) { val = *src++; - if (val) { + if (val && val < table_size) { val = AV_RL16(table + (val << 1)); uval = (val >> 3) & 0xF8; vval = (val >> 8) & 0xF8; From 7bb97a61dfb65a3825e17c2dc1e0e693b5607ec6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 10 Mar 2012 14:28:08 -0800 Subject: [PATCH 139/991] mpc: pad mpc_CC/SCF[] tables to allow for negative indices. MPC8 allows indices of mpc_CC up to -1, and mpc_SCF up to -6, thus pad the tables by that much on the left end. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d7eabd50425a61b31e90c763a0c3e4316a725404) 
Signed-off-by: Reinhard Tartler --- libavcodec/mpc.c | 6 +++--- libavcodec/mpc7.c | 4 ++-- libavcodec/mpcdata.h | 10 +++++++--- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c index 4573860525..6b15a33e5a 100644 --- a/libavcodec/mpc.c +++ b/libavcodec/mpc.c @@ -78,13 +78,13 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, void *data, int ch for(ch = 0; ch < 2; ch++){ if(bands[i].res[ch]){ j = 0; - mul = mpc_CC[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0]]; + mul = mpc_CC[bands[i].res[ch] + 1] * mpc_SCF[bands[i].scf_idx[ch][0]+6]; for(; j < 12; j++) c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; - mul = mpc_CC[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1]]; + mul = mpc_CC[bands[i].res[ch] + 1] * mpc_SCF[bands[i].scf_idx[ch][1]+6]; for(; j < 24; j++) c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; - mul = mpc_CC[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2]]; + mul = mpc_CC[bands[i].res[ch] + 1] * mpc_SCF[bands[i].scf_idx[ch][2]+6]; for(; j < 36; j++) c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; } diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 290ecfb385..b678afd1a2 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -193,7 +193,7 @@ static int get_scale_idx(GetBitContext *gb, int ref) int t = get_vlc2(gb, dscf_vlc.table, MPC7_DSCF_BITS, 1) - 7; if (t == 8) return get_bits(gb, 6); - return ref + t; + return av_clip_uintp2(ref + t, 7); } static int mpc7_decode_frame(AVCodecContext * avctx, void *data, @@ -234,7 +234,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, int t = 4; if(i) t = get_vlc2(&gb, hdr_vlc.table, MPC7_HDR_BITS, 1) - 5; if(t == 4) bands[i].res[ch] = get_bits(&gb, 4); - else bands[i].res[ch] = bands[i-1].res[ch] + t; + else bands[i].res[ch] = av_clip(bands[i-1].res[ch] + t, 0, 17); } if(bands[i].res[0] || bands[i].res[1]){ diff --git a/libavcodec/mpcdata.h b/libavcodec/mpcdata.h index 397dad59d8..15724f3b74 100644 
--- a/libavcodec/mpcdata.h +++ b/libavcodec/mpcdata.h @@ -22,13 +22,17 @@ #ifndef AVCODEC_MPCDATA_H #define AVCODEC_MPCDATA_H -static const float mpc_CC[18] = { - 65536.0000, 21845.3333, 13107.2000, 9362.2857, 7281.7778, 4369.0667, 2114.0645, +static const float mpc_CC[18+1] = { + 111.285962475327f, // 32768/2/255*sqrt(3) + 65536.0000 /* this value is never used */, + 21845.3333, 13107.2000, 9362.2857, 7281.7778, 4369.0667, 2114.0645, 1040.2539, 516.0315, 257.0039, 128.2505, 64.0626, 32.0156, 16.0039, 8.0010, 4.0002, 2.0001, 1.0000 }; -static const float mpc_SCF[128] = { +static const float mpc_SCF[128+6] = { + 920.016296386718750000, 766.355773925781250000, 638.359558105468750000, + 531.741149902343750000, 442.930114746093750000, 368.952209472656250000, 307.330047607421875000, 255.999984741210937500, 213.243041992187500000, 177.627334594726562500, 147.960128784179687500, 123.247924804687500000, 102.663139343261718750, 85.516410827636718750, 71.233520507812500000, 59.336143493652343750, 49.425861358642578125, 41.170787811279296875, From d94256d36cc789788a68c6b35d31481c4b16fdd3 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 12 Mar 2012 22:01:02 +0100 Subject: [PATCH 140/991] Revert "h264: clear trailing bits in partially parsed NAL units" This reverts commit 729ebb2f185244b0ff06d48edbbbbb02ceb4ed4e. There was an off-by-one error in the bit mask calculation clearing actually the last valid bit and causing http://bugzilla.libav.org/show_bug.cgi?id=227 The broken sample (Mr_MrsSmith-h264_aac.mp4) the commit was fixing does not work after correcting the off-by-one error. CC: libav-stable@libav.org (cherry picked from commit 8a6037c3900875ccab8d553d2cc659bdef2c9d0e) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 449c634cfe..46e6c72832 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -3763,7 +3763,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ int consumed; int dst_length; int bit_length; - uint8_t *ptr; + const uint8_t *ptr; int i, nalsize = 0; int err; @@ -3813,9 +3813,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ } if (h->is_avc && (nalsize != consumed) && nalsize){ - // set trailing bits in the last partial byte to zero - if (bit_length & 7) - ptr[bit_length >> 3] = ptr[bit_length >> 3] & (0xff << 8 - (bit_length & 7)); av_log(h->s.avctx, AV_LOG_DEBUG, "AVC: Consumed only %d bytes instead of %d\n", consumed, nalsize); } From 666bd5848a92f82ee97ad0869dd1f8c7edb9f214 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 12 Mar 2012 17:42:57 +0100 Subject: [PATCH 141/991] avconv: link '-passlogfile' option to libx264 'stats' AVOption. Fixes bug 204. CC: libav-stable@libav.org (cherry picked from commit 6e8be949f12734f38d360aad0f5c503a0f9606fa) Signed-off-by: Reinhard Tartler --- avconv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/avconv.c b/avconv.c index 46f3090755..4a61fa52fc 100644 --- a/avconv.c +++ b/avconv.c @@ -2459,6 +2459,9 @@ static int transcode_init(OutputFile *output_files, snprintf(logfilename, sizeof(logfilename), "%s-%d.log", pass_logfilename_prefix ? pass_logfilename_prefix : DEFAULT_PASS_LOGFILENAME_PREFIX, i); + if (!strcmp(ost->enc->name, "libx264")) { + av_dict_set(&ost->opts, "stats", logfilename, AV_DICT_DONT_OVERWRITE); + } else { if (codec->flags & CODEC_FLAG_PASS1) { f = fopen(logfilename, "wb"); if (!f) { @@ -2477,6 +2480,7 @@ static int transcode_init(OutputFile *output_files, } codec->stats_in = logbuffer; } + } } } if (codec->codec_type == AVMEDIA_TYPE_VIDEO) { From a15adb18faecaaa984e4a6ef6732f4ea4be2418c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 12 Mar 2012 17:43:48 +0100 Subject: [PATCH 142/991] avconv: reindent CC: libav-stable@libav.org (cherry picked from commit 64334ddbbc7fce490c895c54106291d0b128e830) 
Signed-off-by: Reinhard Tartler --- avconv.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/avconv.c b/avconv.c index 4a61fa52fc..dcc0935ed7 100644 --- a/avconv.c +++ b/avconv.c @@ -2462,24 +2462,24 @@ static int transcode_init(OutputFile *output_files, if (!strcmp(ost->enc->name, "libx264")) { av_dict_set(&ost->opts, "stats", logfilename, AV_DICT_DONT_OVERWRITE); } else { - if (codec->flags & CODEC_FLAG_PASS1) { - f = fopen(logfilename, "wb"); - if (!f) { - av_log(NULL, AV_LOG_FATAL, "Cannot write log file '%s' for pass-1 encoding: %s\n", - logfilename, strerror(errno)); - exit_program(1); + if (codec->flags & CODEC_FLAG_PASS1) { + f = fopen(logfilename, "wb"); + if (!f) { + av_log(NULL, AV_LOG_FATAL, "Cannot write log file '%s' for pass-1 encoding: %s\n", + logfilename, strerror(errno)); + exit_program(1); + } + ost->logfile = f; + } else { + char *logbuffer; + size_t logbuffer_size; + if (cmdutils_read_file(logfilename, &logbuffer, &logbuffer_size) < 0) { + av_log(NULL, AV_LOG_FATAL, "Error reading log file '%s' for pass-2 encoding\n", + logfilename); + exit_program(1); + } + codec->stats_in = logbuffer; } - ost->logfile = f; - } else { - char *logbuffer; - size_t logbuffer_size; - if (cmdutils_read_file(logfilename, &logbuffer, &logbuffer_size) < 0) { - av_log(NULL, AV_LOG_FATAL, "Error reading log file '%s' for pass-2 encoding\n", - logfilename); - exit_program(1); - } - codec->stats_in = logbuffer; - } } } } From f6257cf4b710eed9f05d9dcbca853d236d3cdd56 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 12 Mar 2012 17:09:22 +0100 Subject: [PATCH 143/991] libx264: fix help text for slice-max-size option. CC: libav-stable@libav.org (cherry picked from commit 9d5c131ecec75fcfb1b4b56f74f2b2756bf0027a) Signed-off-by: Reinhard Tartler --- libavcodec/libx264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index b3581f168f..96c9588ece 100644 
--- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -552,7 +552,7 @@ static const AVOption options[] = { { "spatial", NULL, 0, AV_OPT_TYPE_CONST, { X264_DIRECT_PRED_SPATIAL }, 0, 0, VE, "direct-pred" }, { "temporal", NULL, 0, AV_OPT_TYPE_CONST, { X264_DIRECT_PRED_TEMPORAL }, 0, 0, VE, "direct-pred" }, { "auto", NULL, 0, AV_OPT_TYPE_CONST, { X264_DIRECT_PRED_AUTO }, 0, 0, VE, "direct-pred" }, - { "slice-max-size","Constant quantization parameter rate control method",OFFSET(slice_max_size), AV_OPT_TYPE_INT, {-1 }, -1, INT_MAX, VE }, + { "slice-max-size","Limit the size of each slice in bytes", OFFSET(slice_max_size),AV_OPT_TYPE_INT, {-1 }, -1, INT_MAX, VE }, { NULL }, }; From 6548cb25782d05c1ea52bb6904c2b2b398079b8b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 12 Mar 2012 17:20:20 +0100 Subject: [PATCH 144/991] libx264: add 'stats' private option for setting 2pass stats filename. x264 always opens the file itself with fopen, so we cannot use the standard lavc stats mechanism. CC: libav-stable@libav.org (cherry picked from commit d533e395e14d403948ca2424efbcee92429ef8e1) Signed-off-by: Reinhard Tartler --- libavcodec/libx264.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 96c9588ece..ac0f6b6d05 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -66,6 +66,7 @@ typedef struct X264Context { char *partitions; int direct_pred; int slice_max_size; + char *stats; } X264Context; static void X264_log(void *p, int level, const char *fmt, va_list args) @@ -379,6 +380,7 @@ static av_cold int X264_init(AVCodecContext *avctx) PARSE_X264_OPT("psy-rd", psy_rd); PARSE_X264_OPT("deblock", deblock); PARSE_X264_OPT("partitions", partitions); + PARSE_X264_OPT("stats", stats); if (x4->psy >= 0) x4->params.analyse.b_psy = x4->psy; if (x4->rc_lookahead >= 0) 
@@ -553,6 +555,7 @@ static const AVOption options[] = { { "temporal", NULL, 0, AV_OPT_TYPE_CONST, { X264_DIRECT_PRED_TEMPORAL }, 0, 0, VE, "direct-pred" }, { "auto", NULL, 0, AV_OPT_TYPE_CONST, { X264_DIRECT_PRED_AUTO }, 0, 0, VE, "direct-pred" }, { "slice-max-size","Limit the size of each slice in bytes", OFFSET(slice_max_size),AV_OPT_TYPE_INT, {-1 }, -1, INT_MAX, VE }, + { "stats", "Filename for 2 pass stats", OFFSET(stats), AV_OPT_TYPE_STRING, { 0 }, 0, 0, VE }, { NULL }, }; From de0ff4ce69c311a2879e10143f1cc2c4945f3ef0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Mar 2012 18:26:50 -0700 Subject: [PATCH 145/991] h264: Fix invalid interlaced/progressive MB combinations for direct mode prediction. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje (cherry picked from commit 758ec111538ccd487686e8677aa754ee4d82beaa) Signed-off-by: Reinhard Tartler --- libavcodec/h264_direct.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index a953728a12..4f70ff83e9 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -252,6 +252,10 @@ static void pred_spatial_direct_motion(H264Context * const h, int *mb_type){ mb_type_col[1] = h->ref_list[1][0].f.mb_type[mb_xy + s->mb_stride]; b8_stride = 2+4*s->mb_stride; b4_stride *= 6; + if (IS_INTERLACED(mb_type_col[0]) != IS_INTERLACED(mb_type_col[1])) { + mb_type_col[0] &= ~MB_TYPE_INTERLACED; + mb_type_col[1] &= ~MB_TYPE_INTERLACED; + } sub_mb_type |= MB_TYPE_16x16|MB_TYPE_DIRECT2; /* B_SUB_8x8 */ if( (mb_type_col[0] & MB_TYPE_16x16_OR_INTRA) 
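Review bot: the mismatch handling added to pred_spatial_direct_motion clears MB_TYPE_INTERLACED on both co-located types with no comment and no log message, so a reader cannot tell that a mixed interlaced/progressive pair is invalid input or why treating both as progressive is the chosen recovery. Add a short comment to that effect. The identical four lines are added again in pred_temp_direct_motion, so a small shared helper would keep the two paths from drifting apart.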
@@ -438,6 +442,10 @@ static void pred_temp_direct_motion(H264Context * const h, int *mb_type){ mb_type_col[1] = h->ref_list[1][0].f.mb_type[mb_xy + s->mb_stride]; b8_stride = 2+4*s->mb_stride; b4_stride *= 6; + if (IS_INTERLACED(mb_type_col[0]) != IS_INTERLACED(mb_type_col[1])) { + mb_type_col[0] &= ~MB_TYPE_INTERLACED; + mb_type_col[1] &= ~MB_TYPE_INTERLACED; + } sub_mb_type = MB_TYPE_16x16|MB_TYPE_P0L0|MB_TYPE_P0L1|MB_TYPE_DIRECT2; /* B_SUB_8x8 */ From e4e4d92641df31a3c2d5213ac18b9fd5b0c38833 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 14 Mar 2012 03:02:02 +0000 Subject: [PATCH 146/991] jvdec: unbreak video decoding The safe bitstream reader broke it since the buffer size was specified in bytes instead of bits. Signed-off-by: Janne Grunau CC: libav-stable@libav.org (cherry picked from commit a1c036e961a32f7208e7315dabfa0ee99d779edb) Signed-off-by: Reinhard Tartler --- libavcodec/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 5249764347..f2c97526c0 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx, if (video_type == 0 || video_type == 1) { GetBitContext gb; - init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8)); + init_get_bits(&gb, buf, 8 * FFMIN(video_size, buf_end - buf)); for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) From f6778f58d4eb9cf47a42506b239586b5d17f84c4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 15:15:42 -0800 Subject: [PATCH 147/991] algmm: convert to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a55d5bdc6e28a2cfefc440d792de5cc4f02377e2) Signed-off-by: Reinhard Tartler --- libavcodec/mmvideo.c | 89 +++++++++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 38 deletions(-) 
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 9e82ef94f9..501371ad52 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -33,6 +33,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "bytestream.h" #define MM_PREAMBLE_SIZE 6 @@ -48,6 +49,7 @@ typedef struct MmContext { AVCodecContext *avctx; AVFrame frame; int palette[AVPALETTE_COUNT]; + GetByteContext gb; } MmContext; static av_cold int mm_decode_init(AVCodecContext *avctx) @@ -63,40 +65,40 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) return 0; } -static void mm_decode_pal(MmContext *s, const uint8_t *buf, const uint8_t *buf_end) +static int mm_decode_pal(MmContext *s) { int i; - buf += 4; - for (i=0; i<128 && buf+2palette[i] = AV_RB24(buf); + + bytestream2_skip(&s->gb, 4); + for (i = 0; i < 128; i++) { + s->palette[i] = bytestream2_get_be24(&s->gb); s->palette[i+128] = s->palette[i]<<2; - buf += 3; } + + return 0; } /** * @param half_horiz Half horizontal resolution (0 or 1) * @param half_vert Half vertical resolution (0 or 1) */ -static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size) +static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) { int i, x, y; i=0; x=0; y=0; - while(igb) > 0) { int run_length, color; if (y >= s->avctx->height) - return; + return 0; - if (buf[i] & 0x80) { + color = bytestream2_get_byte(&s->gb); + if (color & 0x80) { run_length = 1; - color = buf[i]; - i++; }else{ - run_length = (buf[i] & 0x7f) + 2; - color = buf[i+1]; - i+=2; + run_length = (color & 0x7f) + 2; + color = bytestream2_get_byte(&s->gb); } if (half_horiz) 
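Review bot: mm_decode_pal now runs all 128 iterations with no check on the bytes remaining, where the old loop was also bounded by buf_end, and it can only `return 0`, so a truncated palette chunk is accepted and the new int return type carries no information. Check bytestream2_get_bytes_left(&s->gb) against 4 + 128 * 3 up front and return AVERROR_INVALIDDATA when it is short. In mm_decode_frame the palette case also does `res = mm_decode_pal(s); return buf_size;`, which discards res, so the caller needs to test it before returning.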
@@ -114,23 +116,28 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const y += 1 + half_vert; } } + + return 0; } /* * @param half_horiz Half horizontal resolution (0 or 1) * @param half_vert Half vertical resolution (0 or 1) */ -static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size) +static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) { - const int data_ptr = 2 + AV_RL16(&buf[0]); - int d, r, y; - d = data_ptr; r = 2; y = 0; + int data_off = bytestream2_get_le16(&s->gb), y; + GetByteContext data_ptr; - while(r < data_ptr) { + if (bytestream2_get_bytes_left(&s->gb) < data_off) + return AVERROR_INVALIDDATA; + + bytestream2_init(&data_ptr, s->gb.buffer + data_off, bytestream2_get_bytes_left(&s->gb) - data_off); + while (s->gb.buffer < data_ptr.buffer_start) { int i, j; - int length = buf[r] & 0x7f; - int x = buf[r+1] + ((buf[r] & 0x80) << 1); - r += 2; + int length = bytestream2_get_byte(&s->gb); + int x = bytestream2_get_byte(&s->gb) + ((length & 0x80) << 1); + length &= 0x7F; if (length==0) { y += x; @@ -138,13 +145,14 @@ static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const } if (y + half_vert >= s->avctx->height) - return; + return 0; for(i=0; igb); for(j=0; j<8; j++) { - int replace = (buf[r+i] >> (7-j)) & 1; + int replace = (replace_array >> (7-j)) & 1; if (replace) { - int color = buf[d]; + int color = bytestream2_get_byte(&data_ptr); s->frame.data[0][y*s->frame.linesize[0] + x] = color; if (half_horiz) s->frame.data[0][y*s->frame.linesize[0] + x + 1] = color; @@ -153,15 +161,15 @@ static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const if (half_horiz) s->frame.data[0][(y+1)*s->frame.linesize[0] + x + 1] = color; } - d++; } x += 1 + half_horiz; } } - r += length; y += 1 + half_vert; } + + return 0; } static int mm_decode_frame(AVCodecContext *avctx, 
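Review bot: in mm_decode_inter the column comes straight from the stream, `int x = bytestream2_get_byte(&s->gb) + ((length & 0x80) << 1);`, and is advanced per pixel, but the only bound in the visible lines is on the row (`y + half_vert >= s->avctx->height`) before the writes to `s->frame.data[0][y*s->frame.linesize[0] + x]`. The conversion protects the input side only; add a check of x + half_horiz against s->avctx->width that returns AVERROR_INVALIDDATA. The row check itself returns 0 on overflow, which reports a frame with out-of-range coordinates as decoded successfully; returning an error there would be consistent with the new data_off check.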
@@ -171,12 +179,14 @@ static int mm_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; MmContext *s = avctx->priv_data; - const uint8_t *buf_end = buf+buf_size; - int type; + int type, res; + if (buf_size < MM_PREAMBLE_SIZE) + return AVERROR_INVALIDDATA; type = AV_RL16(&buf[0]); buf += MM_PREAMBLE_SIZE; buf_size -= MM_PREAMBLE_SIZE; + bytestream2_init(&s->gb, buf, buf_size); if (avctx->reget_buffer(avctx, &s->frame) < 0) { av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); @@ -184,16 +194,19 @@ static int mm_decode_frame(AVCodecContext *avctx, } switch(type) { - case MM_TYPE_PALETTE : mm_decode_pal(s, buf, buf_end); return buf_size; - case MM_TYPE_INTRA : mm_decode_intra(s, 0, 0, buf, buf_size); break; - case MM_TYPE_INTRA_HH : mm_decode_intra(s, 1, 0, buf, buf_size); break; - case MM_TYPE_INTRA_HHV : mm_decode_intra(s, 1, 1, buf, buf_size); break; - case MM_TYPE_INTER : mm_decode_inter(s, 0, 0, buf, buf_size); break; - case MM_TYPE_INTER_HH : mm_decode_inter(s, 1, 0, buf, buf_size); break; - case MM_TYPE_INTER_HHV : mm_decode_inter(s, 1, 1, buf, buf_size); break; - default : - return -1; + case MM_TYPE_PALETTE : res = mm_decode_pal(s); return buf_size; + case MM_TYPE_INTRA : res = mm_decode_intra(s, 0, 0); break; + case MM_TYPE_INTRA_HH : res = mm_decode_intra(s, 1, 0); break; + case MM_TYPE_INTRA_HHV : res = mm_decode_intra(s, 1, 1); break; + case MM_TYPE_INTER : res = mm_decode_inter(s, 0, 0); break; + case MM_TYPE_INTER_HH : res = mm_decode_inter(s, 1, 0); break; + case MM_TYPE_INTER_HHV : res = mm_decode_inter(s, 1, 1); break; + default: + res = AVERROR_INVALIDDATA; + break; } + if (res < 0) + return res; memcpy(s->frame.data[1], s->palette, AVPALETTE_SIZE); From ddb1149e250faceb91c220b2c032b27e60c1b417 Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 14:18:32 -0800 Subject: [PATCH 148/991] tgq: convert to bytestream2 API. This protects against input buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1255eed533b4069db7f205601953ca54c0dc42c9) Signed-off-by: Reinhard Tartler --- libavcodec/eatgq.c | 56 +++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index e82ed32470..5be1f55ba3 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -43,6 +43,7 @@ typedef struct TgqContext { ScanTable scantable; int qtable[64]; DECLARE_ALIGNED(16, DCTELEM, block)[6][64]; + GetByteContext gb; } TgqContext; static av_cold int tgq_decode_init(AVCodecContext *avctx){ 
@@ -141,39 +142,36 @@ static void tgq_idct_put_mb_dconly(TgqContext *s, int mb_x, int mb_y, const int8 } } -static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x, const uint8_t **bs, const uint8_t *buf_end){ +static void tgq_decode_mb(TgqContext *s, int mb_y, int mb_x){ int mode; int i; int8_t dc[6]; - mode = bytestream_get_byte(bs); - if (mode>buf_end-*bs) { - av_log(s->avctx, AV_LOG_ERROR, "truncated macroblock\n"); - return; - } - + mode = bytestream2_get_byte(&s->gb); if (mode>12) { GetBitContext gb; - init_get_bits(&gb, *bs, mode*8); + init_get_bits(&gb, s->gb.buffer, FFMIN(s->gb.buffer_end - s->gb.buffer, mode) * 8); for(i=0; i<6; i++) tgq_decode_block(s, s->block[i], &gb); tgq_idct_put_mb(s, s->block, mb_x, mb_y); + bytestream2_skip(&s->gb, mode); }else{ if (mode==3) { - memset(dc, (*bs)[0], 4); - dc[4] = (*bs)[1]; - dc[5] = (*bs)[2]; + memset(dc, bytestream2_get_byte(&s->gb), 4); + dc[4] = bytestream2_get_byte(&s->gb); + dc[5] = bytestream2_get_byte(&s->gb); }else if (mode==6) { - memcpy(dc, *bs, 6); + bytestream2_get_buffer(&s->gb, dc, 6); }else if (mode==12) { - for(i=0; i<6; i++) - dc[i] = (*bs)[i*2]; + for (i = 0; i < 6; i++) { + dc[i] = bytestream2_get_byte(&s->gb); + bytestream2_skip(&s->gb, 1); + } }else{ av_log(s->avctx, AV_LOG_ERROR, "unsupported mb mode %i\n", mode); } tgq_idct_put_mb_dconly(s, mb_x, mb_y, dc); } - *bs += mode; } static void tgq_calculate_qtable(TgqContext *s, int quant){ 
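Review bot: for an unsupported mode (the final else in tgq_decode_mb) the stream position no longer advances, because the unconditional `*bs += mode;` was removed and that branch reads nothing, which changes how the following macroblocks are parsed compared with the old code. The same branch still falls through to `tgq_idct_put_mb_dconly(s, mb_x, mb_y, dc);` with dc[] never written. Skip mode bytes in that branch to keep the old framing, and either zero dc or return before the IDCT call. The removed "truncated macroblock" log is also worth keeping, since FFMIN() in the init_get_bits() call now hides truncation silently.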
@@ -193,28 +191,30 @@ static int tgq_decode_frame(AVCodecContext *avctx, AVPacket *avpkt){ const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; - const uint8_t *buf_start = buf; - const uint8_t *buf_end = buf + buf_size; TgqContext *s = avctx->priv_data; int x,y; - int big_endian = AV_RL32(&buf[4]) > 0x000FFFFF; - buf += 8; - if(8>buf_end-buf) { + if (buf_size < 16) { av_log(avctx, AV_LOG_WARNING, "truncated header\n"); return -1; } - s->width = big_endian ? AV_RB16(&buf[0]) : AV_RL16(&buf[0]); - s->height = big_endian ? AV_RB16(&buf[2]) : AV_RL16(&buf[2]); + bytestream2_init(&s->gb, buf + 8, buf_size - 8); + if (big_endian) { + s->width = bytestream2_get_be16u(&s->gb); + s->height = bytestream2_get_be16u(&s->gb); + } else { + s->width = bytestream2_get_le16u(&s->gb); + s->height = bytestream2_get_le16u(&s->gb); + } if (s->avctx->width!=s->width || s->avctx->height!=s->height) { avcodec_set_dimensions(s->avctx, s->width, s->height); if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); } - tgq_calculate_qtable(s, buf[4]); - buf += 8; + tgq_calculate_qtable(s, bytestream2_get_byteu(&s->gb)); + bytestream2_skip(&s->gb, 3); if (!s->frame.data[0]) { s->frame.key_frame = 1; @@ -226,14 +226,14 @@ static int tgq_decode_frame(AVCodecContext *avctx, } } - for (y=0; y<(avctx->height+15)/16; y++) - for (x=0; x<(avctx->width+15)/16; x++) - tgq_decode_mb(s, y, x, &buf, buf_end); + for (y = 0; y < FFALIGN(avctx->height, 16) >> 4; y++) + for (x = 0; x < FFALIGN(avctx->width, 16) >> 4; x++) + tgq_decode_mb(s, y, x); *data_size = sizeof(AVFrame); *(AVFrame*)data = s->frame; - return buf-buf_start; + return avpkt->size; } static av_cold int tgq_decode_end(AVCodecContext *avctx){ From 9a66cdbc16806dc61272a81c4ea261d44cd2d41a Mon Sep 17 00:00:00 2001 
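Review bot: in tgq_decode_mb() (libavcodec/eatgq.c), the unsupported-mode branch no longer consumes the macroblock payload and still passes an uninitialised dc[] to tgq_idct_put_mb_dconly(). The removed `*bs += mode;` advanced the stream for every mode, while the new `bytestream2_skip(&s->gb, mode);` sits only in the `mode>12` branch, so after an "unsupported mb mode" log the reader stays where it was and the following macroblocks are parsed from the wrong offset. Suggest skipping `mode` bytes and returning before the dconly call in that branch. The removed "truncated macroblock" check also has no replacement: the FFMIN clamp keeps init_get_bits() inside the buffer, but a short macroblock is now decoded without any diagnostic.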
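Review bot: in tgq_decode_frame() (libavcodec/eatgq.c), truncation is no longer reported once the `buf_size < 16` header check has passed. tgq_decode_mb() is still `static void`, the macroblock loop runs over the whole aligned width and height however many bytes remain, and the function now ends with `return avpkt->size;`. Suggest having tgq_decode_mb() return an error when bytestream2_get_bytes_left(&s->gb) runs out and propagating it from the loop, so a short packet is rejected instead of being rendered from the zeros the checked readers return at end of buffer.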
From: "Ronald S. Bultje" Date: Wed, 29 Feb 2012 14:44:37 -0800 Subject: [PATCH 149/991] smc: port to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8febcb9fc178926687ee19d32d2b3150da899867) Signed-off-by: Reinhard Tartler --- libavcodec/smc.c | 74 +++++++++++++++++++++--------------------------- 1 file changed, 32 insertions(+), 42 deletions(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index f4a0b6a6a9..2bd3176f8e 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -34,6 +34,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "bytestream.h" #define CPAIR 2 #define CQUAD 4 @@ -46,8 +47,7 @@ typedef struct SmcContext { AVCodecContext *avctx; AVFrame frame; - const unsigned char *buf; - int size; + GetByteContext gb; /* SMC color tables */ unsigned char color_pairs[COLORS_PER_TABLE * CPAIR]; @@ -58,7 +58,7 @@ typedef struct SmcContext { } SmcContext; #define GET_BLOCK_COUNT() \ - (opcode & 0x10) ? (1 + s->buf[stream_ptr++]) : 1 + (opcode & 0x0F); + (opcode & 0x10) ? (1 + bytestream2_get_byte(&s->gb)) : 1 + (opcode & 0x0F); #define ADVANCE_BLOCK() \ { \ @@ -82,8 +82,8 @@ static void smc_decode_stream(SmcContext *s) int height = s->avctx->height; int stride = s->frame.linesize[0]; int i; - int stream_ptr = 0; int chunk_size; + int buf_size = (int) (s->gb.buffer_end - s->gb.buffer_start); unsigned char opcode; int n_blocks; unsigned int color_flags; 
@@ -113,24 +113,18 @@ static void smc_decode_stream(SmcContext *s) /* make the palette available */ memcpy(s->frame.data[1], s->pal, AVPALETTE_SIZE); - chunk_size = AV_RB32(&s->buf[stream_ptr]) & 0x00FFFFFF; - stream_ptr += 4; - if (chunk_size != s->size) + bytestream2_skip(&s->gb, 1); + chunk_size = bytestream2_get_be24(&s->gb); + if (chunk_size != buf_size) av_log(s->avctx, AV_LOG_INFO, "warning: MOV chunk size != encoded chunk size (%d != %d); using MOV chunk size\n", - chunk_size, s->size); + chunk_size, buf_size); - chunk_size = s->size; + chunk_size = buf_size; total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); /* traverse through the blocks */ while (total_blocks) { /* sanity checks */ - /* make sure stream ptr hasn't gone out of bounds */ - if (stream_ptr > chunk_size) { - av_log(s->avctx, AV_LOG_INFO, "SMC decoder just went out of bounds (stream ptr = %d, chunk size = %d)\n", - stream_ptr, chunk_size); - return; - } /* make sure the row pointer hasn't gone wild */ if (row_ptr >= image_size) { av_log(s->avctx, AV_LOG_INFO, "SMC decoder just went out of bounds (row ptr = %d, height = %d)\n", @@ -138,7 +132,7 @@ static void smc_decode_stream(SmcContext *s) return; } - opcode = s->buf[stream_ptr++]; + opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { /* skip n blocks */ case 0x00: @@ -158,7 +152,7 @@ static void smc_decode_stream(SmcContext *s) if ((row_ptr == 0) && (pixel_ptr == 0)) { av_log(s->avctx, AV_LOG_INFO, "encountered repeat block opcode (%02X) but no blocks rendered yet\n", opcode & 0xF0); - break; + return; } /* figure out where the previous block started */ @@ -192,7 +186,7 @@ static void smc_decode_stream(SmcContext *s) if ((row_ptr == 0) && (pixel_ptr < 2 * 4)) { av_log(s->avctx, AV_LOG_INFO, "encountered repeat block opcode (%02X) but not enough blocks rendered yet\n", opcode & 0xF0); - break; + return; } /* figure out where the previous 2 blocks started */ 
@@ -233,7 +227,7 @@ static void smc_decode_stream(SmcContext *s) case 0x60: case 0x70: n_blocks = GET_BLOCK_COUNT(); - pixel = s->buf[stream_ptr++]; + pixel = bytestream2_get_byte(&s->gb); while (n_blocks--) { block_ptr = row_ptr + pixel_ptr; @@ -257,7 +251,7 @@ static void smc_decode_stream(SmcContext *s) /* fetch the next 2 colors from bytestream and store in next * available entry in the color pair table */ for (i = 0; i < CPAIR; i++) { - pixel = s->buf[stream_ptr++]; + pixel = bytestream2_get_byte(&s->gb); color_table_index = CPAIR * color_pair_index + i; s->color_pairs[color_table_index] = pixel; } @@ -268,11 +262,10 @@ static void smc_decode_stream(SmcContext *s) if (color_pair_index == COLORS_PER_TABLE) color_pair_index = 0; } else - color_table_index = CPAIR * s->buf[stream_ptr++]; + color_table_index = CPAIR * bytestream2_get_byte(&s->gb); while (n_blocks--) { - color_flags = AV_RB16(&s->buf[stream_ptr]); - stream_ptr += 2; + color_flags = bytestream2_get_be16(&s->gb); flag_mask = 0x8000; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { @@ -300,7 +293,7 @@ static void smc_decode_stream(SmcContext *s) /* fetch the next 4 colors from bytestream and store in next * available entry in the color quad table */ for (i = 0; i < CQUAD; i++) { - pixel = s->buf[stream_ptr++]; + pixel = bytestream2_get_byte(&s->gb); color_table_index = CQUAD * color_quad_index + i; s->color_quads[color_table_index] = pixel; } @@ -311,11 +304,10 @@ static void smc_decode_stream(SmcContext *s) if (color_quad_index == COLORS_PER_TABLE) color_quad_index = 0; } else - color_table_index = CQUAD * s->buf[stream_ptr++]; + color_table_index = CQUAD * bytestream2_get_byte(&s->gb); while (n_blocks--) { - color_flags = AV_RB32(&s->buf[stream_ptr]); - stream_ptr += 4; + color_flags = bytestream2_get_be32(&s->gb); /* flag mask actually acts as a bit shift count here */ flag_mask = 30; block_ptr = row_ptr + pixel_ptr; 
@@ -342,7 +334,7 @@ static void smc_decode_stream(SmcContext *s) /* fetch the next 8 colors from bytestream and store in next * available entry in the color octet table */ for (i = 0; i < COCTET; i++) { - pixel = s->buf[stream_ptr++]; + pixel = bytestream2_get_byte(&s->gb); color_table_index = COCTET * color_octet_index + i; s->color_octets[color_table_index] = pixel; } @@ -353,7 +345,7 @@ static void smc_decode_stream(SmcContext *s) if (color_octet_index == COLORS_PER_TABLE) color_octet_index = 0; } else - color_table_index = COCTET * s->buf[stream_ptr++]; + color_table_index = COCTET * bytestream2_get_byte(&s->gb); while (n_blocks--) { /* @@ -363,15 +355,12 @@ static void smc_decode_stream(SmcContext *s) flags_a = xx012456, flags_b = xx89A37B */ /* build the color flags */ - color_flags_a = - ((AV_RB16(s->buf + stream_ptr ) & 0xFFF0) << 8) | - (AV_RB16(s->buf + stream_ptr + 2) >> 4); - color_flags_b = - ((AV_RB16(s->buf + stream_ptr + 4) & 0xFFF0) << 8) | - ((s->buf[stream_ptr + 1] & 0x0F) << 8) | - ((s->buf[stream_ptr + 3] & 0x0F) << 4) | - (s->buf[stream_ptr + 5] & 0x0F); - stream_ptr += 6; + int val1 = bytestream2_get_be16(&s->gb); + int val2 = bytestream2_get_be16(&s->gb); + int val3 = bytestream2_get_be16(&s->gb); + color_flags_a = ((val1 & 0xFFF0) << 8) | (val2 >> 4); + color_flags_b = ((val3 & 0xFFF0) << 8) | + ((val1 & 0x0F) << 8) | ((val2 & 0x0F) << 4) | (val3 & 0x0F); color_flags = color_flags_a; /* flag mask actually acts as a bit shift count here */ @@ -403,7 +392,7 @@ static void smc_decode_stream(SmcContext *s) block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++) { - pixels[block_ptr++] = s->buf[stream_ptr++]; + pixels[block_ptr++] = bytestream2_get_byte(&s->gb); } block_ptr += row_inc; } 
@@ -412,10 +401,12 @@ static void smc_decode_stream(SmcContext *s) break; case 0xF0: - av_log(s->avctx, AV_LOG_INFO, "0xF0 opcode seen in SMC chunk (contact the developers)\n"); + av_log_missing_feature(s->avctx, "0xF0 opcode", 1); break; } } + + return; } static av_cold int smc_decode_init(AVCodecContext *avctx) @@ -439,8 +430,7 @@ static int smc_decode_frame(AVCodecContext *avctx, SmcContext *s = avctx->priv_data; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - s->buf = buf; - s->size = buf_size; + bytestream2_init(&s->gb, buf, buf_size); s->frame.reference = 1; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | From 568a474a0831a6224ae1886187fd7f4a74328215 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 6 Mar 2012 15:58:35 -0800 Subject: [PATCH 150/991] roqvideo: convert to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cdf15771621bce7959b3e53b21426c5ba747e17b) Signed-off-by: Reinhard Tartler --- libavcodec/roqvideo.h | 4 +-- libavcodec/roqvideodec.c | 69 ++++++++++++++++++++-------------------- 2 files changed, 37 insertions(+), 36 deletions(-) diff --git a/libavcodec/roqvideo.h b/libavcodec/roqvideo.h index a1ff10af7d..4e6e5bb7db 100644 --- a/libavcodec/roqvideo.h +++ b/libavcodec/roqvideo.h @@ -24,6 +24,7 @@ #include "libavutil/lfg.h" #include "avcodec.h" +#include "bytestream.h" #include "dsputil.h" typedef struct { @@ -53,8 +54,7 @@ typedef struct RoqContext { roq_cell cb2x2[256]; roq_qcell cb4x4[256]; - const unsigned char *buf; - int size; + GetByteContext gb; int width, height; /* Encoder only data */ diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index 527ba51c99..0bf00cf380 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c 
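Review bot: in smc_decode_stream() (libavcodec/smc.c), the hunk around `while (total_blocks)` drops the stream-pointer bounds check without a replacement, so running out of input is now silent: the checked readers keep the decoder inside the buffer, but nothing logs or stops when the chunk is shorter than the block count requires. Suggest testing bytestream2_get_bytes_left(&s->gb) at the top of the loop and logging before returning. After this change `chunk_size = buf_size;` is still assigned, yet the check that consumed it is gone, so in the visible hunks the variable is only used by the mismatch warning.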
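Review bot: in smc_decode_stream() (libavcodec/smc.c), the two repeat-block opcode hunks change `break;` to `return;`, which alters error handling (the frame is abandoned rather than decoding continuing with the next opcode), but the commit message only says "port to bytestream2 API". Suggest mentioning this in the commit message or splitting it into its own change. The bare `return;` added at the end of this void function is redundant and can be dropped.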
@@ -38,16 +38,15 @@ static void roqvideo_decode_frame(RoqContext *ri) unsigned int chunk_id = 0, chunk_arg = 0; unsigned long chunk_size = 0; int i, j, k, nv1, nv2, vqflg = 0, vqflg_pos = -1; - int vqid, bpos, xpos, ypos, xp, yp, x, y, mx, my; + int vqid, xpos, ypos, xp, yp, x, y, mx, my; int frame_stats[2][4] = {{0},{0}}; roq_qcell *qcell; - const unsigned char *buf = ri->buf; - const unsigned char *buf_end = ri->buf + ri->size; + int64_t chunk_start; - while (buf < buf_end) { - chunk_id = bytestream_get_le16(&buf); - chunk_size = bytestream_get_le32(&buf); - chunk_arg = bytestream_get_le16(&buf); + while (bytestream2_get_bytes_left(&ri->gb) > 0) { + chunk_id = bytestream2_get_le16(&ri->gb); + chunk_size = bytestream2_get_le32(&ri->gb); + chunk_arg = bytestream2_get_le16(&ri->gb); if(chunk_id == RoQ_QUAD_VQ) break; 
@@ -57,25 +56,26 @@ static void roqvideo_decode_frame(RoqContext *ri) if((nv2 = chunk_arg & 0xff) == 0 && nv1 * 6 < chunk_size) nv2 = 256; for(i = 0; i < nv1; i++) { - ri->cb2x2[i].y[0] = *buf++; - ri->cb2x2[i].y[1] = *buf++; - ri->cb2x2[i].y[2] = *buf++; - ri->cb2x2[i].y[3] = *buf++; - ri->cb2x2[i].u = *buf++; - ri->cb2x2[i].v = *buf++; + ri->cb2x2[i].y[0] = bytestream2_get_byte(&ri->gb); + ri->cb2x2[i].y[1] = bytestream2_get_byte(&ri->gb); + ri->cb2x2[i].y[2] = bytestream2_get_byte(&ri->gb); + ri->cb2x2[i].y[3] = bytestream2_get_byte(&ri->gb); + ri->cb2x2[i].u = bytestream2_get_byte(&ri->gb); + ri->cb2x2[i].v = bytestream2_get_byte(&ri->gb); } for(i = 0; i < nv2; i++) for(j = 0; j < 4; j++) - ri->cb4x4[i].idx[j] = *buf++; + ri->cb4x4[i].idx[j] = bytestream2_get_byte(&ri->gb); } } - bpos = xpos = ypos = 0; - while(bpos < chunk_size) { + chunk_start = bytestream2_tell(&ri->gb); + xpos = ypos = 0; + while (bytestream2_tell(&ri->gb) < chunk_start + chunk_size) { for (yp = ypos; yp < ypos + 16; yp += 8) for (xp = xpos; xp < xpos + 16; xp += 8) { if (vqflg_pos < 0) { - vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8); + vqflg = bytestream2_get_le16(&ri->gb); vqflg_pos = 7; } vqid = (vqflg >> (vqflg_pos * 2)) & 0x3; 
@@ -85,13 +85,15 @@ static void roqvideo_decode_frame(RoqContext *ri) switch(vqid) { case RoQ_ID_MOT: break; - case RoQ_ID_FCC: - mx = 8 - (buf[bpos] >> 4) - ((signed char) (chunk_arg >> 8)); - my = 8 - (buf[bpos++] & 0xf) - ((signed char) chunk_arg); + case RoQ_ID_FCC: { + int byte = bytestream2_get_byte(&ri->gb); + mx = 8 - (byte >> 4) - ((signed char) (chunk_arg >> 8)); + my = 8 - (byte & 0xf) - ((signed char) chunk_arg); ff_apply_motion_8x8(ri, xp, yp, mx, my); break; + } case RoQ_ID_SLD: - qcell = ri->cb4x4 + buf[bpos++]; + qcell = ri->cb4x4 + bytestream2_get_byte(&ri->gb); ff_apply_vector_4x4(ri, xp, yp, ri->cb2x2 + qcell->idx[0]); ff_apply_vector_4x4(ri, xp+4, yp, ri->cb2x2 + qcell->idx[1]); ff_apply_vector_4x4(ri, xp, yp+4, ri->cb2x2 + qcell->idx[2]); @@ -104,8 +106,7 @@ static void roqvideo_decode_frame(RoqContext *ri) if(k & 0x02) y += 4; if (vqflg_pos < 0) { - vqflg = buf[bpos++]; - vqflg |= (buf[bpos++] << 8); + vqflg = bytestream2_get_le16(&ri->gb); vqflg_pos = 7; } vqid = (vqflg >> (vqflg_pos * 2)) & 0x3; 
@@ -114,24 +115,25 @@ static void roqvideo_decode_frame(RoqContext *ri) switch(vqid) { case RoQ_ID_MOT: break; - case RoQ_ID_FCC: - mx = 8 - (buf[bpos] >> 4) - ((signed char) (chunk_arg >> 8)); - my = 8 - (buf[bpos++] & 0xf) - ((signed char) chunk_arg); + case RoQ_ID_FCC: { + int byte = bytestream2_get_byte(&ri->gb); + mx = 8 - (byte >> 4) - ((signed char) (chunk_arg >> 8)); + my = 8 - (byte & 0xf) - ((signed char) chunk_arg); ff_apply_motion_4x4(ri, x, y, mx, my); break; + } case RoQ_ID_SLD: - qcell = ri->cb4x4 + buf[bpos++]; + qcell = ri->cb4x4 + bytestream2_get_byte(&ri->gb); ff_apply_vector_2x2(ri, x, y, ri->cb2x2 + qcell->idx[0]); ff_apply_vector_2x2(ri, x+2, y, ri->cb2x2 + qcell->idx[1]); ff_apply_vector_2x2(ri, x, y+2, ri->cb2x2 + qcell->idx[2]); ff_apply_vector_2x2(ri, x+2, y+2, ri->cb2x2 + qcell->idx[3]); break; case RoQ_ID_CCC: - ff_apply_vector_2x2(ri, x, y, ri->cb2x2 + buf[bpos]); - ff_apply_vector_2x2(ri, x+2, y, ri->cb2x2 + buf[bpos+1]); - ff_apply_vector_2x2(ri, x, y+2, ri->cb2x2 + buf[bpos+2]); - ff_apply_vector_2x2(ri, x+2, y+2, ri->cb2x2 + buf[bpos+3]); - bpos += 4; + ff_apply_vector_2x2(ri, x, y, ri->cb2x2 + bytestream2_get_byte(&ri->gb)); + ff_apply_vector_2x2(ri, x+2, y, ri->cb2x2 + bytestream2_get_byte(&ri->gb)); + ff_apply_vector_2x2(ri, x, y+2, ri->cb2x2 + bytestream2_get_byte(&ri->gb)); + ff_apply_vector_2x2(ri, x+2, y+2, ri->cb2x2 + bytestream2_get_byte(&ri->gb)); break; } } @@ -185,8 +187,7 @@ static int roq_decode_frame(AVCodecContext *avctx, av_picture_copy((AVPicture*)s->current_frame, (AVPicture*)s->last_frame, avctx->pix_fmt, avctx->width, avctx->height); - s->buf = buf; - s->size = buf_size; + bytestream2_init(&s->gb, buf, buf_size); roqvideo_decode_frame(s); *data_size = sizeof(AVFrame); From d26e47bf6c7df8b4d74dc2ba818d17e6e2fa839f Mon Sep 17 00:00:00 2001 
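Review bot: in roqvideo_decode_frame() (libavcodec/roqvideodec.c), the new loop condition `while (bytestream2_tell(&ri->gb) < chunk_start + chunk_size)` trusts chunk_size, which comes straight from bytestream2_get_le32(). The checked readers never move past the end of the buffer, so when chunk_size is larger than the bytes left the position stops advancing and this condition can never turn false; termination then rests on exits that are outside this hunk, whereas the old `bpos` counter always advanced. Suggest clamping chunk_size to bytestream2_get_bytes_left(&ri->gb) right after chunk_start is taken, or adding a bytes-left test to the condition.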
From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 16:16:20 -0800 Subject: [PATCH 151/991] png: convert to bytestream2 API. Protects against overreads in the input buffer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4c25269cedd042abcb823c42d33609564861c374) Signed-off-by: Reinhard Tartler --- libavcodec/pngdec.c | 69 ++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 39 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index a40cebbb83..94eb6ebeed 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -35,9 +35,7 @@ typedef struct PNGDecContext { DSPContext dsp; - const uint8_t *bytestream; - const uint8_t *bytestream_start; - const uint8_t *bytestream_end; + GetByteContext gb; AVFrame picture1, picture2; AVFrame *current_picture, *last_picture; @@ -362,12 +360,9 @@ static void png_handle_row(PNGDecContext *s) static int png_decode_idat(PNGDecContext *s, int length) { int ret; - s->zstream.avail_in = length; - s->zstream.next_in = s->bytestream; - s->bytestream += length; - - if(s->bytestream > s->bytestream_end) - return -1; + s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb)); + s->zstream.next_in = s->gb.buffer; + bytestream2_skip(&s->gb, length); /* decode one line if possible */ while (s->zstream.avail_in > 0) { @@ -403,15 +398,13 @@ static int decode_frame(AVCodecContext *avctx, avctx->coded_frame= s->current_picture; p = s->current_picture; - s->bytestream_start= - s->bytestream= buf; - s->bytestream_end= buf + buf_size; - /* check signature */ - if (memcmp(s->bytestream, ff_pngsig, 8) != 0 && - memcmp(s->bytestream, ff_mngsig, 8) != 0) + if (buf_size < 8 || + memcmp(buf, ff_pngsig, 8) != 0 && + memcmp(buf, ff_mngsig, 8) != 0) return -1; - s->bytestream+= 8; + + bytestream2_init(&s->gb, buf + 8, buf_size - 8); s->y= s->state=0; // memset(s, 0, sizeof(PNGDecContext)); 
@@ -423,14 +416,12 @@ static int decode_frame(AVCodecContext *avctx, if (ret != Z_OK) return -1; for(;;) { - int tag32; - if (s->bytestream >= s->bytestream_end) + if (bytestream2_get_bytes_left(&s->gb) <= 0) goto fail; - length = bytestream_get_be32(&s->bytestream); + length = bytestream2_get_be32(&s->gb); if (length > 0x7fffffff) goto fail; - tag32 = bytestream_get_be32(&s->bytestream); - tag = av_bswap32(tag32); + tag = bytestream2_get_le32(&s->gb); av_dlog(avctx, "png: tag=%c%c%c%c length=%u\n", (tag & 0xff), ((tag >> 8) & 0xff), @@ -440,18 +431,18 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; - s->width = bytestream_get_be32(&s->bytestream); - s->height = bytestream_get_be32(&s->bytestream); + s->width = bytestream2_get_be32(&s->gb); + s->height = bytestream2_get_be32(&s->gb); if(av_image_check_size(s->width, s->height, 0, avctx)){ s->width= s->height= 0; goto fail; } - s->bit_depth = *s->bytestream++; - s->color_type = *s->bytestream++; - s->compression_type = *s->bytestream++; - s->filter_type = *s->bytestream++; - s->interlace_type = *s->bytestream++; - s->bytestream += 4; /* crc */ + s->bit_depth = bytestream2_get_byte(&s->gb); + s->color_type = bytestream2_get_byte(&s->gb); + s->compression_type = bytestream2_get_byte(&s->gb); + s->filter_type = bytestream2_get_byte(&s->gb); + s->interlace_type = bytestream2_get_byte(&s->gb); + bytestream2_skip(&s->gb, 4); /* crc */ s->state |= PNG_IHDR; av_dlog(avctx, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n", s->width, s->height, s->bit_depth, s->color_type, @@ -547,7 +538,7 @@ static int decode_frame(AVCodecContext *avctx, s->state |= PNG_IDAT; if (png_decode_idat(s, length) < 0) goto fail; - s->bytestream += 4; /* crc */ + bytestream2_skip(&s->gb, 4); /* crc */ break; case MKTAG('P', 'L', 'T', 'E'): { 
@@ -558,16 +549,16 @@ static int decode_frame(AVCodecContext *avctx, /* read the palette */ n = length / 3; for(i=0;ibytestream++; - g = *s->bytestream++; - b = *s->bytestream++; + r = bytestream2_get_byte(&s->gb); + g = bytestream2_get_byte(&s->gb); + b = bytestream2_get_byte(&s->gb); s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b; } for(;i<256;i++) { s->palette[i] = (0xff << 24); } s->state |= PNG_PLTE; - s->bytestream += 4; /* crc */ + bytestream2_skip(&s->gb, 4); /* crc */ } break; case MKTAG('t', 'R', 'N', 'S'): @@ -580,21 +571,21 @@ static int decode_frame(AVCodecContext *avctx, !(s->state & PNG_PLTE)) goto skip_tag; for(i=0;ibytestream++; + v = bytestream2_get_byte(&s->gb); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); } - s->bytestream += 4; /* crc */ + bytestream2_skip(&s->gb, 4); /* crc */ } break; case MKTAG('I', 'E', 'N', 'D'): if (!(s->state & PNG_ALLIMAGE)) goto fail; - s->bytestream += 4; /* crc */ + bytestream2_skip(&s->gb, 4); /* crc */ goto exit_loop; default: /* skip tag */ skip_tag: - s->bytestream += length + 4; + bytestream2_skip(&s->gb, length + 4); break; } } @@ -619,7 +610,7 @@ static int decode_frame(AVCodecContext *avctx, *picture= *s->current_picture; *data_size = sizeof(AVFrame); - ret = s->bytestream - s->bytestream_start; + ret = bytestream2_tell(&s->gb); the_end: inflateEnd(&s->zstream); av_free(crow_buf_base); From 48f0eeb2e519882da9fe156abaa95cc808b67a8b Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Sun, 4 Mar 2012 17:53:50 -0800 Subject: [PATCH 152/991] Replace computations of remaining bits with calls to get_bits_left(). (cherry picked from commit 3574a85ce57366ba7429edef93d5cad8640fb68c) 
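Review bot: in png_decode_idat() (libavcodec/pngdec.c), an IDAT chunk whose length runs past the packet is no longer rejected on that condition. The removed `if(s->bytestream > s->bytestream_end) return -1;` failed the frame; the new code clamps avail_in with FFMIN and carries on with whatever bytes are left. Suggest keeping the failure, for example returning -1 when length exceeds bytestream2_get_bytes_left(&s->gb) before avail_in and next_in are set.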
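Review bot: in decode_frame() (libavcodec/pngdec.c), the reader is initialised past the signature with `bytestream2_init(&s->gb, buf + 8, buf_size - 8);`, so the later `ret = bytestream2_tell(&s->gb);` reports 8 bytes fewer than the old `s->bytestream - s->bytestream_start`, which was measured from buf. Suggest adding the 8 signature bytes back to ret, or initialising the reader at buf and skipping 8. The new signature test also mixes `||` and `&&` without parentheses; wrapping the two memcmp() comparisons in their own parentheses makes the precedence explicit.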
Signed-off-by: Reinhard Tartler --- libavcodec/escape124.c | 2 +- libavcodec/h261dec.c | 2 +- libavcodec/h263dec.c | 2 +- libavcodec/h264.c | 6 +++--- libavcodec/h264_ps.c | 4 ++-- libavcodec/h264_sei.c | 2 +- libavcodec/huffyuv.c | 4 ++-- libavcodec/ituh263dec.c | 4 ++-- libavcodec/mjpegdec.c | 9 ++++----- libavcodec/vp6.c | 2 +- 10 files changed, 18 insertions(+), 19 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index f6d7c8268e..9efafdbf12 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -49,7 +49,7 @@ typedef struct Escape124Context { } Escape124Context; static int can_safely_read(GetBitContext* gb, int bits) { - return get_bits_count(gb) + bits <= gb->size_in_bits; + return get_bits_left(gb) >= bits; } /** diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index 66ea4be2a1..0be0134f01 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -265,7 +265,7 @@ static int h261_decode_mb(H261Context *h){ while( h->mba_diff == MBA_STUFFING ); // stuffing if ( h->mba_diff < 0 ){ - if ( get_bits_count(&s->gb) + 7 >= s->gb.size_in_bits ) + if (get_bits_left(&s->gb) <= 7) return SLICE_END; av_log(s->avctx, AV_LOG_ERROR, "illegal mba at %d %d\n", s->mb_x, s->mb_y); diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index ba0ea4f9f9..55562148cf 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -650,7 +650,7 @@ retry: ret = decode_slice(s); while(s->mb_ymb_height){ if(s->msmpeg4_version){ - if(s->slice_height==0 || s->mb_x!=0 || (s->mb_y%s->slice_height)!=0 || get_bits_count(&s->gb) > s->gb.size_in_bits) + if(s->slice_height==0 || s->mb_x!=0 || (s->mb_y%s->slice_height)!=0 || get_bits_left(&s->gb)<0) break; }else{ int prev_x=s->mb_x, prev_y=s->mb_y; diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 46e6c72832..d09c4aca2e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -3666,7 +3666,7 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){ if(s->mb_y >= s->mb_height){ tprintf(s->avctx, "slice end %d %d\n", get_bits_count(&s->gb), s->gb.size_in_bits); - if(get_bits_count(&s->gb) == s->gb.size_in_bits ) { + if (get_bits_left(&s->gb) == 0) { ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x-1, s->mb_y, ER_MB_END&part_mask); return 0; @@ -3678,9 +3678,9 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){ } } - if(get_bits_count(&s->gb) >= s->gb.size_in_bits && s->mb_skip_run<=0){ + if (get_bits_left(&s->gb) <= 0 && s->mb_skip_run <= 0){ tprintf(s->avctx, "slice end %d %d\n", get_bits_count(&s->gb), s->gb.size_in_bits); - if(get_bits_count(&s->gb) == s->gb.size_in_bits ){ + if (get_bits_left(&s->gb) == 0) { ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x-1, s->mb_y, ER_MB_END&part_mask); if (s->mb_x > lf_x_start) loop_filter(h, lf_x_start, s->mb_x); diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 76bf116a3f..287702c7c4 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -227,8 +227,8 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){ sps->num_reorder_frames= get_ue_golomb(&s->gb); get_ue_golomb(&s->gb); /*max_dec_frame_buffering*/ - if(s->gb.size_in_bits < get_bits_count(&s->gb)){ - av_log(h->s.avctx, AV_LOG_ERROR, "Overread VUI by %d bits\n", get_bits_count(&s->gb) - s->gb.size_in_bits); + if (get_bits_left(&s->gb) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "Overread VUI by %d bits\n", -get_bits_left(&s->gb)); sps->num_reorder_frames=0; sps->bitstream_restriction_flag= 0; } diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 4f52bbe969..2e5fb65f0d 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c 
@@ -164,7 +164,7 @@ static int decode_buffering_period(H264Context *h){ int ff_h264_decode_sei(H264Context *h){ MpegEncContext * const s = &h->s; - while(get_bits_count(&s->gb) + 16 < s->gb.size_in_bits){ + while (get_bits_left(&s->gb) > 16) { int size, type; type=0; diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index 2e1db043ea..a173a13d87 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -720,7 +720,7 @@ static void decode_422_bitstream(HYuvContext *s, int count){ count/=2; if(count >= (get_bits_left(&s->gb))/(31*4)){ - for(i=0; igb) < s->gb.size_in_bits; i++){ + for (i = 0; i < count && get_bits_left(&s->gb) > 0; i++) { READ_2PIX(s->temp[0][2*i ], s->temp[1][i], 1); READ_2PIX(s->temp[0][2*i+1], s->temp[2][i], 2); } @@ -738,7 +738,7 @@ static void decode_gray_bitstream(HYuvContext *s, int count){ count/=2; if(count >= (get_bits_left(&s->gb))/(31*2)){ - for(i=0; igb) < s->gb.size_in_bits; i++){ + for (i = 0; i < count && get_bits_left(&s->gb) > 0; i++) { READ_2PIX(s->temp[0][2*i ], s->temp[0][2*i+1], 0); } }else{ diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 148bb33a36..3d82e5c382 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -852,8 +852,8 @@ end: { int v= show_bits(&s->gb, 16); - if(get_bits_count(&s->gb) + 16 > s->gb.size_in_bits){ - v>>= get_bits_count(&s->gb) + 16 - s->gb.size_in_bits; + if (get_bits_left(&s->gb) < 16) { + v >>= 16 - get_bits_left(&s->gb); } if(v==0) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 49d334bb7e..a7950287e2 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -858,9 +858,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->restart_interval && !s->restart_count) s->restart_count = s->restart_interval; - if (get_bits_count(&s->gb)>s->gb.size_in_bits) { + if (get_bits_left(&s->gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "overread %d\n", - get_bits_count(&s->gb) - s->gb.size_in_bits); + -get_bits_left(&s->gb)); return -1; } for (i = 0; i < nb_components; i++) { @@ -1151,7 +1151,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) len = get_bits(&s->gb, 16); if (len < 5) return -1; - if (8 * len + get_bits_count(&s->gb) > s->gb.size_in_bits) + if (8 * len > get_bits_left(&s->gb)) return -1; id = get_bits_long(&s->gb, 32); @@ -1292,8 +1292,7 @@ out: static int mjpeg_decode_com(MJpegDecodeContext *s) { int len = get_bits(&s->gb, 16); - if (len >= 2 && - 8 * len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) { + if (len >= 2 && 8 * len - 16 <= get_bits_left(&s->gb)) { char *cbuf = av_malloc(len - 1); if (cbuf) { int i; diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index e4783c6e84..91377015eb 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -387,7 +387,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) if (coeff_idx) break; } else { - if (get_bits_count(&s->gb) >= s->gb.size_in_bits) + if (get_bits_left(&s->gb) <= 0) return; coeff = get_vlc2(&s->gb, vlc_coeff->table, 9, 3); if (coeff == 0) { From a81a6d9c80448cfbba0d2bcdd681bf971c7055a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Oct 2011 17:41:28 +0200 Subject: [PATCH 153/991] h264: improve parsing of broken AVC SPS Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams with broken escaping. Since the size of the NAL unit is known and checked against the buffer end we can parse it entirely without buffer overreads. Fixes playback of http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4 
Signed-off-by: Janne Grunau (cherry picked from commit 3aa661ec561d7a20812b84b353b0d7855ac346c8) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 9 ++++++++- libavcodec/h264_ps.c | 5 ++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d09c4aca2e..95a672b962 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3924,7 +3924,14 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ break; case NAL_SPS: init_get_bits(&s->gb, ptr, bit_length); - ff_h264_decode_seq_parameter_set(h); + if (ff_h264_decode_seq_parameter_set(h) < 0 && + h->is_avc && (nalsize != consumed) && nalsize) { + av_log(h->s.avctx, AV_LOG_DEBUG, "SPS decoding failure, " + "try parsing the coomplete NAL\n"); + init_get_bits(&s->gb, buf + buf_index + 1 - consumed, + 8 * (nalsize - 1)); + ff_h264_decode_seq_parameter_set(h); + } if (s->flags& CODEC_FLAG_LOW_DELAY || (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames)) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 287702c7c4..276eb77d1d 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -228,7 +228,6 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){ get_ue_golomb(&s->gb); /*max_dec_frame_buffering*/ if (get_bits_left(&s->gb) < 0) { - av_log(h->s.avctx, AV_LOG_ERROR, "Overread VUI by %d bits\n", -get_bits_left(&s->gb)); sps->num_reorder_frames=0; sps->bitstream_restriction_flag= 0; } @@ -238,6 +237,10 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){ return -1; } } + if (get_bits_left(&s->gb) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "Overread VUI by %d bits\n", -get_bits_left(&s->gb)); + return AVERROR_INVALIDDATA; + } return 0; } From 4d343a6f47931a43fe8e4c9288a5068c76b843e0 Mon Sep 17 00:00:00 2001 
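Review bot: in decode_nal_units() (libavcodec/h264.c), the retry path under `case NAL_SPS:` ignores the result of the second ff_h264_decode_seq_parameter_set(h) call, so a NAL that fails both attempts is handled exactly like a success. Suggest checking it and logging or bailing out. The debug string has a typo, "coomplete", and the offset arithmetic `buf + buf_index + 1 - consumed` with length `8 * (nalsize - 1)` deserves a short comment saying why it stays within the NAL.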
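Review bot: in decode_vui_parameters() (libavcodec/h264_ps.c), the new trailing check returns AVERROR_INVALIDDATA while the error path visible just above it still does `return -1;`, so callers see two different codes from one function. Suggest using AVERROR_INVALIDDATA for both. With the log moved to the end, the earlier `get_bits_left(&s->gb) < 0` block now resets num_reorder_frames and bitstream_restriction_flag without a message, and the function fails at the end anyway; a one-line comment on why the reset is kept would help.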
From: "Ronald S. Bultje" Date: Tue, 13 Mar 2012 16:26:44 -0700 Subject: [PATCH 154/991] h264: stricter reference limit enforcement. Progressive images can have only 16 references, error out if there are more, since the data is almost certainly corrupt, and the invalid value will lead to random crashes or invalid writes later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e0febda22d0e0fab094a9c886b0e0f0f662df1ef) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 95a672b962..e0eb8e119d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3020,6 +3020,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->ref_count[1]= h->pps.ref_count[1]; if(h->slice_type_nos != AV_PICTURE_TYPE_I){ + int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32; + if(h->slice_type_nos == AV_PICTURE_TYPE_B){ h->direct_spatial_mv_pred= get_bits1(&s->gb); } @@ -3029,13 +3031,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; if(h->slice_type_nos==AV_PICTURE_TYPE_B) h->ref_count[1]= get_ue_golomb(&s->gb) + 1; - - if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ - av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0]= h->ref_count[1]= 1; - return -1; - } } + + if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { + av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); + h->ref_count[0] = h->ref_count[1] = 1; + return AVERROR_INVALIDDATA; + } + if(h->slice_type_nos == AV_PICTURE_TYPE_B) h->list_count= 2; else From c999a8ed65797f26a8505af2d6ef203cb603b08e Mon Sep 17 00:00:00 2001 
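Review bot: in decode_slice_header() (libavcodec/h264.c), the limits in `int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;` are bare literals and the "reference overflow" message does not say which count or which limit was hit. Suggest including h->ref_count[0], h->ref_count[1] and max_refs in the av_log() call, plus a short comment tying 16 to frame pictures and 32 to field pictures, so a rejected stream can be triaged from the log alone.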
From: "Ronald S. Bultje" Date: Tue, 13 Mar 2012 15:21:07 -0700 Subject: [PATCH 155/991] h264: increase reference poc list from 16 to 32. Interlaced images can have 32 references (16 per field), so limiting the array size to 16 leads to invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 48cbe4b092113eae0b3e5d6a08b59027f913a884) Signed-off-by: Reinhard Tartler --- libavcodec/mpegvideo.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 3473e6d8f7..06be735301 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -124,7 +124,7 @@ typedef struct Picture{ int pic_id; /**< h264 pic_num (short -> no wrap version of pic_num, pic_num & max_pic_num; long -> long_pic_num) */ int long_ref; ///< 1->long term reference 0->short term reference - int ref_poc[2][2][16]; ///< h264 POCs of the frames used as reference (FIXME need per slice) + int ref_poc[2][2][32]; ///< h264 POCs of the frames used as reference (FIXME need per slice) int ref_count[2][2]; ///< number of entries in ref_poc (FIXME need per slice) int mbaff; ///< h264 1 -> MBAFF frame 0-> not MBAFF int field_picture; ///< whether or not the picture was encoded in separate fields From 6e5c07f4c81317d728bfcba5f46b4ef46de9857f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 13 Mar 2012 12:28:35 -0700 Subject: [PATCH 156/991] xa_adpcm: limit filter to prevent xa_adpcm_table[] array bounds overruns. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 86020073dbb9a3a9d1fbb76345b2ca29ba1f13d2) Signed-off-by: Reinhard Tartler --- libavcodec/adpcm.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index a540a9b12f..a2947329eb 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c 
@@ -260,8 +260,9 @@ static inline short adpcm_yamaha_expand_nibble(ADPCMChannelStatus *c, unsigned c return c->predictor; } -static void xa_decode(short *out, const unsigned char *in, - ADPCMChannelStatus *left, ADPCMChannelStatus *right, int inc) +static int xa_decode(AVCodecContext *avctx, + short *out, const unsigned char *in, + ADPCMChannelStatus *left, ADPCMChannelStatus *right, int inc) { int i, j; int shift,filter,f0,f1; @@ -272,6 +273,12 @@ static void xa_decode(short *out, const unsigned char *in, shift = 12 - (in[4+i*2] & 15); filter = in[4+i*2] >> 4; + if (filter > 4) { + av_log(avctx, AV_LOG_ERROR, + "Invalid XA-ADPCM filter %d (max. allowed is 4)\n", + filter); + return AVERROR_INVALIDDATA; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -299,7 +306,12 @@ static void xa_decode(short *out, const unsigned char *in, shift = 12 - (in[5+i*2] & 15); filter = in[5+i*2] >> 4; - + if (filter > 4) { + av_log(avctx, AV_LOG_ERROR, + "Invalid XA-ADPCM filter %d (max. allowed is 4)\n", + filter); + return AVERROR_INVALIDDATA; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -323,6 +335,8 @@ static void xa_decode(short *out, const unsigned char *in, left->sample2 = s_2; } } + + return 0; } /** @@ -782,8 +796,9 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, break; case CODEC_ID_ADPCM_XA: while (buf_size >= 128) { - xa_decode(samples, src, &c->status[0], &c->status[1], - avctx->channels); + if ((ret = xa_decode(avctx, samples, src, &c->status[0], + &c->status[1], avctx->channels)) < 0) + return ret; src += 128; samples += 28 * 8; buf_size -= 128; From c9e95636a893225e2a5a42ba6e1e3cf6bfd59f2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Mar 2012 00:08:32 +0100 Subject: [PATCH 157/991] snow: reject unsupported chroma shifts. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org 
Signed-off-by: Ronald S. Bultje (cherry picked from commit c9837954e7b968d44f82e7cdb7618e9f523b196c) Signed-off-by: Reinhard Tartler --- libavcodec/snowdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 2b6f6e11c7..d9f61bc7ca 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -327,6 +327,11 @@ static int decode_header(SnowContext *s){ return -1; } + if (s->chroma_h_shift != 1 || s->chroma_v_shift != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid chroma shift\n"); + return AVERROR_PATCHWELCOME; + } + s->qlog += get_symbol(&s->c, s->header_state, 1); s->mv_scale += get_symbol(&s->c, s->header_state, 1); s->qbias += get_symbol(&s->c, s->header_state, 1); From ce15406e78fd213b420dae68c5015803d9716c51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Mar 2012 20:53:00 +0100 Subject: [PATCH 158/991] snow: check reference frame indices. Fixes NULL ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje (cherry picked from commit 1f8ff2b13cbfef790385818664ed12e763e7c75b) Signed-off-by: Reinhard Tartler --- libavcodec/snowdec.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index d9f61bc7ca..70c5d4afc7 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -132,7 +132,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli return; } -static void decode_q_branch(SnowContext *s, int level, int x, int y){ +static int decode_q_branch(SnowContext *s, int level, int x, int y){ const int w= s->b_width << s->block_max_depth; const int rem_depth= s->block_max_depth - level; const int index= (x + y*w) << rem_depth; 
@@ -142,10 +142,11 @@ static void decode_q_branch(SnowContext *s, int level, int x, int y){ const BlockNode *tl = y && x ? &s->block[index-w-1] : left; const BlockNode *tr = y && trxblock[index-w+(1<level + 2*top->level + tl->level + tr->level; + int res; if(s->keyframe){ set_blocks(s, level, x, y, null_block.color[0], null_block.color[1], null_block.color[2], null_block.mx, null_block.my, null_block.ref, BLOCK_INTRA); - return; + return 0; } if(level==s->block_max_depth || get_rac(&s->c, &s->block_state[4 + s_context])){ @@ -168,17 +169,23 @@ static void decode_q_branch(SnowContext *s, int level, int x, int y){ }else{ if(s->ref_frames > 1) ref= get_symbol(&s->c, &s->block_state[128 + 1024 + 32*ref_context], 0); + if (ref >= s->ref_frames) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid ref\n"); + return AVERROR_INVALIDDATA; + } pred_mv(s, &mx, &my, ref, left, top, tr); mx+= get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); my+= get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); } set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type); }else{ - decode_q_branch(s, level+1, 2*x+0, 2*y+0); - decode_q_branch(s, level+1, 2*x+1, 2*y+0); - decode_q_branch(s, level+1, 2*x+0, 2*y+1); - decode_q_branch(s, level+1, 2*x+1, 2*y+1); + if ((res = decode_q_branch(s, level+1, 2*x+0, 2*y+0)) < 0 || + (res = decode_q_branch(s, level+1, 2*x+1, 2*y+0)) < 0 || + (res = decode_q_branch(s, level+1, 2*x+0, 2*y+1)) < 0 || + (res = decode_q_branch(s, level+1, 2*x+1, 2*y+1)) < 0) + return res; } + return 0; } static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ 
@@ -354,16 +361,19 @@ static av_cold int decode_init(AVCodecContext *avctx) return 0; } -static void decode_blocks(SnowContext *s){ +static int decode_blocks(SnowContext *s){ int x, y; int w= s->b_width; int h= s->b_height; + int res; for(y=0; ydebug&FF_DEBUG_PICT_INFO) av_log(avctx, AV_LOG_ERROR, "keyframe:%d qlog:%d\n", s->keyframe, s->qlog); - decode_blocks(s); + if ((res = decode_blocks(s)) < 0) + return res; for(plane_index=0; plane_index<3; plane_index++){ Plane *p= &s->plane[plane_index]; From b5947324758ae2a99ebf910ad425fdde69b23935 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 7 Mar 2012 11:06:20 -0800 Subject: [PATCH 159/991] dca: don't use av_clip_uintp2(). The argument is not a literal, thus causing the ARM v6 or later builds to break. Signed-off-by: Janne Grunau --- libavcodec/dca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 1bd31c9ac4..70cf6044f8 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -644,7 +644,7 @@ static inline int get_scale(GetBitContext *gb, int level, int value, int log2ran if (level < 5) { /* huffman encoded */ value += get_bitalloc(gb, &dca_scalefactor, level); - value = av_clip_uintp2(value, log2range); + value = av_clip(value, 0, (1 << log2range) - 1); } else if (level < 8) { if (level + 1 > log2range) { skip_bits(gb, level + 1 - log2range); From 1ee0cd1ad77ab96ca4573ea4b3937df7e138c8d5 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 7 Mar 2012 20:07:17 +0100 Subject: [PATCH 160/991] dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2 Signed-off-by: Janne Grunau --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 70cf6044f8..a83d082118 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c 
@@ -29,6 +29,7 @@ #include "libavutil/common.h" #include "libavutil/intmath.h" #include "libavutil/intreadwrite.h" +#include "libavutil/mathematics.h" #include "libavutil/audioconvert.h" #include "avcodec.h" #include "dsputil.h" From 5effcfa76792470677a1f6bc9aa73347a87ef720 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 15 Mar 2012 08:57:33 +0100 Subject: [PATCH 161/991] Update Changelog for the 0.8.1 Release --- Changelog | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Changelog b/Changelog index f1530749de..cb04ee4992 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,36 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.1: + +- Several bugs and crashes have been fixed in the following codecs: AAC, + AC-3, ADPCM, AMR (both NB and WB), ATRAC3, CAVC, Cook, camstudio, DCA, + DPCM, DSI CIN, DV, EA TGQ, FLAC, fraps, G.722 (both encoder and + decoder), H.264, huvffyuv, BB JV decoder, Indeo 3, KGV1, LCL, the + libx264 wrapper, MJPEG, mp3on4, Musepack, MPEG1/2, PNG, QDM2, Qt RLE, + ROQ, RV10, RV30/RV34/RV40, shorten, smacker, subrip, SVQ3, TIFF, + Truemotion2, TTA, VC1, VMware Screen codec, Vorbis, VP5, VP6, WMA, + Westwood SNDx, XXAN. + +- This release additionally updates the following codecs to the + bytestream2 API, and therefore benefit from additional overflow + checks: XXAN, ALG MM, TQG, SMC, Qt SMC, ROQ, PNG + +- Several bugs and crashes have been fixed in the following formats: + AIFF, ASF, DV, Matroska, NSV, MOV, MPEG-TS, Smacker, Sony OpenMG, RM, + SWF. + +- Libswscale has an potential overflow for large image size fixed. + +- The following APIs have been added: + + avcodec_is_open() + avformat_get_riff_video_tags() + avformat_get_riff_audio_tags() + + Please see the file doc/APIchanges and the Doxygen documentation for + further information. + version 0.8: From 43625c5128af5287e89c81566b48dfd1e6acb499 Mon Sep 17 00:00:00 2001 
From: Nathan Caldwell Date: Fri, 27 Jan 2012 22:23:40 -0700 Subject: [PATCH 162/991] aacenc: Fix a bug where deinterleaved samples were stored in the wrong place. 10l: Forgot to adjust deinterleave for new location of incoming samples in 7946a5a. This produced incorrect, but surprisingly listenable results. Thanks to Justin Ruggles for the report. Signed-off-by: Anton Khirnov (cherry picked from commit dc7e7d4dd96eebd430e7bfa847b751add0e126ab) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 55f028687c..e507a34de6 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -487,10 +487,10 @@ static void deinterleave_input_samples(AACEncContext *s, const float *sptr = samples + channel_map[ch]; /* copy last 1024 samples of previous frame to the start of the current frame */ - memcpy(&s->planar_samples[ch][0], &s->planar_samples[ch][1024], 1024 * sizeof(s->planar_samples[0][0])); + memcpy(&s->planar_samples[ch][1024], &s->planar_samples[ch][2048], 1024 * sizeof(s->planar_samples[0][0])); /* deinterleave */ - for (i = 1024; i < 1024 * 2; i++) { + for (i = 2048; i < 3072; i++) { s->planar_samples[ch][i] = *sptr; sptr += sinc; } From c00c3807243704e2f7a309143305af85837946de Mon Sep 17 00:00:00 2001 From: Nathan Caldwell Date: Fri, 27 Jan 2012 22:23:41 -0700 Subject: [PATCH 163/991] aacenc: Fix LONG_START windowing. Forgot to add the equivalent amount to the incoming sample pointer as the output pointer. Signed-off-by: Anton Khirnov (cherry picked from commit 2e626dd5136f4daa244b37284e22483cdc7df1ac) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index e507a34de6..2ff6f9cc04 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c 
@@ -200,8 +200,8 @@ WINDOW_FUNC(long_start) float *out = sce->ret; dsp->vector_fmul(out, audio, lwindow, 1024); - memcpy(out + 1024, audio, sizeof(out[0]) * 448); - dsp->vector_fmul_reverse(out + 1024 + 448, audio, swindow, 128); + memcpy(out + 1024, audio + 1024, sizeof(out[0]) * 448); + dsp->vector_fmul_reverse(out + 1024 + 448, audio + 1024 + 448, swindow, 128); memset(out + 1024 + 576, 0, sizeof(out[0]) * 448); } From c91a14638e4e3ea8652ecbedb3228b5a5d4c019f Mon Sep 17 00:00:00 2001 From: Fabian Greffrath Date: Sat, 3 Mar 2012 02:35:27 +0100 Subject: [PATCH 164/991] srtdec: fix a format string vulnerability. Signed-off-by: Michael Niedermayer (cherry picked from commit aaa1173de775b9b865a714abcc270816d2f59dff) --- libavcodec/srtdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index aa73f4c7bf..b6f2dade0c 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c @@ -110,7 +110,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end, for (j=sptr-2; j>=0; j--) if (stack[j].param[i][0]) { out += snprintf(out, out_end-out, - stack[j].param[i]); + "%s", stack[j].param[i]); break; } } else { @@ -146,7 +146,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end, for (i=0; i Date: Sat, 3 Mar 2012 03:37:52 +0100 Subject: [PATCH 165/991] qpeg: Fix out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index bbb9f71aae..adbeff03ae 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -203,6 +203,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; + if(height < 0) + break; } } } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */ 
@@ -214,6 +216,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; + if(height < 0) + break; } } size -= code + 1; From 1749b0d74d792439c6d740212e6d8f0a54dded50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Mar 2012 22:20:39 +0100 Subject: [PATCH 166/991] mmvideo: restore initial y value. This bug might have been exploitable (out of HEAP buffer writes) Bug introduced by libav commit a55d5bdc6e28a2cfefc440d792de5cc4f02377e2 Date: Tue Mar 6 15:15:42 2012 -0800 algmm: convert to bytestream2 API. (cherry picked from commit c2e3b564b32d596f5a66d47409f9e07a067a3084) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 87eeee2c94..706605379d 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -127,7 +127,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) */ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) { - int data_off = bytestream2_get_le16(&s->gb), y; + int data_off = bytestream2_get_le16(&s->gb), y = 0; GetByteContext data_ptr; if (bytestream2_get_bytes_left(&s->gb) < data_off) From 6242dae507dbe1b7961e34a5e5e05292e7101ba1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Mar 2012 15:10:33 +0100 Subject: [PATCH 167/991] sonic: update to new API Fixes Ticket1075 Signed-off-by: Michael Niedermayer (cherry picked from commit 6f9803e5e02c557e1003cface9f3084a7e1e43e4) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 71641f95ff..c2697ea82c 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -44,6 +44,7 @@ #define RIGHT_SIDE 2 typedef struct SonicContext { + AVFrame frame; int lossless, decorrelation; int num_taps, downsampling; 
@@ -757,6 +758,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->channels = avctx->channels; s->samplerate = avctx->sample_rate; + avcodec_get_frame_defaults(&s->frame); + avctx->coded_frame = &s->frame; + if (!avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "No mandatory headers present\n"); @@ -848,18 +852,25 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) } static int sonic_decode_frame(AVCodecContext *avctx, - void *data, int *data_size, + void *data, int *got_frame_ptr, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; SonicContext *s = avctx->priv_data; GetBitContext gb; - int i, quant, ch, j; - short *samples = data; + int i, quant, ch, j, ret; + short *samples; if (buf_size == 0) return 0; + s->frame.nb_samples = s->frame_size; + if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + return ret; + } + samples = s->frame.data[0]; + // av_log(NULL, AV_LOG_INFO, "buf_size: %d\n", buf_size); init_get_bits(&gb, buf, buf_size*8); @@ -930,7 +941,8 @@ static int sonic_decode_frame(AVCodecContext *avctx, align_get_bits(&gb); - *data_size = s->frame_size * 2; + *got_frame_ptr = 1; + *(AVFrame*)data = s->frame; return (get_bits_count(&gb)+7)/8; } @@ -943,6 +955,7 @@ AVCodec ff_sonic_decoder = { .init = sonic_decode_init, .close = sonic_decode_close, .decode = sonic_decode_frame, + .capabilities = CODEC_CAP_DR1, .long_name = NULL_IF_CONFIG_SMALL("Sonic"), }; #endif /* CONFIG_SONIC_DECODER */ From 9f253ebb41c5365edc406bf73bf1c483befc6ee4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Jan 2012 03:38:58 +0100 Subject: [PATCH 168/991] diracdec: Fix integer overflow leading to out of global array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9729f140ae073f1df2041b6c5fd2068592eb9c48) 
Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 03e7d0abde..c96b37aa4e 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1172,7 +1172,7 @@ static void propagate_block_data(DiracBlock *block, int stride, int size) * Dirac Specification -> * 12. Block motion data syntax */ -static void dirac_unpack_block_motion_data(DiracContext *s) +static int dirac_unpack_block_motion_data(DiracContext *s) { GetBitContext *gb = &s->gb; uint8_t *sbsplit = s->sbsplit; @@ -1192,7 +1192,9 @@ static void dirac_unpack_block_motion_data(DiracContext *s) ff_dirac_init_arith_decoder(arith, gb, svq3_get_ue_golomb(gb)); /* svq3_get_ue_golomb(gb) is the length */ for (y = 0; y < s->sbheight; y++) { for (x = 0; x < s->sbwidth; x++) { - int split = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA); + unsigned int split = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA); + if (split > 2) + return -1; sbsplit[x] = (split + pred_sbsplit(sbsplit+x, s->sbwidth, x, y)) % 3; } sbsplit += s->sbwidth; @@ -1221,6 +1223,8 @@ static void dirac_unpack_block_motion_data(DiracContext *s) propagate_block_data(block, s->blwidth, step); } } + + return 0; } static int weight(int i, int blen, int offset) @@ -1675,7 +1679,8 @@ static int dirac_decode_picture_header(DiracContext *s) if (s->num_refs) { if (dirac_unpack_prediction_parameters(s)) /* [DIRAC_STD] 11.2 Picture Prediction Data. picture_prediction() */ return -1; - dirac_unpack_block_motion_data(s); /* [DIRAC_STD] 12. Block motion data syntax */ + if (dirac_unpack_block_motion_data(s)) /* [DIRAC_STD] 12. Block motion data syntax */ + return -1; } if (dirac_unpack_idwt_params(s)) /* [DIRAC_STD] 11.3 Wavelet transform data */ return -1; From 0be85fd80f4dba6d4b2d14590ab8921f6707a289 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 29 Jan 2012 05:04:25 +0100 Subject: [PATCH 169/991] diracdec: Check for negative quants which would cause out of array reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5cd8afee99c83b62e1474f122d947de7e4ad9ff5) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c96b37aa4e..049f7592ca 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -491,10 +491,16 @@ static inline void codeblock(DiracContext *s, SubBand *b, } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { + int quant = b->quant; if (is_arith) - b->quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); + quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else - b->quant += dirac_get_se_golomb(gb); + quant += dirac_get_se_golomb(gb); + if (quant < 0) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); + return; + } + b->quant = quant; } b->quant = FFMIN(b->quant, MAX_QUANT); From 7f5bd6c72be0e75f4c2c0b4a7878e32ba29dca93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Mar 2012 19:13:55 +0100 Subject: [PATCH 170/991] diracdec: Correct the bytestream end pointer. This fixes some arith decoder overreads and a potential infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0f13cc732b3752828890b8dff507615cfd454336) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 049f7592ca..7fa7137cac 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
@@ -625,7 +625,7 @@ static void decode_component(DiracContext *s, int comp) b->quant = svq3_get_ue_golomb(&s->gb); align_get_bits(&s->gb); b->coeff_data = s->gb.buffer + get_bits_count(&s->gb)/8; - b->length = FFMIN(b->length, get_bits_left(&s->gb)/8); + b->length = FFMIN(b->length, FFMAX(get_bits_left(&s->gb)/8, 0)); skip_bits_long(&s->gb, b->length*8); } } From 313ddbfe48bfd67dc8f9480d7d7cf887d6f485c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Jan 2012 04:39:37 +0100 Subject: [PATCH 171/991] proresdec: Fix read via negative index in a global array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 006508032057824a371bec4e629b66f8cbb26c47) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index fe4cfd09b8..9f801e447a 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -302,7 +302,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, DCTELEM *out, code = 5; sign = 0; for (i = 1; i < blocks_per_slice; i++, out += 64) { - DECODE_CODEWORD(code, dc_codebook[FFMIN(code, 6)]); + DECODE_CODEWORD(code, dc_codebook[FFMIN(code, 6U)]); if(code) sign ^= -(code & 1); else sign = 0; prev_dc += (((code + 1) >> 1) ^ sign) - sign; From 001f4c7dc63e90e719187cd7f961c8220721878f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Feb 2012 23:50:35 +0100 Subject: [PATCH 172/991] jpeglsdec: Prevent out of array write. Signed-off-by: Michael Niedermayer (cherry picked from commit 00ab9cdae1a96dfea33cd505076a83823f390aa4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 0139c8860f..74714e0521 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
@@ -198,6 +198,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void * r = ff_log2_run[state->run_index[comp]]; if(r) r = get_bits_long(&s->gb, r); + if(x + r * stride > w) { + r = (w - x) / stride; + } for(i = 0; i < r; i++) { W(dst, x, Ra); x += stride; From dc8054128aaebc24d65c6036ae3f4b8507f82387 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 8 Mar 2012 16:18:03 +0100 Subject: [PATCH 173/991] lavfi: port MP swapuv filter (cherry picked from commit fa35d880aab1d3ef2b828cae640e43d370e8f0c2) Conflicts: Changelog libavfilter/version.h Signed-off-by: Michael Niedermayer --- Changelog | 2 + doc/filters.texi | 3 ++ libavfilter/Makefile | 1 + libavfilter/allfilters.c | 1 + libavfilter/version.h | 2 +- libavfilter/vf_swapuv.c | 93 ++++++++++++++++++++++++++++++++++++++++ 6 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 libavfilter/vf_swapuv.c diff --git a/Changelog b/Changelog index 464ba958c9..a22b9d76f8 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,8 @@ version next: version 0.10.1 +- swapuv filter + - Several bugs and crashes have been fixed in the following codecs: AAC, AC-3, ADPCM, AMR (both NB and WB), ATRAC3, CAVC, Cook, camstudio, DCA, DPCM, DSI CIN, DV, EA TGQ, FLAC, fraps, G.722 (both encoder and diff --git a/doc/filters.texi b/doc/filters.texi index 7d008bc736..43eec40d16 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -2549,6 +2549,9 @@ For example: will create two separate outputs from the same input, one cropped and one padded. +@section swapuv +Swap U & V plane. + @section thumbnail Select the most representative frame in a given sequence of consecutive frames. diff --git a/libavfilter/Makefile b/libavfilter/Makefile index 01a1316434..82407e2593 100644 --- a/libavfilter/Makefile +++ b/libavfilter/Makefile 
@@ -85,6 +85,7 @@ OBJS-$(CONFIG_SETTB_FILTER) += vf_settb.o OBJS-$(CONFIG_SHOWINFO_FILTER) += vf_showinfo.o OBJS-$(CONFIG_SLICIFY_FILTER) += vf_slicify.o OBJS-$(CONFIG_SPLIT_FILTER) += vf_split.o +OBJS-$(CONFIG_SWAPUV_FILTER) += vf_swapuv.o OBJS-$(CONFIG_THUMBNAIL_FILTER) += vf_thumbnail.o OBJS-$(CONFIG_TINTERLACE_FILTER) += vf_tinterlace.o OBJS-$(CONFIG_TRANSPOSE_FILTER) += vf_transpose.o diff --git a/libavfilter/allfilters.c b/libavfilter/allfilters.c index 8286d4d21b..ef99298cb6 100644 --- a/libavfilter/allfilters.c +++ b/libavfilter/allfilters.c @@ -93,6 +93,7 @@ void avfilter_register_all(void) REGISTER_FILTER (SHOWINFO, showinfo, vf); REGISTER_FILTER (SLICIFY, slicify, vf); REGISTER_FILTER (SPLIT, split, vf); + REGISTER_FILTER (SWAPUV, swapuv, vf); REGISTER_FILTER (THUMBNAIL, thumbnail, vf); REGISTER_FILTER (TINTERLACE, tinterlace, vf); REGISTER_FILTER (TRANSPOSE, transpose, vf); diff --git a/libavfilter/version.h b/libavfilter/version.h index 60e496dcc0..cd8bd95037 100644 --- a/libavfilter/version.h +++ b/libavfilter/version.h @@ -29,7 +29,7 @@ #include "libavutil/avutil.h" #define LIBAVFILTER_VERSION_MAJOR 2 -#define LIBAVFILTER_VERSION_MINOR 60 +#define LIBAVFILTER_VERSION_MINOR 61 #define LIBAVFILTER_VERSION_MICRO 100 #define LIBAVFILTER_VERSION_INT AV_VERSION_INT(LIBAVFILTER_VERSION_MAJOR, \ diff --git a/libavfilter/vf_swapuv.c b/libavfilter/vf_swapuv.c new file mode 100644 index 0000000000..317485b2f9 --- /dev/null +++ b/libavfilter/vf_swapuv.c 
@@ -0,0 +1,93 @@ +/* + * Copyright (c) 2002 Michael Niedermayer + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/** + * @file + * swap UV filter + */ + +#include "avfilter.h" + +static AVFilterBufferRef *get_video_buffer(AVFilterLink *link, int perms, + int w, int h) +{ + AVFilterBufferRef *picref = + avfilter_default_get_video_buffer(link, perms, w, h); + uint8_t *tmp; + int tmp2; + + tmp = picref->data[2]; + picref->data[2] = picref->data[1]; + picref->data[1] = tmp; + + tmp2 = picref->linesize[2]; + picref->linesize[2] = picref->linesize[1]; + picref->linesize[1] = tmp2; + + return picref; +} + +static void start_frame(AVFilterLink *link, AVFilterBufferRef *inpicref) +{ + AVFilterBufferRef *outpicref = avfilter_ref_buffer(inpicref, ~0); + + outpicref->data[1] = inpicref->data[2]; + outpicref->data[2] = inpicref->data[1]; + + outpicref->linesize[1] = inpicref->linesize[2]; + outpicref->linesize[2] = inpicref->linesize[1]; + + avfilter_start_frame(link->dst->outputs[0], outpicref); +} + +static int query_formats(AVFilterContext *ctx) +{ + static const enum PixelFormat pix_fmts[] = { + PIX_FMT_YUV420P, PIX_FMT_YUVJ420P, PIX_FMT_YUVA420P, + PIX_FMT_YUV444P, PIX_FMT_YUVJ444P, + PIX_FMT_YUV440P, PIX_FMT_YUVJ440P, + PIX_FMT_YUV422P, 
PIX_FMT_YUVJ422P, + PIX_FMT_YUV411P, + PIX_FMT_NONE, + }; + + avfilter_set_common_pixel_formats(ctx, avfilter_make_format_list(pix_fmts)); + return 0; +} + +AVFilter avfilter_vf_swapuv = { + .name = "swapuv", + .description = NULL_IF_CONFIG_SMALL("Swap U and V components."), + .priv_size = 0, + .query_formats = query_formats, + + .inputs = (const AVFilterPad[]) { + { .name = "default", + .type = AVMEDIA_TYPE_VIDEO, + .get_video_buffer = get_video_buffer, + .start_frame = start_frame, }, + { .name = NULL } + }, + .outputs = (const AVFilterPad[]) { + { .name = "default", + .type = AVMEDIA_TYPE_VIDEO, }, + { .name = NULL } + }, +}; From d39b183d8de1c36cf12eb4857883437ca1e6dc4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Mar 2012 01:37:34 +0100 Subject: [PATCH 174/991] Update for 0.10.1 Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ Doxyfile | 2 +- VERSION | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a22b9d76f8..9d193b1e37 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,8 @@ releases are sorted from youngest to oldest. version next: version 0.10.1 +- Several security fixes, many bugfixes affecting many formats and + codecs, the list below is not complete. - swapuv filter diff --git a/Doxyfile b/Doxyfile index f4beab55f5..284640283c 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10 +PROJECT_NUMBER = 0.10.1 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/VERSION b/VERSION index 688abaae7a..571215736a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10 \ No newline at end of file +0.10.1 From 0a224ab102ded1f11de81331639a2796f94477cb Mon Sep 17 00:00:00 2001 
From: Kelly Anderson Date: Sat, 17 Mar 2012 08:56:59 +0100 Subject: [PATCH 175/991] libx264: fix duplicate stats entry Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index ad62d7e2c2..f6cd9fa3a5 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -70,7 +70,6 @@ typedef struct X264Context { char *partitions; int direct_pred; int slice_max_size; - char *stats; } X264Context; static void X264_log(void *p, int level, const char *fmt, va_list args) From f139838d6473c7b5152178f602cb953a824c2ff9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Mar 2012 09:14:13 +0100 Subject: [PATCH 176/991] Update for 0.10.2 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 284640283c..c065e0c194 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.1 +PROJECT_NUMBER = 0.10.2 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 571215736a..5eef0f10e8 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.1 +0.10.2 diff --git a/VERSION b/VERSION index 571215736a..5eef0f10e8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.1 +0.10.2 From abfafb6c81f3e53524ba6762f6b36bb0112c3171 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Mar 2012 20:39:32 +0100 Subject: [PATCH 177/991] pngenc: Fix incorrect mask used for interlaced mode. Fixes Ticket1109 Signed-off-by: Michael Niedermayer (cherry picked from commit 15db6a959057b92245a384909ec7d413d5c16461) --- libavcodec/pngenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index 5933bbb38a..d36914a0fb 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -55,7 +55,7 @@ static void png_get_interlaced_row(uint8_t *dst, int row_size, uint8_t *d; const uint8_t *s; - mask = ff_png_pass_mask[pass]; + mask = (int[]){0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff}[pass]; switch(bits_per_pixel) { case 1: memset(dst, 0, row_size); From e687d77d150a325b4775957a6803e4ed998bb1ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Tue, 20 Mar 2012 11:03:48 +0100 Subject: [PATCH 178/991] mxfdec: Only parse next partition pack if parsing forward This fixes ticket #1099. Signed-off-by: Michael Niedermayer (cherry picked from commit 393b81f0934866bd7fff0a2b113623dd9ee6808f) --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index cb38e5caaf..f63cff9be8 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1725,6 +1725,9 @@ static int mxf_read_header(AVFormatContext *s, AVFormatParameters *ap) /* next partition pack - keep going, seek to previous partition or stop */ if(mxf_parse_handle_partition_or_eof(mxf) <= 0) break; + else if (mxf->parsing_backward) + continue; + /* we're still parsing forward. proceed to parsing this partition pack */ } for (metadata = mxf_metadata_read_table; metadata->read; metadata++) { From f9bdc93723cc38f91de68d364854e7fa6b5857eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franz=20Brau=C3=9Fe?= Date: Fri, 30 Mar 2012 14:40:14 -0400 Subject: [PATCH 179/991] smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d) --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index c423012fae..53890effb9 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c 
@@ -668,7 +668,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, } if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) - pred[i] = av_bswap16(get_bits(&gb, 16)); + pred[i] = sign_extend(av_bswap16(get_bits(&gb, 16)), 16); for(i = 0; i <= stereo; i++) *samples++ = pred[i]; for(; i < unp_size / 2; i++) { From 989431c02ffcfdeb210cf42765e820130eb4b255 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 31 Mar 2012 07:52:42 +0200 Subject: [PATCH 180/991] id3v2: fix skipping extended header in id3v2.4 In v2.4, the length includes the length field itself. (cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303) Signed-off-by: Anton Khirnov --- libavformat/id3v2.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index deb652d60c..6499872947 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -448,8 +448,17 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t unsync = flags & 0x80; - if (isv34 && flags & 0x40) /* Extended header present, just skip over it */ - avio_skip(s->pb, get_size(s->pb, 4)); + if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */ + int extlen = get_size(s->pb, 4); + if (version == 4) + extlen -= 4; // in v2.4 the length includes the length field we just read + + if (extlen < 0) { + reason = "invalid extended header length"; + goto error; + } + avio_skip(s->pb, extlen); + } while (len >= taghdrlen) { unsigned int tflags = 0; From fdc6f6507ccc6bc004ed7c3987a51ad7a4dceaaa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Apr 2012 03:43:23 +0200 Subject: [PATCH 181/991] h264: fix seeking in low delay streams without IDR Fixes Ticket1165 Signed-off-by: Michael Niedermayer (cherry picked from commit 3360b8517a1f478c4102072e5eadd8ba78be0538) --- libavcodec/h264_refs.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 8432a8a5b6..926a6cc40d 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -655,6 +655,8 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){ s->current_picture_ptr->sync |= 1; + if(!h->s.avctx->has_b_frames) + h->sync = 2; } return (h->s.avctx->err_recognition & AV_EF_EXPLODE) ? err : 0; From a56eaa024fcd34a886776e9ec00ca4fd51432e96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Apr 2012 04:19:43 +0200 Subject: [PATCH 182/991] mpeg4: dont reset picture_num for xvid Fixes Ticket1162 Signed-off-by: Michael Niedermayer (cherry picked from commit a4e359a3f98650dab3d2e93f067658e20fa9c0d7) --- libavcodec/h263dec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index fa476d9315..6db3d39777 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -571,7 +571,6 @@ retry: if (s->codec_id == CODEC_ID_MPEG4 && s->xvid_build>=0 && avctx->idct_algo == FF_IDCT_AUTO && (av_get_cpu_flags() & AV_CPU_FLAG_MMX)) { avctx->idct_algo= FF_IDCT_XVIDMMX; ff_dct_common_init(s); - s->picture_number=0; } #endif From d076d0febdc12254c1a96f8ada19d3321d165f21 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 29 Mar 2012 00:17:23 +0200 Subject: [PATCH 183/991] lavfi/fade: fix black level for non studio-level pixel formats Fix trac ticket #1139, regression introduced in 8c1fb50d077d5f954. (cherry picked from commit 95ce0ddcfe99182365e0e57f5f41d7f1a01c57eb) --- libavfilter/vf_fade.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index 7fe0dae3f4..afd700b4c3 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c 
@@ -191,9 +191,9 @@ static int config_props(AVFilterLink *inlink) fade->alpha = fade->alpha ? ff_fmt_is_in(inlink->format, alpha_pix_fmts) : 0; fade->is_packed_rgb = ff_fill_rgba_map(fade->rgba_map, inlink->format) >= 0; - /* CCIR601/709 black level unless input is RGB or has alpha */ + /* use CCIR601/709 black level for studio-level pixel non-alpha components */ fade->black_level = - ff_fmt_is_in(inlink->format, studio_level_pix_fmts) || fade->alpha ? 0 : 16; + ff_fmt_is_in(inlink->format, studio_level_pix_fmts) && !fade->alpha ? 16 : 0; /* 32768 = 1 << 15, it is an integer representation * of 0.5 and is for rounding. */ fade->black_level_scaled = (fade->black_level << 16) + 32768; From a854d00acd911756a4b250962c24c7995c67d64d Mon Sep 17 00:00:00 2001 From: ami_stuff Date: Thu, 22 Mar 2012 19:28:52 +0100 Subject: [PATCH 184/991] Replace SSE2 instruction in scalarproduct_float_sse() by SSE equivalent. Fixes an AAC decoding issue with the sample from ticket #213 on machines with SSE but without SSE2. Based on 89411a by Reimar. (cherry picked from commit f6b78638086beae9bcab672d4c9de1790be5a928) --- libavcodec/x86/dsputil_yasm.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/dsputil_yasm.asm b/libavcodec/x86/dsputil_yasm.asm index dcd6fa4223..0f533241b1 100644 --- a/libavcodec/x86/dsputil_yasm.asm +++ b/libavcodec/x86/dsputil_yasm.asm @@ -475,7 +475,7 @@ cglobal scalarproduct_float_sse, 3,3,2, v1, v2, offset shufps xmm0, xmm0, 1 addss xmm0, xmm1 %ifndef ARCH_X86_64 - movd r0m, xmm0 + movss r0m, xmm0 fld dword r0m %endif RET From 265a628f162168f188f9756a06727a4ec41a183d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 16 Mar 2012 22:41:17 -0700 Subject: [PATCH 185/991] h264: use struct offsets in get_cabac_bypass_sign_x86(). (cherry picked from commit db025929f202bc32459a1278ee06920a06564762) --- libavcodec/x86/cabac.h | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) 
diff --git a/libavcodec/x86/cabac.h b/libavcodec/x86/cabac.h index 2bb0be6374..edcd34a177 100644 --- a/libavcodec/x86/cabac.h +++ b/libavcodec/x86/cabac.h @@ -107,8 +107,8 @@ static av_always_inline int get_cabac_bypass_sign_x86(CABACContext *c, int val) { x86_reg tmp; __asm__ volatile( - "movl %4, %k1 \n\t" - "movl %2, %%eax \n\t" + "movl %a5(%2), %k1 \n\t" + "movl %a3(%2), %%eax \n\t" "shl $17, %k1 \n\t" "add %%eax, %%eax \n\t" "sub %k1, %%eax \n\t" @@ -119,20 +119,23 @@ static av_always_inline int get_cabac_bypass_sign_x86(CABACContext *c, int val) "sub %%edx, %%ecx \n\t" "test %%ax, %%ax \n\t" " jnz 1f \n\t" - "mov %3, %1 \n\t" + "mov %a4(%2), %1 \n\t" "subl $0xFFFF, %%eax \n\t" "movzwl (%1), %%edx \n\t" "bswap %%edx \n\t" "shrl $15, %%edx \n\t" "add $2, %1 \n\t" "addl %%edx, %%eax \n\t" - "mov %1, %3 \n\t" + "mov %1, %a4(%2) \n\t" "1: \n\t" - "movl %%eax, %2 \n\t" + "movl %%eax, %a3(%2) \n\t" - :"+c"(val), "=&r"(tmp), "+m"(c->low), "+m"(c->bytestream) - :"m"(c->range) - : "%eax", "%edx" + : "+c"(val), "=&r"(tmp) + : "r"(c), + "i"(offsetof(CABACContext, low)), + "i"(offsetof(CABACContext, bytestream)), + "i"(offsetof(CABACContext, range)) + : "%eax", "%edx", "memory" ); return val; } From 87208b8fc4bdd5c2ee635682b4a06fc251dae74d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 16 Mar 2012 14:16:56 -0700 Subject: [PATCH 186/991] mpeg4: report frame decoding completion at ff_MPV_frame_end(). Prevents hangs on corrupt input. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2) Conflicts: libavcodec/mpegvideo.c Signed-off-by: Reinhard Tartler --- libavcodec/mpegvideo.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 50e6ad6da4..7aaf398e14 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -1415,8 +1415,7 @@ void MPV_frame_end(MpegEncContext *s) s->avctx->coded_frame = (AVFrame *) s->current_picture_ptr; if (s->codec_id != CODEC_ID_H264 && s->current_picture.f.reference) { - ff_thread_report_progress((AVFrame *) s->current_picture_ptr, - s->mb_height - 1, 0); + ff_thread_report_progress((AVFrame *) s->current_picture_ptr, INT_MAX, 0); } } From bf3998d71efa7a9a6acc6d7d81dd674249e074c1 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 16 Mar 2012 14:04:00 -0700 Subject: [PATCH 187/991] mimic: don't use self as reference, and report completion at end of decode(). Fixes hangs on corrupt samples that reference self-frames. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 80387f0e2568746dce4a68e2217297029a053dae) Signed-off-by: Reinhard Tartler --- libavcodec/mimic.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index b93f51fa3e..fd03b97c37 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -259,8 +259,8 @@ static int decode(MimicContext *ctx, int quality, int num_coeffs, int index = (ctx->cur_index+backref)&15; uint8_t *p = ctx->flipped_ptrs[index].data[0]; - ff_thread_await_progress(&ctx->buf_ptrs[index], cur_row, 0); - if(p) { + if (index != ctx->cur_index && p) { + ff_thread_await_progress(&ctx->buf_ptrs[index], cur_row, 0); p += src - ctx->flipped_ptrs[ctx->prev_index].data[plane]; ctx->dsp.put_pixels_tab[1][0](dst, p, stride, 8); @@ -310,6 +310,7 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, int width, height; int quality, num_coeffs; int swap_buf_size = buf_size - MIMIC_HEADER_SIZE; + int res; if(buf_size < MIMIC_HEADER_SIZE) { av_log(avctx, AV_LOG_ERROR, "insufficient data\n"); 
@@ -377,10 +378,10 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, swap_buf_size>>2); init_get_bits(&ctx->gb, ctx->swap_buf, swap_buf_size << 3); - if(!decode(ctx, quality, num_coeffs, !is_pframe)) { - if (avctx->active_thread_type&FF_THREAD_FRAME) - ff_thread_report_progress(&ctx->buf_ptrs[ctx->cur_index], INT_MAX, 0); - else { + res = decode(ctx, quality, num_coeffs, !is_pframe); + ff_thread_report_progress(&ctx->buf_ptrs[ctx->cur_index], INT_MAX, 0); + if (!res) { + if (!(avctx->active_thread_type & FF_THREAD_FRAME)) { ff_thread_release_buffer(avctx, &ctx->buf_ptrs[ctx->cur_index]); return -1; } From ec554ee747c966ff173551ee89fe71e19c2aeb6c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 18 Mar 2012 09:26:32 +0100 Subject: [PATCH 188/991] Read preset files with suffix .avpreset The preset files have been renamed some time ago. CC: libav-stable@libav.org (cherry picked from commit 050dc127787e91d8ee4b341046c74fe6e74e3285) Signed-off-by: Reinhard Tartler --- cmdutils.c | 4 ++-- cmdutils.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index a489a0f06e..e96fa81ad9 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -883,12 +883,12 @@ FILE *get_preset_file(char *filename, size_t filename_size, for (i = 0; i < 3 && !f; i++) { if (!base[i]) continue; - snprintf(filename, filename_size, "%s%s/%s.ffpreset", base[i], + snprintf(filename, filename_size, "%s%s/%s.avpreset", base[i], i != 1 ? "" : "/.avconv", preset_name); f = fopen(filename, "r"); if (!f && codec_name) { snprintf(filename, filename_size, - "%s%s/%s-%s.ffpreset", + "%s%s/%s-%s.avpreset", base[i], i != 1 ? "" : "/.avconv", codec_name, preset_name); f = fopen(filename, "r"); diff --git a/cmdutils.h b/cmdutils.h index eb96645eed..c69bb02cea 100644 --- a/cmdutils.h +++ b/cmdutils.h 
@@ -345,11 +345,11 @@ int64_t guess_correct_pts(PtsCorrectionContext *ctx, int64_t pts, int64_t dts); * Get a file corresponding to a preset file. * * If is_path is non-zero, look for the file in the path preset_name. - * Otherwise search for a file named arg.ffpreset in the directories + * Otherwise search for a file named arg.avpreset in the directories * $AVCONV_DATADIR (if set), $HOME/.avconv, and in the datadir defined * at configuration time, in that order. If no such file is found and * codec_name is defined, then search for a file named - * codec_name-preset_name.ffpreset in the above-mentioned directories. + * codec_name-preset_name.avpreset in the above-mentioned directories. * * @param filename buffer where the name of the found filename is written * @param filename_size size in bytes of the filename buffer From 3a4949aa50cc6058a7318763af00ece259aa6749 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 21 Mar 2012 10:39:10 -0700 Subject: [PATCH 189/991] indeo4: fix out-of-bounds function call. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Kostya Shishkov (cherry picked from commit 68fd077f68bdde864bb7328d72a040849c616261) Signed-off-by: Reinhard Tartler --- libavcodec/indeo4.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 573718e374..3e8a3988d6 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -372,7 +372,8 @@ static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band, if (!get_bits1(&ctx->gb) || ctx->frame_type == FRAMETYPE_INTRA) { transform_id = get_bits(&ctx->gb, 5); - if (!transforms[transform_id].inv_trans) { + if (transform_id >= FF_ARRAY_ELEMS(transforms) || + !transforms[transform_id].inv_trans) { av_log_ask_for_sample(avctx, "Unimplemented transform: %d!\n", transform_id); return AVERROR_PATCHWELCOME; } From 105601c1513a14ccfe115c936006f3f9062788f2 Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Wed, 21 Mar 2012 15:47:11 -0700 Subject: [PATCH 190/991] wmavoice: fix stack overread. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b) Signed-off-by: Reinhard Tartler --- libavcodec/wmavoice.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 8854e35d93..86e6996e1a 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1440,8 +1440,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, int pitch[MAX_BLOCKS], last_block_pitch; /* Parse frame type ("frame header"), see frame_descs */ - int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], - block_nsamples = MAX_FRAMESIZE / frame_descs[bd_idx].n_blocks; + int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples; if (bd_idx < 0) { av_log(ctx, AV_LOG_ERROR, @@ -1449,6 +1448,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, return -1; } + block_nsamples = MAX_FRAMESIZE / frame_descs[bd_idx].n_blocks; + /* Pitch calculation for ACB_TYPE_ASYMMETRIC ("pitch-per-frame") */ if (frame_descs[bd_idx].acb_type == ACB_TYPE_ASYMMETRIC) { /* Pitch is provided per frame, which is interpreted as the pitch of From 0b9bb581fdd0f873b64d5de582cd6ddd91e10ccc Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 16 Mar 2012 00:56:41 +0000 Subject: [PATCH 191/991] vqavideo: port to bytestream2 API Protects against overreads. Signed-off-by: Paul B Mahol Signed-off-by: Ronald S. Bultje (cherry picked from commit 5a3a906ba29b53fa34d3047af78d9f8fd7678256) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 186 ++++++++++++++++++++++-------------------- 1 file changed, 97 insertions(+), 89 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 7a6308aeb1..9801167e23 100644 --- a/libavcodec/vqavideo.c 
+++ b/libavcodec/vqavideo.c @@ -70,10 +70,10 @@ #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" #include "avcodec.h" +#include "bytestream.h" #define PALETTE_COUNT 256 #define VQA_HEADER_SIZE 0x2A -#define CHUNK_PREAMBLE_SIZE 8 /* allocate the maximum vector space, regardless of the file version: * (0xFF00 codebook vectors + 0x100 solid pixel vectors) * (4x4 pixels/block) */ @@ -94,9 +94,7 @@ typedef struct VqaContext { AVCodecContext *avctx; AVFrame frame; - - const unsigned char *buf; - int size; + GetByteContext gb; uint32_t palette[PALETTE_COUNT]; @@ -123,7 +121,6 @@ typedef struct VqaContext { static av_cold int vqa_decode_init(AVCodecContext *avctx) { VqaContext *s = avctx->priv_data; - unsigned char *vqa_header; int i, j, codebook_index; s->avctx = avctx; @@ -136,17 +133,16 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } /* load up the VQA parameters from the header */ - vqa_header = (unsigned char *)s->avctx->extradata; - s->vqa_version = vqa_header[0]; - s->width = AV_RL16(&vqa_header[6]); - s->height = AV_RL16(&vqa_header[8]); + s->vqa_version = s->avctx->extradata[0]; + s->width = AV_RL16(&s->avctx->extradata[6]); + s->height = AV_RL16(&s->avctx->extradata[8]); if(av_image_check_size(s->width, s->height, 0, avctx)){ s->width= s->height= 0; return -1; } - s->vector_width = vqa_header[10]; - s->vector_height = vqa_header[11]; - s->partial_count = s->partial_countdown = vqa_header[13]; + s->vector_width = s->avctx->extradata[10]; + s->vector_height = s->avctx->extradata[11]; + s->partial_count = s->partial_countdown = s->avctx->extradata[13]; /* the vector dimensions have to meet very stringent requirements */ if ((s->vector_width != 4) || 
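Review bot: vqa_decode_init still indexes s->avctx->extradata directly at offsets 0, 6, 8, 10, 11 and 13, so this part of the bytestream2 port gains no bounds protection. The hunk shows only the closing brace of the preceding block, so the extradata_size test against VQA_HEADER_SIZE has to be confirmed there or added before these reads. Since s->avctx is assigned from avctx a few lines earlier, plain avctx->extradata would also read more simply.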
@@ -189,84 +185,88 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: next op would overflow dest_index\n"); \ av_log(NULL, AV_LOG_ERROR, " VQA video: current dest_index = %d, count = %d, dest_size = %d\n", \ dest_index, count, dest_size); \ - return; \ + return AVERROR_INVALIDDATA; \ } -static void decode_format80(const unsigned char *src, int src_size, +#define CHECK_COPY(idx) \ + if (idx < 0 || idx + count > dest_size) { \ + av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: next op would overflow dest_index\n"); \ + av_log(NULL, AV_LOG_ERROR, " VQA video: current src_pos = %d, count = %d, dest_size = %d\n", \ + src_pos, count, dest_size); \ + return AVERROR_INVALIDDATA; \ + } + + +static int decode_format80(GetByteContext *gb, int src_size, unsigned char *dest, int dest_size, int check_size) { - int src_index = 0; int dest_index = 0; - int count; + int count, opcode, start; int src_pos; unsigned char color; int i; - while (src_index < src_size) { - - av_dlog(NULL, " opcode %02X: ", src[src_index]); + start = bytestream2_tell(gb); + while (bytestream2_tell(gb) - start < src_size) { + opcode = bytestream2_get_byte(gb); + av_dlog(NULL, " opcode %02X: ", opcode); /* 0x80 means that frame is finished */ - if (src[src_index] == 0x80) - return; + if (opcode == 0x80) + return 0; if (dest_index >= dest_size) { av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: dest_index (%d) exceeded dest_size (%d)\n", dest_index, dest_size); - return; + return AVERROR_INVALIDDATA; } - if (src[src_index] == 0xFF) { + if (opcode == 0xFF) { - src_index++; - count = AV_RL16(&src[src_index]); - src_index += 2; - src_pos = AV_RL16(&src[src_index]); - src_index += 2; + count = bytestream2_get_le16(gb); + src_pos = bytestream2_get_le16(gb); av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + CHECK_COPY(src_pos); for (i = 0; i < count; i++) 
dest[dest_index + i] = dest[src_pos + i]; dest_index += count; - } else if (src[src_index] == 0xFE) { + } else if (opcode == 0xFE) { - src_index++; - count = AV_RL16(&src[src_index]); - src_index += 2; - color = src[src_index++]; + count = bytestream2_get_le16(gb); + color = bytestream2_get_byte(gb); av_dlog(NULL, "(2) set %X bytes to %02X\n", count, color); CHECK_COUNT(); memset(&dest[dest_index], color, count); dest_index += count; - } else if ((src[src_index] & 0xC0) == 0xC0) { + } else if ((opcode & 0xC0) == 0xC0) { - count = (src[src_index++] & 0x3F) + 3; - src_pos = AV_RL16(&src[src_index]); - src_index += 2; + count = (opcode & 0x3F) + 3; + src_pos = bytestream2_get_le16(gb); av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos); CHECK_COUNT(); + CHECK_COPY(src_pos); for (i = 0; i < count; i++) dest[dest_index + i] = dest[src_pos + i]; dest_index += count; - } else if (src[src_index] > 0x80) { + } else if (opcode > 0x80) { - count = src[src_index++] & 0x3F; + count = opcode & 0x3F; av_dlog(NULL, "(4) copy %X bytes from source to dest\n", count); CHECK_COUNT(); - memcpy(&dest[dest_index], &src[src_index], count); - src_index += count; + bytestream2_get_buffer(gb, &dest[dest_index], count); dest_index += count; } else { - count = ((src[src_index] & 0x70) >> 4) + 3; - src_pos = AV_RB16(&src[src_index]) & 0x0FFF; - src_index += 2; + count = ((opcode & 0x70) >> 4) + 3; + src_pos = bytestream2_get_byte(gb) | ((opcode & 0x0F) << 8); av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos); CHECK_COUNT(); + CHECK_COPY(dest_index - src_pos); for (i = 0; i < count; i++) dest[dest_index + i] = dest[dest_index - src_pos + i]; dest_index += count; 
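Review bot: in the opcode > 0x80 branch of decode_format80 the result of bytestream2_get_buffer(gb, &dest[dest_index], count) is discarded and dest_index advances by count regardless, so a source that ends early leaves that part of dest unwritten while decoding carries on. Compare the returned length with count and return AVERROR_INVALIDDATA on a short read. CHECK_COPY also logs src_pos even when the value tested is dest_index - src_pos, and the macro would be safer with (idx) parenthesized and its body wrapped in do { } while (0).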
@@ -281,9 +281,11 @@ static void decode_format80(const unsigned char *src, int src_size, if (dest_index < dest_size) av_log(NULL, AV_LOG_ERROR, " VQA video: decode_format80 problem: decode finished with dest_index (%d) < dest_size (%d)\n", dest_index, dest_size); + + return 0; // let's display what we decoded anyway } -static void vqa_decode_chunk(VqaContext *s) +static int vqa_decode_chunk(VqaContext *s) { unsigned int chunk_type; unsigned int chunk_size; @@ -292,6 +294,7 @@ static void vqa_decode_chunk(VqaContext *s) int i; unsigned char r, g, b; int index_shift; + int res; int cbf0_chunk = -1; int cbfz_chunk = -1; @@ -311,10 +314,11 @@ static void vqa_decode_chunk(VqaContext *s) int hibytes = s->decode_buffer_size / 2; /* first, traverse through the frame and find the subchunks */ - while (index < s->size) { + while (bytestream2_get_bytes_left(&s->gb) >= 8) { - chunk_type = AV_RB32(&s->buf[index]); - chunk_size = AV_RB32(&s->buf[index + 4]); + chunk_type = bytestream2_get_be32u(&s->gb); + index = bytestream2_tell(&s->gb); + chunk_size = bytestream2_get_be32u(&s->gb); switch (chunk_type) { @@ -357,7 +361,7 @@ static void vqa_decode_chunk(VqaContext *s) } byte_skip = chunk_size & 0x01; - index += (CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip); + bytestream2_skip(&s->gb, chunk_size + byte_skip); } /* next, deal with the palette */ @@ -365,7 +369,7 @@ static void vqa_decode_chunk(VqaContext *s) /* a chunk should not have both chunk types */ av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found both CPL0 and CPLZ chunks\n"); - return; + return AVERROR_INVALIDDATA; } /* decompress the palette chunk */ 
@@ -378,19 +382,19 @@ static void vqa_decode_chunk(VqaContext *s) /* convert the RGB palette into the machine's endian format */ if (cpl0_chunk != -1) { - chunk_size = AV_RB32(&s->buf[cpl0_chunk + 4]); + bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET); + chunk_size = bytestream2_get_be32(&s->gb); /* sanity check the palette size */ if (chunk_size / 3 > 256) { av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found a palette chunk with %d colors\n", chunk_size / 3); - return; + return AVERROR_INVALIDDATA; } - cpl0_chunk += CHUNK_PREAMBLE_SIZE; for (i = 0; i < chunk_size / 3; i++) { /* scale by 4 to transform 6-bit palette -> 8-bit */ - r = s->buf[cpl0_chunk++] * 4; - g = s->buf[cpl0_chunk++] * 4; - b = s->buf[cpl0_chunk++] * 4; + r = bytestream2_get_byteu(&s->gb) * 4; + g = bytestream2_get_byteu(&s->gb) * 4; + b = bytestream2_get_byteu(&s->gb) * 4; s->palette[i] = (r << 16) | (g << 8) | (b); } } 
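Review bot: the CPL0 path reads the palette with the unchecked bytestream2_get_byteu for chunk_size / 3 entries, yet chunk_size is only limited to 256 colors and never compared with the bytes left after the seek to cpl0_chunk, so a chunk that declares more data than the packet holds reads past the buffer. Add chunk_size > bytestream2_get_bytes_left(&s->gb) to the sanity check (PATCH 192/991 in this series does that) or use the checked bytestream2_get_byte in the loop.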
@@ -400,31 +404,32 @@ static void vqa_decode_chunk(VqaContext *s) /* a chunk should not have both chunk types */ av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found both CBF0 and CBFZ chunks\n"); - return; + return AVERROR_INVALIDDATA; } /* decompress the full codebook chunk */ if (cbfz_chunk != -1) { - chunk_size = AV_RB32(&s->buf[cbfz_chunk + 4]); - cbfz_chunk += CHUNK_PREAMBLE_SIZE; - decode_format80(&s->buf[cbfz_chunk], chunk_size, - s->codebook, s->codebook_size, 0); + bytestream2_seek(&s->gb, cbfz_chunk, SEEK_SET); + chunk_size = bytestream2_get_be32(&s->gb); + if ((res = decode_format80(&s->gb, chunk_size, s->codebook, + s->codebook_size, 0)) < 0) + return res; } /* copy a full codebook */ if (cbf0_chunk != -1) { - chunk_size = AV_RB32(&s->buf[cbf0_chunk + 4]); + bytestream2_seek(&s->gb, cbf0_chunk, SEEK_SET); + chunk_size = bytestream2_get_be32(&s->gb); /* sanity check the full codebook size */ if (chunk_size > MAX_CODEBOOK_SIZE) { av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: CBF0 chunk too large (0x%X bytes)\n", chunk_size); - return; + return AVERROR_INVALIDDATA; } - cbf0_chunk += CHUNK_PREAMBLE_SIZE; - memcpy(s->codebook, &s->buf[cbf0_chunk], chunk_size); + bytestream2_get_buffer(&s->gb, s->codebook, chunk_size); } /* decode the frame */ @@ -432,13 +437,14 @@ static void vqa_decode_chunk(VqaContext *s) /* something is wrong if there is no VPTZ chunk */ av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: no VPTZ chunk found\n"); - return; + return AVERROR_INVALIDDATA; } - chunk_size = AV_RB32(&s->buf[vptz_chunk + 4]); - vptz_chunk += CHUNK_PREAMBLE_SIZE; - decode_format80(&s->buf[vptz_chunk], chunk_size, - s->decode_buffer, s->decode_buffer_size, 1); + bytestream2_seek(&s->gb, vptz_chunk, SEEK_SET); + chunk_size = bytestream2_get_be32(&s->gb); + if ((res = decode_format80(&s->gb, chunk_size, + s->decode_buffer, s->decode_buffer_size, 1)) < 0) + return res; /* render the final PAL8 frame */ if (s->vector_height == 4) 
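Review bot: chunk_size is an unsigned int read from the stream, but decode_format80 takes src_size as int, so in the VPTZ call a value of 0x80000000 or more typically arrives negative, the while loop never runs, and the function returns 0 with s->decode_buffer untouched. Reject a chunk_size larger than bytestream2_get_bytes_left(&s->gb) before the call; the CBFZ call earlier in this function has the same exposure.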
@@ -502,17 +508,17 @@ static void vqa_decode_chunk(VqaContext *s) if ((cbp0_chunk != -1) && (cbpz_chunk != -1)) { /* a chunk should not have both chunk types */ av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found both CBP0 and CBPZ chunks\n"); - return; + return AVERROR_INVALIDDATA; } if (cbp0_chunk != -1) { - chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]); - cbp0_chunk += CHUNK_PREAMBLE_SIZE; + bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET); + chunk_size = bytestream2_get_be32(&s->gb); /* accumulate partial codebook */ - memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], - &s->buf[cbp0_chunk], chunk_size); + bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], + chunk_size); s->next_codebook_buffer_index += chunk_size; s->partial_countdown--; 
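Review bot: in the CBP0 branch nothing between reading chunk_size and the bytestream2_get_buffer call bounds s->next_codebook_buffer_index + chunk_size against the size of s->next_codebook_buffer, so the port guards the read side while the accumulated write offset is still driven by the stream. Check the sum against the buffer size before copying, and advance the index by the length bytestream2_get_buffer returns rather than by chunk_size.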
@@ -530,39 +536,39 @@ static void vqa_decode_chunk(VqaContext *s) if (cbpz_chunk != -1) { - chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]); - cbpz_chunk += CHUNK_PREAMBLE_SIZE; + bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET); + chunk_size = bytestream2_get_be32(&s->gb); /* accumulate partial codebook */ - memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], - &s->buf[cbpz_chunk], chunk_size); + bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], + chunk_size); s->next_codebook_buffer_index += chunk_size; s->partial_countdown--; if (s->partial_countdown == 0) { + GetByteContext gb; + bytestream2_init(&gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - decode_format80(s->next_codebook_buffer, - s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0); + if ((res = decode_format80(&gb, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0)) < 0) + return res; /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; } } + + return 0; } static int vqa_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; VqaContext *s = avctx->priv_data; - - s->buf = buf; - s->size = buf_size; + int res; if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); @@ -572,7 +578,9 @@ static int vqa_decode_frame(AVCodecContext *avctx, return -1; } - vqa_decode_chunk(s); + bytestream2_init(&s->gb, avpkt->data, avpkt->size); + if ((res = vqa_decode_chunk(s)) < 0) + return res; /* make the palette available on the way out */ memcpy(s->frame.data[1], s->palette, PALETTE_COUNT * 4); @@ -582,7 +590,7 @@ static int vqa_decode_frame(AVCodecContext *avctx, *(AVFrame*)data = s->frame; /* report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } static av_cold int vqa_decode_end(AVCodecContext *avctx) 
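Review bot: in the CBPZ branch the new return res on a decode_format80 failure exits before the "reset accounting" lines, so s->partial_countdown stays at 0 and s->next_codebook_buffer_index keeps its value. The next partial chunk decrements the countdown to -1, the == 0 test is not met on later chunks, and the index only grows. Reset next_codebook_buffer_index and partial_countdown before returning the error.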
From c21b858b278df60c849d86701019e7d096b0c1f4 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 21 Mar 2012 15:19:31 -0700 Subject: [PATCH 192/991] vqa: check palette chunk size before reading data. Prevents overreads beyond buffer boundaries. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 9801167e23..bc1ff27da4 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -385,7 +385,7 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); /* sanity check the palette size */ - if (chunk_size / 3 > 256) { + if (chunk_size / 3 > 256 || chunk_size > bytestream2_get_bytes_left(&s->gb)) { av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found a palette chunk with %d colors\n", chunk_size / 3); return AVERROR_INVALIDDATA; From 19d3f7d8ac3f240a5be2058289488dfd47806a01 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 21 Mar 2012 16:10:37 -0700 Subject: [PATCH 193/991] asf: reset side data elements on packet copy. Prevents crash (double free) when free()ing the original packet. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e73c6aaabff1169899184c382385fe9afae5b068) Signed-off-by: Reinhard Tartler --- libavformat/asfdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 969ab28875..3b487888ba 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c 
@@ -1092,6 +1092,8 @@ static int ff_asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pk //printf("packet %d %d\n", asf_st->pkt.size, asf->packet_frag_size); asf_st->pkt.size = 0; asf_st->pkt.data = 0; + asf_st->pkt.side_data_elems = 0; + asf_st->pkt.side_data = NULL; break; // packet completed } } From 15de658c04b6ce6a6628702837f98b8572e6b9f4 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Mar 2012 10:58:07 -0700 Subject: [PATCH 194/991] xwma: Validate channels and bits_per_coded_sample. This prevents a SIGFPE later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f) Signed-off-by: Reinhard Tartler --- libavformat/xwma.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 5839bdcd22..94abfc7ae5 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -115,6 +115,17 @@ static int xwma_read_header(AVFormatContext *s, AVFormatParameters *ap) } } + if (!st->codec->channels) { + av_log(s, AV_LOG_WARNING, "Invalid channel count: %d\n", + st->codec->channels); + return AVERROR_INVALIDDATA; + } + if (!st->codec->bits_per_coded_sample) { + av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", + st->codec->bits_per_coded_sample); + return AVERROR_INVALIDDATA; + } + /* set the sample rate */ avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); From 86bd0244ec01e873614d94e88177836a9ce650c1 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Mar 2012 11:24:10 -0700 Subject: [PATCH 195/991] mov: Do not read past the end of the ctts_data table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/mov.c b/libavformat/mov.c index 089cdea558..c5270695c1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2668,7 +2668,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->stream_index = sc->ffindex; pkt->dts = sample->timestamp; - if (sc->ctts_data) { + if (sc->ctts_data && sc->ctts_index < sc->ctts_count) { pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration; /* update ctts context */ sc->ctts_sample++; From 9ddd3abe78b6bc0940df87f0fbd7386d794736b1 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 21 Mar 2012 10:11:02 -0700 Subject: [PATCH 196/991] aac: Reset PS parameters on header decode failure. If the next header frame codes zero envelopes the previous frame's values will be used. Consequently the invalid values must be cleared. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a237b38021cd3009cc78eeb974b596085f2fe393) Signed-off-by: Reinhard Tartler --- libavcodec/aacps.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 3da912c6c7..6c9dcf2f1b 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -275,6 +275,10 @@ int ff_ps_read_data(AVCodecContext *avctx, GetBitContext *gb_host, PSContext *ps err: ps->start = 0; skip_bits_long(gb_host, bits_left); + memset(ps->iid_par, 0, sizeof(ps->iid_par)); + memset(ps->icc_par, 0, sizeof(ps->icc_par)); + memset(ps->ipd_par, 0, sizeof(ps->ipd_par)); + memset(ps->opd_par, 0, sizeof(ps->opd_par)); return bits_left; } From 2e681cf50f8209e5be2441f1f0c34b9b0144a059 Mon Sep 17 00:00:00 2001 From: Aneesh Dogra Date: Tue, 7 Feb 2012 01:39:22 +0530 Subject: [PATCH 197/991] bytestream: Add bytestream2 writing API. Signed-off-by: Justin Ruggles (cherry picked from commit db7d45237ab6fc7fe90ec861cb756b2a109504a4) 
Signed-off-by: Reinhard Tartler --- libavcodec/bytestream.h | 112 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 503598a4bc..49d7fa42a8 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -1,6 +1,7 @@ /* * Bytestream functions * copyright (c) 2006 Baptiste Coudurier + * Copyright (c) 2012 Aneesh Dogra (lionaneesh) * * This file is part of Libav. * @@ -30,6 +31,11 @@ typedef struct { const uint8_t *buffer, *buffer_end, *buffer_start; } GetByteContext; +typedef struct { + uint8_t *buffer, *buffer_end, *buffer_start; + int eof; +} PutByteContext; + #define DEF_T(type, name, bytes, read, write) \ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\ (*b) += bytes;\ @@ -39,6 +45,17 @@ static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type valu write(*b, value);\ (*b) += bytes;\ }\ +static av_always_inline void bytestream2_put_ ## name ## u(PutByteContext *p, const type value)\ +{\ + bytestream_put_ ## name(&p->buffer, value);\ +}\ +static av_always_inline void bytestream2_put_ ## name(PutByteContext *p, const type value){\ + if (!p->eof && (p->buffer_end - p->buffer >= bytes)) {\ + write(p->buffer, value);\ + p->buffer += bytes;\ + } else\ + p->eof = 1;\ +}\ static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g)\ {\ return bytestream_get_ ## name(&g->buffer);\ 
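Review bot: the two writers added to `DEF_T` behave very differently on a full buffer and neither is documented. `bytestream2_put_ ## name` drops the write and only records it in `p->eof` (and, because of the `!p->eof &&` test, refuses every later write as well), while `bytestream2_put_ ## name ## u` calls `bytestream_put_ ## name(&p->buffer, value)` with no bounds check at all. Please add a comment on the macro stating that the `u` variants require the caller to have verified at least `bytes` of free space, and that callers of the checked variants must test `eof` to notice truncated output, since both return void.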
@@ -119,22 +136,53 @@ static av_always_inline void bytestream2_init(GetByteContext *g, g->buffer_end = buf + buf_size; } +static av_always_inline void bytestream2_init_writer(PutByteContext *p, + uint8_t *buf, int buf_size) +{ + p->buffer = buf; + p->buffer_start = buf; + p->buffer_end = buf + buf_size; + p->eof = 0; +} + static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g) { return g->buffer_end - g->buffer; } +static av_always_inline unsigned int bytestream2_get_bytes_left_p(PutByteContext *p) +{ + return p->buffer_end - p->buffer; +} + static av_always_inline void bytestream2_skip(GetByteContext *g, unsigned int size) { g->buffer += FFMIN(g->buffer_end - g->buffer, size); } +static av_always_inline void bytestream2_skip_p(PutByteContext *p, + unsigned int size) +{ + int size2; + if (p->eof) + return; + size2 = FFMIN(p->buffer_end - p->buffer, size); + if (size2 != size) + p->eof = 1; + p->buffer += size2; +} + static av_always_inline int bytestream2_tell(GetByteContext *g) { return (int)(g->buffer - g->buffer_start); } +static av_always_inline int bytestream2_tell_p(PutByteContext *p) +{ + return (int)(p->buffer - p->buffer_start); +} + static av_always_inline int bytestream2_seek(GetByteContext *g, int offset, int whence) { 
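Review bot: in `bytestream2_skip_p`, `size2` is declared `int` but receives `FFMIN(p->buffer_end - p->buffer, size)` with an `unsigned int size`, so the following `size2 != size` is a mixed-sign comparison; declaring `size2` as `unsigned int` avoids that. `bytestream2_init_writer` also takes a signed `buf_size` and computes `buf + buf_size` without rejecting negative values, which would put `buffer_end` before `buffer_start` and make `bytestream2_get_bytes_left_p` return a huge unsigned value. An assert or an early rejection of `buf_size < 0` would make the later `buffer_end - buffer` arithmetic safe to rely on.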
@@ -158,6 +206,36 @@ static av_always_inline int bytestream2_seek(GetByteContext *g, int offset, return bytestream2_tell(g); } +static av_always_inline int bytestream2_seek_p(PutByteContext *p, int offset, + int whence) +{ + p->eof = 0; + switch (whence) { + case SEEK_CUR: + if (p->buffer_end - p->buffer < offset) + p->eof = 1; + offset = av_clip(offset, -(p->buffer - p->buffer_start), + p->buffer_end - p->buffer); + p->buffer += offset; + break; + case SEEK_END: + if (offset > 0) + p->eof = 1; + offset = av_clip(offset, -(p->buffer_end - p->buffer_start), 0); + p->buffer = p->buffer_end + offset; + break; + case SEEK_SET: + if (p->buffer_end - p->buffer_start < offset) + p->eof = 1; + offset = av_clip(offset, 0, p->buffer_end - p->buffer_start); + p->buffer = p->buffer_start + offset; + break; + default: + return AVERROR(EINVAL); + } + return bytestream2_tell_p(p); +} + static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g, uint8_t *dst, unsigned int size) @@ -168,6 +246,40 @@ static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g, return size2; } +static av_always_inline unsigned int bytestream2_put_buffer(PutByteContext *p, + const uint8_t *src, + unsigned int size) +{ + int size2; + if (p->eof) + return 0; + size2 = FFMIN(p->buffer_end - p->buffer, size); + if (size2 != size) + p->eof = 1; + memcpy(p->buffer, src, size2); + p->buffer += size2; + return size2; +} + +static av_always_inline void bytestream2_set_buffer(PutByteContext *p, + const uint8_t c, + unsigned int size) +{ + int size2; + if (p->eof) + return; + size2 = FFMIN(p->buffer_end - p->buffer, size); + if (size2 != size) + p->eof = 1; + memset(p->buffer, c, size2); + p->buffer += size2; +} + +static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p) +{ + return p->eof; +} + static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size) { memcpy(dst, *b, size); 
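Review bot: `bytestream2_get_eof` takes a `PutByteContext` but, unlike `bytestream2_tell_p`, `bytestream2_seek_p` and `bytestream2_skip_p`, it has no `_p` suffix, so the name reads as a reader-side helper; rename it or document it as writer-only. In `bytestream2_put_buffer` and `bytestream2_set_buffer` a request that does not fit is still partially written (`memcpy(p->buffer, src, size2)`) before `eof` is set, whereas the fixed-width writers from `DEF_T` write nothing when the value does not fit. A comment stating which of the two behaviours callers should expect would prevent encoders from emitting silently truncated chunks.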
From e788c6e9cb269359d1527a862b003346789aa1c3 Mon Sep 17 00:00:00 2001 From: Aneesh Dogra Date: Wed, 8 Feb 2012 23:37:20 +0530 Subject: [PATCH 198/991] bytestream: K&R formatting cosmetics Signed-off-by: Diego Biurrun (cherry picked from commit ab9ae401525d301a31ec695bf39103502db6afeb) Signed-off-by: Reinhard Tartler --- libavcodec/bytestream.h | 121 ++++++++++++++++++++++------------------ 1 file changed, 68 insertions(+), 53 deletions(-) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 49d7fa42a8..4d686e550a 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -24,6 +24,7 @@ #define AVCODEC_BYTESTREAM_H #include + #include "libavutil/common.h" #include "libavutil/intreadwrite.h" 
@@ -36,46 +37,52 @@ typedef struct { int eof; } PutByteContext; -#define DEF_T(type, name, bytes, read, write) \ -static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\ - (*b) += bytes;\ - return read(*b - bytes);\ -}\ -static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\ - write(*b, value);\ - (*b) += bytes;\ -}\ -static av_always_inline void bytestream2_put_ ## name ## u(PutByteContext *p, const type value)\ -{\ - bytestream_put_ ## name(&p->buffer, value);\ -}\ -static av_always_inline void bytestream2_put_ ## name(PutByteContext *p, const type value){\ - if (!p->eof && (p->buffer_end - p->buffer >= bytes)) {\ - write(p->buffer, value);\ - p->buffer += bytes;\ - } else\ - p->eof = 1;\ -}\ -static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g)\ -{\ - return bytestream_get_ ## name(&g->buffer);\ -}\ -static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\ -{\ - if (g->buffer_end - g->buffer < bytes)\ - return 0;\ - return bytestream2_get_ ## name ## u(g);\ -}\ -static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\ -{\ - if (g->buffer_end - g->buffer < bytes)\ - return 0;\ - return read(g->buffer);\ +#define DEF_T(type, name, bytes, read, write) \ +static av_always_inline type bytestream_get_ ## name(const uint8_t **b) \ +{ \ + (*b) += bytes; \ + return read(*b - bytes); \ +} \ +static av_always_inline void bytestream_put_ ## name(uint8_t **b, \ + const type value) \ +{ \ + write(*b, value); \ + (*b) += bytes; \ +} \ +static av_always_inline void bytestream2_put_ ## name ## u(PutByteContext *p, \ + const type value) \ +{ \ + bytestream_put_ ## name(&p->buffer, value); \ +} \ +static av_always_inline void bytestream2_put_ ## name(PutByteContext *p, \ + const type value) \ +{ \ + if (!p->eof && (p->buffer_end - p->buffer >= bytes)) { \ + write(p->buffer, value); \ + p->buffer += bytes; \ + } else \ + p->eof = 1; \ +} \ +static av_always_inline type 
bytestream2_get_ ## name ## u(GetByteContext *g) \ +{ \ + return bytestream_get_ ## name(&g->buffer); \ +} \ +static av_always_inline type bytestream2_get_ ## name(GetByteContext *g) \ +{ \ + if (g->buffer_end - g->buffer < bytes) \ + return 0; \ + return bytestream2_get_ ## name ## u(g); \ +} \ +static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g) \ +{ \ + if (g->buffer_end - g->buffer < bytes) \ + return 0; \ + return read(g->buffer); \ } -#define DEF(name, bytes, read, write) \ +#define DEF(name, bytes, read, write) \ DEF_T(unsigned int, name, bytes, read, write) -#define DEF64(name, bytes, read, write) \ +#define DEF64(name, bytes, read, write) \ DEF_T(uint64_t, name, bytes, read, write) DEF64(le64, 8, AV_RL64, AV_WL64) @@ -129,15 +136,17 @@ DEF (byte, 1, AV_RB8 , AV_WB8 ) #endif static av_always_inline void bytestream2_init(GetByteContext *g, - const uint8_t *buf, int buf_size) + const uint8_t *buf, + int buf_size) { - g->buffer = buf; + g->buffer = buf; g->buffer_start = buf; - g->buffer_end = buf + buf_size; + g->buffer_end = buf + buf_size; } static av_always_inline void bytestream2_init_writer(PutByteContext *p, - uint8_t *buf, int buf_size) + uint8_t *buf, + int buf_size) { p->buffer = buf; p->buffer_start = buf; 
@@ -183,21 +192,22 @@ static av_always_inline int bytestream2_tell_p(PutByteContext *p) return (int)(p->buffer - p->buffer_start); } -static av_always_inline int bytestream2_seek(GetByteContext *g, int offset, +static av_always_inline int bytestream2_seek(GetByteContext *g, + int offset, int whence) { switch (whence) { case SEEK_CUR: - offset = av_clip(offset, -(g->buffer - g->buffer_start), - g->buffer_end - g->buffer); + offset = av_clip(offset, -(g->buffer - g->buffer_start), + g->buffer_end - g->buffer); g->buffer += offset; break; case SEEK_END: - offset = av_clip(offset, -(g->buffer_end - g->buffer_start), 0); + offset = av_clip(offset, -(g->buffer_end - g->buffer_start), 0); g->buffer = g->buffer_end + offset; break; case SEEK_SET: - offset = av_clip(offset, 0, g->buffer_end - g->buffer_start); + offset = av_clip(offset, 0, g->buffer_end - g->buffer_start); g->buffer = g->buffer_start + offset; break; default: @@ -206,7 +216,8 @@ static av_always_inline int bytestream2_seek(GetByteContext *g, int offset, return bytestream2_tell(g); } -static av_always_inline int bytestream2_seek_p(PutByteContext *p, int offset, +static av_always_inline int bytestream2_seek_p(PutByteContext *p, + int offset, int whence) { p->eof = 0; 
@@ -214,20 +225,20 @@ static av_always_inline int bytestream2_seek_p(PutByteContext *p, int offset, case SEEK_CUR: if (p->buffer_end - p->buffer < offset) p->eof = 1; - offset = av_clip(offset, -(p->buffer - p->buffer_start), - p->buffer_end - p->buffer); + offset = av_clip(offset, -(p->buffer - p->buffer_start), + p->buffer_end - p->buffer); p->buffer += offset; break; case SEEK_END: if (offset > 0) p->eof = 1; - offset = av_clip(offset, -(p->buffer_end - p->buffer_start), 0); + offset = av_clip(offset, -(p->buffer_end - p->buffer_start), 0); p->buffer = p->buffer_end + offset; break; case SEEK_SET: if (p->buffer_end - p->buffer_start < offset) p->eof = 1; - offset = av_clip(offset, 0, p->buffer_end - p->buffer_start); + offset = av_clip(offset, 0, p->buffer_end - p->buffer_start); p->buffer = p->buffer_start + offset; break; default: @@ -280,14 +291,18 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p) return p->eof; } -static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size) +static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, + uint8_t *dst, + unsigned int size) { memcpy(dst, *b, size); (*b) += size; return size; } -static av_always_inline void bytestream_put_buffer(uint8_t **b, const uint8_t *src, unsigned int size) +static av_always_inline void bytestream_put_buffer(uint8_t **b, + const uint8_t *src, + unsigned int size) { memcpy(*b, src, size); (*b) += size; From 9e24f2a1f06bd902505ddf8860e69b120d39654d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 13 Mar 2012 14:14:59 +0000 Subject: [PATCH 199/991] bytestream: add more unchecked variants for bytestream2 API Signed-off-by: Paul B Mahol Signed-off-by: Ronald S. Bultje (cherry picked from commit f1ce053cd0e0d7dc67fa61f32bcd8b6ee5e5c490) Signed-off-by: Reinhard Tartler --- libavcodec/bytestream.h | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) 
diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 4d686e550a..68146200ae 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -170,6 +170,12 @@ static av_always_inline void bytestream2_skip(GetByteContext *g, g->buffer += FFMIN(g->buffer_end - g->buffer, size); } +static av_always_inline void bytestream2_skipu(GetByteContext *g, + unsigned int size) +{ + g->buffer += size; +} + static av_always_inline void bytestream2_skip_p(PutByteContext *p, unsigned int size) { @@ -257,6 +263,15 @@ static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g, return size2; } +static av_always_inline unsigned int bytestream2_get_bufferu(GetByteContext *g, + uint8_t *dst, + unsigned int size) +{ + memcpy(dst, g->buffer, size); + g->buffer += size; + return size; +} + static av_always_inline unsigned int bytestream2_put_buffer(PutByteContext *p, const uint8_t *src, unsigned int size) @@ -272,6 +287,15 @@ static av_always_inline unsigned int bytestream2_put_buffer(PutByteContext *p, return size2; } +static av_always_inline unsigned int bytestream2_put_bufferu(PutByteContext *p, + const uint8_t *src, + unsigned int size) +{ + memcpy(p->buffer, src, size); + p->buffer += size; + return size; +} + static av_always_inline void bytestream2_set_buffer(PutByteContext *p, const uint8_t c, unsigned int size) @@ -286,6 +310,14 @@ static av_always_inline void bytestream2_set_buffer(PutByteContext *p, p->buffer += size2; } +static av_always_inline void bytestream2_set_bufferu(PutByteContext *p, + const uint8_t c, + unsigned int size) +{ + memset(p->buffer, c, size); + p->buffer += size; +} + static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p) { return p->eof; From f8f6c14f540112be012b15261e84577fc9a4644f Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Thu, 22 Mar 2012 17:25:22 -0700 Subject: [PATCH 200/991] utvideo: port header reading to bytestream2. Fixes crash during slice size reading if slice_end goes negative. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ec0ed97b046d46421db72c4911d2bbe28bbe5741) Signed-off-by: Reinhard Tartler --- libavcodec/utvideo.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/libavcodec/utvideo.c b/libavcodec/utvideo.c index 89854c277c..7fe024d214 100644 --- a/libavcodec/utvideo.c +++ b/libavcodec/utvideo.c @@ -358,13 +358,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; - const uint8_t *buf_end = buf + buf_size; UtvideoContext *c = avctx->priv_data; - const uint8_t *ptr; int i, j; const uint8_t *plane_start[5]; int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size; int ret; + GetByteContext gb; if (c->pic.data[0]) ff_thread_release_buffer(avctx, &c->pic); 
@@ -379,20 +378,21 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac ff_thread_finish_setup(avctx); /* parse plane structure to retrieve frame flags and validate slice offsets */ - ptr = buf; + bytestream2_init(&gb, buf, buf_size); for (i = 0; i < c->planes; i++) { - plane_start[i] = ptr; - if (buf_end - ptr < 256 + 4 * c->slices) { + plane_start[i] = gb.buffer; + if (bytestream2_get_bytes_left(&gb) < 256 + 4 * c->slices) { av_log(avctx, AV_LOG_ERROR, "Insufficient data for a plane\n"); return AVERROR_INVALIDDATA; } - ptr += 256; + bytestream2_skipu(&gb, 256); slice_start = 0; slice_end = 0; for (j = 0; j < c->slices; j++) { - slice_end = bytestream_get_le32(&ptr); + slice_end = bytestream2_get_le32u(&gb); slice_size = slice_end - slice_start; - if (slice_size < 0) { + if (slice_end <= 0 || slice_size <= 0 || + bytestream2_get_bytes_left(&gb) < slice_end) { av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); return AVERROR_INVALIDDATA; } @@ -400,18 +400,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac max_slice_size = FFMAX(max_slice_size, slice_size); } plane_size = slice_end; - if (buf_end - ptr < plane_size) { - av_log(avctx, AV_LOG_ERROR, "Plane size is bigger than available data\n"); - return AVERROR_INVALIDDATA; - } - ptr += plane_size; + bytestream2_skipu(&gb, plane_size); } - plane_start[c->planes] = ptr; - if (buf_end - ptr < c->frame_info_size) { + plane_start[c->planes] = gb.buffer; + if (bytestream2_get_bytes_left(&gb) < c->frame_info_size) { av_log(avctx, AV_LOG_ERROR, "Not enough data for frame information\n"); return AVERROR_INVALIDDATA; } - c->frame_info = AV_RL32(ptr); + c->frame_info = bytestream2_get_le32u(&gb); av_log(avctx, AV_LOG_DEBUG, "frame information flags %X\n", c->frame_info); c->frame_pred = (c->frame_info >> 8) & 3; From 583f57f04a6cc6484466dc4403953af95192f5f4 Mon Sep 17 00:00:00 2001 
From: Mashiat Sarker Shakkhar Date: Sat, 24 Mar 2012 15:49:34 -0700 Subject: [PATCH 201/991] vc1: Do not read from array if index is invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje (cherry picked from commit 95b192de5d05f3e1542e7b2378cdefbc195f5185) Signed-off-by: Reinhard Tartler --- libavcodec/vc1.c | 2 +- libavcodec/vc1data.c | 2 +- libavcodec/vc1data.h | 2 +- libavcodec/vc1dec.c | 22 +++++++++++++++++++--- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index d728f9beb4..a1c3f07cdf 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -492,7 +492,7 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) int nr, dr; nr = get_bits(gb, 8); dr = get_bits(gb, 4); - if (nr && nr < 8 && dr && dr < 3) { + if (nr > 0 && nr < 8 && dr > 0 && dr < 3) { v->s.avctx->time_base.num = ff_vc1_fps_dr[dr - 1]; v->s.avctx->time_base.den = ff_vc1_fps_nr[nr - 1] * 1000; } diff --git a/libavcodec/vc1data.c b/libavcodec/vc1data.c index 69d71ad954..e1e2cbf6f5 100644 --- a/libavcodec/vc1data.c +++ b/libavcodec/vc1data.c @@ -84,7 +84,7 @@ const uint8_t ff_vc1_mbmode_intfrp[2][15][4] = { } }; -const int ff_vc1_fps_nr[5] = { 24, 25, 30, 50, 60 }, +const int ff_vc1_fps_nr[7] = { 24, 25, 30, 50, 60, 48, 72 }, ff_vc1_fps_dr[2] = { 1000, 1001 }; const uint8_t ff_vc1_pquant_table[3][32] = { /* Implicit quantizer */ diff --git a/libavcodec/vc1data.h b/libavcodec/vc1data.h index da8f0a1f40..9e4074c511 100644 --- a/libavcodec/vc1data.h +++ b/libavcodec/vc1data.h @@ -41,7 +41,7 @@ extern const int ff_vc1_ttfrm_to_tt[4]; extern const uint8_t ff_vc1_mv_pmode_table[2][5]; extern const uint8_t ff_vc1_mv_pmode_table2[2][4]; -extern const int ff_vc1_fps_nr[5], ff_vc1_fps_dr[2]; +extern const int ff_vc1_fps_nr[7], ff_vc1_fps_dr[2]; extern const uint8_t ff_vc1_pquant_table[3][32]; /* MBMODE table for interlaced frame P-picture */ 
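Review bot: the table length is now hard-coded as `7` both in `vc1data.c` and in this `extern` declaration, and the guard `nr < 8` in `decode_sequence_header_adv` has to be kept in step with it by hand. Deriving the bound from the array size (or a shared constant) would keep the index `nr - 1` from drifting past the table again. Also, for a value read with `get_bits(gb, 8)` the change from `nr &&` to `nr > 0` does not alter behaviour, so growing `ff_vc1_fps_nr` is the actual fix for the out-of-range read.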
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3e84464135..3d1abc71a5 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -2512,6 +2512,7 @@ static inline int vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, int16_t *dc_val; int mb_pos = s->mb_x + s->mb_y * s->mb_stride; int q1, q2 = 0; + int dqscale_index; wrap = s->block_wrap[n]; dc_val = s->dc_val[0] + s->block_index[n]; @@ -2524,15 +2525,18 @@ static inline int vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, a = dc_val[ - wrap]; /* scale predictors if needed */ q1 = s->current_picture.f.qscale_table[mb_pos]; + dqscale_index = s->y_dc_scale_table[q1] - 1; + if (dqscale_index < 0) + return 0; if (c_avail && (n != 1 && n != 3)) { q2 = s->current_picture.f.qscale_table[mb_pos - 1]; if (q2 && q2 != q1) - c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[s->y_dc_scale_table[q1] - 1] + 0x20000) >> 18; + c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && (n != 2 && n != 3)) { q2 = s->current_picture.f.qscale_table[mb_pos - s->mb_stride]; if (q2 && q2 != q1) - a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[s->y_dc_scale_table[q1] - 1] + 0x20000) >> 18; + a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail && (n != 3)) { int off = mb_pos; @@ -2542,7 +2546,7 @@ static inline int vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, off -= s->mb_stride; q2 = s->current_picture.f.qscale_table[off]; if (q2 && q2 != q1) - b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[s->y_dc_scale_table[q1] - 1] + 0x20000) >> 18; + b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail) { 
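Review bot: `dqscale_index` is validated only against the lower bound (`dqscale_index < 0`) before it indexes `ff_vc1_dqscale[]` in the three scaling expressions for `c`, `a` and `b`, including the one in this hunk; if `s->y_dc_scale_table[q1]` can exceed the length of `ff_vc1_dqscale`, an upper-bound check is needed as well. The early `return 0` also hands the caller a valid-looking DC prediction rather than an error, unlike the `AVERROR_INVALIDDATA` returns this patch adds for the equivalent condition in `vc1_decode_i_block_adv` and `vc1_decode_intra_block`. A short comment explaining why 0 is acceptable in `vc1_pred_dc` would help.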
@@ -2959,6 +2963,8 @@ static int vc1_decode_i_block_adv(VC1Context *v, DCTELEM block[64], int n, q1 = q1 * 2 + ((q1 == v->pq) ? v->halfpq : 0) - 1; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; + if (q1 < 1) + return AVERROR_INVALIDDATA; if (dc_pred_dir) { // left for (k = 1; k < 8; k++) block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; @@ -3001,6 +3007,8 @@ static int vc1_decode_i_block_adv(VC1Context *v, DCTELEM block[64], int n, if (q2 && q1 != q2) { q1 = q1 * 2 + ((q1 == v->pq) ? v->halfpq : 0) - 1; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; + if (q1 < 1) + return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } @@ -3011,6 +3019,8 @@ static int vc1_decode_i_block_adv(VC1Context *v, DCTELEM block[64], int n, if (q2 && q1 != q2) { q1 = q1 * 2 + ((q1 == v->pq) ? v->halfpq : 0) - 1; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; + if (q1 < 1) + return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } @@ -3169,6 +3179,8 @@ static int vc1_decode_intra_block(VC1Context *v, DCTELEM block[64], int n, q1 = q1 * 2 + ((q1 == v->pq) ? v->halfpq : 0) - 1; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; + if (q1 < 1) + return AVERROR_INVALIDDATA; if (dc_pred_dir) { // left for (k = 1; k < 8; k++) block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; @@ -3211,6 +3223,8 @@ static int vc1_decode_intra_block(VC1Context *v, DCTELEM block[64], int n, if (q2 && q1 != q2) { q1 = q1 * 2 + ((q1 == v->pq) ? v->halfpq : 0) - 1; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; + if (q1 < 1) + return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } 
@@ -3221,6 +3235,8 @@ static int vc1_decode_intra_block(VC1Context *v, DCTELEM block[64], int n, if (q2 && q1 != q2) { q1 = q1 * 2 + ((q1 == v->pq) ? v->halfpq : 0) - 1; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; + if (q1 < 1) + return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } From 29d91e9161156f4d0df42279de1b6d7c296133f6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 26 Mar 2012 18:02:08 -0700 Subject: [PATCH 202/991] raw: forward avpicture_fill() error code in raw_decode(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 98df2e24141cd00a557ef10ed7af2b956200cd80) Signed-off-by: Reinhard Tartler --- libavcodec/rawdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 83b2a216b5..c0508d8434 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -119,6 +119,7 @@ static int raw_decode(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; RawVideoContext *context = avctx->priv_data; + int res; AVFrame * frame = (AVFrame *) data; AVPicture * picture = (AVPicture *) data; @@ -156,7 +157,9 @@ static int raw_decode(AVCodecContext *avctx, avctx->codec_tag == MKTAG('A', 'V', 'u', 'p')) buf += buf_size - context->length; - avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height); + if ((res = avpicture_fill(picture, buf, avctx->pix_fmt, + avctx->width, avctx->height)) < 0) + return res; if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) || (avctx->pix_fmt!=PIX_FMT_PAL8 && (av_pix_fmt_descriptors[avctx->pix_fmt].flags & PIX_FMT_PAL))){ From d6372e80fe5b9fc243632926fe023bc47ae5cca1 Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Tue, 27 Mar 2012 12:26:46 -0700 Subject: [PATCH 203/991] lagarith: fix buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9) Signed-off-by: Reinhard Tartler --- libavcodec/lagarith.c | 74 +++++++++++++++++++++++++++------------- libavcodec/lagarithrac.c | 5 +-- 2 files changed, 54 insertions(+), 25 deletions(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 757873ead3..6828ba8230 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -247,24 +247,26 @@ static void lag_pred_line(LagarithContext *l, uint8_t *buf, { int L, TL; - /* Left pixel is actually prev_row[width] */ - L = buf[width - stride - 1]; if (!line) { /* Left prediction only for first line */ L = l->dsp.add_hfyu_left_prediction(buf + 1, buf + 1, width - 1, buf[0]); - return; - } else if (line == 1) { - /* Second line, left predict first pixel, the rest of the line is median predicted - * NOTE: In the case of RGB this pixel is top predicted */ - TL = l->avctx->pix_fmt == PIX_FMT_YUV420P ? buf[-stride] : L; } else { - /* Top left is 2 rows back, last pixel */ - TL = buf[width - (2 * stride) - 1]; - } + /* Left pixel is actually prev_row[width] */ + L = buf[width - stride - 1]; - add_lag_median_prediction(buf, buf - stride, buf, - width, &L, &TL); + if (line == 1) { + /* Second line, left predict first pixel, the rest of the line is median predicted + * NOTE: In the case of RGB this pixel is top predicted */ + TL = l->avctx->pix_fmt == PIX_FMT_YUV420P ? buf[-stride] : L; + } else { + /* Top left is 2 rows back, last pixel */ + TL = buf[width - (2 * stride) - 1]; + } + + add_lag_median_prediction(buf, buf - stride, buf, + width, &L, &TL); + } } static int lag_decode_line(LagarithContext *l, lag_rac *rac, 
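Review bot: in the `!line` branch the result of `add_hfyu_left_prediction()` is still assigned to `L`, but nothing reads `L` on that path, so the assignment is dead and can be dropped. It would also help to add a one-line comment at the `else` saying that `buf[width - stride - 1]` and `buf[-stride]` are only valid when a previous row exists, since that is the reason the read of `L` was moved out of the unconditional path.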
@@ -310,13 +312,13 @@ handle_zeros: } static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, - const uint8_t *src, int width, - int esc_count) + const uint8_t *src, const uint8_t *src_end, + int width, int esc_count) { int i = 0; int count; uint8_t zero_run = 0; - const uint8_t *start = src; + const uint8_t *src_start = src; uint8_t mask1 = -(esc_count < 2); uint8_t mask2 = -(esc_count < 3); uint8_t *end = dst + (width - 2); @@ -333,6 +335,8 @@ output_zeros: i = 0; while (!zero_run && dst + i < end) { i++; + if (src + i >= src_end) + return AVERROR_INVALIDDATA; zero_run = !(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2)); } @@ -348,9 +352,10 @@ output_zeros: } else { memcpy(dst, src, i); src += i; + dst += i; } } - return start - src; + return src_start - src; } @@ -366,6 +371,7 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst, int esc_count = src[0]; GetBitContext gb; lag_rac rac; + const uint8_t *src_end = src + src_size; rac.avctx = l->avctx; l->zeros = 0; @@ -396,10 +402,16 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst, esc_count -= 4; if (esc_count > 0) { /* Zero run coding only, no range coding. */ - for (i = 0; i < height; i++) - src += lag_decode_zero_run_line(l, dst + (i * stride), src, - width, esc_count); + for (i = 0; i < height; i++) { + int res = lag_decode_zero_run_line(l, dst + (i * stride), src, + src_end, width, esc_count); + if (res < 0) + return res; + src += res; + } } else { + if (src_size < width * height) + return AVERROR_INVALIDDATA; // buffer not big enough /* Plane is stored uncompressed */ for (i = 0; i < height; i++) { memcpy(dst + (i * stride), src, width); 
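Review bot: the new `if (res < 0) return res;` in the zero-run loop conflicts with what `lag_decode_zero_run_line()` returns on success. The helper ends with `return src_start - src;`, and once `src` has been advanced (`src += i`) that difference is negative, so a line that consumed input is reported as an error here, and `src += res` would move the pointer backwards if it were reached. Returning `src - src_start` from the helper would leave negative values to mean only `AVERROR_INVALIDDATA`. Separately, the error codes this function now returns are discarded by the `lag_decode_arith_plane()` calls in `lag_decode_frame`, so a truncated plane still produces a frame.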
@@ -506,11 +518,19 @@ static int lag_decode_frame(AVCodecContext *avctx, } for (i = 0; i < planes; i++) srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; + if (offset_ry >= buf_size || + offset_gu >= buf_size || + offset_bv >= buf_size || + (planes == 4 && offs[3] >= buf_size)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid frame offsets\n"); + return AVERROR_INVALIDDATA; + } for (i = 0; i < planes; i++) lag_decode_arith_plane(l, srcs[i], avctx->width, avctx->height, -l->rgb_stride, buf + offs[i], - buf_size); + buf_size - offs[i]); dst = p->data[0]; for (i = 0; i < planes; i++) srcs[i] = l->rgb_planes + i * l->rgb_stride * avctx->height; @@ -544,15 +564,23 @@ static int lag_decode_frame(AVCodecContext *avctx, return -1; } + if (offset_ry >= buf_size || + offset_gu >= buf_size || + offset_bv >= buf_size) { + av_log(avctx, AV_LOG_ERROR, + "Invalid frame offsets\n"); + return AVERROR_INVALIDDATA; + } + lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height, p->linesize[0], buf + offset_ry, - buf_size); + buf_size - offset_ry); lag_decode_arith_plane(l, p->data[2], avctx->width / 2, avctx->height / 2, p->linesize[2], - buf + offset_gu, buf_size); + buf + offset_gu, buf_size - offset_gu); lag_decode_arith_plane(l, p->data[1], avctx->width / 2, avctx->height / 2, p->linesize[1], - buf + offset_bv, buf_size); + buf + offset_bv, buf_size - offset_bv); break; default: av_log(avctx, AV_LOG_ERROR, diff --git a/libavcodec/lagarithrac.c b/libavcodec/lagarithrac.c index ab7a60011d..f85e012c58 100644 --- a/libavcodec/lagarithrac.c +++ b/libavcodec/lagarithrac.c 
@@ -32,15 +32,16 @@ void lag_rac_init(lag_rac *l, GetBitContext *gb, int length) { - int i, j; + int i, j, left; /* According to reference decoder "1st byte is garbage", * however, it gets skipped by the call to align_get_bits() */ align_get_bits(gb); + left = get_bits_left(gb) >> 3; l->bytestream_start = l->bytestream = gb->buffer + get_bits_count(gb) / 8; - l->bytestream_end = l->bytestream_start + length; + l->bytestream_end = l->bytestream_start + FFMIN(length, left); l->range = 0x80; l->low = *l->bytestream >> 1; From e711ccee4d6b4e9b81ea3b12fdbec293a836e7da Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 28 Mar 2012 11:53:13 -0700 Subject: [PATCH 204/991] truemotion2: convert packet header reading to bytestream2. Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd508d435b94584db460c684e30ea7ce180cf50f) Signed-off-by: Reinhard Tartler --- libavcodec/truemotion2.c | 54 +++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 23 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 29d2e4d057..e16fef79d2 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -25,6 +25,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #include "get_bits.h" #include "dsputil.h" @@ -248,13 +249,14 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) { static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size) { int i; - int cur = 0; int skip = 0; - int len, toks; + int len, toks, pos; TM2Codes codes; + GetByteContext gb; /* get stream length in dwords */ - len = AV_RB32(buf); buf += 4; cur += 4; + bytestream2_init(&gb, buf, buf_size); + len = bytestream2_get_be32(&gb); skip = len * 4 + 4; if(len == 0) 
@@ -265,36 +267,37 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i return -1; } - toks = AV_RB32(buf); buf += 4; cur += 4; + toks = bytestream2_get_be32(&gb); if(toks & 1) { - len = AV_RB32(buf); buf += 4; cur += 4; + len = bytestream2_get_be32(&gb); if(len == TM2_ESCAPE) { - len = AV_RB32(buf); buf += 4; cur += 4; + len = bytestream2_get_be32(&gb); } if(len > 0) { - if (skip <= cur) + pos = bytestream2_tell(&gb); + if (skip <= pos) return -1; - init_get_bits(&ctx->gb, buf, (skip - cur) * 8); + init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); if(tm2_read_deltas(ctx, stream_id) == -1) return -1; - buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; - cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; + bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2); } } /* skip unused fields */ - if(AV_RB32(buf) == TM2_ESCAPE) { - buf += 4; cur += 4; /* some unknown length - could be escaped too */ + len = bytestream2_get_be32(&gb); + if(len == TM2_ESCAPE) { /* some unknown length - could be escaped too */ + bytestream2_skip(&gb, 8); /* unused by decoder */ + } else { + bytestream2_skip(&gb, 4); /* unused by decoder */ } - buf += 4; cur += 4; - buf += 4; cur += 4; /* unused by decoder */ - if (skip <= cur) + pos = bytestream2_tell(&gb); + if (skip <= pos) return -1; - init_get_bits(&ctx->gb, buf, (skip - cur) * 8); + init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); if(tm2_build_huff_table(ctx, &codes) == -1) return -1; - buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; - cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2; + bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2); toks >>= 1; /* check if we have sane number of tokens */ 
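Review bot: Both `init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8)` calls in this hunk size the bit reader from `skip`, which comes from the stream's own length field, and the only guard shown is `if (skip <= pos) return -1;`. Nothing in the visible lines compares `skip` with `buf_size`, so a length field larger than the data actually passed in would still set up the bit reader past the end of `buf`. Since `gb` was initialised with `buf_size`, bounding the reader the same way, for example by rejecting `skip > buf_size` before the first read or by using `FFMIN(skip, buf_size) - pos`, would tie both readers to one limit.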
@@ -305,11 +308,12 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i } ctx->tokens[stream_id] = av_realloc(ctx->tokens[stream_id], toks * sizeof(int)); ctx->tok_lens[stream_id] = toks; - len = AV_RB32(buf); buf += 4; cur += 4; + len = bytestream2_get_be32(&gb); if(len > 0) { - if (skip <= cur) + pos = bytestream2_tell(&gb); + if (skip <= pos) return -1; - init_get_bits(&ctx->gb, buf, (skip - cur) * 8); + init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); for(i = 0; i < toks; i++) { if (get_bits_left(&ctx->gb) <= 0) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks); @@ -762,7 +766,7 @@ static int decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + int buf_size = avpkt->size & ~3; TM2Context * const l = avctx->priv_data; AVFrame * const p= (AVFrame*)&l->pic; int i, skip, t; @@ -790,7 +794,11 @@ static int decode_frame(AVCodecContext *avctx, } for(i = 0; i < TM2_NUM_STREAMS; i++){ - t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size); + if (skip >= buf_size) { + av_free(swbuf); + return AVERROR_INVALIDDATA; + } + t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip); if(t == -1){ av_free(swbuf); return -1; From 562c6a7bf129f0c8c49ad6bacc9674a9d2daa5ec Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 28 Mar 2012 17:06:00 -0700 Subject: [PATCH 205/991] lzw: prevent buffer overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ddcf67c8a51c67b122a826d8b5819e96d591d813) Signed-off-by: Reinhard Tartler --- libavcodec/lzw.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c index 873b31445b..b674d4e296 100644 --- a/libavcodec/lzw.c +++ b/libavcodec/lzw.c 
@@ -101,9 +101,14 @@ void ff_lzw_decode_tail(LZWState *p) struct LZWState *s = (struct LZWState *)p; if(s->mode == FF_LZW_GIF) { - while(s->pbuf < s->ebuf && s->bs>0){ - s->pbuf += s->bs; - s->bs = *s->pbuf++; + while (s->bs > 0) { + if (s->pbuf + s->bs >= s->ebuf) { + s->pbuf = s->ebuf; + break; + } else { + s->pbuf += s->bs; + s->bs = *s->pbuf++; + } } }else s->pbuf= s->ebuf; From 46f8bbfc6d8ec609afd9166a9aecdda1388b8d07 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 09:29:03 -0700 Subject: [PATCH 206/991] truemotion2: handle out-of-frame motion vectors through edge extension. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bf39d3b59d85e5734babe48b61b8d92d18188185) Signed-off-by: Reinhard Tartler --- libavcodec/truemotion2.c | 117 ++++++++++++++++++++++++++++++--------- 1 file changed, 90 insertions(+), 27 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e16fef79d2..5ec24de8a8 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -57,7 +57,9 @@ typedef struct TM2Context{ int *clast; /* data for current and previous frame */ + int *Y1_base, *U1_base, *V1_base, *Y2_base, *U2_base, *V2_base; int *Y1, *U1, *V1, *Y2, *U2, *V2; + int y_stride, uv_stride; int cur; } TM2Context; @@ -348,9 +350,9 @@ static inline int GET_TOK(TM2Context *ctx,int type) { int *Y, *U, *V;\ int Ystride, Ustride, Vstride;\ \ - Ystride = ctx->avctx->width;\ - Vstride = (ctx->avctx->width + 1) >> 1;\ - Ustride = (ctx->avctx->width + 1) >> 1;\ + Ystride = ctx->y_stride;\ + Vstride = ctx->uv_stride;\ + Ustride = ctx->uv_stride;\ Y = (ctx->cur?ctx->Y2:ctx->Y1) + by * 4 * Ystride + bx * 4;\ V = (ctx->cur?ctx->V2:ctx->V1) + by * 2 * Vstride + bx * 2;\ U = (ctx->cur?ctx->U2:ctx->U1) + by * 2 * Ustride + bx * 2;\ 
@@ -638,6 +640,8 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b mx = GET_TOK(ctx, TM2_MOT); my = GET_TOK(ctx, TM2_MOT); + mx = av_clip(mx, -(bx * 4 + 4), ctx->avctx->width - bx * 4); + my = av_clip(my, -(by * 4 + 4), ctx->avctx->height - by * 4); Yo += my * oYstride + mx; Uo += (my >> 1) * oUstride + (mx >> 1); @@ -678,15 +682,12 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) { int i, j; - int bw, bh; + int w = ctx->avctx->width, h = ctx->avctx->height, bw = w >> 2, bh = h >> 2, cw = w >> 1; int type; int keyframe = 1; int *Y, *U, *V; uint8_t *dst; - bw = ctx->avctx->width >> 2; - bh = ctx->avctx->height >> 2; - for(i = 0; i < TM2_NUM_STREAMS; i++) ctx->tok_ptrs[i] = 0; 
@@ -739,17 +740,54 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) U = (ctx->cur?ctx->U2:ctx->U1); V = (ctx->cur?ctx->V2:ctx->V1); dst = p->data[0]; - for(j = 0; j < ctx->avctx->height; j++){ - for(i = 0; i < ctx->avctx->width; i++){ + for(j = 0; j < h; j++){ + for(i = 0; i < w; i++){ int y = Y[i], u = U[i >> 1], v = V[i >> 1]; dst[3*i+0] = av_clip_uint8(y + v); dst[3*i+1] = av_clip_uint8(y); dst[3*i+2] = av_clip_uint8(y + u); } - Y += ctx->avctx->width; + + /* horizontal edge extension */ + Y[-4] = Y[-3] = Y[-2] = Y[-1] = Y[0]; + Y[w + 3] = Y[w + 2] = Y[w + 1] = Y[w] = Y[w - 1]; + + /* vertical edge extension */ + if (j == 0) { + memcpy(Y - 4 - 1 * ctx->y_stride, Y - 4, ctx->y_stride); + memcpy(Y - 4 - 2 * ctx->y_stride, Y - 4, ctx->y_stride); + memcpy(Y - 4 - 3 * ctx->y_stride, Y - 4, ctx->y_stride); + memcpy(Y - 4 - 4 * ctx->y_stride, Y - 4, ctx->y_stride); + } else if (j == h - 1) { + memcpy(Y - 4 + 1 * ctx->y_stride, Y - 4, ctx->y_stride); + memcpy(Y - 4 + 2 * ctx->y_stride, Y - 4, ctx->y_stride); + memcpy(Y - 4 + 3 * ctx->y_stride, Y - 4, ctx->y_stride); + memcpy(Y - 4 + 4 * ctx->y_stride, Y - 4, ctx->y_stride); + } + + Y += ctx->y_stride; if (j & 1) { - U += ctx->avctx->width >> 1; - V += ctx->avctx->width >> 1; + /* horizontal edge extension */ + U[-2] = U[-1] = U[0]; + V[-2] = V[-1] = V[0]; + U[cw + 1] = U[cw] = U[cw - 1]; + V[cw + 1] = V[cw] = V[cw - 1]; + + /* vertical edge extension */ + if (j == 1) { + memcpy(U - 2 - 1 * ctx->uv_stride, U - 2, ctx->uv_stride); + memcpy(V - 2 - 1 * ctx->uv_stride, V - 2, ctx->uv_stride); + memcpy(U - 2 - 2 * ctx->uv_stride, U - 2, ctx->uv_stride); + memcpy(V - 2 - 2 * ctx->uv_stride, V - 2, ctx->uv_stride); + } else if (j == h - 1) { + memcpy(U - 2 + 1 * ctx->uv_stride, U - 2, ctx->uv_stride); + memcpy(V - 2 + 1 * ctx->uv_stride, V - 2, ctx->uv_stride); + memcpy(U - 2 + 2 * ctx->uv_stride, U - 2, ctx->uv_stride); + memcpy(V - 2 + 2 * ctx->uv_stride, V - 2, ctx->uv_stride); + } + + U += ctx->uv_stride; + V 
+= ctx->uv_stride; } dst += p->linesize[0]; } @@ -821,7 +859,7 @@ static int decode_frame(AVCodecContext *avctx, static av_cold int decode_init(AVCodecContext *avctx){ TM2Context * const l = avctx->priv_data; - int i; + int i, w = avctx->width, h = avctx->height; if((avctx->width & 3) || (avctx->height & 3)){ av_log(avctx, AV_LOG_ERROR, "Width and height must be multiple of 4\n"); 
@@ -834,21 +872,46 @@ static av_cold int decode_init(AVCodecContext *avctx){ dsputil_init(&l->dsp, avctx); - l->last = av_malloc(4 * sizeof(int) * (avctx->width >> 2)); - l->clast = av_malloc(4 * sizeof(int) * (avctx->width >> 2)); + l->last = av_malloc(4 * sizeof(*l->last) * (w >> 2)); + l->clast = av_malloc(4 * sizeof(*l->clast) * (w >> 2)); for(i = 0; i < TM2_NUM_STREAMS; i++) { l->tokens[i] = NULL; l->tok_lens[i] = 0; } - l->Y1 = av_malloc(sizeof(int) * avctx->width * avctx->height); - l->U1 = av_malloc(sizeof(int) * ((avctx->width + 1) >> 1) * ((avctx->height + 1) >> 1)); - l->V1 = av_malloc(sizeof(int) * ((avctx->width + 1) >> 1) * ((avctx->height + 1) >> 1)); - l->Y2 = av_malloc(sizeof(int) * avctx->width * avctx->height); - l->U2 = av_malloc(sizeof(int) * ((avctx->width + 1) >> 1) * ((avctx->height + 1) >> 1)); - l->V2 = av_malloc(sizeof(int) * ((avctx->width + 1) >> 1) * ((avctx->height + 1) >> 1)); + w += 8; + h += 8; + l->Y1_base = av_malloc(sizeof(*l->Y1_base) * w * h); + l->Y2_base = av_malloc(sizeof(*l->Y2_base) * w * h); + l->y_stride = w; + w = (w + 1) >> 1; + h = (h + 1) >> 1; + l->U1_base = av_malloc(sizeof(*l->U1_base) * w * h); + l->V1_base = av_malloc(sizeof(*l->V1_base) * w * h); + l->U2_base = av_malloc(sizeof(*l->U2_base) * w * h); + l->V2_base = av_malloc(sizeof(*l->V1_base) * w * h); + l->uv_stride = w; l->cur = 0; + if (!l->Y1_base || !l->Y2_base || !l->U1_base || + !l->V1_base || !l->U2_base || !l->V2_base || + !l->last || !l->clast) { + av_freep(l->Y1_base); + av_freep(l->Y2_base); + av_freep(l->U1_base); + av_freep(l->U2_base); + av_freep(l->V1_base); + av_freep(l->V2_base); + av_freep(l->last); + av_freep(l->clast); + return AVERROR(ENOMEM); + } + l->Y1 = l->Y1_base + l->y_stride * 4 + 4; + l->Y2 = l->Y2_base + l->y_stride * 4 + 4; + l->U1 = l->U1_base + l->uv_stride * 2 + 2; + l->U2 = l->U2_base + l->uv_stride * 2 + 2; + l->V1 = l->V1_base + l->uv_stride * 2 + 2; + l->V2 = l->V2_base + l->uv_stride * 2 + 2; return 0; } 
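Review bot: In the new allocation-failure path of decode_init(), `av_freep(l->Y1_base);` and the seven calls after it pass the buffer pointer itself, but av_freep() takes the address of the pointer, so these should read `av_freep(&l->Y1_base);` and so on. As written, each call reads the first bytes of an uninitialised plane as the pointer to free, and for the allocation that failed it dereferences NULL. Two smaller points in the same hunk: `l->V2_base = av_malloc(sizeof(*l->V1_base) * w * h);` should use `*l->V2_base`, and the padded `w * h` is multiplied as `int` with no overflow check visible here, so a dimension check before the allocations would be worth adding.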
@@ -863,12 +926,12 @@ static av_cold int decode_end(AVCodecContext *avctx){ for(i = 0; i < TM2_NUM_STREAMS; i++) av_free(l->tokens[i]); if(l->Y1){ - av_free(l->Y1); - av_free(l->U1); - av_free(l->V1); - av_free(l->Y2); - av_free(l->U2); - av_free(l->V2); + av_free(l->Y1_base); + av_free(l->U1_base); + av_free(l->V1_base); + av_free(l->Y2_base); + av_free(l->U2_base); + av_free(l->V2_base); } if (pic->data[0]) From a08cb950b25d31ecc9c083dc8f70b30ec3c70cc9 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 28 Mar 2012 12:56:07 -0700 Subject: [PATCH 207/991] mov: don't overwrite existing indexes. Prevents all kind of badness if files contain multiple indexes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c5270695c1..f6be6a88bc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1699,6 +1699,7 @@ static void mov_build_index(MOVContext *mov, AVStream *st) unsigned int stps_index = 0; unsigned int i, j; uint64_t stream_size = 0; + AVIndexEntry *mem; /* adjust first dts according to edit list */ if (sc->time_offset && mov->time_scale > 0) { 
@@ -1727,12 +1728,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (!sc->sample_count) return; - if (sc->sample_count >= UINT_MAX / sizeof(*st->index_entries)) + if (sc->sample_count >= UINT_MAX / sizeof(*st->index_entries) - st->nb_index_entries) return; - st->index_entries = av_malloc(sc->sample_count*sizeof(*st->index_entries)); - if (!st->index_entries) + mem = av_realloc(st->index_entries, (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries)); + if (!mem) return; - st->index_entries_allocated_size = sc->sample_count*sizeof(*st->index_entries); + st->index_entries = mem; + st->index_entries_allocated_size = (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries); for (i = 0; i < sc->chunk_count; i++) { current_offset = sc->chunk_offsets[i]; @@ -1815,12 +1817,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } av_dlog(mov->fc, "chunk count %d\n", total); - if (total >= UINT_MAX / sizeof(*st->index_entries)) + if (total >= UINT_MAX / sizeof(*st->index_entries) - st->nb_index_entries) return; - st->index_entries = av_malloc(total*sizeof(*st->index_entries)); - if (!st->index_entries) + mem = av_realloc(st->index_entries, (st->nb_index_entries + total) * sizeof(*st->index_entries)); + if (!mem) return; - st->index_entries_allocated_size = total*sizeof(*st->index_entries); + st->index_entries = mem; + st->index_entries_allocated_size = (st->nb_index_entries + total) * sizeof(*st->index_entries); // populate index for (i = 0; i < sc->chunk_count; i++) { From be424d86a85af1d86d2a4d1bc3fede3d6078f796 Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 10:25:04 -0700 Subject: [PATCH 208/991] truemotion: forbid invalid VLC bitsizes and token values. SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid values larger than this in get_vlc2() (max_bits). tokens[][] can be used as an index in deltas[], which has a size of 64, so ensure the values are smaller than that. This prevents crashes on corrupt bitstreams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b) Signed-off-by: Reinhard Tartler --- libavcodec/truemotion2.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 5ec24de8a8..81dc84a7af 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -130,7 +130,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) /* check for correct codes parameters */ if((huff.val_bits < 1) || (huff.val_bits > 32) || - (huff.max_bits < 0) || (huff.max_bits > 32)) { + (huff.max_bits < 0) || (huff.max_bits > 25)) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect tree parameters - literal length: %i, max code length: %i\n", huff.val_bits, huff.max_bits); return -1; 
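Review bot: The new upper bound `huff.max_bits > 25` in tm2_build_huff_table() is a bare literal whose reason (the SHOW_UBITS() limit that get_vlc2() depends on) is given only in the commit message. A one-line comment or a named constant next to the check would keep the two from drifting apart, and it should say why the neighbouring `huff.val_bits > 32` bound does not need the same limit. The `return -1;` on this path could also become AVERROR_INVALIDDATA, matching the error paths this patch adds in tm2_read_stream() now that decode_frame() propagates the return value.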
@@ -322,10 +322,21 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i return -1; } ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes); + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", + ctx->tokens[stream_id][i], stream_id, i); + return AVERROR_INVALIDDATA; + } } } else { - for(i = 0; i < toks; i++) + for(i = 0; i < toks; i++) { ctx->tokens[stream_id][i] = codes.recode[0]; + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", + ctx->tokens[stream_id][i], stream_id, i); + return AVERROR_INVALIDDATA; + } + } } tm2_free_codes(&codes); @@ -837,9 +848,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip); - if(t == -1){ + if(t < 0){ av_free(swbuf); - return -1; + return t; } skip += t; } From e8050f313e7e3e1893155f878475872c4cc3a6e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Mar 2012 17:52:21 +0000 Subject: [PATCH 209/991] apedec: check bits <= 32. Fixes a floating-point exception further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Ronald S. Bultje Signed-off-by: Derek Buitenhuis (cherry picked from commit 420d1df2e2a857eae45fa947e16eae7494793d57) Signed-off-by: Reinhard Tartler --- libavcodec/apedec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index fa50d6178d..0abf05bd61 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
@@ -404,9 +404,12 @@ static inline int ape_decode_value(APEContext *ctx, APERice *rice) if (tmpk <= 16) x = range_decode_bits(ctx, tmpk); - else { + else if (tmpk <= 32) { x = range_decode_bits(ctx, 16); x |= (range_decode_bits(ctx, tmpk - 16) << 16); + } else { + av_log(ctx->avctx, AV_LOG_ERROR, "Too many bits: %d\n", tmpk); + return AVERROR_INVALIDDATA; } x += overflow << tmpk; } else { From 1ee1e9e43ff35c3d3f0e36c6f3f2e604179d2c73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Mar 2012 23:43:37 +0100 Subject: [PATCH 210/991] vqavideodev: Check image dimensions Fixes out of heap array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d) Independently-Found-by: Fabian Yamaguchi Fixes: CVE-2012-0947 Conflicts: libavcodec/vqavideo.c --- libavcodec/vqavideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 08d419dd73..d5182ed853 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -160,6 +160,11 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) s->codebook = av_malloc(s->codebook_size); s->next_codebook_buffer = av_malloc(s->codebook_size); + if (s->width % s->vector_width || s->height % s->vector_height) { + av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n"); + return AVERROR_INVALIDDATA; + } + /* initialize the solid-color vectors */ if (s->vector_height == 4) { codebook_index = 0xFF00 * 16; From cf5e119d4a43f230bd79125568637499ed952397 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 5 Feb 2012 19:39:13 +0000 Subject: [PATCH 211/991] tta: use skip_bits_long() Signed-off-by: Paul B Mahol Signed-off-by: Anton Khirnov (cherry picked from commit 9aff2d17533576f4ff52531e534f1319fb36a590) Signed-off-by: Reinhard Tartler --- libavcodec/tta.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
diff --git a/libavcodec/tta.c b/libavcodec/tta.c index c8daff278c..2fc1eb4336 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -191,7 +191,6 @@ static int tta_get_unary(GetBitContext *gb) static av_cold int tta_decode_init(AVCodecContext * avctx) { TTAContext *s = avctx->priv_data; - int i; s->avctx = avctx; @@ -203,7 +202,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { /* signature */ - skip_bits(&s->gb, 32); + skip_bits_long(&s->gb, 32); s->format = get_bits(&s->gb, 16); if (s->format > 2) { @@ -219,7 +218,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) s->bps = (avctx->bits_per_coded_sample + 7) / 8; avctx->sample_rate = get_bits_long(&s->gb, 32); s->data_length = get_bits_long(&s->gb, 32); - skip_bits(&s->gb, 32); // CRC32 of header + skip_bits_long(&s->gb, 32); // CRC32 of header if (s->channels == 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of channels\n"); @@ -261,9 +260,8 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) s->data_length, s->frame_length, s->last_frame_length, s->total_frames); // FIXME: seek table - for (i = 0; i < s->total_frames; i++) - skip_bits(&s->gb, 32); - skip_bits(&s->gb, 32); // CRC32 of seektable + skip_bits_long(&s->gb, 32 * s->total_frames); + skip_bits_long(&s->gb, 32); // CRC32 of seektable if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){ av_log(avctx, AV_LOG_ERROR, "frame_length too large\n"); @@ -404,7 +402,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, if (get_bits_left(&s->gb) < 32) return -1; - skip_bits(&s->gb, 32); // frame crc + skip_bits_long(&s->gb, 32); // frame crc // convert to output buffer if (s->bps == 2) { From 994c0efcc76ff90a2875472119b98fb2513e6f7a Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 11 Feb 2012 21:30:30 +0000 Subject: [PATCH 212/991] ttadec: CRC checking Signed-off-by: Paul B Mahol 
Signed-off-by: Justin Ruggles (cherry picked from commit 2af3dc8698707f800f83f5fc890571a6a119866e) Signed-off-by: Reinhard Tartler --- libavcodec/tta.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 2fc1eb4336..985bf0c709 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -32,6 +32,7 @@ #include #include "avcodec.h" #include "get_bits.h" +#include "libavutil/crc.h" #define FORMAT_SIMPLE 1 #define FORMAT_ENCRYPTED 2 @@ -58,6 +59,7 @@ typedef struct TTAContext { AVCodecContext *avctx; AVFrame frame; GetBitContext gb; + const AVCRC *crc_table; int format, channels, bps, data_length; int frame_length, last_frame_length, total_frames; @@ -188,6 +190,20 @@ static int tta_get_unary(GetBitContext *gb) return ret; } +static int tta_check_crc(TTAContext *s, const uint8_t *buf, int buf_size) +{ + uint32_t crc, CRC; + + CRC = AV_RL32(buf + buf_size); + crc = av_crc(s->crc_table, 0xFFFFFFFFU, buf, buf_size); + if (CRC != (crc ^ 0xFFFFFFFFU)) { + av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); + return AVERROR_INVALIDDATA; + } + + return 0; +} + static av_cold int tta_decode_init(AVCodecContext * avctx) { TTAContext *s = avctx->priv_data; @@ -201,6 +217,12 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8); if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1")) { + if (avctx->err_recognition & AV_EF_CRCCHECK) { + s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); + if (tta_check_crc(s, avctx->extradata, 18)) + return AVERROR_INVALIDDATA; + } + /* signature */ skip_bits_long(&s->gb, 32); 
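Review bot: `tta_check_crc(s, avctx->extradata, 18)` in tta_decode_init() reads the stored CRC with `AV_RL32(buf + buf_size)`, that is bytes 18 to 21 of the extradata, but this hunk does not check `avctx->extradata_size` before the call. Unless a check outside the visible context already guarantees at least 22 bytes, add an explicit size test ahead of the CRC check so that a short extradata block is rejected rather than read past.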
@@ -260,6 +282,12 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) s->data_length, s->frame_length, s->last_frame_length, s->total_frames); // FIXME: seek table + if (get_bits_left(&s->gb) < 32 * s->total_frames + 32) + av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n"); + else if (avctx->err_recognition & AV_EF_CRCCHECK) { + if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4)) + return AVERROR_INVALIDDATA; + } skip_bits_long(&s->gb, 32 * s->total_frames); skip_bits_long(&s->gb, 32); // CRC32 of seektable @@ -299,6 +327,11 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, int cur_chan = 0, framelen = s->frame_length; int32_t *p; + if (avctx->err_recognition & AV_EF_CRCCHECK) { + if (buf_size < 4 || tta_check_crc(s, buf, buf_size - 4)) + return AVERROR_INVALIDDATA; + } + init_get_bits(&s->gb, buf, buf_size*8); // FIXME: seeking From 0e4bb0530f7d4cb1343499ee2bf0cb943d3b9a41 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 12:44:55 -0700 Subject: [PATCH 213/991] tta: prevents overflows for 32bit integers in header. This prevents sample_rate/data_length from going negative, which caused various crashes and undefined behaviour further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ac80b812cd177553339467ea12548d71c9ef6865) Signed-off-by: Reinhard Tartler --- libavcodec/tta.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 985bf0c709..1743f7d0ac 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -61,7 +61,8 @@ typedef struct TTAContext { GetBitContext gb; const AVCRC *crc_table; - int format, channels, bps, data_length; + int format, channels, bps; + unsigned data_length; int frame_length, last_frame_length, total_frames; int32_t *decode_buffer; 
@@ -265,7 +266,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) } // prevent overflow - if (avctx->sample_rate > 0x7FFFFF) { + if (avctx->sample_rate > 0x7FFFFFu) { av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n"); return AVERROR(EINVAL); } @@ -282,7 +283,8 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) s->data_length, s->frame_length, s->last_frame_length, s->total_frames); // FIXME: seek table - if (get_bits_left(&s->gb) < 32 * s->total_frames + 32) + if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 || + avctx->extradata_size - 26 < s->total_frames * 4) av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n"); else if (avctx->err_recognition & AV_EF_CRCCHECK) { if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4)) From 746f1594d71dece6fd6f786447e19be9c200a07d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 16:37:09 -0700 Subject: [PATCH 214/991] h264: additional protection against unsupported size/bitdepth changes. Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 4 ++-- libavcodec/h264_ps.c | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e0eb8e119d..b229510269 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -2723,9 +2723,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { - if(h != h0) { + if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) { av_log_missing_feature(s->avctx, "Width/height changing with threads is", 0); - return -1; // width / height changed during parallelized decoding + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } free_tables(h, 0); flush_dpb(s->avctx); diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 276eb77d1d..c6623a97ef 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -471,6 +471,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){ if(pps_id >= MAX_PPS_COUNT) { av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); return -1; + } else if (h->sps.bit_depth_luma > 10) { + av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma); + return AVERROR_PATCHWELCOME; } pps= av_mallocz(sizeof(PPS)); From 7fe4c8cb761b0fc8685dacf9f187311b9d124a52 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 29 Mar 2012 12:24:10 -0700 Subject: [PATCH 215/991] h263: more strictly forbid frame size changes with frame-mt. Prevents crashes because the old check was incomplete. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080) Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 55562148cf..7f0934a124 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
@@ -430,6 +430,13 @@ retry: if (ret < 0){ av_log(s->avctx, AV_LOG_ERROR, "header damaged\n"); return -1; + } else if ((s->width != avctx->coded_width || + s->height != avctx->coded_height || + (s->width + 15) >> 4 != s->mb_width || + (s->height + 15) >> 4 != s->mb_height) && + (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding } avctx->has_b_frames= !s->low_delay; @@ -571,11 +578,6 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat - if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { - av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); - return -1; // width / height changed during parallelized decoding - } - s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From 7240cc3f8b8798dfbb5d1adda7afb53dc0c871c1 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 13 Mar 2012 17:18:41 -0700 Subject: [PATCH 216/991] jpeg: handle progressive in second field of interlaced. Progressive data is allocated later in decode_sof(), not allocating that data leads to NULL dereferences. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5eec5a79da118170f3cfe185a862783d3fa50abe) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a7950287e2..7f12fc162c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -306,9 +306,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->first_picture = 0; } - if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) - return 0; - + if (!(s->interlaced && (s->bottom_field == !s->interlace_polarity))) { /* XXX: not complete test ! */ pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | (s->h_count[1] << 20) | (s->v_count[1] << 16) | @@ -375,6 +373,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (len != (8 + (3 * nb_components))) av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len); + } /* totally blank picture as progressive JPEG will only add details to it */ if (s->progressive) { From aaa6a666774eb02c351c84e80622a5c69e9b642e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 2 May 2012 12:08:03 -0700 Subject: [PATCH 217/991] motionpixels: Clip YUV values after applying a gradient. Prevents illegal reads on truncated and malformed input. CC: libav-stable@libav.org (cherry picked from commit b5da848facd41169283d7bfe568b83bdfa7fc42e) Signed-off-by: Reinhard Tartler --- libavcodec/motionpixels.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index d054e00342..8259447d62 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -190,10 +190,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y) p = mp_get_yuv_from_rgb(mp, x - 1, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((x & 3) == 0) { if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p; } else { p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v; 
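Review bot: The clip ranges added in mp_decode_line(), `av_clip(p.y, 0, 31)` and `av_clip(p.v, -32, 31)` / `av_clip(p.u, -32, 31)`, are undocumented literals, and the same three statements are repeated in mp_decode_frame_helper(). A small helper that applies the gradient and clips in one place, with a comment naming the table or field width that imposes these ranges, would keep the two sites in step and make it clear which later lookup the bounds protect.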
@@ -217,9 +220,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb) p = mp_get_yuv_from_rgb(mp, 0, y); } else { p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb)); + p.y = av_clip(p.y, 0, 31); if ((y & 3) == 0) { p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb)); + p.v = av_clip(p.v, -32, 31); p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb)); + p.u = av_clip(p.u, -32, 31); } mp->vpt[y] = p; mp_set_rgb_from_yuv(mp, 0, y, &p); From 9ea94c44b1b414ab3bc6e9220ebb77621423ca38 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 4 May 2012 10:27:03 -0700 Subject: [PATCH 218/991] celp filters: Do not read earlier than the start of the 'out' vector. CC: libav-stable@libav.org (cherry picked from commit 37ddd3833219fa7b913fff3f5cccc6878b047e6b) Signed-off-by: Reinhard Tartler --- libavcodec/celp_filters.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index 25a6744b04..849cda439e 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, out2 -= val * old_out2; out3 -= val * old_out3; - old_out3 = out[-5]; - for (i = 5; i <= filter_length; i += 2) { + old_out3 = out[-i]; val = filter_coeffs[i-1]; out0 -= val * old_out3; @@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs, FFSWAP(float, old_out0, old_out2); old_out1 = old_out3; - old_out3 = out[-i-2]; } tmp0 = out0; From d5207e2af81580dd5e6277b354c8b459c3624f26 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Mon, 23 Apr 2012 13:16:33 +0100 Subject: [PATCH 219/991] vqavideo: return error if image size is not a multiple of block size The decoder assumes in various places that the image size is a multiple of the block size, and there is no obvious way to support odd sizes. Bailing out early if the header specifies a bad size avoids various errors later on. Fixes CVE-2012-0947. 
Signed-off-by: Mans Rullgard (cherry picked from commit 58b2e0f0f2fc96c1158e04f8aba95cbe6157a1a3) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index bc1ff27da4..4826650a6e 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -151,6 +151,12 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) return -1; } + if (s->width & (s->vector_width - 1) || + s->height & (s->vector_height - 1)) { + av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n"); + return AVERROR_INVALIDDATA; + } + /* allocate codebooks */ s->codebook_size = MAX_CODEBOOK_SIZE; s->codebook = av_malloc(s->codebook_size); From a638e10ba0b13112880fb011d546121118686019 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 4 May 2012 22:40:37 +0200 Subject: [PATCH 220/991] Prepare for 0.8.2 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 6f4eebdf6f..100435be13 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.1 +0.8.2 From 43e5fda45cf540a052d6f78248a3bf99f87095a8 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 4 May 2012 22:59:01 +0200 Subject: [PATCH 221/991] Update Changelog for the 0.8.2 Release --- Changelog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Changelog b/Changelog index cb04ee4992..846aa5ac8d 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,20 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.2: + +- Several bugs and crashes have been fixed in the following codecs: AAC, + APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW, + TTA, VC1, VQA, WMA Voice, vqavideo (CVE-2012-0947). + +- Several bugs and crashes have been fixed in the following formats: + ASF, ID3v2, MOV, xWMA + +- This release additionally updates the following codecs to the + bytestream2 API, and therefore benefit from additional overflow + checks: truemotion2, utvideo, vqavideo + + version 0.8.1: - Several bugs and crashes have been fixed in the following codecs: AAC, From 25a28022390de45ca2c75497d213da51472f6c4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2012 14:30:33 +0200 Subject: [PATCH 222/991] 4xmdemux: Check chunk size Fixes over reading the header array Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 474e31c904f766b6989fe614c3fb093e697c847f) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 3d9c5aea12..90a5fa0cbb 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -129,6 +129,10 @@ static int fourxm_read_header(AVFormatContext *s, for (i = 0; i < header_size - 8; i++) { fourcc_tag = AV_RL32(&header[i]); size = AV_RL32(&header[i + 4]); + if (size > header_size - i - 8 && (fourcc_tag == vtrk_TAG || fourcc_tag == strk_TAG)) { + av_log(s, AV_LOG_ERROR, "chunk larger than array %d>%d\n", size, header_size - i - 8); + return AVERROR_INVALIDDATA; + } if (fourcc_tag == std__TAG) { fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); From 1ca4e70b6c52601e376c672741a960761c0b2516 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 21 Apr 2012 19:28:35 +0200 Subject: [PATCH 223/991] cook: check subacket count Fixes out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5a35bd92ad6b535fd5d3a7513169661de66ec247) --- libavcodec/cook.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index c963ffec25..3d6f0dec0a 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1235,6 +1235,11 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->subpacket[s].gains2.now = q->subpacket[s].gain_3; q->subpacket[s].gains2.previous = q->subpacket[s].gain_4; + if (q->num_subpackets + q->subpacket[s].num_channels > q->nb_channels) { + av_log(avctx, AV_LOG_ERROR, "Too many subpackets %d for channels %d\n", q->num_subpackets, q->nb_channels); + return AVERROR_INVALIDDATA; + } + q->num_subpackets++; s++; if (s > MAX_SUBPACKETS) { From bf2534a5e2d57498dc663b1f49f85521e5ab9235 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2012 17:42:09 +0200 Subject: [PATCH 224/991] avidec: Dont crash on avi packets that belong to dv streams in dv in avi Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 096231d497457be9496b0be01ff6da2093186c3c) --- libavformat/avidec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ec2204c0a9..72aa60731f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -954,6 +954,11 @@ start_sync: st = s->streams[n]; ast = st->priv_data; + if (!ast) { + av_log(s, AV_LOG_WARNING, "Skiping foreign stream %d packet\n", n); + continue; + } + if(s->nb_streams>=2){ AVStream *st1 = s->streams[1]; AVIStream *ast1= st1->priv_data; From a4846943a3566723976ecd67a57f381b76e80e29 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 21 Apr 2012 19:41:54 +0200 Subject: [PATCH 225/991] xmvdemux: dont let current_stream become invalid. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 13381577d181fa732d6d2fa0491fa2ff50186546) --- libavformat/xmv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index f01e0aa77b..e7402f7a4a 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -300,7 +300,7 @@ static int xmv_process_packet_header(AVFormatContext *s) xmv->current_stream = 0; if (!xmv->video.frame_count) { xmv->video.frame_count = 1; - xmv->current_stream = 1; + xmv->current_stream = xmv->stream_count > 1; } /* Packet audio header */ From 0d40fbaef09b62ea01ac1cd1ebaaa045ad285e9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2012 16:41:21 +0200 Subject: [PATCH 226/991] iff: fix null ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 41abc9da50ba7a7b68bbbf6622475ce7a3c72e3f) --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 24167c722c..978507bbe3 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -473,7 +473,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx, } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; - } else if (avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt != PIX_FMT_GRAY8) { + } else if (avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt == PIX_FMT_PAL8) { if ((res = ff_cmap_read_palette(avctx, (uint32_t*)s->frame.data[1])) < 0) return res; } From fe8508b948d045fbc02b2d81c305d9b445953be4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 23 Mar 2012 01:09:04 +0100 Subject: [PATCH 227/991] mov: fix global unicode convertion array overflow. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 437f5daf0bf727a53ea4b485a30f1289f44bf252) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 95bc3dee40..59922d1123 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -160,7 +160,7 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len, uint8_t t, c = avio_r8(pb); if (c < 0x80 && p < end) *p++ = c; - else + else if (p < end) PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;); } *p = 0; From 6736de0ce628a2799ea4d1150b7a92a80f09c45a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 14:25:52 +0100 Subject: [PATCH 228/991] mpegvideo: increase buffer sizes. Fixes buffer overflow Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 2c0559d5e2faeafa7998173a4dc430408475503f) --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index a02a77d16f..16803a00e6 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -422,12 +422,12 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base) // edge emu needs blocksize + filter length - 1 // (= 17x17 for halfpel / 21x21 for h264) FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, - (s->width + 64) * 2 * 21 * 2, fail); // (width + edge + align)*interlaced*MBsize*tolerance + (s->width + 95) * 2 * 21 * 4, fail); // (width + edge + align)*interlaced*MBsize*tolerance // FIXME should be linesize instead of s->width * 2 // but that is not known before get_buffer() FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, - (s->width + 64) * 4 * 16 * 2 * sizeof(uint8_t), fail) + (s->width + 95) * 4 * 16 * 2 * sizeof(uint8_t), fail) s->me.temp = s->me.scratchpad; s->rd_scratchpad = s->me.scratchpad; s->b_scratchpad = s->me.scratchpad; From c785a7058aa6c4b89ea1fa02278eee88006dce45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Mar 2012 15:58:14 +0100 Subject: [PATCH 229/991] h261: check mtype. Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ec3cd74f2dab8e3e8234ccb994132b23d3098585) --- libavcodec/h261dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index 1dbd75d103..3b26e8bdbc 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -286,6 +286,10 @@ static int h261_decode_mb(H261Context *h){ // Read mtype h->mtype = get_vlc2(&s->gb, h261_mtype_vlc.table, H261_MTYPE_VLC_BITS, 2); + if (h->mtype < 0) { + av_log(s->avctx, AV_LOG_ERROR, "illegal mtype %d\n", h->mtype); + return SLICE_ERROR; + } h->mtype = h261_mtype_map[h->mtype]; // Read mquant From 097ad61100118c34ff5456815cfb8de2bf9cfa0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Mar 2012 00:49:00 +0100 Subject: [PATCH 230/991] mmdemux: dont set pkt->size to an invalid value. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 0c97fd336e17535239ab44d755a0d957dc2688f3) --- libavformat/mm.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/mm.c b/libavformat/mm.c index 8bb933babe..0e40c27f42 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -175,7 +175,6 @@ static int read_packet(AVFormatContext *s, case MM_TYPE_AUDIO : if (av_get_packet(s->pb, pkt, length)<0) return AVERROR(ENOMEM); - pkt->size = length; pkt->stream_index = 1; pkt->pts = mm->audio_pts++; return 0; From 22285aba1337d0ec507255866512cf060bb010f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 May 2012 01:31:25 +0200 Subject: [PATCH 231/991] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 19b3114285..8ef480ee0e 100644 --- a/Changelog +++ b/Changelog @@ -4,11 +4,15 @@ releases are sorted from youngest to oldest. version next: -version 0.10.2: +version 0.10.3: + +- Security fixes in the 4xm demuxer, avi demuxer, cook decoder, + mm demuxer, mpegvideo decoder, vqavideo decoder (CVE-2012-0947) and + xmv demuxer. - Several bugs and crashes have been fixed in the following codecs: AAC, APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW, - TTA, VC1, VQA, WMA Voice, vqavideo (CVE-2012-0947). + TTA, VC1, VQA, WMA Voice, vqavideo. - Several bugs and crashes have been fixed in the following formats: ASF, ID3v2, MOV, xWMA From df93682e64e0e917d96c8af6519a2793c28117c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Mar 2012 20:45:45 +0100 Subject: [PATCH 232/991] dsp: fix diff_bytes_mmx() with small width Fixes Ticket1068 Signed-off-by: Michael Niedermayer (cherry picked from commit 73089eccd3e48539555349b36d8aabbf1cea416e) --- libavcodec/x86/dsputilenc_mmx.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libavcodec/x86/dsputilenc_mmx.c b/libavcodec/x86/dsputilenc_mmx.c index f13c1219da..35d50bec9e 100644 --- a/libavcodec/x86/dsputilenc_mmx.c +++ b/libavcodec/x86/dsputilenc_mmx.c @@ -823,6 +823,7 @@ static int vsad16_mmx2(void *v, uint8_t * pix1, uint8_t * pix2, int line_size, i static void diff_bytes_mmx(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ x86_reg i=0; + if(w>=16) __asm__ volatile( "1: \n\t" "movq (%2, %0), %%mm0 \n\t" From 96acb0a4eb83686f0b05bf095bec6db09af85405 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Mar 2012 21:42:50 +0200 Subject: [PATCH 233/991] indeo4: check that num_mbs matches Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d3db8988d5befd8702a748cf1957415677bfe75c) --- libavcodec/indeo4.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 3e8a3988d6..be7f088dc2 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -477,6 +477,11 @@ static int decode_mb_info(IVI4DecContext *ctx, IVIBandDesc *band, mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; + if (((tile->width + band->mb_size-1)/band->mb_size) * ((tile->height + band->mb_size-1)/band->mb_size) != tile->num_MBs) { + av_log(avctx, AV_LOG_ERROR, "num_MBs mismatch %d %d %d %d\n", tile->width, tile->height, band->mb_size, tile->num_MBs); + return -1; + } + for (y = tile->ypos; y < tile->ypos + tile->height; y += band->mb_size) { mb_offset = offs; From b1f9ff45d4d4a2eb705fec33028b2b886d4b6ffb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 May 2012 01:35:56 +0200 Subject: [PATCH 234/991] update for ffmpeg 0.10.3 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index c065e0c194..2cd57ae4f6 100644 --- a/Doxyfile +++ b/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.2 +PROJECT_NUMBER = 0.10.3 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 5eef0f10e8..a3f5a8ed4d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.2 +0.10.3 diff --git a/VERSION b/VERSION index 5eef0f10e8..a3f5a8ed4d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.2 +0.10.3 From 3fab87edc9ff5745d0a5c1634760ae0971d4e725 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Feb 2012 20:14:33 +0100 Subject: [PATCH 235/991] threads: Perform the generic progress cleanup more carefully. The cleanup is only done now when a picture is returned (assuming that it has to be done when its returned) a error is returned (assuming that there will be no further progress on the frame) the codec is not h264 (this is still needed due to some deadlocks in realvideo) This fixes a decoding regression with 00017.MTS Signed-off-by: Michael Niedermayer (cherry picked from commit 18a7f7465e7e6b9c3688ffc23230ae7a0639a771) --- libavcodec/pthread.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 6ae763da80..c58222b490 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -390,7 +390,7 @@ static attribute_align_arg void *frame_worker_thread(void *arg) pthread_mutex_lock(&p->progress_mutex); for (i = 0; i < MAX_BUFFERS; i++) - if (p->progress_used[i]) { + if (p->progress_used[i] && (p->got_frame || p->result<0 || avctx->codec_id != CODEC_ID_H264)) { p->progress[i][0] = INT_MAX; p->progress[i][1] = INT_MAX; } From 58361100188a1f80bcd9b6c58a4ce588032da1ad Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 17 Feb 2012 13:35:10 -0800 Subject: [PATCH 236/991] h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 71db86d53b5c6872cea31bf714a1a38ec78feaba) Conflicts: libavcodec/h263dec.c Signed-off-by: Reinhard Tartler --- libavcodec/h263dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 7f0934a124..1ddca1944d 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -578,6 +578,11 @@ retry: /* H.263 could change picture size any time */ ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat + if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0); + return -1; // width / height changed during parallelized decoding + } + s->parse_context.buffer=0; MPV_common_end(s); s->parse_context= pc; From 47132345184dc3d0ff962a57a1225564fe979548 Mon Sep 17 00:00:00 2001 From: Alexander Strange Date: Sat, 24 Mar 2012 17:32:14 -0400 Subject: [PATCH 237/991] h264: Add check for invalid chroma_format_idc Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index c6623a97ef..ff6103c2c0 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
@@ -332,8 +332,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ if(sps->profile_idc >= 100){ //high profile sps->chroma_format_idc= get_ue_golomb_31(&s->gb); - if(sps->chroma_format_idc == 3) + if(sps->chroma_format_idc > 3) { + av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); + return -1; + } else if(sps->chroma_format_idc == 3) { sps->residual_color_transform_flag = get_bits1(&s->gb); + } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; sps->transform_bypass = get_bits1(&s->gb); From 5872580e65aab026b77754eb184f97ba7cc6ea35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Dec 2011 04:13:37 +0100 Subject: [PATCH 238/991] tqi: Pass errors from the MB decoder This silences some valgrind warnings. CC: libav-stable@libav.org Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer Signed-off-by: Reinhard Tartler (cherry picked from commit f85334f58e1286287d0547a49fa9c93b40cbf48f) (cherry picked from commit 90290a5150e84fb138ccde57657dc03830f08c1c) Signed-off-by: Reinhard Tartler --- libavcodec/eatqi.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index aaf704b41a..66d3819298 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -57,12 +57,15 @@ static av_cold int tqi_decode_init(AVCodecContext *avctx) return 0; } -static void tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) +static int tqi_decode_mb(MpegEncContext *s, DCTELEM (*block)[64]) { int n; s->dsp.clear_blocks(block[0]); for (n=0; n<6; n++) - ff_mpeg1_decode_block_intra(s, block[n], n); + if (ff_mpeg1_decode_block_intra(s, block[n], n) < 0) + return -1; + + return 0; } static inline void tqi_idct_put(TqiContext *t, DCTELEM (*block)[64]) 
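Review bot: tqi_decode_mb() collapses every failure of ff_mpeg1_decode_block_intra() into a hard-coded -1, so the callee's actual error code is lost even though the subject promises to pass errors on. Keep the result in a local and return it unchanged: int ret = ff_mpeg1_decode_block_intra(s, block[n], n); if (ret < 0) return ret;. The for body now spans two statements' worth of lines and would read more safely with braces.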
@@ -134,7 +137,8 @@ static int tqi_decode_frame(AVCodecContext *avctx, for (s->mb_y=0; s->mb_y<(avctx->height+15)/16; s->mb_y++) for (s->mb_x=0; s->mb_x<(avctx->width+15)/16; s->mb_x++) { - tqi_decode_mb(s, t->block); + if (tqi_decode_mb(s, t->block) < 0) + break; tqi_idct_put(t, t->block); } From c38d3e1a39b28937692a2c0eb39b25d8bc07d7bb Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 16:12:46 +0000 Subject: [PATCH 239/991] qdm2: clip array indices returned by qdm2_get_vlc(). Prevents subsequent overreads when these numbers are used as indices in arrays. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Justin Ruggles (cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69) Signed-off-by: Derek Buitenhuis Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 6acb7d8362..739971eb83 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -884,9 +884,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l break; case 30: - if (BITS_LEFT(length,gb) >= 4) - samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)]; - else + if (BITS_LEFT(length,gb) >= 4) { + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1); + if (index < FF_ARRAY_ELEMS(type30_dequant)) { + samples[0] = type30_dequant[index]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); + } else samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); run = 1; 
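Review bot: in case 30 an out-of-range index is silently replaced by SB_DITHERING_NOISE(), which is a substitution rather than the clipping the subject line describes, and nothing is logged when it happens. The fallback assignment also appears twice now, with an unbraced else hanging off a braced if. Testing BITS_LEFT() and index < FF_ARRAY_ELEMS(type30_dequant) in one condition leaves a single fallback branch, and a short comment should state that dithering noise is the intended result for a corrupt code.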
@@ -900,8 +904,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_predictor = samples[0]; type34_first = 0; } else { - samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor; - type34_predictor = samples[0]; + unsigned index = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); + if (index < FF_ARRAY_ELEMS(type34_delta)) { + samples[0] = type34_delta[index] / type34_div + type34_predictor; + type34_predictor = samples[0]; + } else + samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); } } else { samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx); From d34e9e61dd619a14e3d29760f6bc8cd5b1a19d9f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 2 May 2012 10:58:55 -0700 Subject: [PATCH 240/991] png: check bit depth for PAL8/Y400A pixel formats. Wrong bit depth can lead to invalid rowsize values, which crashes the decoder further down. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7) Signed-off-by: Reinhard Tartler --- libavcodec/pngdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 94eb6ebeed..ac98f7093d 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -479,9 +479,11 @@ static int decode_frame(AVCodecContext *avctx, } else if (s->bit_depth == 1 && s->color_type == PNG_COLOR_TYPE_GRAY) { avctx->pix_fmt = PIX_FMT_MONOBLACK; - } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = PIX_FMT_PAL8; - } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { + } else if (s->bit_depth == 8 && + s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { avctx->pix_fmt = PIX_FMT_Y400A; } else { goto fail; From ec27262c4d2d428d492e27f301a01dbf9656bd7f Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Fri, 4 May 2012 16:06:26 -0700 Subject: [PATCH 241/991] ea: check chunk_size for validity. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c) Signed-off-by: Reinhard Tartler --- libavformat/electronicarts.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 01ba479fac..0113683ee2 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -474,12 +474,17 @@ static int ea_read_packet(AVFormatContext *s, while (!packet_read) { chunk_type = avio_rl32(pb); - chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8; + chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); + if (chunk_size <= 8) + return AVERROR_INVALIDDATA; + chunk_size -= 8; switch (chunk_type) { /* audio data */ case ISNh_TAG: /* header chunk also contains data; skip over the header portion*/ + if (chunk_size < 32) + return AVERROR_INVALIDDATA; avio_skip(pb, 32); chunk_size -= 32; case ISNd_TAG: From f9ee7d13e8b6fbf58fb25fb6023b6264531cf900 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 29 May 2012 22:56:46 +0200 Subject: [PATCH 242/991] Prepare for 0.8.3 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 100435be13..ee94dd834b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.2 +0.8.3 From 4dfea3e9f065e520f5fc71028472f7f6b9beed52 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 29 May 2012 22:59:43 +0200 Subject: [PATCH 243/991] Update Changelog for the 0.8.3 Release --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog b/Changelog index 846aa5ac8d..fb9a7a6e19 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 0.8.3: + +- Several bugs and crashes have been fixed in the following codecs: PNG, + Electronic Arts TQI, H.264 (CVE-2012-0851) and H.263 (CVE-2011-3937) + + version 0.8.2: - Several bugs and crashes have been fixed in the following codecs: AAC, From ce39a84a7d760965972781df61a88e5f432b978a Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Wed, 8 Feb 2012 10:16:41 -0800 Subject: [PATCH 244/991] cmdutils: update copyright year to 2012. --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index e96fa81ad9..7b2ff084ba 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -55,7 +55,7 @@ struct SwsContext *sws_opts; AVDictionary *format_opts, *codec_opts; -static const int this_year = 2011; +static const int this_year = 2012; void init_opts(void) { From a4b329d6228ecad76299523cdbee16f37a8ca98b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 16:50:15 +0200 Subject: [PATCH 245/991] cdgraphics: Fix out of array write Fixes Ticket1359 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index b87ca1d2c3..1bba406478 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); return AVERROR(EINVAL); } + if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n"); + return AVERROR(EINVAL); + } ret = avctx->reget_buffer(avctx, &cc->frame); if (ret) { From 7df0e309fd6e39384f9ed80103e3191049f0a280 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 28 May 2012 17:04:38 +0200 Subject: [PATCH 246/991] xan: fix out of array read Fixes ticket1360 Signed-off-by: Michael Niedermayer (cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index cfaca81e16..62bec83490 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -512,6 +512,10 @@ static int xan_decode_frame(AVCodecContext *avctx, int i; tag = bytestream_get_le32(&buf); size = bytestream_get_be32(&buf); + if(size < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size); + return AVERROR_INVALIDDATA; + } size = FFMIN(size, buf_end - buf); switch (tag) { case PALT_TAG: From 0adc452146a9fc31184db783b3fc4bbea5767ade Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:08:06 +0200 Subject: [PATCH 247/991] yop: check for missing extradata Fixes null ptr deref Fixes Ticket1361 Signed-off-by: Michael Niedermayer (cherry picked from commit 77a4c8b959fa9bc6bcaa42b40a0b046cdf3fec38) Signed-off-by: Michael Niedermayer --- libavcodec/yop.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index e5333db2fd..55526c2543 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -89,6 +89,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx) return -1; } + if (!avctx->extradata) { + av_log(avctx, AV_LOG_ERROR, "extradata missing\n"); + return AVERROR_INVALIDDATA; + } + avctx->pix_fmt = PIX_FMT_PAL8; avcodec_get_frame_defaults(&s->frame); From fa67ad85ac7ef186cfcfb5aaca5d7f743d373220 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:13:10 +0200 Subject: [PATCH 248/991] iff_ilbm: fix null ptr deref Fixes Ticket1362 Signed-off-by: Michael Niedermayer (cherry picked from commit 849d4b041351ef8d77c4231cf417f997e79f9ab7) 
Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 978507bbe3..8a9141af5a 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -191,7 +191,13 @@ static int extract_header(AVCodecContext *const avctx, const uint8_t *buf; unsigned buf_size; IffContext *s = avctx->priv_data; - int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); + int palette_size; + + if (avctx->extradata_size < 2) { + av_log(avctx, AV_LOG_ERROR, "not enough extradata\n"); + return AVERROR_INVALIDDATA; + } + palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); if (avpkt) { int image_size; @@ -207,8 +213,6 @@ static int extract_header(AVCodecContext *const avctx, return AVERROR_INVALIDDATA; } } else { - if (avctx->extradata_size < 2) - return AVERROR_INVALIDDATA; buf = avctx->extradata; buf_size = bytestream_get_be16(&buf); if (buf_size <= 1 || palette_size < 0) { From cc0fec8393ee47d8b173288b35e161fa68b0685d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:17:49 +0200 Subject: [PATCH 249/991] motionpixels: check extradata size Fixes null ptr derefernce Fixes Ticket1363 Signed-off-by: Michael Niedermayer (cherry picked from commit 50122084a6b3be06781a2b3d8ec036f2d67c32e3) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 508a0aa26e..6b07805859 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -55,6 +55,11 @@ static av_cold int mp_decode_init(AVCodecContext *avctx) int w4 = (avctx->width + 3) & ~3; int h4 = (avctx->height + 3) & ~3; + if(avctx->extradata_size < 2){ + av_log(avctx, AV_LOG_ERROR, "extradata too small\n"); + return AVERROR_INVALIDDATA; + } + motionpixels_tableinit(); mp->avctx = avctx; dsputil_init(&mp->dsp, avctx); 
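Review bot: the new guard in mp_decode_init() rejects extradata_size < 2, but nothing in the hunk says why two bytes is the minimum, and the commit message describes the bug as a null pointer dereference rather than a short buffer. A one-line comment naming the extradata bytes the decoder goes on to read would justify the constant. If a NULL avctx->extradata is the actual trigger, testing the pointer alongside the size would make the intent explicit.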
From 3e4eea6c3255ccbb059db6d5998147597e9ceccd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 May 2012 17:21:29 +0200 Subject: [PATCH 250/991] jvdec: check videosize Fixes null ptr dereference fixes Ticket1364 Signed-off-by: Michael Niedermayer (cherry picked from commit b4904e804d3b1c56ac4f5d3386b15daae98fca2d) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index bdffa76da2..62674211e7 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -143,6 +143,10 @@ static int decode_frame(AVCodecContext *avctx, buf += 5; if (video_size) { + if(video_size < 0) { + av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size); + return AVERROR_INVALIDDATA; + } if (avctx->reget_buffer(avctx, &s->frame) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; From 9e9e6bbe7b79cf7bb628b7f32321b9509ecb3cba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 May 2012 19:16:22 +0200 Subject: [PATCH 251/991] 4xm: fix division by zero caused by bps<8 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1b8741a6843f3f4667c81c2d63d3182858aa534f) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 90a5fa0cbb..c8eb0c0d1f 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -201,6 +201,11 @@ static int fourxm_read_header(AVFormatContext *s, ret= -1; goto fail; } + if(!fourxm->tracks[current_track].adpcm && fourxm->tracks[current_track].bits<8){ + av_log(s, AV_LOG_ERROR, "bits unspecified for non ADPCM\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } i += 8 + size; /* allocate a new AVStream */ From 0452ebfd4b97a60baf1211e8ac217ad501f7a149 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 29 May 2012 19:50:15 +0200 Subject: [PATCH 252/991] ape: Fix null ptr dereference with files missing a seekatable. Such files are currently not supported as the table is used at several points Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 72fca5dd46..016638b54e 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -278,6 +278,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = avio_rl32(pb); + }else{ + av_log(s, AV_LOG_ERROR, "Missing seektable\n"); + return -1; } ape->frames[0].pos = ape->firstframe; From fc0d962919e2be08245135a6f2c2b53ff09c7bf0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 30 May 2012 07:50:32 +0000 Subject: [PATCH 253/991] iff: check if there is extradata Fixes #1368. Signed-off-by: Paul B Mahol (cherry picked from commit 8f61526978697e51d3b9e61ea84daf13c42717af) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 8a9141af5a..eca795aa66 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c 
@@ -316,7 +316,12 @@ static av_cold int decode_init(AVCodecContext *avctx) int err; if (avctx->bits_per_coded_sample <= 8) { - int palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); + int palette_size; + + if (avctx->extradata_size >= 2) + palette_size = avctx->extradata_size - AV_RB16(avctx->extradata); + else + palette_size = 0; avctx->pix_fmt = (avctx->bits_per_coded_sample < 8) || (avctx->extradata_size >= 2 && palette_size) ? PIX_FMT_PAL8 : PIX_FMT_GRAY8; } else if (avctx->bits_per_coded_sample <= 32) { From 479856a3b2a1435f38bbe1c0a4b9d9b6197b4c18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 May 2012 16:19:36 +0200 Subject: [PATCH 254/991] truemotion1: Check index, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index ccebef5495..4576aa0c8e 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -520,6 +520,10 @@ hres,vres,i,i%vres (0 < i < 4) } #define APPLY_C_PREDICTOR() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ @@ -537,6 +541,10 @@ hres,vres,i,i%vres (0 < i < 4) index++; #define APPLY_C_PREDICTOR_24() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ 
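Review bot: in decode_init() in libavcodec/iff.c, the new branch avoids reading AV_RB16() from short extradata, but a 16-bit value larger than extradata_size still yields a negative palette_size, which the following (avctx->extradata_size >= 2 && palette_size) test treats as true and so selects PIX_FMT_PAL8. Test palette_size > 0 there, or reject the negative case as the else branch of extract_header() does. With the new else branch setting palette_size to 0, the extradata_size >= 2 half of that test is redundant and can go.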
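Review bot: in libavcodec/truemotion1.c, the bound index > 1023 is a bare literal repeated in APPLY_C_PREDICTOR(), APPLY_C_PREDICTOR_24(), APPLY_Y_PREDICTOR() and APPLY_Y_PREDICTOR_24(), with nothing tying it to the size of c_predictor_table and y_predictor_table. Derive it from the table declarations, for example with FF_ARRAY_ELEMS() if they are declared as arrays, or name it once. The return; buried in each macro also exits the calling function without any status, so the caller cannot tell a truncated frame from a complete one; an error flag on the context or a comment at the call sites would make that visible.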
@@ -555,6 +563,10 @@ hres,vres,i,i%vres (0 < i < 4) #define APPLY_Y_PREDICTOR() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->y_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ @@ -572,6 +584,10 @@ hres,vres,i,i%vres (0 < i < 4) index++; #define APPLY_Y_PREDICTOR_24() \ + if(index > 1023){\ + av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \ + return; \ + }\ predictor_pair = s->y_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ if (predictor_pair & 1) { \ From ece27b09d6f9bc271ed19e37dcc21b7ae4db4291 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 May 2012 05:01:28 +0200 Subject: [PATCH 255/991] indeo5: check quant_mat prevents out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5) Signed-off-by: Michael Niedermayer --- libavcodec/indeo5.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 8842f221cf..1ddf7c01ea 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -220,6 +220,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx) } if (band->blk_size == 8) { + if(quant_mat >= 5){ + av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat); + return -1; + } band->intra_base = &ivi5_base_quant_8x8_intra[quant_mat][0]; band->inter_base = &ivi5_base_quant_8x8_inter[quant_mat][0]; band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0]; From aefa2bf70a053f0fe26a2bc2342f8c8a2a43ecf0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 31 May 2012 08:58:31 +0000 Subject: [PATCH 256/991] binkaudio: check number of channels Fixes #1380. Signed-off-by: Paul B Mahol (cherry picked from commit 824a6975ee066e944b7a20d1e220fd8974fb6174) 
Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index 9f51c7a856..0c274b9e36 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -91,9 +91,9 @@ static av_cold int decode_init(AVCodecContext *avctx) frame_len_bits = 11; } - if (avctx->channels > MAX_CHANNELS) { - av_log(avctx, AV_LOG_ERROR, "too many channels: %d\n", avctx->channels); - return -1; + if (avctx->channels < 1 || avctx->channels > MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels: %d\n", avctx->channels); + return AVERROR_INVALIDDATA; } s->version_b = avctx->extradata && avctx->extradata[3] == 'b'; From d6c73986cc64600354971ae95491e8b77f3237eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 May 2012 23:50:08 +0200 Subject: [PATCH 257/991] dv-demux: dont mess with codec values Fixes part of Ticket1369 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 3c276ac0f8936745543d14674842647c502bdd2e) Signed-off-by: Michael Niedermayer --- libavformat/dv.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index a475307bf6..1275b1971f 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -267,9 +267,6 @@ static int dv_extract_video_info(DVDemuxContext *c, uint8_t* frame) avpriv_set_pts_info(c->vst, 64, c->sys->time_base.num, c->sys->time_base.den); avctx->time_base= c->sys->time_base; - if (!avctx->width) - avcodec_set_dimensions(avctx, c->sys->width, c->sys->height); - avctx->pix_fmt = c->sys->pix_fmt; /* finding out SAR is a little bit messy */ vsc_pack = dv_extract_pack(frame, dv_video_control); From fcf09ebff5af35280c655eaa40baed1c586fdf77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 01:33:00 +0200 Subject: [PATCH 258/991] 8svx: fix crash Fixes Ticket1377 Found-by: Piotr Bandurski 
Signed-off-by: Michael Niedermayer (cherry picked from commit 03ce421c1361e4ce79468de8269ad51ba2ae4c16) Signed-off-by: Michael Niedermayer --- libavcodec/8svx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/8svx.c b/libavcodec/8svx.c index f42a35b20b..e220ad13cc 100644 --- a/libavcodec/8svx.c +++ b/libavcodec/8svx.c @@ -47,7 +47,7 @@ typedef struct EightSvxContext { /* buffer used to store the whole audio decoded/interleaved chunk, * which is sent with the first packet */ uint8_t *samples; - size_t samples_size; + int64_t samples_size; int samples_idx; } EightSvxContext; From 3c69368e6be17f9c99767f0d3e0c078b0ea976e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 15:51:50 +0200 Subject: [PATCH 259/991] yopdec: check that palette fits in the packet Signed-off-by: Michael Niedermayer (cherry picked from commit b6fdf8dea7aaf3cb9a979dce91f752c2ce3086a3) Signed-off-by: Michael Niedermayer --- libavcodec/yop.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 55526c2543..bf8a000e14 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -204,6 +204,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); + if (avpkt->size < 4 + 3*s->num_pal_colors) { + av_log(avctx, AV_LOG_ERROR, "packet of size %d too small\n", avpkt->size); + return AVERROR_INVALIDDATA; + } + ret = avctx->get_buffer(avctx, &s->frame); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); From 81476cf6932f10da84a0b7b2d14ad42b9d98a017 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 15:52:20 +0200 Subject: [PATCH 260/991] yopdec: check frame oddness to be within supported limits Fixes Ticket1365 Signed-off-by: Michael Niedermayer (cherry picked from commit febc013dc5d6db1535a4f91cf02fa8089038937c) 
Signed-off-by: Michael Niedermayer --- libavcodec/yop.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index bf8a000e14..fe52f53887 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -224,6 +224,10 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->low_nibble = NULL; is_odd_frame = avpkt->data[0]; + if(is_odd_frame>1){ + av_log(avctx, AV_LOG_ERROR, "frame is too odd %d\n", is_odd_frame); + return AVERROR_INVALIDDATA; + } firstcolor = s->first_color[is_odd_frame]; palette = (uint32_t *)s->frame.data[1]; From 321bbb6f496d3125d4b4507dc9fd280c1def5c98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jun 2012 21:42:29 +0200 Subject: [PATCH 261/991] wmv1: check that the input buffer is large enough Fixes null ptr deref Fixes Ticket1367 Signed-off-by: Michael Niedermayer (cherry picked from commit f23a2418fb0ccc56fdae4dbf83a5994cc917c475) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 6429a5b748..6e4742e8e7 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; + if(buf_size<=8) { + av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size); + return AVERROR_INVALIDDATA; + } + rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if(!rbuf){ av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From c4926cba15d395bb1cb15c5985d10e81c9a6fa14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jun 2012 04:04:29 +0200 Subject: [PATCH 262/991] bmv: fix integer overflows in vlc decoder. Fixes part of Ticket1373 Found-by: Piotr Bandurski Based-on-patch-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 679c578cb8e82df6fdee977e3137a26a680ad346) 
Signed-off-by: Michael Niedermayer --- libavcodec/bmv.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 37c844858f..9740b11f15 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -21,6 +21,7 @@ #include "avcodec.h" #include "bytestream.h" +#include "libavutil/avassert.h" enum BMVFlags{ BMV_NOP = 0, @@ -52,7 +53,7 @@ typedef struct BMVDecContext { static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, int frame_off) { - int val, saved_val = 0; + unsigned val, saved_val = 0; int tmplen = src_len; const uint8_t *src, *source_end = source + src_len; uint8_t *frame_end = frame + SCREEN_WIDE * SCREEN_HIGH; @@ -98,6 +99,8 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } if (!(val & 0xC)) { for (;;) { + if(shift>22) + return -1; if (!read_two_nibbles) { if (src < source || src >= source_end) return -1; @@ -131,6 +134,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } advance_mode = val & 1; len = (val >> 1) - 1; + av_assert0(len>0); mode += 1 + advance_mode; if (mode >= 4) mode -= 3; From 9c13d232a4ba858b3082127d9b332f0dd5595ace Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jun 2012 04:06:16 +0200 Subject: [PATCH 263/991] bmv: fix apparent sign error in the frame_off check Fixes part of Ticket1373 Signed-off-by: Michael Niedermayer (cherry picked from commit debbcfae6010f027a0334d70d0dbb7ddd912ad5a) Signed-off-by: Michael Niedermayer --- libavcodec/bmv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 9740b11f15..35923a28d6 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c 
@@ -143,7 +143,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, switch (mode) { case 1: if (forward) { - if (dst - frame + SCREEN_WIDE < frame_off || + if (dst - frame + SCREEN_WIDE < -frame_off || frame_end - dst < frame_off + len) return -1; for (i = 0; i < len; i++) @@ -151,7 +151,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, dst += len; } else { dst -= len; - if (dst - frame + SCREEN_WIDE < frame_off || + if (dst - frame + SCREEN_WIDE < -frame_off || frame_end - dst < frame_off + len) return -1; for (i = len - 1; i >= 0; i--) From ddd9483a105a1b51e23fef0975b69cdf1052a0ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2012 14:41:21 +0200 Subject: [PATCH 264/991] h263: disable loop filter with lowres Fixes ticket1212 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit cc229d4e83889d1298f1a0863b55feec6c5c339a) Signed-off-by: Michael Niedermayer --- libavcodec/intelh263dec.c | 2 +- libavcodec/ituh263dec.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/intelh263dec.c b/libavcodec/intelh263dec.c index 836e98ee88..6309bcf284 100644 --- a/libavcodec/intelh263dec.c +++ b/libavcodec/intelh263dec.c @@ -77,7 +77,7 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s) } if(get_bits(&s->gb, 2)) av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n"); - s->loop_filter = get_bits1(&s->gb); + s->loop_filter = get_bits1(&s->gb) * !s->avctx->lowres; if(get_bits1(&s->gb)) av_log(s->avctx, AV_LOG_ERROR, "Bad value for reserved field\n"); if(get_bits1(&s->gb)) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 9c81bcbd0b..a4474d32a2 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c 
@@ -963,6 +963,8 @@ int h263_decode_picture_header(MpegEncContext *s) s->h263_aic = get_bits1(&s->gb); /* Advanced Intra Coding (AIC) */ s->loop_filter= get_bits1(&s->gb); s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter; + if(s->avctx->lowres) + s->loop_filter = 0; s->h263_slice_structured= get_bits1(&s->gb); if (get_bits1(&s->gb) != 0) { From 944b6a801e0bb582978be123f4b05994fdeed4bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2012 17:40:30 +0200 Subject: [PATCH 265/991] mpc8: fix channel checks fix heap array overflow Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 44c10168cff41c200825448b77cb8feff0d316c9) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index a4750ad961..ebf00e155b 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -138,7 +138,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx) c->frames = 1 << (get_bits(&gb, 3) * 2); avctx->sample_fmt = AV_SAMPLE_FMT_S16; - avctx->channel_layout = (avctx->channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; + avctx->channel_layout = (channels==2) ? AV_CH_LAYOUT_STEREO : AV_CH_LAYOUT_MONO; + avctx->channels = channels; if(vlc_initialized) return 0; av_log(avctx, AV_LOG_DEBUG, "Initing VLC\n"); From 997e7692d83ad8c2ce4d5abaf26e9f1e2e68b53b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jun 2012 19:26:21 +0200 Subject: [PATCH 266/991] mpegvideo: fix out of heap array accesses Signed-off-by: Michael Niedermayer (cherry picked from commit 317ca0d3f735fad354c404e8bbac3e1ce9f09b12) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 16803a00e6..3e90178ffb 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -1429,7 +1429,7 @@ static void draw_line(uint8_t *buf, int sx, int sy, int ex, int ey, y = (x * f) >> 16; fr = (x * f) & 0xFFFF; buf[y * stride + x] += (color * (0x10000 - fr)) >> 16; - buf[(y + 1) * stride + x] += (color * fr ) >> 16; + if(fr) buf[(y + 1) * stride + x] += (color * fr ) >> 16; } } else { if (sy > ey) { @@ -1446,7 +1446,7 @@ static void draw_line(uint8_t *buf, int sx, int sy, int ex, int ey, x = (y*f) >> 16; fr = (y*f) & 0xFFFF; buf[y * stride + x] += (color * (0x10000 - fr)) >> 16; - buf[y * stride + x + 1] += (color * fr ) >> 16; + if(fr) buf[y * stride + x + 1] += (color * fr ) >> 16; } } } From 8c0c0e9eb3341fe42a2a9315cef5af21e94c4855 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Jun 2012 20:52:12 +0200 Subject: [PATCH 267/991] Update for 0.10.4 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 2cd57ae4f6..d3366384df 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.3 +PROJECT_NUMBER = 0.10.4 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index a3f5a8ed4d..9b40aa6c21 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.3 +0.10.4 diff --git a/VERSION b/VERSION index a3f5a8ed4d..9b40aa6c21 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.3 +0.10.4 From e1608014c50eeb9f4744a53de0794eb6bb1269a2 Mon Sep 17 00:00:00 2001 
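Review bot: in decode_gop_header() in libavcodec/indeo5.c, quant_mat >= 5 hard-codes the row count of the ivi5_base_quant_8x8_* and ivi5_scale_quant_8x8_* tables indexed just below. Use FF_ARRAY_ELEMS(ivi5_base_quant_8x8_intra) so the check follows the tables if they change, and if quant_mat is a signed type, reject negative values in the same test. Returning AVERROR_INVALIDDATA instead of -1 would match the other checks in this series.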
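Review bot: in decode_bmv_frame() in libavcodec/bmv.c, av_assert0(len>0) is applied to len = (val >> 1) - 1, where val is decoded from the input; an assertion failure aborts the whole process, so unless earlier code guarantees val >> 1 is at least 2, a crafted file turns this into a denial of service. Return -1 here, as the new shift>22 test and the surrounding source_end checks do. The limit 22 itself deserves a one-line comment relating it to the width of val.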
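Review bot: in h263_decode_picture_header() in libavcodec/ituh263dec.c, loop_filter is cleared for lowres only after s->unrestricted_mv = s->umvplus || s->obmc || s->loop_filter has been computed, so unrestricted_mv keeps the bitstream value while loop_filter does not. If that ordering is deliberate, say so in a comment, because the next reader will take it for a bug. ff_intel_h263_decode_picture_header() expresses the same rule as get_bits1(&s->gb) * !s->avctx->lowres; pick one form for both decoders.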
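Review bot: in draw_line() in libavcodec/mpegvideo.c, the if(fr) guard skips the write to buf[(y + 1) * stride + x] and buf[y * stride + x + 1] only when the fractional part is exactly zero; for any nonzero fr the second pixel is still written with no bounds test in these hunks. Add a comment stating why fr == 0 is the only case that can land outside the buffer, or clamp the second coordinate explicitly.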
From: Mans Rullgard Date: Wed, 30 May 2012 04:04:54 +0100 Subject: [PATCH 268/991] h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b229510269..79298d7b0c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2720,6 +2720,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else s->height= 16*s->mb_height - (2<chroma_y_shift)*FFMIN(h->sps.crop_bottom, (16>>s->chroma_y_shift)-1); + if (FFALIGN(s->avctx->width, 16) == s->width && + FFALIGN(s->avctx->height, 16) == s->height) { + s->width = s->avctx->width; + s->height = s->avctx->height; + } + if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { From 2fb4be9a99a2c2a9435339830e3d940171cc0d9b Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:06:00 +0100 Subject: [PATCH 269/991] mov: set AVCodecContext.width/height for h264 This is required for correct cropping of files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f6be6a88bc..1dbf63f91f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -1995,9 +1995,6 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) #if CONFIG_H263_DECODER case CODEC_ID_H263: #endif -#if CONFIG_H264_DECODER - case CODEC_ID_H264: -#endif #if CONFIG_MPEG4_DECODER case CODEC_ID_MPEG4: #endif From 1846f3b5b15fceb43228f7a486db5f56eafdea51 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 22 Jun 2012 14:36:27 +0200 Subject: [PATCH 270/991] avconv: fix -force_key_frames parse_forced_keyframes() relies in encoder timebase being set, so call it from transcode_init() after it is known. Conflicts: avconv.c (cherry picked from commit 19ad567311b29a42e308317b5329218c590afac8) Signed-off-by: Anton Khirnov --- avconv.c | 59 ++++++++++++++++++++++++++++++-------------------------- 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/avconv.c b/avconv.c index dcc0935ed7..718fc8d6bf 100644 --- a/avconv.c +++ b/avconv.c @@ -226,6 +226,7 @@ typedef struct OutputStream { int64_t *forced_kf_pts; int forced_kf_count; int forced_kf_index; + char *forced_keyframes; /* audio only */ int audio_resample; @@ -687,6 +688,7 @@ void exit_program(int ret) av_freep(&frame); } + av_freep(&output_streams[i].forced_keyframes); #if CONFIG_AVFILTER av_freep(&output_streams[i].avfilter); #endif 
@@ -2229,6 +2231,29 @@ static int init_input_stream(int ist_index, OutputStream *output_streams, int nb return 0; } +static void parse_forced_key_frames(char *kf, OutputStream *ost, + AVCodecContext *avctx) +{ + char *p; + int n = 1, i; + int64_t t; + + for (p = kf; *p; p++) + if (*p == ',') + n++; + ost->forced_kf_count = n; + ost->forced_kf_pts = av_malloc(sizeof(*ost->forced_kf_pts) * n); + if (!ost->forced_kf_pts) { + av_log(NULL, AV_LOG_FATAL, "Could not allocate forced key frames array.\n"); + exit_program(1); + } + for (i = 0; i < n; i++) { + p = i ? strchr(p, ',') + 1 : kf; + t = parse_time_or_die("force_key_frames", p, 1); + ost->forced_kf_pts[i] = av_rescale_q(t, AV_TIME_BASE_Q, avctx->time_base); + } +} + static int transcode_init(OutputFile *output_files, int nb_output_files, InputFile *input_files, @@ -2444,6 +2469,9 @@ static int transcode_init(OutputFile *output_files, exit(1); } #endif + if (ost->forced_keyframes) + parse_forced_key_frames(ost->forced_keyframes, ost, + ost->st->codec); break; case AVMEDIA_TYPE_SUBTITLE: break; @@ -3362,29 +3390,6 @@ static int opt_input_file(OptionsContext *o, const char *opt, const char *filena return 0; } -static void parse_forced_key_frames(char *kf, OutputStream *ost, - AVCodecContext *avctx) -{ - char *p; - int n = 1, i; - int64_t t; - - for (p = kf; *p; p++) - if (*p == ',') - n++; - ost->forced_kf_count = n; - ost->forced_kf_pts = av_malloc(sizeof(*ost->forced_kf_pts) * n); - if (!ost->forced_kf_pts) { - av_log(NULL, AV_LOG_FATAL, "Could not allocate forced key frames array.\n"); - exit_program(1); - } - for (i = 0; i < n; i++) { - p = i ? strchr(p, ',') + 1 : kf; - t = parse_time_or_die("force_key_frames", p, 1); - ost->forced_kf_pts[i] = av_rescale_q(t, AV_TIME_BASE_Q, avctx->time_base); - } -} - static uint8_t *get_line(AVIOContext *s) { AVIOContext *line; 
@@ -3576,7 +3581,7 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc) if (!ost->stream_copy) { const char *p = NULL; - char *forced_key_frames = NULL, *frame_rate = NULL, *frame_size = NULL; + char *frame_rate = NULL, *frame_size = NULL; char *frame_aspect_ratio = NULL, *frame_pix_fmt = NULL; char *intra_matrix = NULL, *inter_matrix = NULL, *filters = NULL; int i; @@ -3659,9 +3664,9 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc) } } - MATCH_PER_STREAM_OPT(forced_key_frames, str, forced_key_frames, oc, st); - if (forced_key_frames) - parse_forced_key_frames(forced_key_frames, ost, video_enc); + MATCH_PER_STREAM_OPT(forced_key_frames, str, ost->forced_keyframes, oc, st); + if (ost->forced_keyframes) + ost->forced_keyframes = av_strdup(ost->forced_keyframes); MATCH_PER_STREAM_OPT(force_fps, i, ost->force_fps, oc, st); From c7b73724c789862ed75d4534058a2106181bc241 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 31 Aug 2012 14:17:01 +0200 Subject: [PATCH 271/991] Clarify that -passlogfile has a different syntax when used with -vcodec libx264. --- doc/ffmpeg.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index ecf147ab55..6daf4ecad7 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -407,6 +407,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be @file{PREFIX-N.log}, where N is a number specific to the output stream +Note that this option is overwritten by a local option of the same name +when using @code{-vcodec libx264}. That option maps to the x264 option stats +which has a different syntax. + @item -vlang @var{code} Set the ISO 639 language code (3 letters) of the current video stream. From de1591b167e44e2cc00dc416f2aaa30126ac2013 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 4 Apr 2012 02:48:27 -0300 Subject: [PATCH 272/991] asfenc: realloc index_ptr fewer times 
Signed-off-by: Michael Niedermayer (cherry picked from commit 97d36a1898dabd6fd85d0f2295bdac911d607b8e) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index a287ac55ad..136ddb325f 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -30,7 +30,7 @@ #define ASF_INDEXED_INTERVAL 10000000 -#define ASF_INDEX_BLOCK 600 +#define ASF_INDEX_BLOCK (1<<9) #define ASF_PACKET_ERROR_CORRECTION_DATA_SIZE 0x2 #define ASF_PACKET_ERROR_CORRECTION_FLAGS (\ @@ -810,11 +810,11 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { start_sec = (int)(duration / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { + if (start_sec > asf->nb_index_memory_alloc) { + asf->nb_index_memory_alloc = (start_sec + ASF_INDEX_BLOCK) & ~(ASF_INDEX_BLOCK - 1); + asf->index_ptr = (ASFIndex*)av_realloc( asf->index_ptr, sizeof(ASFIndex) * asf->nb_index_memory_alloc ); + } for(i=asf->nb_index_count;i=asf->nb_index_memory_alloc) { - asf->nb_index_memory_alloc += ASF_INDEX_BLOCK; - asf->index_ptr = (ASFIndex*)av_realloc( asf->index_ptr, sizeof(ASFIndex) * asf->nb_index_memory_alloc ); - } // store asf->index_ptr[i].packet_number = (uint32_t)packet_st; asf->index_ptr[i].packet_count = (uint16_t)(asf->nb_packets-packet_st); From f7b045db09e126ea86b4908e37370ea5cdcc46a3 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 4 Apr 2012 02:49:47 -0300 Subject: [PATCH 273/991] asfenc: rename some variables Signed-off-by: Michael Niedermayer (cherry picked from commit 1ceff0859df1c4f6bfacd6c1cd9dbdcceb039423) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index 136ddb325f..1e42e1c825 100644 --- a/libavformat/asfenc.c 
+++ b/libavformat/asfenc.c @@ -786,9 +786,9 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) { ASFContext *asf = s->priv_data; ASFStream *stream; - int64_t duration; AVCodecContext *codec; - int64_t packet_st,pts; + uint32_t packet_number; + int64_t pts; int start_sec,i; int flags= pkt->flags; @@ -800,15 +800,15 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; assert(pts != AV_NOPTS_VALUE); - duration = pts * 10000; - asf->duration= FFMAX(asf->duration, duration + pkt->duration * 10000); + pts *= 10000; + asf->duration= FFMAX(asf->duration, pts + pkt->duration * 10000); - packet_st = asf->nb_packets; + packet_number = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index], pkt->dts, pkt->data, pkt->size, flags); /* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { - start_sec = (int)(duration / INT64_C(10000000)); + start_sec = (int)(pts / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { if (start_sec > asf->nb_index_memory_alloc) { asf->nb_index_memory_alloc = (start_sec + ASF_INDEX_BLOCK) & ~(ASF_INDEX_BLOCK - 1); @@ -816,12 +816,12 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) } for(i=asf->nb_index_count;iindex_ptr[i].packet_number = (uint32_t)packet_st; - asf->index_ptr[i].packet_count = (uint16_t)(asf->nb_packets-packet_st); - asf->maximum_packet = FFMAX(asf->maximum_packet, (uint16_t)(asf->nb_packets-packet_st)); + asf->index_ptr[i].packet_number = (uint32_t)packet_number; + asf->index_ptr[i].packet_count = (uint16_t)(asf->nb_packets-packet_number); + asf->maximum_packet = FFMAX(asf->maximum_packet, (uint16_t)(asf->nb_packets-packet_number)); } asf->nb_index_count = start_sec; - asf->last_indexed_pts = duration; + asf->last_indexed_pts = pts; } } return 0; From b04fbd2cd250f1c9fdaeb47275d71d6df3ee457d Mon Sep 17 00:00:00 2001 
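Review bot: in new_video_stream() in avconv.c, ost->forced_keyframes = av_strdup(ost->forced_keyframes) is not checked; on allocation failure the field becomes NULL and transcode_init() then skips parse_forced_key_frames() silently, so -force_key_frames is dropped without any message. Fail the way parse_forced_key_frames() does for its own allocation, with an AV_LOG_FATAL message and exit_program(1).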
From: Ramiro Polla Date: Wed, 4 Apr 2012 02:50:05 -0300 Subject: [PATCH 274/991] asfenc: reduce code duplication with new variable Signed-off-by: Michael Niedermayer (cherry picked from commit f2fad251b8f0b5cfa9fa43200e72f5f9194fd620) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index 1e42e1c825..d1bb07b8eb 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -808,6 +808,7 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) /* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { + uint16_t packet_count = asf->nb_packets - packet_number; start_sec = (int)(pts / INT64_C(10000000)); if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { if (start_sec > asf->nb_index_memory_alloc) { @@ -817,8 +818,8 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) for(i=asf->nb_index_count;iindex_ptr[i].packet_number = (uint32_t)packet_number; - asf->index_ptr[i].packet_count = (uint16_t)(asf->nb_packets-packet_number); - asf->maximum_packet = FFMAX(asf->maximum_packet, (uint16_t)(asf->nb_packets-packet_number)); + asf->index_ptr[i].packet_count = (uint16_t)packet_count; + asf->maximum_packet = FFMAX(asf->maximum_packet, (uint16_t)packet_count); } asf->nb_index_count = start_sec; asf->last_indexed_pts = pts; From 94905d2af66b197030daa8efee2913147175db92 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 4 Apr 2012 02:50:40 -0300 Subject: [PATCH 275/991] asfenc: remove useless casts Signed-off-by: Michael Niedermayer (cherry picked from commit bc13b74992c30da3cf3da9bcce6a0b727b9d2e6b) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index d1bb07b8eb..fd4ca536b5 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c 
@@ -813,13 +813,13 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { if (start_sec > asf->nb_index_memory_alloc) { asf->nb_index_memory_alloc = (start_sec + ASF_INDEX_BLOCK) & ~(ASF_INDEX_BLOCK - 1); - asf->index_ptr = (ASFIndex*)av_realloc( asf->index_ptr, sizeof(ASFIndex) * asf->nb_index_memory_alloc ); + asf->index_ptr = av_realloc( asf->index_ptr, sizeof(ASFIndex) * asf->nb_index_memory_alloc ); } for(i=asf->nb_index_count;iindex_ptr[i].packet_number = (uint32_t)packet_number; - asf->index_ptr[i].packet_count = (uint16_t)packet_count; - asf->maximum_packet = FFMAX(asf->maximum_packet, (uint16_t)packet_count); + asf->index_ptr[i].packet_number = packet_number; + asf->index_ptr[i].packet_count = packet_count; + asf->maximum_packet = FFMAX(asf->maximum_packet, packet_count); } asf->nb_index_count = start_sec; asf->last_indexed_pts = pts; From a1f678f7ca48d2dd9614e30f1d9c58bfaac07bda Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 4 Apr 2012 02:52:27 -0300 Subject: [PATCH 276/991] asfenc: properly write index information The index must take into account the pre-roll time and must seek backwards, not forwards. Signed-off-by: Michael Niedermayer (cherry picked from commit bd603494f905a7db92fc04eab9c0f6793b0ed7d1) Conflicts: tests/ref/lavf/asf tests/ref/seek/lavf_asf Fixes Ticket1563 Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 64 +++++++++++++++++++++++++++-------------- tests/ref/lavf/asf | 4 +-- tests/ref/seek/lavf_asf | 14 ++++----- 3 files changed, 51 insertions(+), 31 deletions(-) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index fd4ca536b5..322dc61942 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c 
@@ -208,11 +208,13 @@ typedef struct { /* only for reading */ uint64_t data_offset; ///< beginning of the first data packet - int64_t last_indexed_pts; ASFIndex* index_ptr; - uint32_t nb_index_count; uint32_t nb_index_memory_alloc; uint16_t maximum_packet; + uint32_t next_packet_number; + uint16_t next_packet_count; + int next_start_sec; + int end_sec; } ASFContext; static const AVCodecTag codec_asf_bmp_tags[] = { @@ -557,10 +559,8 @@ static int asf_write_header(AVFormatContext *s) s->packet_size = PACKET_SIZE; asf->nb_packets = 0; - asf->last_indexed_pts = 0; asf->index_ptr = av_malloc( sizeof(ASFIndex) * ASF_INDEX_BLOCK ); asf->nb_index_memory_alloc = ASF_INDEX_BLOCK; - asf->nb_index_count = 0; asf->maximum_packet = 0; /* the data-chunk-size has to be 50, which is data_size - asf->data_offset @@ -782,6 +782,34 @@ static void put_frame( stream->seq++; } +static void update_index(AVFormatContext *s, int start_sec, + uint32_t packet_number, uint16_t packet_count) +{ + ASFContext *asf = s->priv_data; + + if (start_sec > asf->next_start_sec) { + int i; + + if (!asf->next_start_sec) { + asf->next_packet_number = packet_number; + asf->next_packet_count = packet_count; + } + + if (start_sec > asf->nb_index_memory_alloc) { + asf->nb_index_memory_alloc = (start_sec + ASF_INDEX_BLOCK) & ~(ASF_INDEX_BLOCK - 1); + asf->index_ptr = av_realloc( asf->index_ptr, sizeof(ASFIndex) * asf->nb_index_memory_alloc ); + } + for (i = asf->next_start_sec; i < start_sec; i++) { + asf->index_ptr[i].packet_number = asf->next_packet_number; + asf->index_ptr[i].packet_count = asf->next_packet_count; + } + } + asf->maximum_packet = FFMAX(asf->maximum_packet, packet_count); + asf->next_packet_number = packet_number; + asf->next_packet_count = packet_count; + asf->next_start_sec = start_sec; +} + static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) { ASFContext *asf = s->priv_data; 
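Review bot: In the new update_index() in libavformat/asfenc.c, the av_realloc() result is assigned straight to asf->index_ptr and the loop that follows writes asf->index_ptr[i] with no NULL check, so a failed allocation loses the old block and then dereferences NULL. Since the function returns void it has no way to report the failure; reallocate into a temporary, return an int (AVERROR(ENOMEM) on failure) and let asf_write_packet() and asf_write_trailer() propagate it. The patch also drops the explicit initialisers in asf_write_header() without adding any for next_start_sec, next_packet_number, next_packet_count and end_sec, which update_index() reads on its first call; set them there or add a comment stating that the private context starts zeroed.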
@@ -789,7 +817,7 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *codec; uint32_t packet_number; int64_t pts; - int start_sec,i; + int start_sec; int flags= pkt->flags; codec = s->streams[pkt->stream_index]->codec; @@ -806,25 +834,16 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) packet_number = asf->nb_packets; put_frame(s, stream, s->streams[pkt->stream_index], pkt->dts, pkt->data, pkt->size, flags); + start_sec = (int)((PREROLL_TIME * 10000 + pts + ASF_INDEXED_INTERVAL - 1) + / ASF_INDEXED_INTERVAL); + /* check index */ if ((!asf->is_streamed) && (flags & AV_PKT_FLAG_KEY)) { uint16_t packet_count = asf->nb_packets - packet_number; - start_sec = (int)(pts / INT64_C(10000000)); - if (start_sec != (int)(asf->last_indexed_pts / INT64_C(10000000))) { - if (start_sec > asf->nb_index_memory_alloc) { - asf->nb_index_memory_alloc = (start_sec + ASF_INDEX_BLOCK) & ~(ASF_INDEX_BLOCK - 1); - asf->index_ptr = av_realloc( asf->index_ptr, sizeof(ASFIndex) * asf->nb_index_memory_alloc ); - } - for(i=asf->nb_index_count;iindex_ptr[i].packet_number = packet_number; - asf->index_ptr[i].packet_count = packet_count; - asf->maximum_packet = FFMAX(asf->maximum_packet, packet_count); - } - asf->nb_index_count = start_sec; - asf->last_indexed_pts = pts; - } + update_index(s, start_sec, packet_number, packet_count); } + asf->end_sec = start_sec; + return 0; } @@ -859,8 +878,9 @@ static int asf_write_trailer(AVFormatContext *s) /* write index */ data_size = avio_tell(s->pb); - if ((!asf->is_streamed) && (asf->nb_index_count != 0)) { - asf_write_index(s, asf->index_ptr, asf->maximum_packet, asf->nb_index_count); + if (!asf->is_streamed && asf->next_start_sec) { + update_index(s, asf->end_sec + 1, 0, 0); + asf_write_index(s, asf->index_ptr, asf->maximum_packet, asf->next_start_sec); } avio_flush(s->pb); diff --git a/tests/ref/lavf/asf b/tests/ref/lavf/asf index c6e6b6baf4..ee819fad22 100644 --- a/tests/ref/lavf/asf +++ b/tests/ref/lavf/asf 
@@ -1,3 +1,3 @@ -3d410176ebf9ffdf99d2738922cef260 *./tests/data/lavf/lavf.asf -333489 ./tests/data/lavf/lavf.asf +cee474c51df8a3e67d01b733cafbb7e8 *./tests/data/lavf/lavf.asf +333581 ./tests/data/lavf/lavf.asf ./tests/data/lavf/lavf.asf CRC=0x9f5ab3e6 diff --git a/tests/ref/seek/lavf_asf b/tests/ref/seek/lavf_asf index 5aee39e049..868262cd99 100644 --- a/tests/ref/seek/lavf_asf +++ b/tests/ref/seek/lavf_asf @@ -2,9 +2,9 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 +ret: 0 st: 1 flags:1 dts: 0.444000 pts: 0.444000 pos: 147889 size: 209 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 +ret: 0 st: 1 flags:1 dts: 0.444000 pts: 0.444000 pos: 147889 size: 209 ret: 0 st: 0 flags:1 ts:-0.317000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st: 1 flags:0 ts: 2.577000 @@ -22,11 +22,11 @@ ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 ret: 0 st: 1 flags:0 ts:-0.058000 ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 29489 size: 208 ret: 0 st: 1 flags:1 ts: 2.836000 -ret: 0 st: 1 flags:1 dts: 0.967000 pts: 0.967000 pos: 330289 size: 209 +ret: 0 st: 1 flags:1 dts: 0.862000 pts: 0.862000 pos: 279089 size: 209 ret: 0 st:-1 flags:0 ts: 1.730004 ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 1 flags:1 dts: 0.444000 pts: 0.444000 pos: 147889 size: 209 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st: 0 flags:0 ts:-0.482000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st: 0 flags:1 ts: 2.413000 
@@ -34,19 +34,19 @@ ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 ret: 0 st: 1 flags:0 ts: 1.307000 ret: 0 st: 1 flags:1 dts: 0.967000 pts: 0.967000 pos: 330289 size: 209 ret: 0 st: 1 flags:1 ts: 0.201000 -ret: 0 st: 1 flags:1 dts: 0.183000 pts: 0.183000 pos: 71089 size: 209 +ret: 0 st: 1 flags:1 dts: 0.967000 pts: 0.967000 pos: 330289 size: 209 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st:-1 flags:1 ts: 1.989173 ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 ret: 0 st: 0 flags:0 ts: 0.883000 -ret: 0 st: 1 flags:1 dts: 0.940000 pts: 0.940000 pos: 301489 size: 209 +ret: 0 st: 1 flags:1 dts: 0.444000 pts: 0.444000 pos: 147889 size: 209 ret: 0 st: 0 flags:1 ts:-0.222000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 689 size: 28487 ret: 0 st: 1 flags:0 ts: 2.672000 ret: 0 st: 1 flags:1 dts: 0.967000 pts: 0.967000 pos: 330289 size: 209 ret: 0 st: 1 flags:1 ts: 1.566000 -ret: 0 st: 1 flags:1 dts: 0.967000 pts: 0.967000 pos: 330289 size: 209 +ret: 0 st: 1 flags:1 dts: 0.862000 pts: 0.862000 pos: 279089 size: 209 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 1 flags:1 dts: 0.444000 pts: 0.444000 pos: 147889 size: 209 ret: 0 st:-1 flags:1 ts:-0.645825 From 0f54c97f58648cf160b7d85b700e38ba84214f69 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 24 Jun 2012 11:17:13 +0100 Subject: [PATCH 277/991] dxva2: include dxva.h if found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apparently, some build environments require dxva.h even for dxva2, while others lack this header entirely. Including it conditionally allows building in both cases. Signed-off-by: Martin Storsjö (cherry picked from commit fa84506177f0246b30d4ea6a99ee5d419f3e4550) Conflicts: configure Signed-off-by: Michael Niedermayer --- configure | 2 ++ libavcodec/dxva2_internal.h | 7 +++++++ 2 files changed, 9 insertions(+) 
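Review bot: The updated reference in tests/ref/seek/lavf_asf has the request `st: 1 flags:1 ts: 0.201000` now returning the packet at dts 0.967000 (pos 330289) where it previously returned dts 0.183000, so the result moved from just before the requested timestamp to well after it. That reads as the opposite of the commit message's "must seek backwards, not forwards". Please confirm this entry is intended behaviour and not a regression captured in the reference, and explain it in the commit message if it is.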
diff --git a/configure b/configure index 07d473e861..e307fd3a7a 100755 --- a/configure +++ b/configure @@ -1168,6 +1168,7 @@ HAVE_LIST=" dlfcn_h dlopen dos_paths + dxva_h ebp_available ebx_available exp2 @@ -3047,6 +3048,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h VirtualAlloc check_header dlfcn.h +check_header dxva.h check_header dxva2api.h -D_WIN32_WINNT=0x0600 check_header libcrystalhd/libcrystalhd_if.h check_header malloc.h diff --git a/libavcodec/dxva2_internal.h b/libavcodec/dxva2_internal.h index 23d4d87522..fcf45bc664 100644 --- a/libavcodec/dxva2_internal.h +++ b/libavcodec/dxva2_internal.h @@ -25,7 +25,14 @@ #define _WIN32_WINNT 0x0600 #define COBJMACROS + +#include "config.h" + #include "dxva2.h" +#if HAVE_DXVA_H +#include +#endif + #include "avcodec.h" #include "mpegvideo.h" From 50e6e494c90ece9b66a8f6ecac342acd410a2ff0 Mon Sep 17 00:00:00 2001 From: jamal Date: Fri, 3 Aug 2012 17:13:27 -0300 Subject: [PATCH 278/991] build: Fix some paths in uninstall-libs Folder and file names weren't being separated with a slash. This resulted in .dll.a, .lib and .def files not being removed on uninstall. Signed-off-by: Alexander Strasser (cherry picked from commit 49440853d0c1e740daee0e2df1e65d5e67b1ad6b) Signed-off-by: Michael Niedermayer --- library.mak | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library.mak b/library.mak index 40a364eccc..cc71f9df82 100644 --- a/library.mak +++ b/library.mak @@ -84,8 +84,8 @@ uninstall-libs:: -$(RM) "$(SHLIBDIR)/$(SLIBNAME_WITH_MAJOR)" \ "$(SHLIBDIR)/$(SLIBNAME)" \ "$(SHLIBDIR)/$(SLIBNAME_WITH_VERSION)" - -$(RM) $(SLIB_INSTALL_EXTRA_SHLIB:%="$(SHLIBDIR)"%) - -$(RM) $(SLIB_INSTALL_EXTRA_LIB:%="$(LIBDIR)"%) + -$(RM) $(SLIB_INSTALL_EXTRA_SHLIB:%="$(SHLIBDIR)/%") + -$(RM) $(SLIB_INSTALL_EXTRA_LIB:%="$(LIBDIR)/%") -$(RM) "$(LIBDIR)/$(LIBNAME)" uninstall-headers:: From 2cf6afffe54f32ea76aabe758049b574b5a30dfd Mon Sep 17 00:00:00 2001 
From: Carl Eugen Hoyos Date: Wed, 12 Sep 2012 13:08:27 +0200 Subject: [PATCH 279/991] Fix muxing mjpeg in swf. (cherry picked from commit 7680d99b4302e476076cc1b8f2567f47c2aaef4d) --- libavformat/swfenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index af812d09eb..0ad7b3342c 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -498,8 +498,10 @@ static int swf_write_trailer(AVFormatContext *s) avio_wl32(pb, file_size); avio_seek(pb, swf->duration_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + if (swf->vframes_pos) { avio_seek(pb, swf->vframes_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + } avio_seek(pb, file_size, SEEK_SET); } return 0; From e2c7b37fd225d9e41c913bd21a5b481c78a11019 Mon Sep 17 00:00:00 2001 From: Ben Jackson Date: Thu, 13 Sep 2012 21:26:43 -0700 Subject: [PATCH 280/991] pthread: Avoid crashes/odd behavior caused by spurious wakeups pthread_wait_cond can wake up for no reason (Wikipedia: Spurious_wakeup). The FF_THREAD_SLICE thread mechanism could spontaneously execute jobs or allow the caller of avctx->execute to return before all jobs were complete. This adds tests to both cases to ensure the wakeup is real. Signed-off-by: Ben Jackson Signed-off-by: Michael Niedermayer (cherry picked from commit e3329474a366de066b25e86f35f5abf9c5a4b7b2) Signed-off-by: Michael Niedermayer (cherry picked from commit f1ec792ae3011531d47070144b8c91d58bb3e76f) Signed-off-by: Michael Niedermayer --- libavcodec/pthread.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index c58222b490..302acab84c 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -79,6 +79,7 @@ typedef struct ThreadContext { pthread_cond_t current_job_cond; pthread_mutex_t current_job_lock; int current_job; + unsigned int current_execute; int done; } ThreadContext; 
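Review bot: current_execute is added to ThreadContext in libavcodec/pthread.c as unsigned int, but the worker() hunk of the same patch keeps its copy in `int last_execute` and compares the two in the wait loop. Declare last_execute as unsigned int so the comparison and the assignment `last_execute = c->current_execute` stay in one type once the counter passes INT_MAX. A short comment on the new field saying that it counts avctx->execute calls, and which lock protects it, would also document why the wakeup test is reliable.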
@@ -203,6 +204,7 @@ static void* attribute_align_arg worker(void *v) AVCodecContext *avctx = v; ThreadContext *c = avctx->thread_opaque; int our_job = c->job_count; + int last_execute = 0; int thread_count = avctx->thread_count; int self_id; @@ -213,7 +215,9 @@ static void* attribute_align_arg worker(void *v) if (c->current_job == thread_count + c->job_count) pthread_cond_signal(&c->last_job_cond); - pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); + while (last_execute == c->current_execute && !c->done) + pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); + last_execute = c->current_execute; our_job = self_id; if (c->done) { @@ -233,7 +237,8 @@ static void* attribute_align_arg worker(void *v) static av_always_inline void avcodec_thread_park_workers(ThreadContext *c, int thread_count) { - pthread_cond_wait(&c->last_job_cond, &c->current_job_lock); + while (c->current_job != thread_count + c->job_count) + pthread_cond_wait(&c->last_job_cond, &c->current_job_lock); pthread_mutex_unlock(&c->current_job_lock); } @@ -282,6 +287,7 @@ static int avcodec_thread_execute(AVCodecContext *avctx, action_func* func, void c->rets = &dummy_ret; c->rets_count = 1; } + c->current_execute++; pthread_cond_broadcast(&c->current_job_cond); avcodec_thread_park_workers(c, avctx->thread_count); From 1301942248f14bc18c02d984200d836e28b7dfd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Sep 2012 05:55:11 +0200 Subject: [PATCH 281/991] mpegaudio_parser: reset state to prevent it to be random Fixes Ticket1718 Signed-off-by: Michael Niedermayer (cherry picked from commit 93b240f4a59348c07d3d7e4862227f6949c51e14) Signed-off-by: Michael Niedermayer (cherry picked from commit 3581ab6ce0754544b06f34f7875b731a5ca2e061) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index ec7e882c31..283bf04a3d 100644 
--- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -53,6 +53,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, int inc= FFMIN(buf_size - i, s->frame_size); i += inc; s->frame_size -= inc; + state = 0; if(!s->frame_size){ next= i; From 38c5e8fec5625dd01b2eb77a8da8cbd791ff85b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2012 03:15:14 +0200 Subject: [PATCH 282/991] sp5xdec: fix off by 1 error causing a crash Fixes Ticket1633 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit f0896a6bd94e5b45447c7d640c8e8aa95d860d7a) Signed-off-by: Michael Niedermayer (cherry picked from commit 450e4b1a60721d25f306d97062f35c9c3d7989f8) Signed-off-by: Michael Niedermayer --- libavcodec/sp5xdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 4bf45f5454..164250a460 100644 --- a/libavcodec/sp5xdec.c +++ b/libavcodec/sp5xdec.c @@ -72,7 +72,7 @@ static int sp5x_decode_frame(AVCodecContext *avctx, for (i = 2; i < buf_size-2 && j < buf_size+1024-2; i++) recoded[j++] = buf[i]; else - for (i = 14; i < buf_size && j < buf_size+1024-2; i++) + for (i = 14; i < buf_size && j < buf_size+1024-3; i++) { recoded[j++] = buf[i]; if (buf[i] == 0xff) From fcb8bbf26411d9abc71a9a6d74e44c81b6699983 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2012 22:28:29 +0200 Subject: [PATCH 283/991] escape124: fix integer overflow leading to excessive memory allocation Fixes Ticket1629 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6) Signed-off-by: Michael Niedermayer (cherry picked from commit 9f1e01c9915fe0c86ad2b8f50e11fee9e1b00c62) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index d28d55dade..f77edaf1c5 100644 --- a/libavcodec/escape124.c 
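Review bot: In sp5x_decode_frame() in libavcodec/sp5xdec.c, the corrected limit `j < buf_size+1024-3` is a bare constant with nothing at the loop tying it to the size of recoded or to the number of bytes one iteration can append (the body stores buf[i] and then has an extra branch for 0xff). Define the headroom once next to the allocation, derive both loop limits from it, and add a comment saying which writes the reserved bytes are for; otherwise the next change to the loop body can reintroduce the overrun unnoticed. The first loop keeps `-2`; please confirm that is intentional.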
+++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) >= bits; } @@ -90,7 +90,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (!can_safely_read(gb, size * 34)) + if (!can_safely_read(gb, size * 34L)) return cb; if (size >= INT_MAX / sizeof(MacroBlock)) From d36c706b868b4801bb5e9756bf921ecc8ca8ae10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Sep 2012 12:35:41 +0200 Subject: [PATCH 284/991] faxcompr: fix out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 5891e454a667e42ef71a06bfd9661540ea3f3ebd) Signed-off-by: Michael Niedermayer (cherry picked from commit 55b3e408fa18b918bd0cabb1b27f1f0c4ce57a64) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index c157b984d3..f66d33f133 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -228,7 +228,7 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } //sync line pointers - while(run_off <= offs){ + while(offs < width && run_off <= offs){ run_off += *ref++; run_off += *ref++; } From 501e60dcf5bb82572aa7bca44cf072b3c15d44aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Aug 2012 18:58:49 +0200 Subject: [PATCH 285/991] bmv_videodec: fix out of array read Fixes Ticket1373 Signed-off-by: Michael Niedermayer (cherry picked from commit 70f0ffa1ed456fd0b560d0dd1d0d93f1ba3a6d93) Signed-off-by: Michael Niedermayer (cherry picked from commit d721cb009d73662f35c629bdc678e25786e79301) Signed-off-by: Michael Niedermayer --- libavcodec/bmv.c | 5 +++++ 1 file changed, 5 insertions(+) 
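Review bot: In unpack_codebook() in libavcodec/escape124.c the overflow fix relies on `size * 34L`, but long is only 32 bits wide on 32-bit targets and on 64-bit Windows, so there the product can still wrap before it reaches the uint64_t parameter of can_safely_read(). Use a 64-bit operand, for example `(uint64_t)size * 34`. In can_safely_read() the comparison `get_bits_left(gb) >= bits` now converts the left side to uint64_t, so if get_bits_left() ever returns a negative int it compares as a very large value and the check passes; reject a negative result first or keep the comparison signed.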
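Review bot: In decode_group3_2d_line() in libavcodec/faxcompr.c, the added `offs < width` test sits in the condition of a loop whose body changes only run_off and ref, so it is evaluated against the same values on every pass and acts as a one-time entry guard. The reads through `*ref++` are still bounded only by run_off overtaking offs, not by the extent of the reference line. Make the guard an explicit if before the loop, and either bound ref by its end or add a comment stating the property of the reference line that guarantees termination.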
diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 35923a28d6..d2f4e9f86c 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -268,6 +268,11 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = PIX_FMT_PAL8; + if (avctx->width != SCREEN_WIDE || avctx->height != SCREEN_HIGH) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimension %dx%d\n", avctx->width, avctx->height); + return AVERROR_INVALIDDATA; + } + c->pic.reference = 1; if (avctx->get_buffer(avctx, &c->pic) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); From eed53a38c9b3d2f6e77102a71a1683b508b5d472 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Sep 2012 02:34:55 +0200 Subject: [PATCH 286/991] Update for 0.10.5 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index d3366384df..9c0e3289ba 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.4 +PROJECT_NUMBER = 0.10.5 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 9b40aa6c21..9028ec6365 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.4 +0.10.5 diff --git a/VERSION b/VERSION index 9b40aa6c21..9028ec6365 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.4 +0.10.5 From 50032a75d6cf94f49b8ceee7381d5d68758d7431 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Sep 2012 03:09:28 +0200 Subject: [PATCH 287/991] Changelog for 0.10.5 Signed-off-by: Michael Niedermayer --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index 17ca5c9e38..030ecbd8b8 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,11 @@ releases are sorted from youngest to oldest. version next: +version 0.10.5: + +- Several bugs and crashes have been fixed as well as build problems + with recent mingw64 + version 0.10.4: From 8efae4cbbf510588920d81b7e84d6e80ff1226df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Mon, 30 Apr 2012 22:48:42 +0200 Subject: [PATCH 288/991] avconv: fix parsing of -force_key_frames option. Currently it always exits with an error when more than one position is specified. CC: libav-stable@libav.org (cherry picked from commit 4c679750cb4cb112c19f862bd733bf6660a935bd) Signed-off-by: Anton Khirnov --- avconv.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/avconv.c b/avconv.c index 718fc8d6bf..90bc49cc88 100644 --- a/avconv.c +++ b/avconv.c @@ -2247,10 +2247,18 @@ static void parse_forced_key_frames(char *kf, OutputStream *ost, av_log(NULL, AV_LOG_FATAL, "Could not allocate forced key frames array.\n"); exit_program(1); } + + p = kf; for (i = 0; i < n; i++) { - p = i ? strchr(p, ',') + 1 : kf; + char *next = strchr(p, ','); + + if (next) + *next++ = 0; + t = parse_time_or_die("force_key_frames", p, 1); ost->forced_kf_pts[i] = av_rescale_q(t, AV_TIME_BASE_Q, avctx->time_base); + + p = next; } } From 02b72394627933dc8ce26445231a69f00dba491b Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: [PATCH 289/991] vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3d1abc71a5..46cfdb0973 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
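Review bot: The rewritten loop in parse_forced_key_frames() in avconv.c splits the list by writing 0 over each comma (`*next++ = 0`), so the caller's kf string is cut down to its first entry once the function returns. If the option value is read again later, for logging or for another output stream, it no longer holds the full list; parse from a private copy or restore the separators afterwards. The loop also assumes n matches the number of entries: if n were larger, p would be NULL at the next strchr() call, so an explicit check on p is cheap insurance.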
@@ -5812,6 +5812,7 @@ AVCodec ff_vc1_decoder = { .init = vc1_decode_init, .close = vc1_decode_end, .decode = vc1_decode_frame, + .flush = ff_mpeg_flush, .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DELAY, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_hwaccel_pixfmt_list_420, @@ -5827,6 +5828,7 @@ AVCodec ff_wmv3_decoder = { .init = vc1_decode_init, .close = vc1_decode_end, .decode = vc1_decode_frame, + .flush = ff_mpeg_flush, .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DELAY, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_hwaccel_pixfmt_list_420, From e9ac06160f4550c339dbd1a30a6c6925a7a17dbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Thu, 5 Jan 2012 21:01:56 +0100 Subject: [PATCH 290/991] sipr: fall back to setting mode based on bit_rate. Not all applications (e.g. MPlayer) set block_align, and when using a different demuxer it might not even be easily available. So fall back to selecting mode based on bit rate as before if block_align has not useful value. It can't be worse than failing to decode completely. (cherry picked from commit 1d0d63052b82c76e10c45cd38cdd27677de72e81) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler (cherry picked from commit c54e00610f20d2342fe9b17a5460abfbd411c8fb) Signed-off-by: Anton Khirnov --- libavcodec/sipr.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index 4502fa5f2a..818524ca62 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c 
@@ -486,8 +486,13 @@ static av_cold int sipr_decoder_init(AVCodecContext * avctx) case 29: ctx->mode = MODE_6k5; break; case 37: ctx->mode = MODE_5k0; break; default: - av_log(avctx, AV_LOG_ERROR, "Invalid block_align: %d\n", avctx->block_align); - return AVERROR(EINVAL); + if (avctx->bit_rate > 12200) ctx->mode = MODE_16k; + else if (avctx->bit_rate > 7500 ) ctx->mode = MODE_8k5; + else if (avctx->bit_rate > 5750 ) ctx->mode = MODE_6k5; + else ctx->mode = MODE_5k0; + av_log(avctx, AV_LOG_WARNING, + "Invalid block_align: %d. Mode %s guessed based on bitrate: %d\n", + avctx->block_align, modes[ctx->mode].mode_name, avctx->bit_rate); } av_log(avctx, AV_LOG_DEBUG, "Mode: %s\n", modes[ctx->mode].mode_name); From bed5847563d1b9d3ee284f1fae442199508c7492 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 16 Sep 2012 08:33:09 +0200 Subject: [PATCH 291/991] bmpdec: only initialize palette for pal8. Gray8 is not considered to be paletted, so this would cause an invalid write. Fixes bug 367. CC: libav-stable@libav.org (cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9) Signed-off-by: Anton Khirnov --- libavcodec/bmp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index 1f725f5369..974db4953c 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -227,9 +227,6 @@ static int bmp_decode_frame(AVCodecContext *avctx, if(comp == BMP_RLE4 || comp == BMP_RLE8) memset(p->data[0], 0, avctx->height * p->linesize[0]); - if(depth == 4 || depth == 8) - memset(p->data[1], 0, 1024); - if(height > 0){ ptr = p->data[0] + (avctx->height - 1) * p->linesize[0]; linesize = -p->linesize[0]; @@ -240,6 +237,9 @@ static int bmp_decode_frame(AVCodecContext *avctx, if(avctx->pix_fmt == PIX_FMT_PAL8){ int colors = 1 << depth; + + memset(p->data[1], 0, 1024); + if(ihsize >= 36){ int t; buf = buf0 + 46; From fdb70807817473a02bb02ac918b846a8051bd4bd Mon Sep 17 00:00:00 2001 
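Review bot: The new default branch in sipr_decoder_init() in libavcodec/sipr.c guesses the mode from bit_rate for every unrecognised block_align, including nonzero values that are simply wrong, while the commit message motivates the fallback with callers that do not set block_align. Consider limiting the guess to a block_align that is clearly unset (0) and keeping the AVERROR(EINVAL) path for other values, so a corrupt header is not decoded with a guessed frame layout. The thresholds 12200, 7500 and 5750 also need a comment saying how they were chosen.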
From: Janne Grunau Date: Mon, 6 Aug 2012 13:50:51 +0200 Subject: [PATCH 292/991] Revert "nuv: check per-frame header for validity." The check is bogus since the nuv frameheader is already skipped and the (decompressed) RTjpeg header is checked. This reverts commit f6afacdb3b708720c9fb85984b4f7fdbca2b2036. CC: libav-stable@libav.org (cherry picked from commit 110d015ad450ea1b2fd40f0e9ce1c53507cdec5d) Signed-off-by: Anton Khirnov --- libavcodec/nuv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 94962b5843..7bace2ec40 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -184,9 +184,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (c->codec_frameheader) { int w, h, q; - if (buf[0] != 'V' || buf_size < 12) { - av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame (wrong codec_tag?)\n"); - return AVERROR_INVALIDDATA; + if (buf_size < 12) { + av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); + return -1; } w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); From 6704522ca9dd32c858ee474492be568c386910f9 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 6 Aug 2012 13:59:04 +0200 Subject: [PATCH 293/991] nuv: check RTjpeg header for validity CC: libav-stable@libav.org (cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad) Signed-off-by: Anton Khirnov --- libavcodec/nuv.c | 9 +++++---- libavcodec/rtjpeg.h | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 7bace2ec40..519b550bcd 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c 
@@ -184,17 +184,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (c->codec_frameheader) { int w, h, q; - if (buf_size < 12) { + if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE || + buf[5] != RTJPEG_FILE_VERSION) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; if (!codec_reinit(avctx, w, h, q)) return -1; - buf = &buf[12]; - buf_size -= 12; + buf = &buf[RTJPEG_HEADER_SIZE]; + buf_size -= RTJPEG_HEADER_SIZE; } if (keyframe && c->pic.data[0]) diff --git a/libavcodec/rtjpeg.h b/libavcodec/rtjpeg.h index d537c93ff4..4b46689f9c 100644 --- a/libavcodec/rtjpeg.h +++ b/libavcodec/rtjpeg.h @@ -25,6 +25,9 @@ #include #include "dsputil.h" +#define RTJPEG_FILE_VERSION 0 +#define RTJPEG_HEADER_SIZE 12 + typedef struct { int w, h; DSPContext *dsp; From 25a1a5b1b38ba86501cea51c961c10a46ecb49f1 Mon Sep 17 00:00:00 2001 From: Max Lazarov Date: Fri, 30 Mar 2012 23:56:56 -0700 Subject: [PATCH 294/991] eval: fix swapping of lt() and lte() CC: libav-stable@libav.org (cherry picked from commit caac3ab6efde4fc9769e8a7472269356f262970a) Signed-off-by: Anton Khirnov --- libavutil/eval.c | 4 ++-- tests/ref/fate/eval | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index 9941ed7060..44d1428d58 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c 
@@ -277,8 +277,8 @@ static int parse_primary(AVExpr **e, Parser *p) else if (strmatch(next, "eq" )) d->type = e_eq; else if (strmatch(next, "gte" )) d->type = e_gte; else if (strmatch(next, "gt" )) d->type = e_gt; - else if (strmatch(next, "lte" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gt; } - else if (strmatch(next, "lt" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gte; } + else if (strmatch(next, "lte" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gte; } + else if (strmatch(next, "lt" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gt; } else if (strmatch(next, "ld" )) d->type = e_ld; else if (strmatch(next, "isnan" )) d->type = e_isnan; else if (strmatch(next, "st" )) d->type = e_st; diff --git a/tests/ref/fate/eval b/tests/ref/fate/eval index ef50292024..c16527c486 100644 --- a/tests/ref/fate/eval +++ b/tests/ref/fate/eval 
@@ -95,16 +95,16 @@ Evaluating 'st(1, 123); ld(1)' 'st(1, 123); ld(1)' -> 123.000000 Evaluating 'st(0, 1); while(lte(ld(0), 100), st(1, ld(1)+ld(0));st(0, ld(0)+1)); ld(1)' -'st(0, 1); while(lte(ld(0), 100), st(1, ld(1)+ld(0));st(0, ld(0)+1)); ld(1)' -> 4950.000000 +'st(0, 1); while(lte(ld(0), 100), st(1, ld(1)+ld(0));st(0, ld(0)+1)); ld(1)' -> 5050.000000 Evaluating 'st(1, 1); st(2, 2); st(0, 1); while(lte(ld(0),10), st(3, ld(1)+ld(2)); st(1, ld(2)); st(2, ld(3)); st(0, ld(0)+1)); ld(3)' -'st(1, 1); st(2, 2); st(0, 1); while(lte(ld(0),10), st(3, ld(1)+ld(2)); st(1, ld(2)); st(2, ld(3)); st(0, ld(0)+1)); ld(3)' -> 144.000000 +'st(1, 1); st(2, 2); st(0, 1); while(lte(ld(0),10), st(3, ld(1)+ld(2)); st(1, ld(2)); st(2, ld(3)); st(0, ld(0)+1)); ld(3)' -> 233.000000 Evaluating 'while(0, 10)' 'while(0, 10)' -> nan Evaluating 'st(0, 1); while(lte(ld(0),100), st(1, ld(1)+ld(0)); st(0, ld(0)+1))' -'st(0, 1); while(lte(ld(0),100), st(1, ld(1)+ld(0)); st(0, ld(0)+1))' -> 100.000000 +'st(0, 1); while(lte(ld(0),100), st(1, ld(1)+ld(0)); st(0, ld(0)+1))' -> 101.000000 Evaluating 'isnan(1)' 'isnan(1)' -> 0.000000 From 7a7229b52d1900279041991fadbd29b27e8dfe95 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 2 Jul 2012 10:46:39 +0200 Subject: [PATCH 295/991] imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt CC: libav-stable@libav.org (cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916) Signed-off-by: Anton Khirnov --- libavcodec/imgconvert.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index eab051bacc..1dfe3b7659 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c 
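Review bot: All three reference results that change in tests/ref/fate/eval come from expressions using lte(); none of the changed references exercises lt(), so the lt() half of the swap fixed in parse_primary() is not covered by the updated test. Add at least one expression per operator at the boundary, for example lt(1, 1), lt(1, 2), lte(1, 1) and lte(2, 1), so a future mix-up of e_gt and e_gte fails FATE.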
@@ -612,7 +612,8 @@ static enum PixelFormat avcodec_find_best_pix_fmt1(int64_t pix_fmt_mask, /* find exact color match with smallest size */ dst_pix_fmt = PIX_FMT_NONE; min_dist = 0x7fffffff; - for(i = 0;i < PIX_FMT_NB; i++) { + /* test only the first 64 pixel formats to avoid undefined behaviour */ + for (i = 0; i < 64; i++) { if (pix_fmt_mask & (1ULL << i)) { loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask; if (loss == 0) { From da0c457663479bc1828918e1bb3e4a5e4de0d557 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Nov 2011 17:19:25 +0100 Subject: [PATCH 296/991] mpegvideo: Don't use ff_mspel_motion() for vc1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using ff_mspel_motion assumes that s (a MpegEncContext poiinter) really is a Wmv2Context. This fixes crashes in error resilience on vc1/wmv3 videos. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo_common.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index 9f6307ea7c..e8daf2ece3 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -725,7 +725,8 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s, 0, 0, 0, ref_picture, pix_op, qpix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); - }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel){ + } else if (!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && + s->mspel && s->codec_id == CODEC_ID_WMV2) { ff_mspel_motion(s, dest_y, dest_cb, dest_cr, ref_picture, pix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); From 7124fa5d3640e5b8089dd13b22a09038b2ec5216 Mon Sep 17 00:00:00 2001 
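Review bot: In avcodec_find_best_pix_fmt1() in libavcodec/imgconvert.c the loop bound changes from PIX_FMT_NB to the literal 64, which avoids the undefined shift but lets i run past the last valid pixel format whenever PIX_FMT_NB is below 64; with a stray high bit in pix_fmt_mask, avcodec_get_pix_fmt_loss() is then called with an out-of-range format. Bound the loop by the smaller of the two, for example FFMIN(PIX_FMT_NB, 64), and extend the comment to say that formats numbered 64 and above cannot be expressed in the int64_t mask at all.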
From: Anton Khirnov Date: Fri, 15 Jun 2012 19:58:11 +0200 Subject: [PATCH 297/991] lavf: don't segfault when a NULL filename is passed to avformat_open_input() This can easily happen when the caller is using a custom AVIOContext. Behave as if the filename was an empty string in this case. CC: libav-stable@libav.org (cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0c355cee60..240cd94925 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -634,7 +634,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename, sizeof(s->filename)); + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* allocate private data */ if (s->iformat->priv_data_size > 0) { From d9ffa2aca1e438a44d41f3ef3aeb8ef396bcd7b0 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 11 Jun 2012 10:29:57 -0400 Subject: [PATCH 298/991] golomb: check remaining bits during unary decoding in get_ur_golomb_jpegls() Fixes infinite loop in FLAC decoding in case of a truncated bitstream due to the safe bitstream reader returning 0's at the end. Fixes Bug 310. CC:libav-stable@libav.org (cherry picked from commit 4795362660a526a38a7a60f06826bce97a092b59) Signed-off-by: Anton Khirnov --- libavcodec/golomb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 1712540fd3..b6b8cc8412 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h 
@@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int return buf; }else{ int i; - for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) { + for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0 && HAVE_BITS_REMAINING(re, gb); i++) { LAST_SKIP_BITS(re, gb, 1); UPDATE_CACHE(re, gb); } From a1b127515bb79c715933d0d4201e4ef3152b3dcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 01:39:13 +0100 Subject: [PATCH 299/991] alsdec: check opt_order. Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 26496bf0f1..d5e09c5d2a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -663,6 +663,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); + if (*bd->opt_order > sconf->max_order) { + *bd->opt_order = sconf->max_order; + av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n"); + return AVERROR_INVALIDDATA; + } } else { *bd->opt_order = sconf->max_order; } From 6d1b91324c306568f67d2e22fc87e7e4be147210 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 9 Feb 2012 11:28:46 +0200 Subject: [PATCH 300/991] h263: Add ff_ prefix to nonstatic symbols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit ddce8953a5056800ec795df2dfd84fc17a11b5fc) 
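Review bot: in avformat_open_input() (libavformat/utils.c, the lavf patch above), the NULL substitution is applied only at the av_strlcpy() call, so `filename` itself stays NULL for any other use in the function, and the hunk does not show those uses. Suggest either normalising once near the top (`if (!filename) filename = "";`), which matches the "behave as if the filename was an empty string" intent of the commit message, or checking each remaining use, and documenting in the public header that NULL is accepted.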
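Review bot: in get_ur_golomb_jpegls() (libavcodec/golomb.h), the loop now stops when the reader runs out of bits, but the visible lines give no way to tell that exit apart from a genuine terminating 1 bit, so a truncated stream still produces a value built from `i` zero bits. Consider whether callers need an error indication for that case. Minor: placing `HAVE_BITS_REMAINING(re, gb)` ahead of `SHOW_UBITS(re, gb, 1) == 0` would state the guard before the read it protects, and the condition is long enough to wrap.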
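Review bot: in read_var_block_data() (libavcodec/alsdec.c), the message `"Predictor order too large!\n"` omits both the value read and `sconf->max_order`, which makes a report from a damaged or fuzzed file hard to triage. Suggest logging both, capturing the value before it is overwritten. The clamp to `sconf->max_order` immediately before `return AVERROR_INVALIDDATA` also deserves a short comment, since its purpose (not leaving an invalid order in the context) is stated only in the commit message.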
Signed-off-by: Anton Khirnov --- libavcodec/h263.c | 8 ++-- libavcodec/h263.h | 42 ++++++++++---------- libavcodec/h263data.h | 24 ++++++------ libavcodec/h263dec.c | 4 +- libavcodec/intelh263dec.c | 4 +- libavcodec/ituh263dec.c | 78 +++++++++++++++++++------------------- libavcodec/ituh263enc.c | 44 ++++++++++----------- libavcodec/mpeg4videodec.c | 50 ++++++++++++------------ libavcodec/mpeg4videoenc.c | 6 +-- libavcodec/mpegvideo_enc.c | 10 ++--- libavcodec/msmpeg4.c | 16 ++++---- libavcodec/msmpeg4data.c | 12 +++--- libavcodec/rv10.c | 2 +- libavcodec/rv34data.h | 2 +- libavcodec/snowenc.c | 2 +- libavcodec/svq1dec.c | 6 +-- libavcodec/svq1enc.c | 4 +- libavcodec/wmv2enc.c | 2 +- 18 files changed, 158 insertions(+), 158 deletions(-) diff --git a/libavcodec/h263.c b/libavcodec/h263.c index 77a1bb828b..7f1966f8bf 100644 --- a/libavcodec/h263.c +++ b/libavcodec/h263.c @@ -98,7 +98,7 @@ void ff_h263_update_motion_val(MpegEncContext * s){ } } -int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr) +int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr) { int x, y, wrap, a, c, pred_dc; int16_t *dc_val; @@ -226,7 +226,7 @@ void ff_h263_loop_filter(MpegEncContext * s){ } } -void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) +void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) { int x, y, wrap, a, c, pred_dc, scale, i; int16_t *dc_val, *ac_val, *ac_val1; @@ -313,8 +313,8 @@ void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) ac_val1[8 + i] = block[s->dsp.idct_permutation[i ]]; } -int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir, - int *px, int *py) +int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir, + int *px, int *py) { int wrap; int16_t *A, *B, *C, (*mot_val)[2]; diff --git a/libavcodec/h263.h b/libavcodec/h263.h index 73c5966605..d26cf636eb 100644 --- a/libavcodec/h263.h +++ b/libavcodec/h263.h 
@@ -38,16 +38,16 @@ extern const AVRational ff_h263_pixel_aspect[16]; extern const uint8_t ff_h263_cbpy_tab[16][2]; -extern const uint8_t cbpc_b_tab[4][2]; +extern const uint8_t ff_cbpc_b_tab[4][2]; -extern const uint8_t mvtab[33][2]; +extern const uint8_t ff_mvtab[33][2]; extern const uint8_t ff_h263_intra_MCBPC_code[9]; extern const uint8_t ff_h263_intra_MCBPC_bits[9]; extern const uint8_t ff_h263_inter_MCBPC_code[28]; extern const uint8_t ff_h263_inter_MCBPC_bits[28]; -extern const uint8_t h263_mbtype_b_tab[15][2]; +extern const uint8_t ff_h263_mbtype_b_tab[15][2]; extern VLC ff_h263_intra_MCBPC_vlc; extern VLC ff_h263_inter_MCBPC_vlc; 
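Review bot: the new names in this h263.h hunk are inconsistent: `ff_h263_mbtype_b_tab` keeps the module name, while `ff_cbpc_b_tab` and `ff_mvtab` get only a bare `ff_` prefix. These are global symbols shared across libavcodec, so `ff_h263_cbpc_b_tab` and `ff_h263_mvtab` would match the surrounding `ff_h263_*` declarations and lower the chance of a later name clash.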
@@ -55,41 +55,41 @@ extern VLC ff_h263_cbpy_vlc; extern RLTable ff_h263_rl_inter; -extern RLTable rl_intra_aic; +extern RLTable ff_rl_intra_aic; -extern const uint16_t h263_format[8][2]; -extern const uint8_t modified_quant_tab[2][32]; +extern const uint16_t ff_h263_format[8][2]; +extern const uint8_t ff_modified_quant_tab[2][32]; extern uint16_t ff_mba_max[6]; extern uint8_t ff_mba_length[7]; extern uint8_t ff_h263_static_rl_table_store[2][2][2*MAX_RUN + MAX_LEVEL + 3]; -int h263_decode_motion(MpegEncContext * s, int pred, int f_code); +int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code); av_const int ff_h263_aspect_to_info(AVRational aspect); int ff_h263_decode_init(AVCodecContext *avctx); int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt); int ff_h263_decode_end(AVCodecContext *avctx); -void h263_encode_mb(MpegEncContext *s, - DCTELEM block[6][64], - int motion_x, int motion_y); -void h263_encode_picture_header(MpegEncContext *s, int picture_number); -void h263_encode_gob_header(MpegEncContext * s, int mb_line); -int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir, - int *px, int *py); -void h263_encode_init(MpegEncContext *s); -void h263_decode_init_vlc(MpegEncContext *s); -int h263_decode_picture_header(MpegEncContext *s); +void ff_h263_encode_mb(MpegEncContext *s, + DCTELEM block[6][64], + int motion_x, int motion_y); +void ff_h263_encode_picture_header(MpegEncContext *s, int picture_number); +void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line); +int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir, + int *px, int *py); +void ff_h263_encode_init(MpegEncContext *s); +void ff_h263_decode_init_vlc(MpegEncContext *s); +int ff_h263_decode_picture_header(MpegEncContext *s); int ff_h263_decode_gob_header(MpegEncContext *s); void ff_h263_update_motion_val(MpegEncContext * s); void ff_h263_loop_filter(MpegEncContext * s); int ff_h263_decode_mba(MpegEncContext *s); void 
ff_h263_encode_mba(MpegEncContext *s); void ff_init_qscale_tab(MpegEncContext *s); -int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr); -void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n); +int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr); +void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n); /** @@ -119,7 +119,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code int l, bit_size, code; if (val == 0) { - return mvtab[0][1]; + return ff_mvtab[0][1]; } else { bit_size = f_code - 1; /* modulo encoding */ @@ -128,7 +128,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code val--; code = (val >> bit_size) + 1; - return mvtab[code][1] + 1 + bit_size; + return ff_mvtab[code][1] + 1 + bit_size; } } diff --git a/libavcodec/h263data.h b/libavcodec/h263data.h index 966da56110..e3b83ad2e4 100644 --- a/libavcodec/h263data.h +++ b/libavcodec/h263data.h @@ -57,7 +57,7 @@ const uint8_t ff_h263_inter_MCBPC_bits[28] = { 11, 13, 13, 13,/* inter4Q*/ }; -const uint8_t h263_mbtype_b_tab[15][2] = { +const uint8_t ff_h263_mbtype_b_tab[15][2] = { {1, 1}, {3, 3}, {1, 5}, @@ -75,7 +75,7 @@ const uint8_t h263_mbtype_b_tab[15][2] = { {1, 8}, }; -const uint8_t cbpc_b_tab[4][2] = { +const uint8_t ff_cbpc_b_tab[4][2] = { {0, 1}, {2, 2}, {7, 3}, @@ -88,7 +88,7 @@ const uint8_t ff_h263_cbpy_tab[16][2] = {2,5}, {3,6}, {5,4}, {10,4}, {4,4}, {8,4}, {6,4}, {3,2} }; -const uint8_t mvtab[33][2] = +const uint8_t ff_mvtab[33][2] = { {1,1}, {1,2}, {1,3}, {1,4}, {3,6}, {5,7}, {4,7}, {3,7}, {11,9}, {10,9}, {9,9}, {17,10}, {16,10}, {15,10}, {14,10}, {13,10}, @@ -98,7 +98,7 @@ const uint8_t mvtab[33][2] = }; /* third non intra table */ -const uint16_t inter_vlc[103][2] = { +const uint16_t ff_inter_vlc[103][2] = { { 0x2, 2 },{ 0xf, 4 },{ 0x15, 6 },{ 0x17, 7 }, { 0x1f, 8 },{ 0x25, 9 },{ 0x24, 9 },{ 0x21, 10 }, { 0x20, 10 },{ 0x7, 11 },{ 0x6, 11 },{ 0x20, 11 }, 
@@ -127,7 +127,7 @@ const uint16_t inter_vlc[103][2] = { { 0x5e, 12 },{ 0x5f, 12 },{ 0x3, 7 }, }; -const int8_t inter_level[102] = { +const int8_t ff_inter_level[102] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 1, 2, @@ -143,7 +143,7 @@ const int8_t inter_level[102] = { 1, 1, 1, 1, 1, 1, }; -const int8_t inter_run[102] = { +const int8_t ff_inter_run[102] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, @@ -162,9 +162,9 @@ const int8_t inter_run[102] = { RLTable ff_h263_rl_inter = { 102, 58, - inter_vlc, - inter_run, - inter_level, + ff_inter_vlc, + ff_inter_run, + ff_inter_level, }; static const uint16_t intra_vlc_aic[103][2] = { @@ -228,7 +228,7 @@ static const int8_t intra_level_aic[102] = { 1, 1, 1, 1, 1, 1, }; -RLTable rl_intra_aic = { +RLTable ff_rl_intra_aic = { 102, 58, intra_vlc_aic, @@ -236,7 +236,7 @@ RLTable rl_intra_aic = { intra_level_aic, }; -const uint16_t h263_format[8][2] = { +const uint16_t ff_h263_format[8][2] = { { 0, 0 }, { 128, 96 }, { 176, 144 }, @@ -250,7 +250,7 @@ const uint8_t ff_aic_dc_scale_table[32]={ 0, 2, 4, 6, 8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62 }; -const uint8_t modified_quant_tab[2][32]={ +const uint8_t ff_modified_quant_tab[2][32]={ // 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 { 0, 3, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9,10,11,12,13,14,15,16,17,18,18,19,20,21,22,23,24,25,26,27,28 diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 1ddca1944d..a675e6e393 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -113,7 +113,7 @@ av_cold int ff_h263_decode_init(AVCodecContext *avctx) if (MPV_common_init(s) < 0) return -1; - h263_decode_init_vlc(s); + ff_h263_decode_init_vlc(s); return 0; } 
@@ -421,7 +421,7 @@ retry: } else if (CONFIG_FLV_DECODER && s->h263_flv) { ret = ff_flv_decode_picture_header(s); } else { - ret = h263_decode_picture_header(s); + ret = ff_h263_decode_picture_header(s); } if(ret==FRAME_SKIPPED) return get_consumed_bytes(s, buf_size); diff --git a/libavcodec/intelh263dec.c b/libavcodec/intelh263dec.c index 8347c79021..8556128ad9 100644 --- a/libavcodec/intelh263dec.c +++ b/libavcodec/intelh263dec.c @@ -65,8 +65,8 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s) s->pb_frame = get_bits1(&s->gb); if (format < 6) { - s->width = h263_format[format][0]; - s->height = h263_format[format][1]; + s->width = ff_h263_format[format][0]; + s->height = ff_h263_format[format][1]; s->avctx->sample_aspect_ratio.num = 12; s->avctx->sample_aspect_ratio.den = 11; } else { diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 3d82e5c382..dce8a995d1 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -101,7 +101,7 @@ static VLC cbpc_b_vlc; /* init vlcs */ /* XXX: find a better solution to handle static init */ -void h263_decode_init_vlc(MpegEncContext *s) +void ff_h263_decode_init_vlc(MpegEncContext *s) { static int done = 0; 
@@ -118,18 +118,18 @@ void h263_decode_init_vlc(MpegEncContext *s) &ff_h263_cbpy_tab[0][1], 2, 1, &ff_h263_cbpy_tab[0][0], 2, 1, 64); INIT_VLC_STATIC(&mv_vlc, MV_VLC_BITS, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 538); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 538); init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]); + init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); INIT_VLC_RL(ff_h263_rl_inter, 554); - INIT_VLC_RL(rl_intra_aic, 554); + INIT_VLC_RL(ff_rl_intra_aic, 554); INIT_VLC_STATIC(&h263_mbtype_b_vlc, H263_MBTYPE_B_VLC_BITS, 15, - &h263_mbtype_b_tab[0][1], 2, 1, - &h263_mbtype_b_tab[0][0], 2, 1, 80); + &ff_h263_mbtype_b_tab[0][1], 2, 1, + &ff_h263_mbtype_b_tab[0][0], 2, 1, 80); INIT_VLC_STATIC(&cbpc_b_vlc, CBPC_B_VLC_BITS, 4, - &cbpc_b_tab[0][1], 2, 1, - &cbpc_b_tab[0][0], 2, 1, 8); + &ff_cbpc_b_tab[0][1], 2, 1, + &ff_cbpc_b_tab[0][0], 2, 1, 8); } } @@ -269,7 +269,7 @@ int ff_h263_resync(MpegEncContext *s){ return -1; } -int h263_decode_motion(MpegEncContext * s, int pred, int f_code) +int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code) { int code, val, sign, shift; code = get_vlc2(&s->gb, mv_vlc.table, MV_VLC_BITS, 2); @@ -379,16 +379,16 @@ static void preview_obmc(MpegEncContext *s){ if ((cbpc & 16) == 0) { s->current_picture.f.mb_type[xy] = MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ - mot_val= h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + mot_val= ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); mot_val[0 ]= mot_val[2 ]= mot_val[0+stride]= mot_val[2+stride]= mx; 
@@ -397,16 +397,16 @@ static void preview_obmc(MpegEncContext *s){ } else { s->current_picture.f.mb_type[xy] = MB_TYPE_8x8 | MB_TYPE_L0; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (s->umvplus && (mx - pred_x) == 1 && (my - pred_y) == 1) skip_bits1(&s->gb); /* Bit stuffing to prevent PSC */ mot_val[0] = mx; @@ -430,7 +430,7 @@ static void h263_decode_dquant(MpegEncContext *s){ if(s->modified_quant){ if(get_bits1(&s->gb)) - s->qscale= modified_quant_tab[get_bits1(&s->gb)][ s->qscale ]; + s->qscale= ff_modified_quant_tab[get_bits1(&s->gb)][ s->qscale ]; else s->qscale= get_bits(&s->gb, 5); }else @@ -448,7 +448,7 @@ static int h263_decode_block(MpegEncContext * s, DCTELEM * block, scan_table = s->intra_scantable.permutated; if (s->h263_aic && s->mb_intra) { - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; i = 0; if (s->ac_pred) { if (s->h263_aic_dir) @@ -537,7 +537,7 @@ retry: if (i >= 64){ if(s->alt_inter_vlc && rl == &ff_h263_rl_inter && !s->mb_intra){ //Looks like a hack but no, it's the way it is supposed to work ... - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; i = 0; s->gb= gb; s->dsp.clear_block(block); @@ -554,7 +554,7 @@ retry: } not_coded: if (s->mb_intra && s->h263_aic) { - h263_pred_acdc(s, block, n); + ff_h263_pred_acdc(s, block, n); i = 63; } s->block_last_index[n] = i; 
@@ -653,11 +653,11 @@ int ff_h263_decode_mb(MpegEncContext *s, s->current_picture.f.mb_type[xy] = MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ s->mv_type = MV_TYPE_16X16; - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (mx >= 0xffff) return -1; @@ -665,7 +665,7 @@ int ff_h263_decode_mb(MpegEncContext *s, if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (my >= 0xffff) return -1; @@ -678,18 +678,18 @@ int ff_h263_decode_mb(MpegEncContext *s, s->current_picture.f.mb_type[xy] = MB_TYPE_8x8 | MB_TYPE_L0; s->mv_type = MV_TYPE_8X8; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (mx >= 0xffff) return -1; if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (my >= 0xffff) return -1; s->mv[0][i][0] = mx; @@ -761,11 +761,11 @@ int ff_h263_decode_mb(MpegEncContext *s, //FIXME UMV if(USES_LIST(mb_type, 0)){ - int16_t *mot_val= h263_pred_motion(s, 0, 0, &mx, &my); + int16_t *mot_val= ff_h263_pred_motion(s, 0, 0, &mx, &my); s->mv_dir = MV_DIR_FORWARD; - mx = h263_decode_motion(s, mx, 1); - my = h263_decode_motion(s, my, 1); + mx = ff_h263_decode_motion(s, mx, 1); + my = ff_h263_decode_motion(s, my, 1); s->mv[0][0][0] = mx; s->mv[0][0][1] = my; 
@@ -774,11 +774,11 @@ int ff_h263_decode_mb(MpegEncContext *s, } if(USES_LIST(mb_type, 1)){ - int16_t *mot_val= h263_pred_motion(s, 0, 1, &mx, &my); + int16_t *mot_val= ff_h263_pred_motion(s, 0, 1, &mx, &my); s->mv_dir |= MV_DIR_BACKWARD; - mx = h263_decode_motion(s, mx, 1); - my = h263_decode_motion(s, my, 1); + mx = ff_h263_decode_motion(s, mx, 1); + my = ff_h263_decode_motion(s, my, 1); s->mv[1][0][0] = mx; s->mv[1][0][1] = my; @@ -829,8 +829,8 @@ intra: } while(pb_mv_count--){ - h263_decode_motion(s, 0, 1); - h263_decode_motion(s, 0, 1); + ff_h263_decode_motion(s, 0, 1); + ff_h263_decode_motion(s, 0, 1); } /* decode each block */ @@ -864,7 +864,7 @@ end: } /* most is hardcoded. should extend to handle all h263 streams */ -int h263_decode_picture_header(MpegEncContext *s) +int ff_h263_decode_picture_header(MpegEncContext *s) { int format, width, height, i; uint32_t startcode; @@ -916,8 +916,8 @@ int h263_decode_picture_header(MpegEncContext *s) if (format != 7 && format != 6) { s->h263_plus = 0; /* H.263v1 */ - width = h263_format[format][0]; - height = h263_format[format][1]; + width = ff_h263_format[format][0]; + height = ff_h263_format[format][1]; if (!width) return -1; @@ -1024,8 +1024,8 @@ int h263_decode_picture_header(MpegEncContext *s) s->avctx->sample_aspect_ratio= ff_h263_pixel_aspect[s->aspect_ratio_info]; } } else { - width = h263_format[format][0]; - height = h263_format[format][1]; + width = ff_h263_format[format][0]; + height = ff_h263_format[format][1]; s->avctx->sample_aspect_ratio= (AVRational){12,11}; } if ((width == 0) || (height == 0)) diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index 6efba2d65a..5b247dce07 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c 
@@ -102,7 +102,7 @@ av_const int ff_h263_aspect_to_info(AVRational aspect){ return FF_ASPECT_EXTENDED; } -void h263_encode_picture_header(MpegEncContext * s, int picture_number) +void ff_h263_encode_picture_header(MpegEncContext * s, int picture_number) { int format, coded_frame_rate, coded_frame_rate_base, i, temp_ref; int best_clock_code=1; @@ -141,7 +141,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number) put_bits(&s->pb, 1, 0); /* camera off */ put_bits(&s->pb, 1, 0); /* freeze picture release off */ - format = ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height); + format = ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height); if (!s->h263_plus) { /* H.263v1 */ put_bits(&s->pb, 3, format); @@ -247,7 +247,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number) /** * Encode a group of blocks header. */ -void h263_encode_gob_header(MpegEncContext * s, int mb_line) +void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line) { put_bits(&s->pb, 17, 1); /* GBSC */ @@ -333,7 +333,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) } else { i = 0; if (s->h263_aic && s->mb_intra) - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; if(s->alt_inter_vlc && !s->mb_intra){ int aic_vlc_bits=0; @@ -353,14 +353,14 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) if(level<0) level= -level; code = get_rl_index(rl, last, run, level); - aic_code = get_rl_index(&rl_intra_aic, last, run, level); + aic_code = get_rl_index(&ff_rl_intra_aic, last, run, level); inter_vlc_bits += rl->table_vlc[code][1]+1; - aic_vlc_bits += rl_intra_aic.table_vlc[aic_code][1]+1; + aic_vlc_bits += ff_rl_intra_aic.table_vlc[aic_code][1]+1; if (code == rl->n) { inter_vlc_bits += 1+6+8-1; } - if (aic_code == rl_intra_aic.n) { + if (aic_code == ff_rl_intra_aic.n) { aic_vlc_bits += 1+6+8-1; wrong_pos += run + 1; }else 
@@ -370,7 +370,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) } i = 0; if(aic_vlc_bits < inter_vlc_bits && wrong_pos > 63) - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; } } @@ -454,9 +454,9 @@ static void h263p_encode_umotion(MpegEncContext * s, int val) } } -void h263_encode_mb(MpegEncContext * s, - DCTELEM block[6][64], - int motion_x, int motion_y) +void ff_h263_encode_mb(MpegEncContext * s, + DCTELEM block[6][64], + int motion_x, int motion_y) { int cbpc, cbpy, i, cbp, pred_x, pred_y; int16_t pred_dc; @@ -500,7 +500,7 @@ void h263_encode_mb(MpegEncContext * s, } /* motion vectors: 16x16 mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (!s->umvplus) { ff_h263_encode_motion_vector(s, motion_x - pred_x, @@ -527,7 +527,7 @@ void h263_encode_mb(MpegEncContext * s, for(i=0; i<4; i++){ /* motion vectors: 8x8 mode*/ - h263_pred_motion(s, i, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); motion_x = s->current_picture.f.motion_val[0][s->block_index[i]][0]; motion_y = s->current_picture.f.motion_val[0][s->block_index[i]][1]; @@ -561,7 +561,7 @@ void h263_encode_mb(MpegEncContext * s, if(i<4) scale= s->y_dc_scale; else scale= s->c_dc_scale; - pred_dc = h263_pred_dc(s, i, &dc_ptr[i]); + pred_dc = ff_h263_pred_dc(s, i, &dc_ptr[i]); level -= pred_dc; /* Quant */ if (level >= 0) @@ -662,7 +662,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code) if (val == 0) { /* zero vector */ code = 0; - put_bits(&s->pb, mvtab[code][1], mvtab[code][0]); + put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]); } else { bit_size = f_code - 1; range = 1 << bit_size; 
@@ -676,7 +676,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code) code = (val >> bit_size) + 1; bits = val & (range - 1); - put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign); + put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign); if (bit_size > 0) { put_bits(&s->pb, bit_size, bits); } @@ -692,7 +692,7 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s) for(mv=-MAX_MV; mv<=MAX_MV; mv++){ int len; - if(mv==0) len= mvtab[0][1]; + if(mv==0) len= ff_mvtab[0][1]; else{ int val, bit_size, code; @@ -704,9 +704,9 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s) val--; code = (val >> bit_size) + 1; if(code<33){ - len= mvtab[code][1] + 1 + bit_size; + len= ff_mvtab[code][1] + 1 + bit_size; }else{ - len= mvtab[32][1] + av_log2(code>>5) + 2 + bit_size; + len= ff_mvtab[32][1] + av_log2(code>>5) + 2 + bit_size; } } @@ -768,7 +768,7 @@ static void init_uni_h263_rl_tab(RLTable *rl, uint32_t *bits_tab, uint8_t *len_t } } -void h263_encode_init(MpegEncContext *s) +void ff_h263_encode_init(MpegEncContext *s) { static int done = 0; @@ -776,9 +776,9 @@ void h263_encode_init(MpegEncContext *s) done = 1; init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]); + init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); - init_uni_h263_rl_tab(&rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); + init_uni_h263_rl_tab(&ff_rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); init_uni_h263_rl_tab(&ff_h263_rl_inter , NULL, uni_h263_inter_rl_len); init_mv_penalty_and_fcode(s); diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e15c348454..629430b54a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -651,13 +651,13 @@ try_again: if ((cbpc & 16) == 0) { /* 16x16 motion prediction */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if(!s->mcsel){ - mx = h263_decode_motion(s, pred_x, s->f_code); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; s->current_picture.f.mb_type[xy] = MB_TYPE_16x16 | MB_TYPE_L0; @@ -675,12 +675,12 @@ try_again: int i; s->current_picture.f.mb_type[xy] = MB_TYPE_8x8 | MB_TYPE_L0; for(i=0;i<4;i++) { - int16_t *mot_val= h263_pred_motion(s, i, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + int16_t *mot_val= ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; mot_val[0] = mx; @@ -1223,14 +1223,14 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->field_select[0][0]= get_bits1(&s->gb); s->field_select[0][1]= get_bits1(&s->gb); - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); for(i=0; i<2; i++){ - mx = h263_decode_motion(s, pred_x, s->f_code); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y/2, s->f_code); + my = ff_h263_decode_motion(s, pred_y/2, s->f_code); if (my >= 0xffff) return -1; 
@@ -1241,13 +1241,13 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->current_picture.f.mb_type[xy] = MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ s->mv_type = MV_TYPE_16X16; - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; @@ -1258,12 +1258,12 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->current_picture.f.mb_type[xy] = MB_TYPE_8x8 | MB_TYPE_L0; s->mv_type = MV_TYPE_8X8; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; s->mv[0][i][0] = mx; @@ -1359,8 +1359,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(USES_LIST(mb_type, 0)){ s->mv_dir = MV_DIR_FORWARD; - mx = h263_decode_motion(s, s->last_mv[0][0][0], s->f_code); - my = h263_decode_motion(s, s->last_mv[0][0][1], s->f_code); + mx = ff_h263_decode_motion(s, s->last_mv[0][0][0], s->f_code); + my = ff_h263_decode_motion(s, s->last_mv[0][0][1], s->f_code); s->last_mv[0][1][0]= s->last_mv[0][0][0]= s->mv[0][0][0] = mx; s->last_mv[0][1][1]= s->last_mv[0][0][1]= s->mv[0][0][1] = my; } 
@@ -1368,8 +1368,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(USES_LIST(mb_type, 1)){ s->mv_dir |= MV_DIR_BACKWARD; - mx = h263_decode_motion(s, s->last_mv[1][0][0], s->b_code); - my = h263_decode_motion(s, s->last_mv[1][0][1], s->b_code); + mx = ff_h263_decode_motion(s, s->last_mv[1][0][0], s->b_code); + my = ff_h263_decode_motion(s, s->last_mv[1][0][1], s->b_code); s->last_mv[1][1][0]= s->last_mv[1][0][0]= s->mv[1][0][0] = mx; s->last_mv[1][1][1]= s->last_mv[1][0][1]= s->mv[1][0][1] = my; } @@ -1380,8 +1380,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->mv_dir = MV_DIR_FORWARD; for(i=0; i<2; i++){ - mx = h263_decode_motion(s, s->last_mv[0][i][0] , s->f_code); - my = h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code); + mx = ff_h263_decode_motion(s, s->last_mv[0][i][0] , s->f_code); + my = ff_h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code); s->last_mv[0][i][0]= s->mv[0][i][0] = mx; s->last_mv[0][i][1]= (s->mv[0][i][1] = my)*2; } @@ -1391,8 +1391,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->mv_dir |= MV_DIR_BACKWARD; for(i=0; i<2; i++){ - mx = h263_decode_motion(s, s->last_mv[1][i][0] , s->b_code); - my = h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code); + mx = ff_h263_decode_motion(s, s->last_mv[1][i][0] , s->b_code); + my = ff_h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code); s->last_mv[1][i][0]= s->mv[1][i][0] = mx; s->last_mv[1][i][1]= (s->mv[1][i][1] = my)*2; } @@ -1404,8 +1404,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(IS_SKIP(mb_type)) mx=my=0; else{ - mx = h263_decode_motion(s, 0, 1); - my = h263_decode_motion(s, 0, 1); + mx = ff_h263_decode_motion(s, 0, 1); + my = ff_h263_decode_motion(s, 0, 1); } s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT; diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 41c153d0b0..523cbfd08b 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c 
@@ -693,7 +693,7 @@ void mpeg4_encode_mb(MpegEncContext * s, } /* motion vectors: 16x16 mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_h263_encode_motion_vector(s, motion_x - pred_x, motion_y - pred_y, s->f_code); @@ -717,7 +717,7 @@ void mpeg4_encode_mb(MpegEncContext * s, } /* motion vectors: 16x8 interlaced mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); pred_y /=2; put_bits(&s->pb, 1, s->field_select[0][0]); @@ -745,7 +745,7 @@ void mpeg4_encode_mb(MpegEncContext * s, for(i=0; i<4; i++){ /* motion vectors: 8x8 mode*/ - h263_pred_motion(s, i, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); ff_h263_encode_motion_vector(s, s->current_picture.f.motion_val[0][ s->block_index[i] ][0] - pred_x, s->current_picture.f.motion_val[0][ s->block_index[i] ][1] - pred_y, s->f_code); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 08484a7a9c..af72806ffe 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -708,7 +708,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) case CODEC_ID_H263: if (!CONFIG_H263_ENCODER) return -1; - if (ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), + if (ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height) == 8) { av_log(avctx, AV_LOG_INFO, "The specified picture size of %dx%d is not valid for " @@ -844,7 +844,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) if (CONFIG_H261_ENCODER && s->out_format == FMT_H261) ff_h261_encode_init(s); if (CONFIG_H263_ENCODER && s->out_format == FMT_H263) - h263_encode_init(s); + ff_h263_encode_init(s); if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_init(s); if ((CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER) 
@@ -2078,7 +2078,7 @@ static av_always_inline void encode_mb_internal(MpegEncContext *s, case CODEC_ID_RV10: case CODEC_ID_RV20: if (CONFIG_H263_ENCODER) - h263_encode_mb(s, s->block, motion_x, motion_y); + ff_h263_encode_mb(s, s->block, motion_x, motion_y); break; case CODEC_ID_MJPEG: if (CONFIG_MJPEG_ENCODER) @@ -2508,7 +2508,7 @@ static int encode_thread(AVCodecContext *c, void *arg){ case CODEC_ID_H263: case CODEC_ID_H263P: if (CONFIG_H263_ENCODER) - h263_encode_gob_header(s, mb_y); + ff_h263_encode_gob_header(s, mb_y); break; } @@ -3258,7 +3258,7 @@ static int encode_picture(MpegEncContext *s, int picture_number) else if (CONFIG_FLV_ENCODER && s->codec_id == CODEC_ID_FLV1) ff_flv_encode_picture_header(s, picture_number); else if (CONFIG_H263_ENCODER) - h263_encode_picture_header(s, picture_number); + ff_h263_encode_picture_header(s, picture_number); break; case FMT_MPEG1: if (CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER) diff --git a/libavcodec/msmpeg4.c b/libavcodec/msmpeg4.c index 11a191570e..b4fcc00a74 100644 --- a/libavcodec/msmpeg4.c +++ b/libavcodec/msmpeg4.c @@ -507,7 +507,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val) if (val == 0) { /* zero vector */ code = 0; - put_bits(&s->pb, mvtab[code][1], mvtab[code][0]); + put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]); } else { bit_size = s->f_code - 1; range = 1 << bit_size; @@ -526,7 +526,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val) code = (val >> bit_size) + 1; bits = val & (range - 1); - put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign); + put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign); if (bit_size > 0) { put_bits(&s->pb, bit_size, bits); } 
@@ -575,7 +575,7 @@ void msmpeg4_encode_mb(MpegEncContext * s, s->misc_bits += get_bits_diff(s); - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); msmpeg4v2_encode_motion(s, motion_x - pred_x); msmpeg4v2_encode_motion(s, motion_y - pred_y); }else{ @@ -586,7 +586,7 @@ void msmpeg4_encode_mb(MpegEncContext * s, s->misc_bits += get_bits_diff(s); /* motion vector */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_msmpeg4_encode_motion(s, motion_x - pred_x, motion_y - pred_y); } @@ -1134,7 +1134,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, DCTELEM block[6][64]) cbp|= cbpy<<2; if(s->msmpeg4_version==1 || (cbp&3) != 3) cbp^= 0x3C; - h263_pred_motion(s, 0, 0, &mx, &my); + ff_h263_pred_motion(s, 0, 0, &mx, &my); mx= msmpeg4v2_decode_motion(s, mx, 1); my= msmpeg4v2_decode_motion(s, my, 1); @@ -1220,7 +1220,7 @@ static int msmpeg4v34_decode_mb(MpegEncContext *s, DCTELEM block[6][64]) s->rl_table_index = decode012(&s->gb); s->rl_chroma_table_index = s->rl_table_index; } - h263_pred_motion(s, 0, 0, &mx, &my); + ff_h263_pred_motion(s, 0, 0, &mx, &my); if (ff_msmpeg4_decode_motion(s, &mx, &my) < 0) return -1; s->mv_dir = MV_DIR_FORWARD; @@ -1316,8 +1316,8 @@ av_cold int ff_msmpeg4_decode_init(AVCodecContext *avctx) &v2_mb_type[0][1], 2, 1, &v2_mb_type[0][0], 2, 1, 128); INIT_VLC_STATIC(&v2_mv_vlc, V2_MV_VLC_BITS, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 538); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 538); INIT_VLC_STATIC(&ff_mb_non_intra_vlc[0], MB_NON_INTRA_VLC_BITS, 128, &wmv2_inter_table[0][0][1], 8, 4, diff --git a/libavcodec/msmpeg4data.c b/libavcodec/msmpeg4data.c index 6799a9ccd2..e51c72596f 100644 --- a/libavcodec/msmpeg4data.c +++ b/libavcodec/msmpeg4data.c 
@@ -592,9 +592,9 @@ static const int8_t table4_run[168] = { 29, 30, 31, 32, 33, 34, 35, 36, }; -extern const uint16_t inter_vlc[103][2]; -extern const int8_t inter_level[102]; -extern const int8_t inter_run[102]; +extern const uint16_t ff_inter_vlc[103][2]; +extern const int8_t ff_inter_level[102]; +extern const int8_t ff_inter_run[102]; extern const uint16_t ff_mpeg4_intra_vlc[103][2]; extern const int8_t ff_mpeg4_intra_level[102]; @@ -647,9 +647,9 @@ RLTable rl_table[NB_RL_TABLES] = { { 102, 58, - inter_vlc, - inter_run, - inter_level, + ff_inter_vlc, + ff_inter_run, + ff_inter_level, }, }; diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index ff6c9c3078..58604d1947 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -471,7 +471,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) if (MPV_common_init(s) < 0) return -1; - h263_decode_init_vlc(s); + ff_h263_decode_init_vlc(s); /* init rv vlc */ if (!done) { diff --git a/libavcodec/rv34data.h b/libavcodec/rv34data.h index 41c5b20ad7..30641249da 100644 --- a/libavcodec/rv34data.h +++ b/libavcodec/rv34data.h @@ -101,7 +101,7 @@ static const uint8_t rv34_quant_to_vlc_set[2][31] = { /** * table for obtaining the quantizer difference - * @todo Use with modified_quant_tab from h263data.h. + * @todo Use with ff_modified_quant_tab from h263data.h. */ static const uint8_t rv34_dquant_tab[2][32]={ // 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index cd60c3a512..05b6f0fa86 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c 
@@ -199,7 +199,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->m.me.map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->m.obmc_scratchpad= av_mallocz(MB_SIZE*MB_SIZE*12*sizeof(uint32_t)); - h263_encode_init(&s->m); //mv_penalty + ff_h263_encode_init(&s->m); //mv_penalty s->max_ref_frames = FFMAX(FFMIN(avctx->refs, MAX_REF_FRAMES), 1); diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 69dbd1b25d..1cbf1f51c9 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -43,7 +43,7 @@ #undef NDEBUG #include -extern const uint8_t mvtab[33][2]; +extern const uint8_t ff_mvtab[33][2]; static VLC svq1_block_type; static VLC svq1_motion_component; @@ -769,8 +769,8 @@ static av_cold int svq1_decode_init(AVCodecContext *avctx) &ff_svq1_block_type_vlc[0][0], 2, 1, 6); INIT_VLC_STATIC(&svq1_motion_component, 7, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 176); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 176); for (i = 0; i < 6; i++) { static const uint8_t sizes[2][6] = {{14, 10, 14, 18, 16, 18}, {10, 10, 14, 14, 14, 16}}; diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 80bae3cc85..ef136b94f0 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -402,7 +402,7 @@ static int svq1_encode_plane(SVQ1Context *s, int plane, unsigned char *src_plane int mx, my, pred_x, pred_y, dxy; int16_t *motion_ptr; - motion_ptr= h263_pred_motion(&s->m, 0, 0, &pred_x, &pred_y); + motion_ptr= ff_h263_pred_motion(&s->m, 0, 0, &pred_x, &pred_y); if(s->m.mb_type[x + y*s->m.mb_stride]&CANDIDATE_MB_TYPE_INTER){ for(i=0; i<6; i++) init_put_bits(&s->reorder_pb[i], reorder_buffer[1][i], 7*32); 
@@ -492,7 +492,7 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->mb_type = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int16_t)); s->dummy = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int32_t)); - h263_encode_init(&s->m); //mv_penalty + ff_h263_encode_init(&s->m); //mv_penalty return 0; } diff --git a/libavcodec/wmv2enc.c b/libavcodec/wmv2enc.c index 9879cb87e9..78acad13b0 100644 --- a/libavcodec/wmv2enc.c +++ b/libavcodec/wmv2enc.c @@ -171,7 +171,7 @@ void ff_wmv2_encode_mb(MpegEncContext * s, wmv2_inter_table[w->cbp_table_index][cbp + 64][0]); /* motion vector */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_msmpeg4_encode_motion(s, motion_x - pred_x, motion_y - pred_y); } else { From 8c0bbe51561b5185907f51117725d28e7c015c66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 9 Feb 2012 11:37:58 +0200 Subject: [PATCH 301/991] vlc/rl: Add ff_ prefix to the nonstatic symbols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit e96b4a53df101403c54e329abfadad2edddc47c4) Conflicts: libavcodec/4xm.c 
Signed-off-by: Anton Khirnov --- libavcodec/4xm.c | 2 +- libavcodec/bitstream.c | 6 +++--- libavcodec/cook.c | 6 +++--- libavcodec/dnxhddec.c | 12 ++++++------ libavcodec/dv.c | 2 +- libavcodec/faxcompr.c | 10 +++++----- libavcodec/fraps.c | 4 ++-- libavcodec/get_bits.h | 12 ++++++------ libavcodec/h261dec.c | 2 +- libavcodec/h261enc.c | 2 +- libavcodec/huffman.c | 2 +- libavcodec/huffyuv.c | 12 ++++++------ libavcodec/indeo5.c | 2 +- libavcodec/ituh263dec.c | 4 ++-- libavcodec/ituh263enc.c | 4 ++-- libavcodec/ivi_common.c | 4 ++-- libavcodec/mimic.c | 2 +- libavcodec/mjpegdec.c | 10 +++++----- libavcodec/motionpixels.c | 2 +- libavcodec/mpc8.c | 4 ++-- libavcodec/mpeg12.c | 4 ++-- libavcodec/mpeg12enc.c | 4 ++-- libavcodec/mpeg4videodec.c | 6 +++--- libavcodec/mpeg4videoenc.c | 2 +- libavcodec/mpegvideo.c | 6 +++--- libavcodec/msmpeg4.c | 4 ++-- libavcodec/rl.h | 6 +++--- libavcodec/rv34.c | 8 ++++---- libavcodec/rv40.c | 16 ++++++++-------- libavcodec/smacker.c | 6 +++--- libavcodec/truemotion2.c | 2 +- libavcodec/utvideo.c | 12 ++++++------ libavcodec/vorbisdec.c | 2 +- libavcodec/vp3.c | 18 +++++++++--------- libavcodec/vp6.c | 8 ++++---- libavcodec/wma.c | 6 +++--- 36 files changed, 107 insertions(+), 107 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 52edc9942e..0d4f036b3a 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -866,7 +866,7 @@ static av_cold int decode_end(AVCodecContext *avctx){ av_freep(&f->cfrm[i].data); f->cfrm[i].allocated_size= 0; } - free_vlc(&f->pre_vlc); + ff_free_vlc(&f->pre_vlc); if(f->current_picture.data[0]) avctx->release_buffer(avctx, &f->current_picture); if(f->last_picture.data[0]) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 14e392f34d..7fe38be556 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c 
@@ -253,9 +253,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, (byte/word/long) to store the 'bits', 'codes', and 'symbols' tables. 'use_static' should be set to 1 for tables, which should be freed - with av_free_static(), 0 if free_vlc() will be used. + with av_free_static(), 0 if ff_free_vlc() will be used. */ -int init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes, +int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes, const void *bits, int bits_wrap, int bits_size, const void *codes, int codes_wrap, int codes_size, const void *symbols, int symbols_wrap, int symbols_size, @@ -318,7 +318,7 @@ int init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes, } -void free_vlc(VLC *vlc) +void ff_free_vlc(VLC *vlc) { av_freep(&vlc->table); } diff --git a/libavcodec/cook.c b/libavcodec/cook.c index a835442b6b..74378521b3 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -321,11 +321,11 @@ static av_cold int cook_decode_close(AVCodecContext *avctx) /* Free the VLC tables. */ for (i = 0; i < 13; i++) - free_vlc(&q->envelope_quant_index[i]); + ff_free_vlc(&q->envelope_quant_index[i]); for (i = 0; i < 7; i++) - free_vlc(&q->sqvh[i]); + ff_free_vlc(&q->sqvh[i]); for (i = 0; i < q->num_subpackets; i++) - free_vlc(&q->subpacket[i].ccpl); + ff_free_vlc(&q->subpacket[i].ccpl); av_log(avctx, AV_LOG_DEBUG, "Memory deallocated.\n"); diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 956196ce64..bf5acf3260 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -79,9 +79,9 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, int cid) } ctx->cid_table = &ff_dnxhd_cid_table[index]; - free_vlc(&ctx->ac_vlc); - free_vlc(&ctx->dc_vlc); - free_vlc(&ctx->run_vlc); + ff_free_vlc(&ctx->ac_vlc); + ff_free_vlc(&ctx->dc_vlc); + ff_free_vlc(&ctx->run_vlc); init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, 
@@ -391,9 +391,9 @@ static av_cold int dnxhd_decode_close(AVCodecContext *avctx) if (ctx->picture.data[0]) avctx->release_buffer(avctx, &ctx->picture); - free_vlc(&ctx->ac_vlc); - free_vlc(&ctx->dc_vlc); - free_vlc(&ctx->run_vlc); + ff_free_vlc(&ctx->ac_vlc); + ff_free_vlc(&ctx->dc_vlc); + ff_free_vlc(&ctx->run_vlc); return 0; } diff --git a/libavcodec/dv.c b/libavcodec/dv.c index 74cbffb672..03a05b3748 100644 --- a/libavcodec/dv.c +++ b/libavcodec/dv.c @@ -312,7 +312,7 @@ static av_cold int dvvideo_init(AVCodecContext *avctx) dv_rl_vlc[i].level = level; dv_rl_vlc[i].run = run; } - free_vlc(&dv_vlc); + ff_free_vlc(&dv_vlc); dv_vlc_map_tableinit(); } diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index e59dad676a..a0fa82551e 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -110,11 +110,11 @@ av_cold void ff_ccitt_unpack_init(void) ccitt_vlc[1].table = code_table2; ccitt_vlc[1].table_allocated = 648; for(i = 0; i < 2; i++){ - init_vlc_sparse(&ccitt_vlc[i], 9, CCITT_SYMS, - ccitt_codes_lens[i], 1, 1, - ccitt_codes_bits[i], 1, 1, - ccitt_syms, 2, 2, - INIT_VLC_USE_NEW_STATIC); + ff_init_vlc_sparse(&ccitt_vlc[i], 9, CCITT_SYMS, + ccitt_codes_lens[i], 1, 1, + ccitt_codes_bits[i], 1, 1, + ccitt_syms, 2, 2, + INIT_VLC_USE_NEW_STATIC); } INIT_VLC_STATIC(&ccitt_group3_2d_vlc, 9, 11, ccitt_group3_2d_lens, 1, 1, diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index d887cde0fc..4d03057f43 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -112,13 +112,13 @@ static int fraps2_decode_plane(FrapsContext *s, uint8_t *dst, int stride, int w, if(j) dst[i] += dst[i - stride]; else if(Uoff) dst[i] += 0x80; if (get_bits_left(&gb) < 0) { - free_vlc(&vlc); + ff_free_vlc(&vlc); return AVERROR_INVALIDDATA; } } dst += stride; } - free_vlc(&vlc); + ff_free_vlc(&vlc); return 0; } diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index ee47441899..64393bc9d9 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h 
@@ -377,19 +377,19 @@ static inline void align_get_bits(GetBitContext *s) bits, bits_wrap, bits_size, \ codes, codes_wrap, codes_size, \ flags) \ - init_vlc_sparse(vlc, nb_bits, nb_codes, \ - bits, bits_wrap, bits_size, \ - codes, codes_wrap, codes_size, \ - NULL, 0, 0, flags) + ff_init_vlc_sparse(vlc, nb_bits, nb_codes, \ + bits, bits_wrap, bits_size, \ + codes, codes_wrap, codes_size, \ + NULL, 0, 0, flags) -int init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes, +int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes, const void *bits, int bits_wrap, int bits_size, const void *codes, int codes_wrap, int codes_size, const void *symbols, int symbols_wrap, int symbols_size, int flags); #define INIT_VLC_LE 2 #define INIT_VLC_USE_NEW_STATIC 4 -void free_vlc(VLC *vlc); +void ff_free_vlc(VLC *vlc); #define INIT_VLC_STATIC(vlc, bits, a,b,c,d,e,f,g, static_size) do { \ static VLC_TYPE table[static_size][2]; \ diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index 0be0134f01..665cc0da2f 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -66,7 +66,7 @@ static av_cold void h261_decode_init_vlc(H261Context *h){ INIT_VLC_STATIC(&h261_cbp_vlc, H261_CBP_VLC_BITS, 63, &h261_cbp_tab[0][1], 2, 1, &h261_cbp_tab[0][0], 2, 1, 512); - init_rl(&h261_rl_tcoeff, ff_h261_rl_table_store); + ff_init_rl(&h261_rl_tcoeff, ff_h261_rl_table_store); INIT_VLC_RL(h261_rl_tcoeff, 552); } } diff --git a/libavcodec/h261enc.c b/libavcodec/h261enc.c index c758ec09d5..ee37fe3af9 100644 --- a/libavcodec/h261enc.c +++ b/libavcodec/h261enc.c @@ -240,7 +240,7 @@ void ff_h261_encode_init(MpegEncContext *s){ if (!done) { done = 1; - init_rl(&h261_rl_tcoeff, ff_h261_rl_table_store); + ff_init_rl(&h261_rl_tcoeff, ff_h261_rl_table_store); } s->min_qcoeff= -127; diff --git a/libavcodec/huffman.c b/libavcodec/huffman.c index 4fb6530d39..9446332b7d 100644 --- a/libavcodec/huffman.c +++ b/libavcodec/huffman.c 
@@ -61,7 +61,7 @@ static int build_huff_tree(VLC *vlc, Node *nodes, int head, int flags) int pos = 0; get_tree_codes(bits, lens, xlat, nodes, head, 0, 0, &pos, no_zero_count); - return init_vlc_sparse(vlc, 9, pos, lens, 2, 2, bits, 4, 4, xlat, 1, 1, 0); + return ff_init_vlc_sparse(vlc, 9, pos, lens, 2, 2, bits, 4, 4, xlat, 1, 1, 0); } diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index a173a13d87..f9e101db3d 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -296,8 +296,8 @@ static void generate_joint_tables(HYuvContext *s){ i++; } } - free_vlc(&s->vlc[3+p]); - init_vlc_sparse(&s->vlc[3+p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0); + ff_free_vlc(&s->vlc[3+p]); + ff_init_vlc_sparse(&s->vlc[3+p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0); } }else{ uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map; @@ -337,7 +337,7 @@ static void generate_joint_tables(HYuvContext *s){ } } } - free_vlc(&s->vlc[3]); + ff_free_vlc(&s->vlc[3]); init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0); } } @@ -354,7 +354,7 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ if(generate_bits_table(s->bits[i], s->len[i])<0){ return -1; } - free_vlc(&s->vlc[i]); + ff_free_vlc(&s->vlc[i]); init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); } @@ -386,7 +386,7 @@ static int read_old_huffman_tables(HYuvContext *s){ memcpy(s->len[2] , s->len [1], 256*sizeof(uint8_t)); for(i=0; i<3; i++){ - free_vlc(&s->vlc[i]); + ff_free_vlc(&s->vlc[i]); init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); } @@ -1220,7 +1220,7 @@ static av_cold int decode_end(AVCodecContext *avctx) av_freep(&s->bitstream_buffer); for(i=0; i<6; i++){ - free_vlc(&s->vlc[i]); + ff_free_vlc(&s->vlc[i]); } return 0; diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 019fa2b8da..43253570b6 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c 
@@ -809,7 +809,7 @@ static av_cold int decode_close(AVCodecContext *avctx) ff_ivi_free_buffers(&ctx->planes[0]); if (ctx->mb_vlc.cust_tab.table) - free_vlc(&ctx->mb_vlc.cust_tab); + ff_free_vlc(&ctx->mb_vlc.cust_tab); if (ctx->frame.data[0]) avctx->release_buffer(avctx, &ctx->frame); diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index dce8a995d1..028d2a16a6 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -120,8 +120,8 @@ void ff_h263_decode_init_vlc(MpegEncContext *s) INIT_VLC_STATIC(&mv_vlc, MV_VLC_BITS, 33, &ff_mvtab[0][1], 2, 1, &ff_mvtab[0][0], 2, 1, 538); - init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); + ff_init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); + ff_init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); INIT_VLC_RL(ff_h263_rl_inter, 554); INIT_VLC_RL(ff_rl_intra_aic, 554); INIT_VLC_STATIC(&h263_mbtype_b_vlc, H263_MBTYPE_B_VLC_BITS, 15, diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index 5b247dce07..752b3073a3 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -775,8 +775,8 @@ void ff_h263_encode_init(MpegEncContext *s) if (!done) { done = 1; - init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); + ff_init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); + ff_init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); init_uni_h263_rl_tab(&ff_rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); init_uni_h263_rl_tab(&ff_h263_rl_inter , NULL, uni_h263_inter_rl_len); diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index eedcd28ada..670be5e7f2 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -132,7 +132,7 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff); if (huff_tab->cust_tab.table) - free_vlc(&huff_tab->cust_tab); + ff_free_vlc(&huff_tab->cust_tab); result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc, &huff_tab->cust_tab, 0); if (result) { @@ -237,7 +237,7 @@ void av_cold ff_ivi_free_buffers(IVIPlaneDesc *planes) av_freep(&planes[p].bands[b].bufs[2]); if (planes[p].bands[b].blk_vlc.cust_tab.table) - free_vlc(&planes[p].bands[b].blk_vlc.cust_tab); + ff_free_vlc(&planes[p].bands[b].blk_vlc.cust_tab); for (t = 0; t < planes[p].bands[b].num_tiles; t++) av_freep(&planes[p].bands[b].tiles[t].mbs); av_freep(&planes[p].bands[b].tiles); diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index fd03b97c37..013dc2ebde 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -413,7 +413,7 @@ static av_cold int mimic_decode_end(AVCodecContext *avctx) for(i = 0; i < 16; i++) if(ctx->buf_ptrs[i].data[0]) ff_thread_release_buffer(avctx, &ctx->buf_ptrs[i]); - free_vlc(&ctx->vlc); + ff_free_vlc(&ctx->vlc); return 0; } diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 7f12fc162c..542de98c59 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -62,8 +62,8 @@ static int build_vlc(VLC *vlc, const uint8_t *bits_table, if (is_ac) huff_sym[0] = 16 * 256; - return init_vlc_sparse(vlc, 9, nb_codes, huff_size, 1, 1, - huff_code, 2, 2, huff_sym, 2, 2, use_static); + return ff_init_vlc_sparse(vlc, 9, nb_codes, huff_size, 1, 1, + huff_code, 2, 2, huff_sym, 2, 2, use_static); } static void build_basic_mjpeg_vlc(MJpegDecodeContext *s) 
@@ -195,7 +195,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) len -= n; /* build VLC and flush previous vlc if present */ - free_vlc(&s->vlcs[class][index]); + ff_free_vlc(&s->vlcs[class][index]); av_log(s->avctx, AV_LOG_DEBUG, "class=%d index=%d nb_codes=%d\n", class, index, code_max + 1); if (build_vlc(&s->vlcs[class][index], bits_table, val_table, @@ -203,7 +203,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) return -1; if (class > 0) { - free_vlc(&s->vlcs[2][index]); + ff_free_vlc(&s->vlcs[2][index]); if (build_vlc(&s->vlcs[2][index], bits_table, val_table, code_max + 1, 0, 0) < 0) return -1; @@ -1642,7 +1642,7 @@ av_cold int ff_mjpeg_decode_end(AVCodecContext *avctx) for (i = 0; i < 3; i++) { for (j = 0; j < 4; j++) - free_vlc(&s->vlcs[i][j]); + ff_free_vlc(&s->vlcs[i][j]); } for (i = 0; i < MAX_COMPONENTS; i++) { av_freep(&s->blocks[i]); diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 8259447d62..0e1da3ae19 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -292,7 +292,7 @@ static int mp_decode_frame(AVCodecContext *avctx, if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0)) goto end; mp_decode_frame_helper(mp, &gb); - free_vlc(&mp->vlc); + ff_free_vlc(&mp->vlc); end: *data_size = sizeof(AVFrame); diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index b97f3ed62c..f5eb4d6651 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c 
@@ -182,13 +182,13 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx) q3_vlc[0].table = q3_0_table; q3_vlc[0].table_allocated = 512; - init_vlc_sparse(&q3_vlc[0], MPC8_Q3_BITS, MPC8_Q3_SIZE, + ff_init_vlc_sparse(&q3_vlc[0], MPC8_Q3_BITS, MPC8_Q3_SIZE, mpc8_q3_bits, 1, 1, mpc8_q3_codes, 1, 1, mpc8_q3_syms, 1, 1, INIT_VLC_USE_NEW_STATIC); q3_vlc[1].table = q3_1_table; q3_vlc[1].table_allocated = 516; - init_vlc_sparse(&q3_vlc[1], MPC8_Q4_BITS, MPC8_Q4_SIZE, + ff_init_vlc_sparse(&q3_vlc[1], MPC8_Q4_BITS, MPC8_Q4_SIZE, mpc8_q4_bits, 1, 1, mpc8_q4_codes, 1, 1, mpc8_q4_syms, 1, 1, INIT_VLC_USE_NEW_STATIC); diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index d79cf705ac..65dfe472e9 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -693,8 +693,8 @@ av_cold void ff_mpeg12_init_vlcs(void) INIT_VLC_STATIC(&mb_btype_vlc, MB_BTYPE_VLC_BITS, 11, &table_mb_btype[0][1], 2, 1, &table_mb_btype[0][0], 2, 1, 64); - init_rl(&ff_rl_mpeg1, ff_mpeg12_static_rl_table_store[0]); - init_rl(&ff_rl_mpeg2, ff_mpeg12_static_rl_table_store[1]); + ff_init_rl(&ff_rl_mpeg1, ff_mpeg12_static_rl_table_store[0]); + ff_init_rl(&ff_rl_mpeg2, ff_mpeg12_static_rl_table_store[1]); INIT_2D_VLC_RL(ff_rl_mpeg1, 680); INIT_2D_VLC_RL(ff_rl_mpeg2, 674); diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 17097db909..b0950b8044 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -722,8 +722,8 @@ void ff_mpeg1_encode_init(MpegEncContext *s) int i; done=1; - init_rl(&ff_rl_mpeg1, ff_mpeg12_static_rl_table_store[0]); - init_rl(&ff_rl_mpeg2, ff_mpeg12_static_rl_table_store[1]); + ff_init_rl(&ff_rl_mpeg1, ff_mpeg12_static_rl_table_store[0]); + ff_init_rl(&ff_rl_mpeg2, ff_mpeg12_static_rl_table_store[1]); for(i=0; i<64; i++) { diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 629430b54a..b243a23be7 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -2205,9 +2205,9 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!done) { done = 1; - init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]); - init_rl(&rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]); - init_rl(&rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]); + ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]); + ff_init_rl(&rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]); + ff_init_rl(&rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]); INIT_VLC_RL(ff_mpeg4_rl_intra, 554); INIT_VLC_RL(rvlc_rl_inter, 1072); INIT_VLC_RL(rvlc_rl_intra, 1072); diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 523cbfd08b..b7c2da7a69 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1230,7 +1230,7 @@ static av_cold int encode_init(AVCodecContext *avctx) init_uni_dc_tab(); - init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]); + ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]); init_uni_mpeg4_rl_tab(&ff_mpeg4_rl_intra, uni_mpeg4_intra_rl_bits, uni_mpeg4_intra_rl_len); init_uni_mpeg4_rl_tab(&ff_h263_rl_inter, uni_mpeg4_inter_rl_bits, uni_mpeg4_inter_rl_len); diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 7aaf398e14..fa89886821 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1005,8 +1005,8 @@ void MPV_common_end(MpegEncContext *s) avcodec_default_free_buffers(s->avctx); } -void init_rl(RLTable *rl, - uint8_t static_store[2][2 * MAX_RUN + MAX_LEVEL + 3]) +void ff_init_rl(RLTable *rl, + uint8_t static_store[2][2 * MAX_RUN + MAX_LEVEL + 3]) { int8_t max_level[MAX_RUN + 1], max_run[MAX_LEVEL + 1]; uint8_t index_run[MAX_RUN + 1]; @@ -1057,7 +1057,7 @@ void init_rl(RLTable *rl, } } -void init_vlc_rl(RLTable *rl) +void ff_init_vlc_rl(RLTable *rl) { int i, q; diff --git a/libavcodec/msmpeg4.c b/libavcodec/msmpeg4.c index b4fcc00a74..a58d1357a4 100644 --- a/libavcodec/msmpeg4.c +++ b/libavcodec/msmpeg4.c 
@@ -262,7 +262,7 @@ av_cold void ff_msmpeg4_encode_init(MpegEncContext *s) init_mv_table(&mv_tables[0]); init_mv_table(&mv_tables[1]); for(i=0;itable = &table_data[table_offs[num]]; vlc->table_allocated = table_offs[num + 1] - table_offs[num]; - init_vlc_sparse(vlc, FFMIN(maxbits, 9), realsize, - bits2, 1, 1, - cw, 2, 2, - syms, 2, 2, INIT_VLC_USE_NEW_STATIC); + ff_init_vlc_sparse(vlc, FFMIN(maxbits, 9), realsize, + bits2, 1, 1, + cw, 2, 2, + syms, 2, 2, INIT_VLC_USE_NEW_STATIC); } /** diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index c55a07a7d0..3f2a824317 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -80,18 +80,18 @@ static av_cold void rv40_init_tables(void) for(i = 0; i < NUM_PTYPE_VLCS; i++){ ptype_vlc[i].table = &ptype_table[i << PTYPE_VLC_BITS]; ptype_vlc[i].table_allocated = 1 << PTYPE_VLC_BITS; - init_vlc_sparse(&ptype_vlc[i], PTYPE_VLC_BITS, PTYPE_VLC_SIZE, - ptype_vlc_bits[i], 1, 1, - ptype_vlc_codes[i], 1, 1, - ptype_vlc_syms, 1, 1, INIT_VLC_USE_NEW_STATIC); + ff_init_vlc_sparse(&ptype_vlc[i], PTYPE_VLC_BITS, PTYPE_VLC_SIZE, + ptype_vlc_bits[i], 1, 1, + ptype_vlc_codes[i], 1, 1, + ptype_vlc_syms, 1, 1, INIT_VLC_USE_NEW_STATIC); } for(i = 0; i < NUM_BTYPE_VLCS; i++){ btype_vlc[i].table = &btype_table[i << BTYPE_VLC_BITS]; btype_vlc[i].table_allocated = 1 << BTYPE_VLC_BITS; - init_vlc_sparse(&btype_vlc[i], BTYPE_VLC_BITS, BTYPE_VLC_SIZE, - btype_vlc_bits[i], 1, 1, - btype_vlc_codes[i], 1, 1, - btype_vlc_syms, 1, 1, INIT_VLC_USE_NEW_STATIC); + ff_init_vlc_sparse(&btype_vlc[i], BTYPE_VLC_BITS, BTYPE_VLC_SIZE, + btype_vlc_bits[i], 1, 1, + btype_vlc_codes[i], 1, 1, + btype_vlc_syms, 1, 1, INIT_VLC_USE_NEW_STATIC); } } diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 4714fa0346..62e6689c37 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c 
@@ -267,9 +267,9 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int *recodes = huff.values; if(vlc[0].table) - free_vlc(&vlc[0]); + ff_free_vlc(&vlc[0]); if(vlc[1].table) - free_vlc(&vlc[1]); + ff_free_vlc(&vlc[1]); av_free(tmp1.bits); av_free(tmp1.lengths); av_free(tmp1.values); @@ -720,7 +720,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, for(i = 0; i < 4; i++) { if(vlc[i].table) - free_vlc(&vlc[i]); + ff_free_vlc(&vlc[i]); av_free(h[i].bits); av_free(h[i].lengths); av_free(h[i].values); diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 81dc84a7af..09d9e27c9d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -190,7 +190,7 @@ static void tm2_free_codes(TM2Codes *code) { av_free(code->recode); if(code->vlc.table) - free_vlc(&code->vlc); + ff_free_vlc(&code->vlc); } static inline int tm2_get_token(GetBitContext *gb, TM2Codes *code) diff --git a/libavcodec/utvideo.c b/libavcodec/utvideo.c index 7fe024d214..fdce255002 100644 --- a/libavcodec/utvideo.c +++ b/libavcodec/utvideo.c @@ -103,10 +103,10 @@ static int build_huff(const uint8_t *src, VLC *vlc, int *fsym) code += 0x80000000u >> (he[i].len - 1); } - return init_vlc_sparse(vlc, FFMIN(he[last].len, 9), last + 1, - bits, sizeof(*bits), sizeof(*bits), - codes, sizeof(*codes), sizeof(*codes), - syms, sizeof(*syms), sizeof(*syms), 0); + return ff_init_vlc_sparse(vlc, FFMIN(he[last].len, 9), last + 1, + bits, sizeof(*bits), sizeof(*bits), + codes, sizeof(*codes), sizeof(*codes), + syms, sizeof(*syms), sizeof(*syms), 0); } static int decode_plane(UtvideoContext *c, int plane_no, @@ -207,11 +207,11 @@ static int decode_plane(UtvideoContext *c, int plane_no, get_bits_left(&gb)); } - free_vlc(&vlc); + ff_free_vlc(&vlc); return 0; fail: - free_vlc(&vlc); + ff_free_vlc(&vlc); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 22a2cf7e8a..009a3cda1a 100644 --- a/libavcodec/vorbisdec.c 
+++ b/libavcodec/vorbisdec.c @@ -203,7 +203,7 @@ static void vorbis_free(vorbis_context *vc) for (i = 0; i < vc->codebook_count; ++i) { av_free(vc->codebooks[i].codevectors); - free_vlc(&vc->codebooks[i].vlc); + ff_free_vlc(&vc->codebooks[i].vlc); } av_freep(&vc->codebooks); diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 602b5fa7a1..da70e66ab9 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -292,17 +292,17 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) return 0; for (i = 0; i < 16; i++) { - free_vlc(&s->dc_vlc[i]); - free_vlc(&s->ac_vlc_1[i]); - free_vlc(&s->ac_vlc_2[i]); - free_vlc(&s->ac_vlc_3[i]); - free_vlc(&s->ac_vlc_4[i]); + ff_free_vlc(&s->dc_vlc[i]); + ff_free_vlc(&s->ac_vlc_1[i]); + ff_free_vlc(&s->ac_vlc_2[i]); + ff_free_vlc(&s->ac_vlc_3[i]); + ff_free_vlc(&s->ac_vlc_4[i]); } - free_vlc(&s->superblock_run_length_vlc); - free_vlc(&s->fragment_run_length_vlc); - free_vlc(&s->mode_code_vlc); - free_vlc(&s->motion_vector_vlc); + ff_free_vlc(&s->superblock_run_length_vlc); + ff_free_vlc(&s->fragment_run_length_vlc); + ff_free_vlc(&s->mode_code_vlc); + ff_free_vlc(&s->motion_vector_vlc); /* release all frames */ vp3_decode_flush(avctx); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 91377015eb..861a2da49e 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -237,7 +237,7 @@ static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], nodes[map[2*i+1]].count = b + !b; } - free_vlc(vlc); + ff_free_vlc(vlc); /* then build the huffman tree according to probabilities */ return ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, FF_HUFFMAN_FLAG_HNODE_FIRST); 
@@ -615,11 +615,11 @@ static av_cold int vp6_decode_free(AVCodecContext *avctx) ff_vp56_free(avctx); for (pt=0; pt<2; pt++) { - free_vlc(&s->dccv_vlc[pt]); - free_vlc(&s->runv_vlc[pt]); + ff_free_vlc(&s->dccv_vlc[pt]); + ff_free_vlc(&s->runv_vlc[pt]); for (ct=0; ct<3; ct++) for (cg=0; cg<6; cg++) - free_vlc(&s->ract_vlc[pt][ct][cg]); + ff_free_vlc(&s->ract_vlc[pt][ct][cg]); } return 0; } diff --git a/libavcodec/wma.c b/libavcodec/wma.c index d82fde7b18..63ddb6ceae 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -417,13 +417,13 @@ int ff_wma_end(AVCodecContext *avctx) ff_mdct_end(&s->mdct_ctx[i]); if (s->use_exp_vlc) { - free_vlc(&s->exp_vlc); + ff_free_vlc(&s->exp_vlc); } if (s->use_noise_coding) { - free_vlc(&s->hgain_vlc); + ff_free_vlc(&s->hgain_vlc); } for (i = 0; i < 2; i++) { - free_vlc(&s->coef_vlc[i]); + ff_free_vlc(&s->coef_vlc[i]); av_free(s->run_table[i]); av_free(s->level_table[i]); av_free(s->int_table[i]); From f695bd601640702a299f106637023511d7c9acd4 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 13 Feb 2012 21:14:19 +0100 Subject: [PATCH 302/991] rv34: use AVERROR return values in ff_rv34_decode_frame() Also adds an error message. (cherry picked from commit 29330721b0e8514f9f8b4d54be75a662a2b79e44) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index d2d14aadc4..da8e79e04c 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c 
@@ -1676,15 +1676,19 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if(get_slice_offset(avctx, slices_hdr, 0) < 0 || get_slice_offset(avctx, slices_hdr, 0) > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); - return -1; + return AVERROR_INVALIDDATA; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); - return -1; + return AVERROR_INVALIDDATA; + } + if ((!s->last_picture_ptr || !s->last_picture_ptr->f.data[0]) && + si.type == AV_PICTURE_TYPE_B) { + av_log(avctx, AV_LOG_ERROR, "Invalid decoder state: B-frame without " + "reference data.\n"); + return AVERROR_INVALIDDATA; } - if ((!s->last_picture_ptr || !s->last_picture_ptr->f.data[0]) && si.type == AV_PICTURE_TYPE_B) - return -1; if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) From 90575bd7dd1e46d0e780757c71e4c3eb32d815bb Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 28 Sep 2012 12:25:10 +0200 Subject: [PATCH 303/991] rv34: Handle only complete frames in frame-mt. Correct handling of errors to prevent hangs or crashes is very complex otherwise. The frame initializing is also moved from decode_slice() to decode_frame() for clarity. (cherry picked from commit 73ad4471a48bd02b2c2a55de116161b87e061023) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 193 +++++++++++++++++++++++++++------------------- 1 file changed, 113 insertions(+), 80 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index da8e79e04c..859ea50f5d 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c 
@@ -1411,7 +1411,7 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int { MpegEncContext *s = &r->s; GetBitContext *gb = &s->gb; - int mb_pos; + int mb_pos, slice_type; int res; init_get_bits(&r->s.gb, buf, buf_size*8); 
@@ -1421,60 +1421,10 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int return -1; } - if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) { - if (s->width != r->si.width || s->height != r->si.height) { - int err; - - av_log(s->avctx, AV_LOG_WARNING, "Changing dimensions to %dx%d\n", - r->si.width, r->si.height); - MPV_common_end(s); - s->width = r->si.width; - s->height = r->si.height; - avcodec_set_dimensions(s->avctx, s->width, s->height); - if ((err = MPV_common_init(s)) < 0) - return err; - if ((err = rv34_decoder_realloc(r)) < 0) - return err; - } - s->pict_type = r->si.type ? r->si.type : AV_PICTURE_TYPE_I; - if(MPV_frame_start(s, s->avctx) < 0) - return -1; - ff_er_frame_start(s); - if (!r->tmp_b_block_base) { - int i; - - r->tmp_b_block_base = av_malloc(s->linesize * 48); - for (i = 0; i < 2; i++) - r->tmp_b_block_y[i] = r->tmp_b_block_base + i * 16 * s->linesize; - for (i = 0; i < 4; i++) - r->tmp_b_block_uv[i] = r->tmp_b_block_base + 32 * s->linesize - + (i >> 1) * 8 * s->uvlinesize + (i & 1) * 16; - } - r->cur_pts = r->si.pts; - if(s->pict_type != AV_PICTURE_TYPE_B){ - r->last_pts = r->next_pts; - r->next_pts = r->cur_pts; - }else{ - int refdist = GET_PTS_DIFF(r->next_pts, r->last_pts); - int dist0 = GET_PTS_DIFF(r->cur_pts, r->last_pts); - int dist1 = GET_PTS_DIFF(r->next_pts, r->cur_pts); - - if(!refdist){ - r->weight1 = r->weight2 = 8192; - }else{ - r->weight1 = (dist0 << 14) / refdist; - r->weight2 = (dist1 << 14) / refdist; - } - } - s->mb_x = s->mb_y = 0; - ff_thread_finish_setup(s->avctx); - } else { - int slice_type = r->si.type ? r->si.type : AV_PICTURE_TYPE_I; - - if (slice_type != s->pict_type) { - av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); - return AVERROR_INVALIDDATA; - } + slice_type = r->si.type ? r->si.type : AV_PICTURE_TYPE_I; + if (slice_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); + return AVERROR_INVALIDDATA; } r->si.end = end; 
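Review bot: with the setup branch removed, rv34_decode_slice() compares slice_type against s->pict_type and goes on to decode, but nothing in the function says or checks that a frame has been started; the removed branch was what started one when s->current_picture_ptr was NULL. State the new precondition in a comment above the function (the caller has run MPV_frame_start() and set s->pict_type), or keep a cheap early return when s->current_picture_ptr is NULL so a later caller cannot decode into no picture. The context line just above the removed block still returns a bare -1 while the new mismatch check returns AVERROR_INVALIDDATA; making the two consistent would fit the previous patch in the series.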
@@ -1624,10 +1574,6 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte memset(&r->si, 0, sizeof(r->si)); - /* necessary since it is it the condition checked for in decode_slice - * to call MPV_frame_start. cmp. comment at the end of decode_frame */ - s->current_picture_ptr = NULL; - return 0; } @@ -1637,8 +1583,33 @@ static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); } +static int finish_frame(AVCodecContext *avctx, AVFrame *pict) +{ + RV34DecContext *r = avctx->priv_data; + MpegEncContext *s = &r->s; + int got_picture = 0; + + ff_er_frame_end(s); + MPV_frame_end(s); + + if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) + ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); + + if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { + *pict = s->current_picture_ptr->f; + got_picture = 1; + } else if (s->last_picture_ptr != NULL) { + *pict = s->last_picture_ptr->f; + got_picture = 1; + } + if (got_picture) + ff_print_debug_info(s, pict); + + return got_picture; +} + int ff_rv34_decode_frame(AVCodecContext *avctx, - void *data, int *data_size, + void *data, int *got_picture_ptr, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; @@ -1656,10 +1627,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if (buf_size == 0) { /* special case for last picture */ if (s->low_delay==0 && s->next_picture_ptr) { - *pict = *(AVFrame*)s->next_picture_ptr; + *pict = s->next_picture_ptr->f; s->next_picture_ptr = NULL; - *data_size = sizeof(AVFrame); + *got_picture_ptr = 1; } return 0; } 
@@ -1694,6 +1665,70 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, || avctx->skip_frame >= AVDISCARD_ALL) return avpkt->size; + /* first slice */ + if (si.start == 0) { + if (s->mb_num_left > 0) { + av_log(avctx, AV_LOG_ERROR, "New frame but still %d MB left.", + s->mb_num_left); + ff_er_frame_end(s); + MPV_frame_end(s); + } + + if (s->width != si.width || s->height != si.height) { + int err; + + av_log(s->avctx, AV_LOG_WARNING, "Changing dimensions to %dx%d\n", + si.width, si.height); + MPV_common_end(s); + s->width = si.width; + s->height = si.height; + avcodec_set_dimensions(s->avctx, s->width, s->height); + if ((err = MPV_common_init(s)) < 0) + return err; + if ((err = rv34_decoder_realloc(r)) < 0) + return err; + } + s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I; + if (MPV_frame_start(s, s->avctx) < 0) + return -1; + ff_er_frame_start(s); + if (!r->tmp_b_block_base) { + int i; + + r->tmp_b_block_base = av_malloc(s->linesize * 48); + for (i = 0; i < 2; i++) + r->tmp_b_block_y[i] = r->tmp_b_block_base + + i * 16 * s->linesize; + for (i = 0; i < 4; i++) + r->tmp_b_block_uv[i] = r->tmp_b_block_base + 32 * s->linesize + + (i >> 1) * 8 * s->uvlinesize + + (i & 1) * 16; + } + r->cur_pts = si.pts; + if (s->pict_type != AV_PICTURE_TYPE_B) { + r->last_pts = r->next_pts; + r->next_pts = r->cur_pts; + } else { + int refdist = GET_PTS_DIFF(r->next_pts, r->last_pts); + int dist0 = GET_PTS_DIFF(r->cur_pts, r->last_pts); + int dist1 = GET_PTS_DIFF(r->next_pts, r->cur_pts); + + if (!refdist) { + r->weight1 = r->weight2 = 8192; + } else { + r->weight1 = (dist0 << 14) / refdist; + r->weight2 = (dist1 << 14) / refdist; + } + } + s->mb_x = s->mb_y = 0; + ff_thread_finish_setup(s->avctx); + } else if (HAVE_THREADS && + (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + av_log(s->avctx, AV_LOG_ERROR, "Decoder needs full frames in frame " + "multithreading mode (start MB is %d).\n", si.start); + return AVERROR_INVALIDDATA; + } + for(i = 0; i < slice_count; i++){ int 
offset = get_slice_offset(avctx, slices_hdr, i); int size; @@ -1708,6 +1743,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, } r->si.end = s->mb_width * s->mb_height; + s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; + if(i+1 < slice_count){ if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { @@ -1728,32 +1765,28 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, break; } last = rv34_decode_slice(r, r->si.end, buf + offset, size); - s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(last) break; } - if(last && s->current_picture_ptr){ - if(r->loop_filter) - r->loop_filter(r, s->mb_height - 1); - ff_er_frame_end(s); - MPV_frame_end(s); + if (s->current_picture_ptr) { + if (last) { + if(r->loop_filter) + r->loop_filter(r, s->mb_height - 1); - if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) + *got_picture_ptr = finish_frame(avctx, pict); + } else if (HAVE_THREADS && + (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + av_log(avctx, AV_LOG_INFO, "marking unfished frame as finished\n"); + /* always mark the current frame as finished, frame-mt supports + * only complete frames */ + ff_er_frame_end(s); + MPV_frame_end(s); ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); - - if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { - *pict = *(AVFrame*)s->current_picture_ptr; - } else if (s->last_picture_ptr != NULL) { - *pict = *(AVFrame*)s->last_picture_ptr; + return AVERROR_INVALIDDATA; } - - if(s->last_picture_ptr || s->low_delay){ - *data_size = sizeof(AVFrame); - ff_print_debug_info(s, pict); - } - s->current_picture_ptr = NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } + return avpkt->size; } From b1ad5a21da7ac56b853b6a21ed08a075ecbb89c6 Mon Sep 17 00:00:00 2001 
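Review bot: in the first-slice block moved into ff_rv34_decode_frame() (PATCH 303), `r->tmp_b_block_base = av_malloc(s->linesize * 48);` is still unchecked, and the two loops right after it compute tmp_b_block_y[] and tmp_b_block_uv[] from the result, so a failed allocation leaves pointers derived from NULL for later use. Since the block is being moved anyway, add `if (!r->tmp_b_block_base) return AVERROR(ENOMEM);` before the loops. In the same block, `if (MPV_frame_start(s, s->avctx) < 0) return -1;` should return an AVERROR code like the rest of the function, and the "New frame but still %d MB left." message has no trailing newline. Please also check whether the new `else if` frame-threading branch can be reached at all: the header check shown in the previous patch already returns when `si.start` is non-zero. In the last hunk the log string reads "unfished".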
From: Janne Grunau Date: Fri, 23 Mar 2012 22:30:38 +0100 Subject: [PATCH 304/991] rv34: error out on size changes with frame threading Fixes CVE-2012-2772 (cherry picked from commit cb7190cd2c691fd93e4d3664f3fce6c19ee001dd) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 859ea50f5d..c05b71b14c 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1677,6 +1677,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if (s->width != si.width || s->height != si.height) { int err; + if (HAVE_THREADS && + (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height changing with " + "frame threading is", 0); + return AVERROR_PATCHWELCOME; + } + av_log(s->avctx, AV_LOG_WARNING, "Changing dimensions to %dx%d\n", si.width, si.height); MPV_common_end(s); From e5f4e249422834f727bcd432b73af971277f1371 Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: [PATCH 305/991] lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 8c5041a8fe..7eca639489 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -45,6 +45,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0, m_count; + if (a == b) + return a; + ret = av_mallocz(sizeof(AVFilterFormats)); /* merge list of formats */ From d4f3abca6a76f322d0b8c5e90dd0368efdf58821 Mon Sep 17 00:00:00 2001 
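Review bot: the new frame-threading guard in ff_rv34_decode_frame() (PATCH 304) returns AVERROR_PATCHWELCOME from inside the first-slice block, after the `s->mb_num_left > 0` branch above it may already have run ff_er_frame_end() and MPV_frame_end(), and before MPV_frame_start() and ff_thread_finish_setup(). Confirm that returning at this point leaves the thread context in a state the next packet can recover from. The commit message gives only the CVE number, so a one-line comment next to the check on why the reinit cannot be done under frame threading would keep the guard from being dropped later.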
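Review bot: the `if (a == b) return a;` early return in avfilter_merge_formats() (PATCH 305) needs a comment, because on its own it reads like an optimisation that could be removed. The commit message has the reason (merging a list with itself ends in two merge_ref() calls and a double free); put that next to the check. It is also worth documenting for callers that in this case the returned pointer is one of the inputs rather than the list allocated with av_mallocz() further down.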
From: Kostya Shishkov Date: Mon, 14 May 2012 19:46:54 +0200 Subject: [PATCH 306/991] indeo3: validate new frame size before resetting decoder (cherry picked from commit 6de226a2b8b703abc823f18c3fd7f39a0787aeb5) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 55b4ec7a7a..b7ef9e5241 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -895,6 +895,14 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, av_dlog(avctx, "Frame dimensions changed!\n"); + if (width < 16 || width > 640 || + height < 16 || height > 480 || + width & 3 || height & 3) { + av_log(avctx, AV_LOG_ERROR, + "Invalid picture dimensions: %d x %d!\n", width, height); + return AVERROR_INVALIDDATA; + } + ctx->width = width; ctx->height = height; From e46cf805b10070327026f8e2880fe29e5e9ac1af Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Feb 2012 19:23:18 -0500 Subject: [PATCH 307/991] vorbisenc: check all allocations for failure (cherry picked from commit be8d812c9635f31f69c30dff9ebf565a07a7dab7) Signed-off-by: Anton Khirnov --- libavcodec/vorbisenc.c | 127 +++++++++++++++++++++++++++++------------ 1 file changed, 92 insertions(+), 35 deletions(-) diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c index 00fe402d3e..9257333c1c 100644 --- a/libavcodec/vorbisenc.c +++ b/libavcodec/vorbisenc.c @@ -155,7 +155,7 @@ static int cb_lookup_vals(int lookup, int dimentions, int entries) return 0; } -static void ready_codebook(vorbis_enc_codebook *cb) +static int ready_codebook(vorbis_enc_codebook *cb) { int i; 
@@ -167,6 +167,8 @@ static void ready_codebook(vorbis_enc_codebook *cb) int vals = cb_lookup_vals(cb->lookup, cb->ndimentions, cb->nentries); cb->dimentions = av_malloc(sizeof(float) * cb->nentries * cb->ndimentions); cb->pow2 = av_mallocz(sizeof(float) * cb->nentries); + if (!cb->dimentions || !cb->pow2) + return AVERROR(ENOMEM); for (i = 0; i < cb->nentries; i++) { float last = 0; int j; @@ -187,13 +189,16 @@ static void ready_codebook(vorbis_enc_codebook *cb) cb->pow2[i] /= 2.; } } + return 0; } -static void ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) +static int ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) { int i; assert(rc->type == 2); rc->maxes = av_mallocz(sizeof(float[2]) * rc->classifications); + if (!rc->maxes) + return AVERROR(ENOMEM); for (i = 0; i < rc->classifications; i++) { int j; vorbis_enc_codebook * cb; @@ -223,15 +228,16 @@ static void ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) rc->maxes[i][0] += 0.8; rc->maxes[i][1] += 0.8; } + return 0; } -static void create_vorbis_context(vorbis_enc_context *venc, - AVCodecContext *avccontext) +static int create_vorbis_context(vorbis_enc_context *venc, + AVCodecContext *avccontext) { vorbis_enc_floor *fc; vorbis_enc_residue *rc; vorbis_enc_mapping *mc; - int i, book; + int i, book, ret; venc->channels = avccontext->channels; venc->sample_rate = avccontext->sample_rate; @@ -239,6 +245,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->ncodebooks = FF_ARRAY_ELEMS(cvectors); venc->codebooks = av_malloc(sizeof(vorbis_enc_codebook) * venc->ncodebooks); + if (!venc->codebooks) + return AVERROR(ENOMEM); // codebook 0..14 - floor1 book, values 0..255 // codebook 15 residue masterbook 
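Review bot: in create_vorbis_context(), `venc->codebooks` comes from av_malloc() and `venc->ncodebooks` is already set when the new NULL check runs, so once the per-book allocations that follow can return AVERROR(ENOMEM) part-way through the loop, the entries after the failing one hold uninitialized lens, codewords and quantlist pointers. The error path this patch adds to vorbis_encode_init() calls vorbis_encode_close() on that state. Either allocate the array with av_mallocz() or make sure the close function only touches entries that were filled in. The same pattern applies to `fc->classes` and its `c->books` members later in the function.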
@@ -255,27 +263,36 @@ static void create_vorbis_context(vorbis_enc_context *venc, cb->lens = av_malloc(sizeof(uint8_t) * cb->nentries); cb->codewords = av_malloc(sizeof(uint32_t) * cb->nentries); + if (!cb->lens || !cb->codewords) + return AVERROR(ENOMEM); memcpy(cb->lens, cvectors[book].clens, cvectors[book].len); memset(cb->lens + cvectors[book].len, 0, cb->nentries - cvectors[book].len); if (cb->lookup) { vals = cb_lookup_vals(cb->lookup, cb->ndimentions, cb->nentries); cb->quantlist = av_malloc(sizeof(int) * vals); + if (!cb->quantlist) + return AVERROR(ENOMEM); for (i = 0; i < vals; i++) cb->quantlist[i] = cvectors[book].quant[i]; } else { cb->quantlist = NULL; } - ready_codebook(cb); + if ((ret = ready_codebook(cb)) < 0) + return ret; } venc->nfloors = 1; venc->floors = av_malloc(sizeof(vorbis_enc_floor) * venc->nfloors); + if (!venc->floors) + return AVERROR(ENOMEM); // just 1 floor fc = &venc->floors[0]; fc->partitions = NUM_FLOOR_PARTITIONS; fc->partition_to_class = av_malloc(sizeof(int) * fc->partitions); + if (!fc->partition_to_class) + return AVERROR(ENOMEM); fc->nclasses = 0; for (i = 0; i < fc->partitions; i++) { static const int a[] = {0, 1, 2, 2, 3, 3, 4, 4}; @@ -284,6 +301,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, } fc->nclasses++; fc->classes = av_malloc(sizeof(vorbis_enc_floor_class) * fc->nclasses); + if (!fc->classes) + return AVERROR(ENOMEM); for (i = 0; i < fc->nclasses; i++) { vorbis_enc_floor_class * c = &fc->classes[i]; int j, books; @@ -292,6 +311,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, c->masterbook = floor_classes[i].masterbook; books = (1 << c->subclass); c->books = av_malloc(sizeof(int) * books); + if (!c->books) + return AVERROR(ENOMEM); for (j = 0; j < books; j++) c->books[j] = floor_classes[i].nbooks[j]; } 
@@ -303,6 +324,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, fc->values += fc->classes[fc->partition_to_class[i]].dim; fc->list = av_malloc(sizeof(vorbis_floor1_entry) * fc->values); + if (!fc->list) + return AVERROR(ENOMEM); fc->list[0].x = 0; fc->list[1].x = 1 << fc->rangebits; for (i = 2; i < fc->values; i++) { @@ -317,6 +340,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues); + if (!venc->residues) + return AVERROR(ENOMEM); // single residue rc = &venc->residues[0]; @@ -327,6 +352,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, rc->classifications = 10; rc->classbook = 15; rc->books = av_malloc(sizeof(*rc->books) * rc->classifications); + if (!rc->books) + return AVERROR(ENOMEM); { static const int8_t a[10][8] = { { -1, -1, -1, -1, -1, -1, -1, -1, }, @@ -342,19 +369,26 @@ static void create_vorbis_context(vorbis_enc_context *venc, }; memcpy(rc->books, a, sizeof a); } - ready_residue(rc, venc); + if ((ret = ready_residue(rc, venc)) < 0) + return ret; venc->nmappings = 1; venc->mappings = av_malloc(sizeof(vorbis_enc_mapping) * venc->nmappings); + if (!venc->mappings) + return AVERROR(ENOMEM); // single mapping mc = &venc->mappings[0]; mc->submaps = 1; mc->mux = av_malloc(sizeof(int) * venc->channels); + if (!mc->mux) + return AVERROR(ENOMEM); for (i = 0; i < venc->channels; i++) mc->mux[i] = 0; mc->floor = av_malloc(sizeof(int) * mc->submaps); mc->residue = av_malloc(sizeof(int) * mc->submaps); + if (!mc->floor || !mc->residue) + return AVERROR(ENOMEM); for (i = 0; i < mc->submaps; i++) { mc->floor[i] = 0; mc->residue[i] = 0; 
@@ -362,6 +396,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, mc->coupling_steps = venc->channels == 2 ? 1 : 0; mc->magnitude = av_malloc(sizeof(int) * mc->coupling_steps); mc->angle = av_malloc(sizeof(int) * mc->coupling_steps); + if (!mc->magnitude || !mc->angle) + return AVERROR(ENOMEM); if (mc->coupling_steps) { mc->magnitude[0] = 0; mc->angle[0] = 1; @@ -369,6 +405,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->nmodes = 1; venc->modes = av_malloc(sizeof(vorbis_enc_mode) * venc->nmodes); + if (!venc->modes) + return AVERROR(ENOMEM); // single mode venc->modes[0].blockflag = 0; @@ -379,12 +417,18 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->samples = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1])); venc->floor = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1]) / 2); venc->coeffs = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1]) / 2); + if (!venc->saved || !venc->samples || !venc->floor || !venc->coeffs) + return AVERROR(ENOMEM); venc->win[0] = ff_vorbis_vwin[venc->log2_blocksize[0] - 6]; venc->win[1] = ff_vorbis_vwin[venc->log2_blocksize[1] - 6]; - ff_mdct_init(&venc->mdct[0], venc->log2_blocksize[0], 0, 1.0); - ff_mdct_init(&venc->mdct[1], venc->log2_blocksize[1], 0, 1.0); + if ((ret = ff_mdct_init(&venc->mdct[0], venc->log2_blocksize[0], 0, 1.0)) < 0) + return ret; + if ((ret = ff_mdct_init(&venc->mdct[1], venc->log2_blocksize[1], 0, 1.0)) < 0) + return ret; + + return 0; } static void put_float(PutBitContext *pb, float f) @@ -647,6 +691,8 @@ static int put_main_header(vorbis_enc_context *venc, uint8_t **out) len = hlens[0] + hlens[1] + hlens[2]; p = *out = av_mallocz(64 + len + len/255); + if (!p) + return AVERROR(ENOMEM); *p++ = 2; p += av_xiphlacing(p, hlens[0]); 
@@ -952,32 +998,6 @@ static int apply_window_and_mdct(vorbis_enc_context *venc, const signed short *a return 1; } -static av_cold int vorbis_encode_init(AVCodecContext *avccontext) -{ - vorbis_enc_context *venc = avccontext->priv_data; - - if (avccontext->channels != 2) { - av_log(avccontext, AV_LOG_ERROR, "Current Libav Vorbis encoder only supports 2 channels.\n"); - return -1; - } - - create_vorbis_context(venc, avccontext); - - if (avccontext->flags & CODEC_FLAG_QSCALE) - venc->quality = avccontext->global_quality / (float)FF_QP2LAMBDA / 10.; - else - venc->quality = 0.03; - venc->quality *= venc->quality; - - avccontext->extradata_size = put_main_header(venc, (uint8_t**)&avccontext->extradata); - - avccontext->frame_size = 1 << (venc->log2_blocksize[0] - 1); - - avccontext->coded_frame = avcodec_alloc_frame(); - avccontext->coded_frame->key_frame = 1; - - return 0; -} static int vorbis_encode_frame(AVCodecContext *avccontext, unsigned char *packets, 
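Review bot: the removed vorbis_encode_init() set `avccontext->coded_frame->key_frame = 1;` right after avcodec_alloc_frame(), and the copy re-added near the end of the file in this patch does not. The commit message only mentions allocation checks, so if dropping the flag is intended it should be said there; otherwise restore the assignment after the new NULL check. The re-added function also keeps the bare `return -1` for the channel-count error while every other failure path now returns an AVERROR code.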
@@ -1102,6 +1122,43 @@ static av_cold int vorbis_encode_close(AVCodecContext *avccontext) return 0 ; } +static av_cold int vorbis_encode_init(AVCodecContext *avccontext) +{ + vorbis_enc_context *venc = avccontext->priv_data; + int ret; + + if (avccontext->channels != 2) { + av_log(avccontext, AV_LOG_ERROR, "Current Libav Vorbis encoder only supports 2 channels.\n"); + return -1; + } + + if ((ret = create_vorbis_context(venc, avccontext)) < 0) + goto error; + + if (avccontext->flags & CODEC_FLAG_QSCALE) + venc->quality = avccontext->global_quality / (float)FF_QP2LAMBDA / 10.; + else + venc->quality = 0.03; + venc->quality *= venc->quality; + + if ((ret = put_main_header(venc, (uint8_t**)&avccontext->extradata)) < 0) + goto error; + avccontext->extradata_size = ret; + + avccontext->frame_size = 1 << (venc->log2_blocksize[0] - 1); + + avccontext->coded_frame = avcodec_alloc_frame(); + if (!avccontext->coded_frame) { + ret = AVERROR(ENOMEM); + goto error; + } + + return 0; +error: + vorbis_encode_close(avccontext); + return ret; +} + AVCodec ff_vorbis_encoder = { .name = "vorbis", .type = AVMEDIA_TYPE_AUDIO, From 9aaaeba45c41cf2b3fa4100abbdee7437428f93c Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Mon, 4 Jun 2012 18:27:03 -0700 Subject: [PATCH 308/991] vorbis: Validate that the floor 1 X values contain no duplicates. Duplicate values in this vector are explicitly banned by the Vorbis I spec and cause divide-by-zero crashes later on. (cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc) Signed-off-by: Reinhard Tartler --- libavcodec/vorbis.c | 9 ++++++++- libavcodec/vorbis.h | 3 ++- libavcodec/vorbisdec.c | 6 +++++- libavcodec/vorbisenc.c | 3 ++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 52ded8b0a8..16fb998fab 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c 
@@ -119,7 +119,8 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) return 0; } -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values) { int i; list[0].sort = 0; @@ -143,6 +144,11 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) for (i = 0; i < values - 1; i++) { int j; for (j = i + 1; j < values; j++) { + if (list[i].x == list[j].x) { + av_log(avccontext, AV_LOG_ERROR, + "Duplicate value found in floor 1 X coordinates\n"); + return AVERROR_INVALIDDATA; + } if (list[list[i].sort].x > list[list[j].sort].x) { int tmp = list[i].sort; list[i].sort = list[j].sort; @@ -150,6 +156,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } } + return 0; } static inline void render_line_unrolled(intptr_t x, int y, int x1, diff --git a/libavcodec/vorbis.h b/libavcodec/vorbis.h index a55523f17e..baa5af2c55 100644 --- a/libavcodec/vorbis.h +++ b/libavcodec/vorbis.h @@ -36,7 +36,8 @@ typedef struct { uint16_t high; } vorbis_floor1_entry; -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values); +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values); unsigned int ff_vorbis_nth_root(unsigned int x, unsigned int n); // x^(1/n) int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num); void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 009a3cda1a..3c139478e0 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
@@ -574,7 +574,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) } // Precalculate order of x coordinates - needed for decode - ff_vorbis_ready_floor1_list(floor_setup->data.t1.list, floor_setup->data.t1.x_list_dim); + if (ff_vorbis_ready_floor1_list(vc->avccontext, + floor_setup->data.t1.list, + floor_setup->data.t1.x_list_dim)) { + return AVERROR_INVALIDDATA; + } } else if (floor_setup->floor_type == 0) { unsigned max_codebook_dim = 0; diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c index 9257333c1c..2cab6b3736 100644 --- a/libavcodec/vorbisenc.c +++ b/libavcodec/vorbisenc.c @@ -336,7 +336,8 @@ static int create_vorbis_context(vorbis_enc_context *venc, }; fc->list[i].x = a[i - 2]; } - ff_vorbis_ready_floor1_list(fc->list, fc->values); + if (ff_vorbis_ready_floor1_list(avccontext, fc->list, fc->values)) + return AVERROR_BUG; venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues); From 31bc3fb563b12931cc4e2175adbeec92a5de05f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 2 Jul 2012 10:39:25 +0300 Subject: [PATCH 309/991] snow: Check mallocs at init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 4d8516fdb15d0177ad745228508254dee187dff9) Conflicts: libavcodec/snow.c --- libavcodec/snow.c | 15 ++++++++++----- libavcodec/snowdec.c | 7 ++++++- libavcodec/snowenc.c | 7 +++++-- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 905e02ad70..612f56ab04 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -385,7 +385,7 @@ mca( 8, 8,8) av_cold int ff_snow_common_init(AVCodecContext *avctx){ SnowContext *s = avctx->priv_data; int width, height; - int i, j; + int i, j, ret; s->avctx= avctx; s->max_ref_frames=1; //just make sure its not an invalid value in case of no initial keyframe 
@@ -438,17 +438,22 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ width= s->avctx->width; height= s->avctx->height; - s->spatial_idwt_buffer= av_mallocz(width*height*sizeof(IDWTELEM)); - s->spatial_dwt_buffer= av_mallocz(width*height*sizeof(DWTELEM)); //FIXME this does not belong here + FF_ALLOCZ_OR_GOTO(avctx, s->spatial_idwt_buffer, width * height * sizeof(IDWTELEM), fail); + FF_ALLOCZ_OR_GOTO(avctx, s->spatial_dwt_buffer, width * height * sizeof(DWTELEM), fail); //FIXME this does not belong here for(i=0; iavctx->get_buffer(s->avctx, &s->mconly_picture); - s->scratchbuf = av_malloc(s->mconly_picture.linesize[0]*7*MB_SIZE); + if ((ret = s->avctx->get_buffer(s->avctx, &s->mconly_picture)) < 0) { + av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + return ret; + } + FF_ALLOC_OR_GOTO(avctx, s->scratchbuf, s->mconly_picture.linesize[0]*7*MB_SIZE, fail); return 0; +fail: + return AVERROR(ENOMEM); } int ff_snow_common_init_after_header(AVCodecContext *avctx) { diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 70c5d4afc7..049d4a609b 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -354,9 +354,14 @@ static int decode_header(SnowContext *s){ static av_cold int decode_init(AVCodecContext *avctx) { + int ret; + avctx->pix_fmt= PIX_FMT_YUV420P; - ff_snow_common_init(avctx); + if ((ret = ff_snow_common_init(avctx)) < 0) { + ff_snow_common_end(avctx->priv_data); + return ret; + } return 0; } diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 05b6f0fa86..d9fba96903 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c 
@@ -156,7 +156,7 @@ static void dwt_quantize(SnowContext *s, Plane *p, DWTELEM *buffer, int width, i static av_cold int encode_init(AVCodecContext *avctx) { SnowContext *s = avctx->priv_data; - int plane_index; + int plane_index, ret; if(avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL){ av_log(avctx, AV_LOG_ERROR, "This codec is under development, files encoded with it may not be decodable with future versions!!!\n" @@ -185,7 +185,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->plane[plane_index].fast_mc= 1; } - ff_snow_common_init(avctx); + if ((ret = ff_snow_common_init(avctx)) < 0) { + ff_snow_common_end(avctx->priv_data); + return ret; + } ff_snow_alloc_blocks(s); s->version=0; From d7de11260bd1f656b475dbe96c10a602fbff332e Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 29 Sep 2012 11:31:35 -0400 Subject: [PATCH 310/991] ac3dec: ensure get_buffer() gets a buffer for the correct number of channels If there is an error during frame parsing, but AVCodecContext.channels was changed and AC3DecodeContext.out_channels was set previously, the two may not match. Fixes CVE-2012-2802 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 56b6a43056235fc110a018678da590595734203d) Signed-off-by: Reinhard Tartler --- libavcodec/ac3dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index fdc1d6830e..28a783a075 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1404,6 +1404,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ + avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); From 9a76b7375eaa52044c6dcc2f1fd59ca9a3d901ee Mon Sep 17 00:00:00 2001 
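Review bot: in ff_snow_common_init() (snow.c hunk of PATCH 309) the sizes handed to FF_ALLOCZ_OR_GOTO are still `width * height * sizeof(IDWTELEM)` and `width * height * sizeof(DWTELEM)` with `int width, height`, so the product of the two ints is formed before the multiplication by sizeof, and the new allocation checks do not help if that product overflows. Validate the dimensions before allocating (av_image_check_size(), as the dfa patch later in this series does, would fit) or convert to size_t first. Since decode_init() and encode_init() now call ff_snow_common_end() after a failed init, that function also has to cope with a context in which only some of these buffers were allocated.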
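Review bot: `avctx->channels = s->out_channels;` in ac3_decode_frame() (PATCH 310) now overwrites the caller-visible channel count on every frame, so please confirm that s->out_channels is initialized on every path that reaches this line, including a parse error on the very first frame; otherwise get_buffer() is asked for a buffer using whatever value the context started with. A short comment next to the assignment saying that it resynchronizes the two fields before get_buffer() would make the intent clear without the commit message.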
From: Michael Niedermayer Date: Fri, 20 Apr 2012 17:42:18 +0200 Subject: [PATCH 311/991] avsdec: Set dimensions instead of relying on the demuxer. The decode function assumes that the video will have those dimensions. Fixes CVE-2012-2801 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89) Signed-off-by: Reinhard Tartler --- libavcodec/avs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index b3cd5b1478..0ce190ab8a 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -158,6 +158,7 @@ avs_decode_frame(AVCodecContext * avctx, static av_cold int avs_decode_init(AVCodecContext * avctx) { avctx->pix_fmt = PIX_FMT_PAL8; + avcodec_set_dimensions(avctx, 318, 198); return 0; } From 9e575e54a057f109d212fb05583c8330b0692289 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 14:47:56 +0200 Subject: [PATCH 312/991] dfa: check that the caller set width/height properly. Fixes CVE-2012-2786. (cherry picked from commit ee715f49a06bf3898246d01b056284a9bb1bcbb9) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 08bb2a4934..d68ac5e3a8 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -23,6 +23,8 @@ #include "avcodec.h" #include "libavutil/intreadwrite.h" #include "bytestream.h" + +#include "libavutil/imgutils.h" #include "libavutil/lzo.h" // for av_memcpy_backptr typedef struct DfaContext { @@ -35,9 +37,13 @@ typedef struct DfaContext { static av_cold int dfa_decode_init(AVCodecContext *avctx) { DfaContext *s = avctx->priv_data; + int ret; avctx->pix_fmt = PIX_FMT_PAL8; + if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) + return ret; + s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING); if (!s->frame_buf) return AVERROR(ENOMEM); 
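Review bot: `avcodec_set_dimensions(avctx, 318, 198);` in avs_decode_init() (PATCH 311) hard-codes the size as bare literals, while the commit message says the decode function assumes exactly those dimensions. Put them in named constants used by both init and decode so the two cannot drift apart, and add a comment that the size supplied by the demuxer is deliberately overridden. If anything can change avctx->width or avctx->height after init, the decode function needs its own check as well.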
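Review bot: the av_image_check_size() call added to dfa_decode_init() (PATCH 312) validates avctx->width and avctx->height once, and frame_buf is sized from the values seen at that moment. If the per-frame decoders take width and height from avctx again on each call, a caller that changes them after init gets past this check with a buffer of the old size. Storing the validated width and height in DfaContext and using those for both the allocation and the decode calls would close that gap.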
From 12941dbe2cc7efcd24f2cbdd4e16dfb9e6f95bf4 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 13 Mar 2012 01:58:12 +0000 Subject: [PATCH 313/991] dfa: convert to bytestream2 API Protects from overreads. Signed-off-by: Paul B Mahol Signed-off-by: Ronald S. Bultje (cherry picked from commit 29b0d94b43ac960cb442049a5d737a3386ff0337) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 163 +++++++++++++++++++++-------------------------- 1 file changed, 74 insertions(+), 89 deletions(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index d68ac5e3a8..f440427b02 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -21,7 +21,6 @@ */ #include "avcodec.h" -#include "libavutil/intreadwrite.h" #include "bytestream.h" #include "libavutil/imgutils.h" @@ -51,19 +50,16 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx) return 0; } -static int decode_copy(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_copy(GetByteContext *gb, uint8_t *frame, int width, int height) { const int size = width * height; - if (src_end - src < size) + if (bytestream2_get_buffer(gb, frame, size) != size) return -1; - bytestream_get_buffer(&src, frame, size); return 0; } -static int decode_tsw1(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; 
@@ -71,22 +67,22 @@ static int decode_tsw1(uint8_t *frame, int width, int height, int v, count, segments; unsigned offset; - segments = bytestream_get_le32(&src); - offset = bytestream_get_le32(&src); + segments = bytestream2_get_le32(gb); + offset = bytestream2_get_le32(gb); if (frame_end - frame <= offset) return -1; frame += offset; while (segments--) { + if (bytestream2_get_bytes_left(gb) < 2) + return -1; if (mask == 0x10000) { - if (src >= src_end) - return -1; - bitbuf = bytestream_get_le16(&src); + bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (src_end - src < 2 || frame_end - frame < 2) + if (frame_end - frame < 2) return -1; if (bitbuf & mask) { - v = bytestream_get_le16(&src); + v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) @@ -94,8 +90,8 @@ static int decode_tsw1(uint8_t *frame, int width, int height, av_memcpy_backptr(frame, offset, count); frame += count; } else { - *frame++ = *src++; - *frame++ = *src++; + *frame++ = bytestream2_get_byte(gb); + *frame++ = bytestream2_get_byte(gb); } mask <<= 1; } 
@@ -103,26 +99,25 @@ static int decode_tsw1(uint8_t *frame, int width, int height, return 0; } -static int decode_dsw1(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_dsw1(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; int v, offset, count, segments; - segments = bytestream_get_le16(&src); + segments = bytestream2_get_le16(gb); while (segments--) { + if (bytestream2_get_bytes_left(gb) < 2) + return -1; if (mask == 0x10000) { - if (src >= src_end) - return -1; - bitbuf = bytestream_get_le16(&src); + bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (src_end - src < 2 || frame_end - frame < 2) + if (frame_end - frame < 2) return -1; if (bitbuf & mask) { - v = bytestream_get_le16(&src); + v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) @@ -132,10 +127,10 @@ static int decode_dsw1(uint8_t *frame, int width, int height, frame[v] = frame[v - offset]; frame += count; } else if (bitbuf & (mask << 1)) { - frame += bytestream_get_le16(&src); + frame += bytestream2_get_le16(gb); } else { - *frame++ = *src++; - *frame++ = *src++; + *frame++ = bytestream2_get_byte(gb); + *frame++ = bytestream2_get_byte(gb); } mask <<= 2; } 
@@ -143,26 +138,25 @@ static int decode_dsw1(uint8_t *frame, int width, int height, return 0; } -static int decode_dds1(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; - segments = bytestream_get_le16(&src); + segments = bytestream2_get_le16(gb); while (segments--) { + if (bytestream2_get_bytes_left(gb) < 2) + return -1; if (mask == 0x10000) { - if (src >= src_end) - return -1; - bitbuf = bytestream_get_le16(&src); + bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (src_end - src < 2 || frame_end - frame < 2) + if (frame_end - frame < 2) return -1; if (bitbuf & mask) { - v = bytestream_get_le16(&src); + v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count*2 + width) @@ -174,13 +168,13 @@ static int decode_dds1(uint8_t *frame, int width, int height, frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream_get_le16(&src) * 2; + frame += bytestream2_get_le16(gb) * 2; } else { frame[0] = frame[1] = - frame[width] = frame[width + 1] = *src++; + frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; frame[0] = frame[1] = - frame[width] = frame[width + 1] = *src++; + frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; } mask <<= 2; 
@@ -189,40 +183,40 @@ static int decode_dds1(uint8_t *frame, int width, int height, return 0; } -static int decode_bdlt(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_bdlt(GetByteContext *gb, uint8_t *frame, int width, int height) { uint8_t *line_ptr; int count, lines, segments; - count = bytestream_get_le16(&src); + count = bytestream2_get_le16(gb); if (count >= height) return -1; frame += width * count; - lines = bytestream_get_le16(&src); - if (count + lines > height || src >= src_end) + lines = bytestream2_get_le16(gb); + if (count + lines > height) return -1; while (lines--) { + if (bytestream2_get_bytes_left(gb) < 1) + return -1; line_ptr = frame; frame += width; - segments = *src++; + segments = bytestream2_get_byteu(gb); while (segments--) { - if (src_end - src < 3) + if (frame - line_ptr <= bytestream2_peek_byte(gb)) return -1; - if (frame - line_ptr <= *src) - return -1; - line_ptr += *src++; - count = (int8_t)*src++; + line_ptr += bytestream2_get_byte(gb); + count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { - if (frame - line_ptr < count || src_end - src < count) + if (frame - line_ptr < count) + return -1; + if (bytestream2_get_buffer(gb, line_ptr, count) != count) return -1; - bytestream_get_buffer(&src, line_ptr, count); } else { count = -count; - if (frame - line_ptr < count || src >= src_end) + if (frame - line_ptr < count) return -1; - memset(line_ptr, *src++, count); + memset(line_ptr, bytestream2_get_byte(gb), count); } line_ptr += count; } 
@@ -231,49 +225,49 @@ static int decode_bdlt(uint8_t *frame, int width, int height, return 0; } -static int decode_wdlt(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height) { const uint8_t *frame_end = frame + width * height; uint8_t *line_ptr; int count, i, v, lines, segments; - lines = bytestream_get_le16(&src); - if (lines > height || src >= src_end) + lines = bytestream2_get_le16(gb); + if (lines > height) return -1; while (lines--) { - segments = bytestream_get_le16(&src); + if (bytestream2_get_bytes_left(gb) < 2) + return -1; + segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned delta = -((int16_t)segments * width); if (frame_end - frame <= delta) return -1; frame += delta; - segments = bytestream_get_le16(&src); + segments = bytestream2_get_le16(gb); } if (segments & 0x8000) { frame[width - 1] = segments & 0xFF; - segments = bytestream_get_le16(&src); + segments = bytestream2_get_le16(gb); } line_ptr = frame; frame += width; while (segments--) { - if (src_end - src < 2) + if (frame - line_ptr <= bytestream2_peek_byte(gb)) return -1; - if (frame - line_ptr <= *src) - return -1; - line_ptr += *src++; - count = (int8_t)*src++; + line_ptr += bytestream2_get_byte(gb); + count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { - if (frame - line_ptr < count*2 || src_end - src < count*2) + if (frame - line_ptr < count * 2) + return -1; + if (bytestream2_get_buffer(gb, line_ptr, count * 2) != count * 2) return -1; - bytestream_get_buffer(&src, line_ptr, count*2); line_ptr += count * 2; } else { count = -count; - if (frame - line_ptr < count*2 || src_end - src < 2) + if (frame - line_ptr < count * 2) return -1; - v = bytestream_get_le16(&src); + v = bytestream2_get_le16(gb); for (i = 0; i < count; i++) bytestream_put_le16(&line_ptr, v); } 
@@ -283,22 +277,19 @@ static int decode_wdlt(uint8_t *frame, int width, int height, return 0; } -static int decode_unk6(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_unk6(GetByteContext *gb, uint8_t *frame, int width, int height) { return -1; } -static int decode_blck(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end) +static int decode_blck(GetByteContext *gb, uint8_t *frame, int width, int height) { memset(frame, 0, width * height); return 0; } -typedef int (*chunk_decoder)(uint8_t *frame, int width, int height, - const uint8_t *src, const uint8_t *src_end); +typedef int (*chunk_decoder)(GetByteContext *gb, uint8_t *frame, int width, int height); static const chunk_decoder decoder[8] = { decode_copy, decode_tsw1, decode_bdlt, decode_wdlt, @@ -314,9 +305,8 @@ static int dfa_decode_frame(AVCodecContext *avctx, AVPacket *avpkt) { DfaContext *s = avctx->priv_data; + GetByteContext gb; const uint8_t *buf = avpkt->data; - const uint8_t *buf_end = avpkt->data + avpkt->size; - const uint8_t *tmp_buf; uint32_t chunk_type, chunk_size; uint8_t *dst; int ret; 
@@ -330,27 +320,22 @@ static int dfa_decode_frame(AVCodecContext *avctx, return ret; } - while (buf < buf_end) { - chunk_size = AV_RL32(buf + 4); - chunk_type = AV_RL32(buf + 8); - buf += 12; - if (buf_end - buf < chunk_size) { - av_log(avctx, AV_LOG_ERROR, "Chunk size is too big (%d bytes)\n", chunk_size); - return -1; - } + bytestream2_init(&gb, avpkt->data, avpkt->size); + while (bytestream2_get_bytes_left(&gb) > 0) { + bytestream2_skip(&gb, 4); + chunk_size = bytestream2_get_le32(&gb); + chunk_type = bytestream2_get_le32(&gb); if (!chunk_type) break; if (chunk_type == 1) { pal_elems = FFMIN(chunk_size / 3, 256); - tmp_buf = buf; for (i = 0; i < pal_elems; i++) { - s->pal[i] = bytestream_get_be24(&tmp_buf) << 2; + s->pal[i] = bytestream2_get_be24(&gb) << 2; s->pal[i] |= (s->pal[i] >> 6) & 0x333; } s->pic.palette_has_changed = 1; } else if (chunk_type <= 9) { - if (decoder[chunk_type - 2](s->frame_buf, avctx->width, avctx->height, - buf, buf + chunk_size)) { + if (decoder[chunk_type - 2](&gb, s->frame_buf, avctx->width, avctx->height)) { av_log(avctx, AV_LOG_ERROR, "Error decoding %s chunk\n", chunk_name[chunk_type - 2]); return -1; From 2281ac9ffd2819ab0c4f71ac6b6a1dffef6ba76e Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 3 May 2012 20:10:36 +0200 Subject: [PATCH 314/991] dfa: add some checks to ensure that decoder won't write past frame end (cherry picked from commit 8099187e897ddc90cb3902332c76fb2542dac308) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f440427b02..12629bb879 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c 
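Review bot: in the dfa_decode_frame() hunk of "dfa: convert to bytestream2 API", chunk_size no longer bounds anything except pal_elems. The removed lines checked buf_end - buf < chunk_size and passed buf + chunk_size as the end pointer to each chunk decoder; the new call hands every decoder the packet-wide GetByteContext. Reads stay inside the packet, but a chunk decoder can now consume bytes that belong to the following chunk. Consider keeping a check of chunk_size against bytestream2_get_bytes_left(&gb) and giving each chunk its own GetByteContext of chunk_size bytes, for the palette chunk as well, where only pal_elems entries are read.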
@@ -170,6 +170,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height } else if (bitbuf & (mask << 1)) { frame += bytestream2_get_le16(gb) * 2; } else { + if (frame_end - frame < width + 2) + return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame += 2; @@ -230,6 +232,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_end = frame + width * height; uint8_t *line_ptr; int count, i, v, lines, segments; + int y = 0; lines = bytestream2_get_le16(gb); if (lines > height) @@ -240,10 +243,12 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height return -1; segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { + unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); - if (frame_end - frame <= delta) + if (frame_end - frame <= delta || y + lines + skip_lines > height) return -1; frame += delta; + y += skip_lines; segments = bytestream2_get_le16(gb); } if (segments & 0x8000) { @@ -252,6 +257,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height } line_ptr = frame; frame += width; + y++; while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) return -1; From d0267ecf768b9f07a488cdc0ac716d699675daaa Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sun, 6 May 2012 09:46:19 +0200 Subject: [PATCH 315/991] dfa: use more meaningful return codes (cherry picked from commit fb5c1aaea60a714dab3d4e6e71228855fd816222) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 54 ++++++++++++++++++++++++------------------------ 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 12629bb879..d106d719cb 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c 
@@ -55,7 +55,7 @@ static int decode_copy(GetByteContext *gb, uint8_t *frame, int width, int height const int size = width * height; if (bytestream2_get_buffer(gb, frame, size) != size) - return -1; + return AVERROR_INVALIDDATA; return 0; } @@ -70,23 +70,23 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le32(gb); offset = bytestream2_get_le32(gb); if (frame_end - frame <= offset) - return -1; + return AVERROR_INVALIDDATA; frame += offset; while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) - return -1; + return AVERROR_INVALIDDATA; av_memcpy_backptr(frame, offset, count); frame += count; } else { @@ -109,19 +109,19 @@ static int decode_dsw1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 1; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count) - return -1; + return AVERROR_INVALIDDATA; // can't use av_memcpy_backptr() since it can overwrite following pixels for (v = 0; v < count; v++) frame[v] = frame[v - offset]; 
@@ -148,19 +148,19 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; if (mask == 0x10000) { bitbuf = bytestream2_get_le16u(gb); mask = 1; } if (frame_end - frame < 2) - return -1; + return AVERROR_INVALIDDATA; if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; count = ((v >> 13) + 2) << 1; if (frame - frame_start < offset || frame_end - frame < count*2 + width) - return -1; + return AVERROR_INVALIDDATA; for (i = 0; i < count; i++) { frame[0] = frame[1] = frame[width] = frame[width + 1] = frame[-offset]; @@ -192,32 +192,32 @@ static int decode_bdlt(GetByteContext *gb, uint8_t *frame, int width, int height count = bytestream2_get_le16(gb); if (count >= height) - return -1; + return AVERROR_INVALIDDATA; frame += width * count; lines = bytestream2_get_le16(gb); if (count + lines > height) - return -1; + return AVERROR_INVALIDDATA; while (lines--) { if (bytestream2_get_bytes_left(gb) < 1) - return -1; + return AVERROR_INVALIDDATA; line_ptr = frame; frame += width; segments = bytestream2_get_byteu(gb); while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) - return -1; + return AVERROR_INVALIDDATA; line_ptr += bytestream2_get_byte(gb); count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { if (frame - line_ptr < count) - return -1; + return AVERROR_INVALIDDATA; if (bytestream2_get_buffer(gb, line_ptr, count) != count) - return -1; + return AVERROR_INVALIDDATA; } else { count = -count; if (frame - line_ptr < count) - return -1; + return AVERROR_INVALIDDATA; memset(line_ptr, bytestream2_get_byte(gb), count); } line_ptr += count; 
@@ -236,17 +236,17 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height lines = bytestream2_get_le16(gb); if (lines > height) - return -1; + return AVERROR_INVALIDDATA; while (lines--) { if (bytestream2_get_bytes_left(gb) < 2) - return -1; + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); if (frame_end - frame <= delta || y + lines + skip_lines > height) - return -1; + return AVERROR_INVALIDDATA; frame += delta; y += skip_lines; segments = bytestream2_get_le16(gb); @@ -260,19 +260,19 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height y++; while (segments--) { if (frame - line_ptr <= bytestream2_peek_byte(gb)) - return -1; + return AVERROR_INVALIDDATA; line_ptr += bytestream2_get_byte(gb); count = (int8_t)bytestream2_get_byte(gb); if (count >= 0) { if (frame - line_ptr < count * 2) - return -1; + return AVERROR_INVALIDDATA; if (bytestream2_get_buffer(gb, line_ptr, count * 2) != count * 2) - return -1; + return AVERROR_INVALIDDATA; line_ptr += count * 2; } else { count = -count; if (frame - line_ptr < count * 2) - return -1; + return AVERROR_INVALIDDATA; v = bytestream2_get_le16(gb); for (i = 0; i < count; i++) bytestream_put_le16(&line_ptr, v); @@ -285,7 +285,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height static int decode_unk6(GetByteContext *gb, uint8_t *frame, int width, int height) { - return -1; + return AVERROR_PATCHWELCOME; } static int decode_blck(GetByteContext *gb, uint8_t *frame, int width, int height) 
@@ -344,7 +344,7 @@ static int dfa_decode_frame(AVCodecContext *avctx, if (decoder[chunk_type - 2](&gb, s->frame_buf, avctx->width, avctx->height)) { av_log(avctx, AV_LOG_ERROR, "Error decoding %s chunk\n", chunk_name[chunk_type - 2]); - return -1; + return AVERROR_INVALIDDATA; } } else { av_log(avctx, AV_LOG_WARNING, "Ignoring unknown chunk type %d\n", From 0c19855539d7431b41b39d911486c193ed5d70d4 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 13:25:28 +0200 Subject: [PATCH 316/991] dfa: improve boundary checks in decode_dds1() Fixes CVE-2012-2798 CC:libav-stable@libav.org (cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index d106d719cb..c2f8002c69 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (frame_end - frame < 2) - return AVERROR_INVALIDDATA; + if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; @@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream2_get_le16(gb) * 2; + v = bytestream2_get_le16(gb)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); From 965302c9f336716562a0913ce049af3d2f5eba7a Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 12:39:49 +0200 Subject: [PATCH 317/991] indeo: check custom Huffman tables for errors (cherry picked from commit fe7a37c36febd71576cbefc385d995a8d6e444e7) 
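Review bot: in the last hunk of "dfa: use more meaningful return codes", dfa_decode_frame() still tests the chunk decoder's result only for non-zero and then returns AVERROR_INVALIDDATA itself, so the more specific codes introduced by this patch, including the AVERROR_PATCHWELCOME from decode_unk6(), never reach the caller. ret is already declared in this function: assign the decoder's result to it, test ret < 0, and return ret after logging.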
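Review bot: in the second hunk of "dfa: improve boundary checks in decode_dds1()", the new skip check has its operands reversed. frame never passes frame_end, so frame - frame_end is zero or negative and "frame - frame_end < v" is true for any non-zero skip, which makes this branch fail on valid data; the bound should read "frame_end - frame < v". In the same hunk the literal branch writes frame[width + 1] a second time after frame has advanced by 2, which is offset width + 3 from the checked position, so the test needs "frame_end - frame < width + 4" rather than width + 3.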
Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 670be5e7f2..8d23122d85 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -123,6 +123,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, if (huff_tab->tab_sel == 7) { /* custom huffman table (explicitly encoded) */ new_huff.num_rows = get_bits(gb, 4); + if (!new_huff.num_rows) { + av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); + return AVERROR_INVALIDDATA; + } for (i = 0; i < new_huff.num_rows; i++) new_huff.xbits[i] = get_bits(gb, 4); @@ -136,9 +140,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc, &huff_tab->cust_tab, 0); if (result) { + huff_tab->cust_desc.num_rows = 0; // reset faulty description av_log(avctx, AV_LOG_ERROR, "Error while initializing custom vlc table!\n"); - return -1; + return result; } } huff_tab->tab = &huff_tab->cust_tab; From 911c250aef9ff5561bf457c74367542730b0c84b Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 12:23:23 +0200 Subject: [PATCH 318/991] factor out common decoding code for Indeo 4 and Indeo 5 (cherry picked from commit aa372cf4705343a9fff422ab9ead99cef7e0b415) Signed-off-by: Reinhard Tartler --- libavcodec/indeo4.c | 271 ++++------------------------------------ libavcodec/indeo5.c | 241 ++++------------------------------- libavcodec/ivi_common.c | 210 +++++++++++++++++++++++++++++++ libavcodec/ivi_common.h | 60 +++++++++ 4 files changed, 317 insertions(+), 465 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 3e8a3988d6..c8ee0becbd 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
@@ -35,9 +35,6 @@ #include "ivi_common.h" #include "indeo4data.h" -#define IVI4_STREAM_ANALYSER 0 -#define IVI4_DEBUG_CHECKSUM 0 - /** * Indeo 4 frame types. */ @@ -54,46 +51,6 @@ enum { #define IVI4_PIC_SIZE_ESC 7 -typedef struct { - GetBitContext gb; - AVFrame frame; - RVMapDesc rvmap_tabs[9]; ///< local corrected copy of the static rvmap tables - - uint32_t frame_num; - int frame_type; - int prev_frame_type; ///< frame type of the previous frame - uint32_t data_size; ///< size of the frame data in bytes from picture header - int is_scalable; - int transp_status; ///< transparency mode status: 1 - enabled - - IVIPicConfig pic_conf; - IVIPlaneDesc planes[3]; ///< color planes - - int buf_switch; ///< used to switch between three buffers - int dst_buf; ///< buffer index for the currently decoded frame - int ref_buf; ///< inter frame reference buffer index - - IVIHuffTab mb_vlc; ///< current macroblock table descriptor - IVIHuffTab blk_vlc; ///< current block table descriptor - - uint16_t checksum; ///< frame checksum - - uint8_t rvmap_sel; - uint8_t in_imf; - uint8_t in_q; ///< flag for explicitly stored quantiser delta - uint8_t pic_glob_quant; - uint8_t unknown1; - -#if IVI4_STREAM_ANALYSER - uint8_t has_b_frames; - uint8_t has_transp; - uint8_t uses_tiling; - uint8_t uses_haar; - uint8_t uses_fullpel; -#endif -} IVI4DecContext; - - static const struct { InvTransformPtr *inv_trans; DCTransformPtr *dc_trans; @@ -158,7 +115,7 @@ static inline int scale_tile_size(int def_size, int size_factor) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_pic_hdr(IVI4DecContext *ctx, AVCodecContext *avctx) +static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) { int pic_size_indx, i, p; IVIPicConfig pic_conf; 
@@ -322,7 +279,7 @@ static int decode_pic_hdr(IVI4DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; @@ -458,7 +415,7 @@ static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band, * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_mb_info(IVI4DecContext *ctx, IVIBandDesc *band, +static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, IVITile *tile, AVCodecContext *avctx) { int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, blks_per_mb, 
@@ -573,126 +530,12 @@ static int decode_mb_info(IVI4DecContext *ctx, IVIBandDesc *band, } -/** - * Decode an Indeo 4 band. - * - * @param[in,out] ctx pointer to the decoder context - * @param[in,out] band pointer to the band descriptor - * @param[in] avctx pointer to the AVCodecContext - * @return result code: 0 = OK, negative number = error - */ -static int decode_band(IVI4DecContext *ctx, int plane_num, - IVIBandDesc *band, AVCodecContext *avctx) -{ - int result, i, t, pos, idx1, idx2; - IVITile *tile; - - band->buf = band->bufs[ctx->dst_buf]; - band->ref_buf = band->bufs[ctx->ref_buf]; - - result = decode_band_hdr(ctx, band, avctx); - if (result) { - av_log(avctx, AV_LOG_ERROR, "Error decoding band header\n"); - return result; - } - - if (band->is_empty) { - av_log(avctx, AV_LOG_ERROR, "Empty band encountered!\n"); - return AVERROR_INVALIDDATA; - } - - band->rv_map = &ctx->rvmap_tabs[band->rvmap_sel]; - - /* apply corrections to the selected rvmap table if present */ - for (i = 0; i < band->num_corr; i++) { - idx1 = band->corr[i * 2]; - idx2 = band->corr[i * 2 + 1]; - FFSWAP(uint8_t, band->rv_map->runtab[idx1], band->rv_map->runtab[idx2]); - FFSWAP(int16_t, band->rv_map->valtab[idx1], band->rv_map->valtab[idx2]); - } - - pos = get_bits_count(&ctx->gb); - - for (t = 0; t < band->num_tiles; t++) { - tile = &band->tiles[t]; - - tile->is_empty = get_bits1(&ctx->gb); - if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, - (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); - av_dlog(avctx, "Empty tile encountered!\n"); - } else { - tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); - if (!tile->data_size) { - av_log(avctx, AV_LOG_ERROR, "Tile data size is zero!\n"); - return AVERROR_INVALIDDATA; - } - - result = decode_mb_info(ctx, band, tile, avctx); - if (result < 0) - break; - - result = ff_ivi_decode_blocks(&ctx->gb, band, tile); - if (result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { - av_log(avctx, 
AV_LOG_ERROR, "Corrupted tile data encountered!\n"); - break; - } - - pos += tile->data_size << 3; // skip to next tile - } - } - - /* restore the selected rvmap table by applying its corrections in reverse order */ - for (i = band->num_corr - 1; i >= 0; i--) { - idx1 = band->corr[i * 2]; - idx2 = band->corr[i * 2 + 1]; - FFSWAP(uint8_t, band->rv_map->runtab[idx1], band->rv_map->runtab[idx2]); - FFSWAP(int16_t, band->rv_map->valtab[idx1], band->rv_map->valtab[idx2]); - } - -#if defined(DEBUG) && IVI4_DEBUG_CHECKSUM - if (band->checksum_present) { - uint16_t chksum = ivi_calc_band_checksum(band); - if (chksum != band->checksum) { - av_log(avctx, AV_LOG_ERROR, - "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n", - band->plane, band->band_num, band->checksum, chksum); - } - } -#endif - - align_get_bits(&ctx->gb); - - return 0; -} - - -static av_cold int decode_init(AVCodecContext *avctx) -{ - IVI4DecContext *ctx = avctx->priv_data; - - ff_ivi_init_static_vlc(); - - /* copy rvmap tables in our context so we can apply changes to them */ - memcpy(ctx->rvmap_tabs, ff_ivi_rvmap_tabs, sizeof(ff_ivi_rvmap_tabs)); - - /* Force allocation of the internal buffers */ - /* during picture header decoding. */ - ctx->pic_conf.pic_width = 0; - ctx->pic_conf.pic_height = 0; - - avctx->pix_fmt = PIX_FMT_YUV410P; - - return 0; -} - - /** * Rearrange decoding and reference buffers. * * @param[in,out] ctx pointer to the decoder context */ -static void switch_buffers(IVI4DecContext *ctx) +static void switch_buffers(IVI45DecContext *ctx) { switch (ctx->prev_frame_type) { case FRAMETYPE_INTRA: 
@@ -721,95 +564,33 @@ static void switch_buffers(IVI4DecContext *ctx) } -static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, - AVPacket *avpkt) +static int is_nonnull_frame(IVI45DecContext *ctx) { - IVI4DecContext *ctx = avctx->priv_data; - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; - int result, p, b; - - init_get_bits(&ctx->gb, buf, buf_size * 8); - - result = decode_pic_hdr(ctx, avctx); - if (result) { - av_log(avctx, AV_LOG_ERROR, "Error decoding picture header\n"); - return result; - } - - switch_buffers(ctx); - - if (ctx->frame_type < FRAMETYPE_NULL_FIRST) { - for (p = 0; p < 3; p++) { - for (b = 0; b < ctx->planes[p].num_bands; b++) { - result = decode_band(ctx, p, &ctx->planes[p].bands[b], avctx); - if (result) { - av_log(avctx, AV_LOG_ERROR, - "Error decoding band: %d, plane: %d\n", b, p); - return result; - } - } - } - } - - /* If the bidirectional mode is enabled, next I and the following P frame will */ - /* be sent together. Unfortunately the approach below seems to be the only way */ - /* to handle the B-frames mode. That's exactly the same Intel decoders do. 
*/ - if (ctx->frame_type == FRAMETYPE_INTRA) { - while (get_bits(&ctx->gb, 8)); // skip version string - skip_bits_long(&ctx->gb, 64); // skip padding, TODO: implement correct 8-bytes alignment - if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8) - av_log(avctx, AV_LOG_ERROR, "Buffer contains IP frames!\n"); - } - - if (ctx->frame.data[0]) - avctx->release_buffer(avctx, &ctx->frame); - - ctx->frame.reference = 0; - if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return result; - } - - if (ctx->is_scalable) { - ff_ivi_recompose_haar(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); - } else { - ff_ivi_output_plane(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0]); - } - - ff_ivi_output_plane(&ctx->planes[2], ctx->frame.data[1], ctx->frame.linesize[1]); - ff_ivi_output_plane(&ctx->planes[1], ctx->frame.data[2], ctx->frame.linesize[2]); - - *data_size = sizeof(AVFrame); - *(AVFrame*)data = ctx->frame; - - return buf_size; + return ctx->frame_type < FRAMETYPE_NULL_FIRST; } -static av_cold int decode_close(AVCodecContext *avctx) +static av_cold int decode_init(AVCodecContext *avctx) { - IVI4DecContext *ctx = avctx->priv_data; + IVI45DecContext *ctx = avctx->priv_data; - ff_ivi_free_buffers(&ctx->planes[0]); + ff_ivi_init_static_vlc(); - if (ctx->frame.data[0]) - avctx->release_buffer(avctx, &ctx->frame); + /* copy rvmap tables in our context so we can apply changes to them */ + memcpy(ctx->rvmap_tabs, ff_ivi_rvmap_tabs, sizeof(ff_ivi_rvmap_tabs)); -#if IVI4_STREAM_ANALYSER - if (ctx->is_scalable) - av_log(avctx, AV_LOG_ERROR, "This video uses scalability mode!\n"); - if (ctx->uses_tiling) - av_log(avctx, AV_LOG_ERROR, "This video uses local decoding!\n"); - if (ctx->has_b_frames) - av_log(avctx, AV_LOG_ERROR, "This video contains B-frames!\n"); - if (ctx->has_transp) - av_log(avctx, AV_LOG_ERROR, "Transparency mode is enabled!\n"); - if (ctx->uses_haar) - 
av_log(avctx, AV_LOG_ERROR, "This video uses Haar transform!\n"); - if (ctx->uses_fullpel) - av_log(avctx, AV_LOG_ERROR, "This video uses fullpel motion vectors!\n"); -#endif + /* Force allocation of the internal buffers */ + /* during picture header decoding. */ + ctx->pic_conf.pic_width = 0; + ctx->pic_conf.pic_height = 0; + + avctx->pix_fmt = PIX_FMT_YUV410P; + + ctx->decode_pic_hdr = decode_pic_hdr; + ctx->decode_band_hdr = decode_band_hdr; + ctx->decode_mb_info = decode_mb_info; + ctx->switch_buffers = switch_buffers; + ctx->is_nonnull_frame = is_nonnull_frame; return 0; } @@ -819,9 +600,9 @@ AVCodec ff_indeo4_decoder = { .name = "indeo4", .type = AVMEDIA_TYPE_VIDEO, .id = CODEC_ID_INDEO4, - .priv_data_size = sizeof(IVI4DecContext), + .priv_data_size = sizeof(IVI45DecContext), .init = decode_init, - .close = decode_close, - .decode = decode_frame, + .close = ff_ivi_decode_close, + .decode = ff_ivi_decode_frame, .long_name = NULL_IF_CONFIG_SMALL("Intel Indeo Video Interactive 4"), }; diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 43253570b6..f588dc0c20 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c 
@@ -48,37 +48,6 @@ enum { #define IVI5_PIC_SIZE_ESC 15 -#define IVI5_IS_PROTECTED 0x20 - -typedef struct { - GetBitContext gb; - AVFrame frame; - RVMapDesc rvmap_tabs[9]; ///< local corrected copy of the static rvmap tables - IVIPlaneDesc planes[3]; ///< color planes - const uint8_t *frame_data; ///< input frame data pointer - int buf_switch; ///< used to switch between three buffers - int inter_scal; ///< signals a sequence of scalable inter frames - int dst_buf; ///< buffer index for the currently decoded frame - int ref_buf; ///< inter frame reference buffer index - int ref2_buf; ///< temporal storage for switching buffers - uint32_t frame_size; ///< frame size in bytes - int frame_type; - int prev_frame_type; ///< frame type of the previous frame - int frame_num; - uint32_t pic_hdr_size; ///< picture header size in bytes - uint8_t frame_flags; - uint16_t checksum; ///< frame checksum - - IVIHuffTab mb_vlc; ///< vlc table for decoding macroblock data - - uint16_t gop_hdr_size; - uint8_t gop_flags; - int is_scalable; - uint32_t lock_word; - IVIPicConfig pic_conf; -} IVI5DecContext; - - /** * Decode Indeo5 GOP (Group of pictures) header. * This header is present in key frames only. @@ -88,7 +57,7 @@ typedef struct { * @param[in] avctx ptr to the AVCodecContext * @return result code: 0 = OK, -1 = error */ -static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx) +static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) { int result, i, p, tile_size, pic_size_indx, mb_size, blk_size; int quant_mat, blk_size_changed = 0; @@ -318,7 +287,7 @@ static inline void skip_hdr_extension(GetBitContext *gb) * @param[in] avctx ptr to the AVCodecContext * @return result code: 0 = OK, -1 = error */ -static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx) +static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) { if (get_bits(&ctx->gb, 5) != 0x1F) { av_log(avctx, AV_LOG_ERROR, "Invalid picture start code!\n"); 
@@ -371,7 +340,7 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx ptr to the AVCodecContext * @return result code: 0 = OK, -1 = error */ -static int decode_band_hdr(IVI5DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, AVCodecContext *avctx) { int i; @@ -441,7 +410,7 @@ static int decode_band_hdr(IVI5DecContext *ctx, IVIBandDesc *band, * @param[in] avctx ptr to the AVCodecContext * @return result code: 0 = OK, -1 = error */ -static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, +static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, IVITile *tile, AVCodecContext *avctx) { int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, 
@@ -556,102 +525,12 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, } -/** - * Decode an Indeo5 band. - * - * @param[in,out] ctx ptr to the decoder context - * @param[in,out] band ptr to the band descriptor - * @param[in] avctx ptr to the AVCodecContext - * @return result code: 0 = OK, -1 = error - */ -static int decode_band(IVI5DecContext *ctx, int plane_num, - IVIBandDesc *band, AVCodecContext *avctx) -{ - int result, i, t, idx1, idx2, pos; - IVITile *tile; - - band->buf = band->bufs[ctx->dst_buf]; - band->ref_buf = band->bufs[ctx->ref_buf]; - band->data_ptr = ctx->frame_data + (get_bits_count(&ctx->gb) >> 3); - - result = decode_band_hdr(ctx, band, avctx); - if (result) { - av_log(avctx, AV_LOG_ERROR, "Error while decoding band header: %d\n", - result); - return -1; - } - - if (band->is_empty) { - av_log(avctx, AV_LOG_ERROR, "Empty band encountered!\n"); - return -1; - } - - band->rv_map = &ctx->rvmap_tabs[band->rvmap_sel]; - - /* apply corrections to the selected rvmap table if present */ - for (i = 0; i < band->num_corr; i++) { - idx1 = band->corr[i*2]; - idx2 = band->corr[i*2+1]; - FFSWAP(uint8_t, band->rv_map->runtab[idx1], band->rv_map->runtab[idx2]); - FFSWAP(int16_t, band->rv_map->valtab[idx1], band->rv_map->valtab[idx2]); - } - - pos = get_bits_count(&ctx->gb); - - for (t = 0; t < band->num_tiles; t++) { - tile = &band->tiles[t]; - - tile->is_empty = get_bits1(&ctx->gb); - if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, - (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); - } else { - tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); - - result = decode_mb_info(ctx, band, tile, avctx); - if (result < 0) - break; - - result = ff_ivi_decode_blocks(&ctx->gb, band, tile); - if (result < 0 || (get_bits_count(&ctx->gb) - pos) >> 3 != tile->data_size) { - av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n"); - break; - } - pos += tile->data_size << 3; // skip to next tile - } - } - - /* 
restore the selected rvmap table by applying its corrections in reverse order */ - for (i = band->num_corr-1; i >= 0; i--) { - idx1 = band->corr[i*2]; - idx2 = band->corr[i*2+1]; - FFSWAP(uint8_t, band->rv_map->runtab[idx1], band->rv_map->runtab[idx2]); - FFSWAP(int16_t, band->rv_map->valtab[idx1], band->rv_map->valtab[idx2]); - } - -#ifdef DEBUG - if (band->checksum_present) { - uint16_t chksum = ivi_calc_band_checksum(band); - if (chksum != band->checksum) { - av_log(avctx, AV_LOG_ERROR, - "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n", - band->plane, band->band_num, band->checksum, chksum); - } - } -#endif - - align_get_bits(&ctx->gb); - - return result; -} - - /** * Switch buffers. * * @param[in,out] ctx ptr to the decoder context */ -static void switch_buffers(IVI5DecContext *ctx) +static void switch_buffers(IVI45DecContext *ctx) { switch (ctx->prev_frame_type) { case FRAMETYPE_INTRA: @@ -689,12 +568,18 @@ static void switch_buffers(IVI5DecContext *ctx) } +static int is_nonnull_frame(IVI45DecContext *ctx) +{ + return ctx->frame_type != FRAMETYPE_NULL; +} + + /** * Initialize Indeo5 decoder. */ static av_cold int decode_init(AVCodecContext *avctx) { - IVI5DecContext *ctx = avctx->priv_data; + IVI45DecContext *ctx = avctx->priv_data; int result; ff_ivi_init_static_vlc(); 
@@ -722,109 +607,25 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->buf_switch = 0; ctx->inter_scal = 0; + ctx->decode_pic_hdr = decode_pic_hdr; + ctx->decode_band_hdr = decode_band_hdr; + ctx->decode_mb_info = decode_mb_info; + ctx->switch_buffers = switch_buffers; + ctx->is_nonnull_frame = is_nonnull_frame; + avctx->pix_fmt = PIX_FMT_YUV410P; return 0; } -/** - * main decoder function - */ -static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, - AVPacket *avpkt) -{ - IVI5DecContext *ctx = avctx->priv_data; - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; - int result, p, b; - - init_get_bits(&ctx->gb, buf, buf_size * 8); - ctx->frame_data = buf; - ctx->frame_size = buf_size; - - result = decode_pic_hdr(ctx, avctx); - if (result) { - av_log(avctx, AV_LOG_ERROR, - "Error while decoding picture header: %d\n", result); - return -1; - } - - if (ctx->gop_flags & IVI5_IS_PROTECTED) { - av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); - return -1; - } - - switch_buffers(ctx); - - //{ START_TIMER; - - if (ctx->frame_type != FRAMETYPE_NULL) { - for (p = 0; p < 3; p++) { - for (b = 0; b < ctx->planes[p].num_bands; b++) { - result = decode_band(ctx, p, &ctx->planes[p].bands[b], avctx); - if (result) { - av_log(avctx, AV_LOG_ERROR, - "Error while decoding band: %d, plane: %d\n", b, p); - return -1; - } - } - } - } - - //STOP_TIMER("decode_planes"); } - - if (ctx->frame.data[0]) - avctx->release_buffer(avctx, &ctx->frame); - - ctx->frame.reference = 0; - if (avctx->get_buffer(avctx, &ctx->frame) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; - } - - if (ctx->is_scalable) { - ff_ivi_recompose53 (&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); - } else { - ff_ivi_output_plane(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0]); - } - - ff_ivi_output_plane(&ctx->planes[2], ctx->frame.data[1], ctx->frame.linesize[1]); - ff_ivi_output_plane(&ctx->planes[1], 
ctx->frame.data[2], ctx->frame.linesize[2]); - - *data_size = sizeof(AVFrame); - *(AVFrame*)data = ctx->frame; - - return buf_size; -} - - -/** - * Close Indeo5 decoder and clean up its context. - */ -static av_cold int decode_close(AVCodecContext *avctx) -{ - IVI5DecContext *ctx = avctx->priv_data; - - ff_ivi_free_buffers(&ctx->planes[0]); - - if (ctx->mb_vlc.cust_tab.table) - ff_free_vlc(&ctx->mb_vlc.cust_tab); - - if (ctx->frame.data[0]) - avctx->release_buffer(avctx, &ctx->frame); - - return 0; -} - - AVCodec ff_indeo5_decoder = { .name = "indeo5", .type = AVMEDIA_TYPE_VIDEO, .id = CODEC_ID_INDEO5, - .priv_data_size = sizeof(IVI5DecContext), + .priv_data_size = sizeof(IVI45DecContext), .init = decode_init, - .close = decode_close, - .decode = decode_frame, + .close = ff_ivi_decode_close, + .decode = ff_ivi_decode_frame, .long_name = NULL_IF_CONFIG_SMALL("Intel Indeo Video Interactive 5"), }; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 8d23122d85..ebd9058a21 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -627,6 +627,216 @@ void ff_ivi_output_plane(IVIPlaneDesc *plane, uint8_t *dst, int dst_pitch) } } +/** + * Decode an Indeo 4 or 5 band. + * + * @param[in,out] ctx ptr to the decoder context + * @param[in,out] band ptr to the band descriptor + * @param[in] avctx ptr to the AVCodecContext + * @return result code: 0 = OK, -1 = error + */ +static int decode_band(IVI45DecContext *ctx, int plane_num, + IVIBandDesc *band, AVCodecContext *avctx) +{ + int result, i, t, idx1, idx2, pos; + IVITile *tile; + + band->buf = band->bufs[ctx->dst_buf]; + band->ref_buf = band->bufs[ctx->ref_buf]; + band->data_ptr = ctx->frame_data + (get_bits_count(&ctx->gb) >> 3); + + result = ctx->decode_band_hdr(ctx, band, avctx); + if (result) { + av_log(avctx, AV_LOG_ERROR, "Error while decoding band header: %d\n", + result); + return result; + } + + if (band->is_empty) { + av_log(avctx, AV_LOG_ERROR, "Empty band encountered!\n"); + return AVERROR_INVALIDDATA; + } + + band->rv_map = &ctx->rvmap_tabs[band->rvmap_sel]; + + /* apply corrections to the selected rvmap table if present */ + for (i = 0; i < band->num_corr; i++) { + idx1 = band->corr[i * 2]; + idx2 = band->corr[i * 2 + 1]; + FFSWAP(uint8_t, band->rv_map->runtab[idx1], band->rv_map->runtab[idx2]); + FFSWAP(int16_t, band->rv_map->valtab[idx1], band->rv_map->valtab[idx2]); + } + + pos = get_bits_count(&ctx->gb); + + for (t = 0; t < band->num_tiles; t++) { + tile = &band->tiles[t]; + + tile->is_empty = get_bits1(&ctx->gb); + if (tile->is_empty) { + ff_ivi_process_empty_tile(avctx, band, tile, + (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + av_dlog(avctx, "Empty tile encountered!\n"); + } else { + tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); + if (!tile->data_size) { + av_log(avctx, AV_LOG_ERROR, "Tile data size is zero!\n"); + return AVERROR_INVALIDDATA; + } + + result = ctx->decode_mb_info(ctx, band, tile, avctx); + if (result < 0) + break; + + result = ff_ivi_decode_blocks(&ctx->gb, band, tile); + if 
(result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { + av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n"); + break; + } + + pos += tile->data_size << 3; // skip to next tile + } + } + + /* restore the selected rvmap table by applying its corrections in reverse order */ + for (i = band->num_corr-1; i >= 0; i--) { + idx1 = band->corr[i*2]; + idx2 = band->corr[i*2+1]; + FFSWAP(uint8_t, band->rv_map->runtab[idx1], band->rv_map->runtab[idx2]); + FFSWAP(int16_t, band->rv_map->valtab[idx1], band->rv_map->valtab[idx2]); + } + +#ifdef DEBUG + if (band->checksum_present) { + uint16_t chksum = ivi_calc_band_checksum(band); + if (chksum != band->checksum) { + av_log(avctx, AV_LOG_ERROR, + "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n", + band->plane, band->band_num, band->checksum, chksum); + } + } +#endif + + align_get_bits(&ctx->gb); + + return result; +} + +int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, + AVPacket *avpkt) +{ + IVI45DecContext *ctx = avctx->priv_data; + const uint8_t *buf = avpkt->data; + int buf_size = avpkt->size; + int result, p, b; + + init_get_bits(&ctx->gb, buf, buf_size * 8); + ctx->frame_data = buf; + ctx->frame_size = buf_size; + + result = ctx->decode_pic_hdr(ctx, avctx); + if (result) { + av_log(avctx, AV_LOG_ERROR, + "Error while decoding picture header: %d\n", result); + return -1; + } + + if (ctx->gop_flags & IVI5_IS_PROTECTED) { + av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); + return -1; + } + + ctx->switch_buffers(ctx); + + //{ START_TIMER; + + if (ctx->is_nonnull_frame(ctx)) { + for (p = 0; p < 3; p++) { + for (b = 0; b < ctx->planes[p].num_bands; b++) { + result = decode_band(ctx, p, &ctx->planes[p].bands[b], avctx); + if (result) { + av_log(avctx, AV_LOG_ERROR, + "Error while decoding band: %d, plane: %d\n", b, p); + return -1; + } + } + } + } + + //STOP_TIMER("decode_planes"); } + + /* If the bidirectional mode is enabled, next I 
and the following P frame will */ + /* be sent together. Unfortunately the approach below seems to be the only way */ + /* to handle the B-frames mode. That's exactly the same Intel decoders do. */ + if (avctx->codec_id == CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { + while (get_bits(&ctx->gb, 8)); // skip version string + skip_bits_long(&ctx->gb, 64); // skip padding, TODO: implement correct 8-bytes alignment + if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8) + av_log(avctx, AV_LOG_ERROR, "Buffer contains IP frames!\n"); + } + + if (ctx->frame.data[0]) + avctx->release_buffer(avctx, &ctx->frame); + + ctx->frame.reference = 0; + if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { + av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + return result; + } + + if (ctx->is_scalable) { + if (avctx->codec_id == CODEC_ID_INDEO4) + ff_ivi_recompose_haar(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); + else + ff_ivi_recompose53 (&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0], 4); + } else { + ff_ivi_output_plane(&ctx->planes[0], ctx->frame.data[0], ctx->frame.linesize[0]); + } + + ff_ivi_output_plane(&ctx->planes[2], ctx->frame.data[1], ctx->frame.linesize[1]); + ff_ivi_output_plane(&ctx->planes[1], ctx->frame.data[2], ctx->frame.linesize[2]); + + *data_size = sizeof(AVFrame); + *(AVFrame*)data = ctx->frame; + + return buf_size; +} + +/** + * Close Indeo5 decoder and clean up its context. 
+ */ +av_cold int ff_ivi_decode_close(AVCodecContext *avctx) +{ + IVI45DecContext *ctx = avctx->priv_data; + + ff_ivi_free_buffers(&ctx->planes[0]); + + if (ctx->mb_vlc.cust_tab.table) + ff_free_vlc(&ctx->mb_vlc.cust_tab); + + if (ctx->frame.data[0]) + avctx->release_buffer(avctx, &ctx->frame); + +#if IVI4_STREAM_ANALYSER + if (avctx->codec_id == CODEC_ID_INDEO4) { + if (ctx->is_scalable) + av_log(avctx, AV_LOG_ERROR, "This video uses scalability mode!\n"); + if (ctx->uses_tiling) + av_log(avctx, AV_LOG_ERROR, "This video uses local decoding!\n"); + if (ctx->has_b_frames) + av_log(avctx, AV_LOG_ERROR, "This video contains B-frames!\n"); + if (ctx->has_transp) + av_log(avctx, AV_LOG_ERROR, "Transparency mode is enabled!\n"); + if (ctx->uses_haar) + av_log(avctx, AV_LOG_ERROR, "This video uses Haar transform!\n"); + if (ctx->uses_fullpel) + av_log(avctx, AV_LOG_ERROR, "This video uses fullpel motion vectors!\n"); + } +#endif + + return 0; +} + /** * These are 2x8 predefined Huffman codebooks for coding macroblock/block diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 4b2ae063b1..d3edea0c0e 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -34,6 +34,8 @@ #include #define IVI_VLC_BITS 13 ///< max number of bits of the ivi's huffman codes +#define IVI4_STREAM_ANALYSER 0 +#define IVI5_IS_PROTECTED 0x20 /** * huffman codebook descriptor 
@@ -192,6 +194,60 @@ typedef struct { uint8_t chroma_bands; } IVIPicConfig; +typedef struct IVI45DecContext { + GetBitContext gb; + AVFrame frame; + RVMapDesc rvmap_tabs[9]; ///< local corrected copy of the static rvmap tables + + uint32_t frame_num; + int frame_type; + int prev_frame_type; ///< frame type of the previous frame + uint32_t data_size; ///< size of the frame data in bytes from picture header + int is_scalable; + int transp_status; ///< transparency mode status: 1 - enabled + const uint8_t *frame_data; ///< input frame data pointer + int inter_scal; ///< signals a sequence of scalable inter frames + uint32_t frame_size; ///< frame size in bytes + uint32_t pic_hdr_size; ///< picture header size in bytes + uint8_t frame_flags; + uint16_t checksum; ///< frame checksum + + IVIPicConfig pic_conf; + IVIPlaneDesc planes[3]; ///< color planes + + int buf_switch; ///< used to switch between three buffers + int dst_buf; ///< buffer index for the currently decoded frame + int ref_buf; ///< inter frame reference buffer index + int ref2_buf; ///< temporal storage for switching buffers + + IVIHuffTab mb_vlc; ///< current macroblock table descriptor + IVIHuffTab blk_vlc; ///< current block table descriptor + + uint8_t rvmap_sel; + uint8_t in_imf; + uint8_t in_q; ///< flag for explicitly stored quantiser delta + uint8_t pic_glob_quant; + uint8_t unknown1; + + uint16_t gop_hdr_size; + uint8_t gop_flags; + uint32_t lock_word; + +#if IVI4_STREAM_ANALYSER + uint8_t has_b_frames; + uint8_t has_transp; + uint8_t uses_tiling; + uint8_t uses_haar; + uint8_t uses_fullpel; +#endif + + int (*decode_pic_hdr) (struct IVI45DecContext *ctx, AVCodecContext *avctx); + int (*decode_band_hdr) (struct IVI45DecContext *ctx, IVIBandDesc *band, AVCodecContext *avctx); + int (*decode_mb_info) (struct IVI45DecContext *ctx, IVIBandDesc *band, IVITile *tile, AVCodecContext *avctx); + void (*switch_buffers) (struct IVI45DecContext *ctx); + int (*is_nonnull_frame)(struct IVI45DecContext *ctx); +} 
IVI45DecContext; + /** compare some properties of two pictures */ static inline int ivi_pic_config_cmp(IVIPicConfig *str1, IVIPicConfig *str2) { @@ -348,4 +404,8 @@ uint16_t ivi_calc_band_checksum (IVIBandDesc *band); */ int ivi_check_band (IVIBandDesc *band, const uint8_t *ref, int pitch); +int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, + AVPacket *avpkt); +av_cold int ff_ivi_decode_close(AVCodecContext *avctx); + #endif /* AVCODEC_IVI_COMMON_H */ From e0daa15a96cff78f633dfcb5a7f0eeb2204ca82c Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 13:08:51 +0200 Subject: [PATCH 319/991] indeo: track tile macroblock size (cherry picked from commit a6e4ac40a62930d3c90f869990f96fedb9a5d654) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 6 ++++++ libavcodec/ivi_common.h | 1 + 2 files changed, 7 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index ebd9058a21..5626cd1855 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -287,6 +287,7 @@ int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_hei for (x = 0; x < band->width; x += t_width) { tile->xpos = x; tile->ypos = y; + tile->mb_size = band->mb_size; tile->width = FFMIN(band->width - x, t_width); tile->height = FFMIN(band->height - y, t_height); tile->is_empty = tile->data_size = 0; @@ -672,6 +673,11 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, for (t = 0; t < band->num_tiles; t++) { tile = &band->tiles[t]; + if (tile->mb_size != band->mb_size) { + av_log(avctx, AV_LOG_ERROR, "MB sizes mismatch: %d vs. %d\n", + band->mb_size, tile->mb_size); + return AVERROR_INVALIDDATA; + } tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { ff_ivi_process_empty_tile(avctx, band, tile, diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index d3edea0c0e..6842d748b3 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h 
@@ -118,6 +118,7 @@ typedef struct { int ypos; int width; int height; + int mb_size; int is_empty; ///< = 1 if this tile doesn't contain any data int data_size; ///< size of the data in bytes int num_MBs; ///< number of macroblocks in this tile From b561618014a2413d2b521d03561eb1e2028adbf4 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 13:39:15 +0200 Subject: [PATCH 320/991] indeo: clear allocated band buffers (cherry picked from commit 23ba1503f2b11057c65052b4a07961236d8d69c7) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 5626cd1855..b8286cd31c 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,14 +212,14 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; - band->bufs[0] = av_malloc(buf_size); - band->bufs[1] = av_malloc(buf_size); + band->bufs[0] = av_mallocz(buf_size); + band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) return AVERROR(ENOMEM); /* allocate the 3rd band buffer for scalability mode */ if (cfg->luma_bands > 1) { - band->bufs[2] = av_malloc(buf_size); + band->bufs[2] = av_mallocz(buf_size); if (!band->bufs[2]) return AVERROR(ENOMEM); } From c5ec1908597824e93bbe20137ac9662f84f3cb07 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 16:07:42 +0200 Subject: [PATCH 321/991] indeo: check for invalid motion vectors (cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 16 ++++++++++++++++ libavcodec/ivi_common.h | 1 + 2 files changed, 17 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index b8286cd31c..41e66b1bfb 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; + band->aheight = height_aligned; band->bufs[0] = av_mallocz(buf_size); band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) @@ -383,6 +384,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) mv_x >>= 1; mv_y >>= 1; /* convert halfpel vectors into fullpel ones */ } + if (mb->type) { + int dmv_x, dmv_y, cx, cy; + + dmv_x = mb->mv_x >> band->is_halfpel; + dmv_y = mb->mv_y >> band->is_halfpel; + cx = mb->mv_x & band->is_halfpel; + cy = mb->mv_y & band->is_halfpel; + + if ( mb->xpos + dmv_x < 0 + || mb->xpos + dmv_x + band->mb_size + cx > band->pitch + || mb->ypos + dmv_y < 0 + || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + return AVERROR_INVALIDDATA; + } + } } for (blk = 0; blk < num_blocks; blk++) { diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 6842d748b3..8c37b94da5 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -135,6 +135,7 @@ typedef struct { int band_num; ///< band number int width; int height; + int aheight; ///< aligned band height const uint8_t *data_ptr; ///< ptr to the first byte of the band data int data_size; ///< size of the band data int16_t *buf; ///< pointer to the output buffer for this band From 332555f6604964186ee4744e433c38119fd9853d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 11:06:54 +0200 Subject: [PATCH 322/991] ivi_common: make ff_ivi_process_empty_tile() static. It's not used outside of ivi_common.c (cherry picked from commit 5d2170c53bf4c2b0499f230c43764e4acf228f88) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 15 ++++++++++++--- libavcodec/ivi_common.h | 12 ------------ 2 files changed, 12 insertions(+), 15 deletions(-) 
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 41e66b1bfb..9f4f610999 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -491,8 +491,17 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) return 0; } -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, - IVITile *tile, int32_t mv_scale) +/** + * Handle empty tiles by performing data copying and motion + * compensation respectively. + * + * @param[in] avctx ptr to the AVCodecContext + * @param[in] band pointer to the band descriptor + * @param[in] tile pointer to the tile descriptor + * @param[in] mv_scale scaling factor for motion vectors + */ +static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, + IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; int offs, mb_offset, row_offset; @@ -696,7 +705,7 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, } tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, + ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); av_dlog(avctx, "Empty tile encountered!\n"); } else { diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 8c37b94da5..d52450a13b 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h 
@@ -373,18 +373,6 @@ int ff_ivi_dec_tile_data_size(GetBitContext *gb); */ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile); -/** - * Handle empty tiles by performing data copying and motion - * compensation respectively. - * - * @param[in] avctx ptr to the AVCodecContext - * @param[in] band pointer to the band descriptor - * @param[in] tile pointer to the tile descriptor - * @param[in] mv_scale scaling factor for motion vectors - */ -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, - IVITile *tile, int32_t mv_scale); - /** * Convert and output the current plane. * This conversion is done by adding back the bias value of 128 From 0815d9174c482f43f2094bf194d174cf26ee62a2 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 11:07:58 +0200 Subject: [PATCH 323/991] indeo4/5: check empty tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Based on a patch by Michael Niedermayer Fixes CVE-2012-2800 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 9f4f610999..269afa49d5 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -500,8 +500,8 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) * @param[in] tile pointer to the tile descriptor * @param[in] mv_scale scaling factor for motion vectors */ -static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, - IVITile *tile, int32_t mv_scale) +static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, + IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; int offs, mb_offset, row_offset; @@ -511,6 +511,13 @@ static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " + "parameters %d in ivi_process_empty_tile()\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + offs = tile->ypos * band->pitch + tile->xpos; mb = tile->mbs; ref_mb = tile->ref_mbs; @@ -591,6 +598,8 @@ static void ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, dst += band->pitch; } } + + return 0; } @@ -705,8 +714,10 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, } tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ivi_process_empty_tile(avctx, band, tile, + result = ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + if (result < 0) + break; av_dlog(avctx, "Empty tile encountered!\n"); } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); From dc8371b2b12f4fc992623dd46fa47c81cbe21575 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 24 Mar 2012 17:43:55 +0100 Subject: [PATCH 324/991] indeo5dec: Make sure we have had a valid gop header. This prevents decoding happening on a half initialized context. Fixes CVE-2012-2779 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 891918431db628db17885ed947ee387b29826a64) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 8 ++++++-- libavcodec/ivi_common.c | 2 ++ libavcodec/ivi_common.h | 2 ++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index f588dc0c20..60f0eeea1c 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -304,8 +304,12 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - if (decode_gop_header(ctx, avctx)) - return -1; + ctx->gop_invalid = 1; + if (decode_gop_header(ctx, avctx)) { + av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + return AVERROR_INVALIDDATA; + } + ctx->gop_invalid = 0; } if (ctx->frame_type != FRAMETYPE_NULL) { diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 269afa49d5..b36b31dfac 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -782,6 +782,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, "Error while decoding picture header: %d\n", result); return -1; } + if (ctx->gop_invalid) + return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index d52450a13b..07736f25f3 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h 
@@ -248,6 +248,8 @@ typedef struct IVI45DecContext { int (*decode_mb_info) (struct IVI45DecContext *ctx, IVIBandDesc *band, IVITile *tile, AVCodecContext *avctx); void (*switch_buffers) (struct IVI45DecContext *ctx); int (*is_nonnull_frame)(struct IVI45DecContext *ctx); + + int gop_invalid; } IVI45DecContext; /** compare some properties of two pictures */ From 3efe6becc79b8087ea517b12380f34b702db1cc5 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 23 Jan 2012 21:33:34 +0100 Subject: [PATCH 325/991] indeo5: prevent null pointer dereference on broken files Found by John Villamil (cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 60f0eeea1c..a8ff228bcd 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -426,6 +426,10 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, ref_mb = tile->ref_mbs; offs = tile->ypos * band->pitch + tile->xpos; + if (!ref_mb && + ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) + return AVERROR_INVALIDDATA; + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; From 5c413648c1483385b74394fa40ded8e35b9ea4a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Apr 2012 14:11:50 +0200 Subject: [PATCH 326/991] indeo5: check tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Fixes CVE-2012-2794 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index a8ff228bcd..987b1a319f 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -430,6 +430,12 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; From 1c8e2561b48916f409980bf66ff247f001abc3b3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 10:39:49 +0200 Subject: [PATCH 327/991] indeo3: fix out of cell write. Fixes CVE-2012-2776. CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit e4d4044339b9c3b0f45f7203cd026eda3c0414c0) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index b7ef9e5241..294527ec9d 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -416,6 +416,9 @@ static int decode_cell_data(Cell *cell, uint8_t *block, uint8_t *ref_block, blk_row_offset = (row_offset << (2 + v_zoom)) - (cell->width << 2); line_offset = v_zoom ? row_offset : 0; + if (cell->height & v_zoom || cell->width & h_zoom) + return IV3_BAD_DATA; + for (y = 0; y < cell->height; is_first_row = 0, y += 1 + v_zoom) { for (x = 0; x < cell->width; x += 1 + h_zoom) { ref = ref_block; From 14bba214fa9a143c61f95c62941c105d7c3b6ddd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 14 Apr 2012 18:28:31 +0200 Subject: [PATCH 328/991] lagarith: check count before writing zeros. Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81) Signed-off-by: Reinhard Tartler --- libavcodec/lagarith.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 6828ba8230..f04d89b305 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -326,6 +326,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); + if (end - dst < count) { + av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n"); + return AVERROR_INVALIDDATA; + } + memset(dst, 0, count); l->zeros_rem -= count; dst += count; From 6744eee1e5bf68feb9930f1e3617311587b9d7a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 11:07:11 +0200 Subject: [PATCH 329/991] wmaprodec: check num_vec_coeffs for validity Fixes CVE-2012-2789 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 99f392a584dd10b553facc8e819f2c7e982e176d) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index a1b82db60a..3b8c2c8676 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c 
@@ -1166,7 +1166,12 @@ static int decode_subframe(WMAProDecodeCtx *s) int num_bits = av_log2((s->subframe_len + 3)/4) + 1; for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; - s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { + av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); + return AVERROR_INVALIDDATA; + } + s->channel[c].num_vec_coeffs = num_vec_coeffs; } } else { for (i = 0; i < s->channels_for_cur_subframe; i++) { From 0582b8e3eabb4b7d6f637fcd294d6ae43d24b61a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 15:42:29 +0200 Subject: [PATCH 330/991] avidec: use actually read size instead of requested size Fixes CVE-2012-2788 (cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index b4ccfb50f8..13a39c0e11 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1116,7 +1116,7 @@ resync: } ast->frame_offset += get_duration(ast, pkt->size); } - ast->remaining -= size; + ast->remaining -= err; if(!ast->remaining){ avi->stream_index= -1; ast->packet_size= 0; From 2bc1e4fcb96c470e2ccb2a0a78a415d5eab960c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 20:04:05 +0200 Subject: [PATCH 331/991] indeo4: update AVCodecContext width/height on size change Fixes CVE-2012-2787 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit b146d74730ab9ec5abede9066f770ad851e45fbc) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index b36b31dfac..db33767820 100644 
--- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -823,6 +823,7 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->release_buffer(avctx, &ctx->frame); ctx->frame.reference = 0; + avcodec_set_dimensions(avctx, ctx->planes[0].width, ctx->planes[0].height); if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return result; From 2051adbfa008c06fb4c93256bc453924a4ea1a48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 02:40:24 +0100 Subject: [PATCH 332/991] cavsdec: check for changing w/h. Our decoder does not support changing w/h. Fixes CVE-2012-2777 and CVE-2012-2784. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94) Signed-off-by: Reinhard Tartler --- libavcodec/cavsdec.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index b0e517bbc5..1dd237a755 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -608,12 +608,21 @@ static int decode_pic(AVSContext *h) { static int decode_seq_header(AVSContext *h) { MpegEncContext *s = &h->s; int frame_rate_code; + int width, height; h->profile = get_bits(&s->gb,8); h->level = get_bits(&s->gb,8); skip_bits1(&s->gb); //progressive sequence - s->width = get_bits(&s->gb,14); - s->height = get_bits(&s->gb,14); + + width = get_bits(&s->gb, 14); + height = get_bits(&s->gb, 14); + if ((s->width || s->height) && (s->width != width || s->height != height)) { + av_log_missing_feature(s, "Width/height changing in CAVS is", 0); + return AVERROR_PATCHWELCOME; + } + s->width = width; + s->height = height; + skip_bits(&s->gb,2); //chroma format skip_bits(&s->gb,3); //sample_precision h->aspect_ratio = get_bits(&s->gb,4); From 15c2e8027f4827018608badb1bff1294af1810e4 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Tue, 16 Oct 2012 10:33:52 +0200 Subject: [PATCH 333/991] wav: do not fail on empty INFO tags Fixes Bug 379 CC: libav-stable@libav.org --- libavformat/wav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wav.c b/libavformat/wav.c index 47cb5f8040..b873166b10 100644 --- a/libavformat/wav.c +++ b/libavformat/wav.c @@ -469,7 +469,7 @@ static int wav_read_header(AVFormatContext *s, break; case MKTAG('L', 'I', 'S', 'T'): list_type = avio_rl32(pb); - if (size <= 4) { + if (size < 4) { av_log(s, AV_LOG_ERROR, "too short LIST"); return AVERROR_INVALIDDATA; } From 592ba67815581a0ba371b57a7e3dd3079760fd9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2012 17:25:47 +0200 Subject: [PATCH 334/991] alsdec: Check k used for rice decoder. Values that fail this check will cause failure of decode_rice() Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index d5e09c5d2a..8932996e57 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -651,6 +651,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) for (k = 1; k < sub_blocks; k++) s[k] = s[k - 1] + decode_rice(gb, 0); } + for (k = 1; k < sub_blocks; k++) + if (s[k] > 32) { + av_log(avctx, AV_LOG_ERROR, "k invalid for rice code.\n"); + return AVERROR_INVALIDDATA; + } if (get_bits1(gb)) *bd->shift_lsbs = get_bits(gb, 4) + 1; From 0f81057c125139b8b2fc00ff61b94f6c1d2f4c59 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 29 Feb 2012 06:10:17 +0100 Subject: [PATCH 335/991] alsdec: Check that quantized parcor coeffs are within range. ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients ... In all cases the resulting quantized values ak are restricted to the range [-64,63]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 8932996e57..eec6a1680b 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -705,6 +705,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int rice_param = parcor_rice_table[sconf->coef_table][k][1]; int offset = parcor_rice_table[sconf->coef_table][k][0]; quant_cof[k] = decode_rice(gb, rice_param) + offset; + if (quant_cof[k] < -64 || quant_cof[k] > 63) { + av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]); + return AVERROR_INVALIDDATA; + } } // read coefficients 20 to 126 From c5f9c272e9df0e226503cfc8029308a64d72aae4 Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sun, 11 Mar 2012 16:56:23 +0100 Subject: [PATCH 336/991] alsdec: Fix out of ltp_gain_values read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index eec6a1680b..4c8e5a9e27 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -741,7 +741,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[0] = decode_rice(gb, 1) << 3; bd->ltp_gain[1] = decode_rice(gb, 2) << 3; - r = get_unary(gb, 0, 4); + r = get_unary(gb, 0, 3); c = get_bits(gb, 2); bd->ltp_gain[2] = ltp_gain_values[r][c]; From c28e1c12adf43044c54383eec8a581f630fffda8 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 1 Jul 2012 13:36:30 +0100 Subject: [PATCH 337/991] alsdec: remove dead assignments Signed-off-by: Mans Rullgard (cherry picked from commit 4ca6d206d1b5beea42c4290d2ee801aaf5cd31f0) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4c8e5a9e27..92b9e6caa5 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -770,7 +770,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i = start; + unsigned int i; // read most significant bits unsigned int high; @@ -781,7 +781,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; From dc5283dffcd41e8a41671d7566dfdd27c25e66bf Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sun, 15 Apr 2012 18:07:12 +0200 Subject: [PATCH 338/991] alsdec: fix number of decoded samples in first sub-block in BGMC mode. Fixes CVE-2012-2790 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 92b9e6caa5..459e2af928 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -770,7 +770,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i; // read most significant bits unsigned int high; @@ -782,28 +781,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { + unsigned int sb_len = sb_length - (sb ? 0 : start); + k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; - ff_bgmc_decode(gb, sb_length, current_res, + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); - current_res += sb_length; + current_res += sb_len; } ff_bgmc_decode_end(gb); // read least significant bits and tails - i = start; current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++, start = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; - for (; i < sb_length; i++) { + for (; start < sb_length; start++) { int32_t res = *current_res; if (res == cur_tail_code) { From 3c55bf1201ac75c5e46b03e3e077031f755f85d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Jul 2012 17:14:50 +0600 Subject: [PATCH 339/991] vc1dec: check that coded slice positions and interlacing match. This fixes out of array writes. Addresses: CVE-2012-2796 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Kostya Shishkov (cherry picked from commit 1100acbab26883007898c53efeb289f562c6e514) Signed-off-by: Reinhard Tartler --- libavcodec/vc1dec.c | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 46cfdb0973..38b08a565b 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5710,6 +5710,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, mb_height = s->mb_height >> v->field_mode; for (i = 0; i <= n_slices; i++) { if (i > 0 && slices[i - 1].mby_start >= mb_height) { + if (v->field_mode <= 0) { + av_log(v->s.avctx, AV_LOG_ERROR, "Slice %d starts beyond " + "picture boundary (%d >= %d)\n", i, + slices[i - 1].mby_start, mb_height); + continue; + } v->second_field = 1; v->blocks_off = s->mb_width * s->mb_height << 1; v->mb_off = s->mb_stride * s->mb_height >> 1; From a2d4d9f4fbe13cb259f06fb907a056b6f3dd2d15 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Thu, 2 Aug 2012 15:37:28 -0400 Subject: [PATCH 340/991] wmapro: prevent division by zero when sample rate is unspecified This fixes Bugzilla #327: Signed-off-by: Kostya Shishkov (cherry picked from commit 3680b2435101a5de56821718a71c828320d535a0) Signed-off-by: Anton Khirnov --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 3b8c2c8676..9804cc28e7 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -330,6 +330,11 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (s->avctx->sample_rate <= 0) { + av_log(avctx, AV_LOG_ERROR, "invalid sample rate\n"); + return AVERROR_INVALIDDATA; + } + s->num_channels = avctx->channels; if (s->num_channels < 0) { From 5acd1c6561c0aa4f11eb9a83cf56790f1db50d23 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 15:26:48 +0200 Subject: [PATCH 341/991] avidec: return 0, not packet size from read_packet(). (cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420) Signed-off-by: Anton Khirnov --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 13a39c0e11..af6ee8ed0f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1122,7 +1122,7 @@ resync: ast->packet_size= 0; } - return size; + return 0; } if ((err = avi_sync(s, 0)) < 0) From 141d4ed6c0911fde1913f3b757ace5012eabd897 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 11 Sep 2012 11:03:52 +0200 Subject: [PATCH 342/991] cmdutils: avoid setting data pointers to invalid values in alloc_buffer() Fixes bug 352. (cherry picked from commit 990450c5bf17afc31a81d6225afaac86d0dca5dd) Conflicts: cmdutils.c Signed-off-by: Anton Khirnov --- avconv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avconv.c b/avconv.c index 90bc49cc88..34507d4d0c 100644 --- a/avconv.c +++ b/avconv.c @@ -455,7 +455,7 @@ static int alloc_buffer(InputStream *ist, FrameBuffer **pbuf) const int v_shift = i==0 ? 0 : v_chroma_shift; if (s->flags & CODEC_FLAG_EMU_EDGE) buf->data[i] = buf->base[i]; - else + else if (buf->base[i]) buf->data[i] = buf->base[i] + FFALIGN((buf->linesize[i]*edge >> v_shift) + (pixel_size*edge >> h_shift), 32); From 79fb7bc667dd4b9c899b3223d3e4fb5baa6c2e17 Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Fri, 16 Mar 2012 15:24:08 -0700 Subject: [PATCH 343/991] h264: fix deadlocks on incomplete reference frame decoding. If decoding a second complementary field, and the first was decoded in our thread, mark decoding of that field as complete. If decoding fails, mark the decoded field/frame as complete. Do not allow switching between field modes or field/frame mode between slices within the same field/frame. Ensure that two subsequent fields cover top/bottom (rather than top/frame, bottom/frame or such nonsense situations). Fixes various deadlocks when decoding samples with errors in reference frames. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1e26a48fa23ef8e1cbc424667d387184d8155f15) Fixes Bug 118 Conflicts: libavcodec/h264.c Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 149 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 121 insertions(+), 28 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 79298d7b0c..9f6437cd8f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2522,8 +2522,8 @@ static int field_end(H264Context *h, int in_setup){ s->mb_y= 0; if (!in_setup && !s->dropable) - ff_thread_report_progress((AVFrame*)s->current_picture_ptr, (16*s->mb_height >> FIELD_PICTURE) - 1, - s->picture_structure==PICT_BOTTOM_FIELD); + ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, + s->picture_structure == PICT_BOTTOM_FIELD); if (CONFIG_H264_VDPAU_DECODER && s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU) ff_vdpau_h264_set_reference_frames(s); 
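Review bot: in field_end() the progress value passed to ff_thread_report_progress() changes from the last row, (16*s->mb_height >> FIELD_PICTURE) - 1, to INT_MAX with no comment saying why. The same INT_MAX call is added at several other places in this patch, so a short comment here, or a small helper wrapping the call, stating that INT_MAX marks the field as complete would make the intent clear and keep the call sites from drifting apart.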
@@ -2640,9 +2640,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ int num_ref_idx_active_override_flag; unsigned int slice_type, tmp, i, j; int default_ref_list_done = 0; - int last_pic_structure; - - s->dropable= h->nal_ref_idc == 0; + int last_pic_structure, last_pic_dropable; /* FIXME: 2tap qpel isn't implemented for high bit depth. */ if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc && !h->pixel_shift){ @@ -2661,8 +2659,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } h0->current_slice = 0; - if (!s0->first_field) - s->current_picture_ptr= NULL; + if (!s0->first_field) { + if (s->current_picture_ptr && !s->dropable && + s->current_picture_ptr->owner2 == s) { + ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, + s->picture_structure == PICT_BOTTOM_FIELD); + } + s->current_picture_ptr = NULL; + } } slice_type= get_ue_golomb_31(&s->gb); @@ -2862,6 +2866,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->mb_mbaff = 0; h->mb_aff_frame = 0; last_pic_structure = s0->picture_structure; + last_pic_dropable = s->dropable; + s->dropable = h->nal_ref_idc == 0; if(h->sps.frame_mbs_only_flag){ s->picture_structure= PICT_FRAME; }else{ 
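Review bot: in the hunk at -2862, last_pic_dropable is read from s->dropable while last_pic_structure on the line above it is read from s0->picture_structure, and nothing explains the difference. Either read both from the same context or add a comment saying why they differ. Moving the assignment s->dropable = h->nal_ref_idc == 0 down to this point also means s->dropable holds the previous slice's value for everything above it, which the new !s->dropable test in the !s0->first_field branch relies on; that ordering dependency deserves a comment as well.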
@@ -2874,10 +2880,22 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } h->mb_field_decoding_flag= s->picture_structure != PICT_FRAME; - if(h0->current_slice == 0){ - // Shorten frame num gaps so we don't have to allocate reference frames just to throw them away - if(h->frame_num != h->prev_frame_num) { - int unwrap_prev_frame_num = h->prev_frame_num, max_frame_num = 1<sps.log2_max_frame_num; + if (h0->current_slice != 0) { + if (last_pic_structure != s->picture_structure || + last_pic_dropable != s->dropable) { + av_log(h->s.avctx, AV_LOG_ERROR, + "Changing field mode (%d -> %d) between slices is not allowed\n", + last_pic_structure, s->picture_structure); + s->picture_structure = last_pic_structure; + s->dropable = last_pic_dropable; + return AVERROR_INVALIDDATA; + } + } else { + /* Shorten frame num gaps so we don't have to allocate reference + * frames just to throw them away */ + if (h->frame_num != h->prev_frame_num) { + int unwrap_prev_frame_num = h->prev_frame_num; + int max_frame_num = 1 << h->sps.log2_max_frame_num; if (unwrap_prev_frame_num > h->frame_num) unwrap_prev_frame_num -= max_frame_num; 
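Review bot: the new h0->current_slice != 0 branch rejects a change in either s->picture_structure or s->dropable, but the log message reads "Changing field mode (%d -> %d) between slices is not allowed" and prints only the picture structure values. When only dropable differs, the message prints two identical numbers. Log last_pic_dropable and s->dropable as well, or split the two conditions into separate messages.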
@@ -2890,8 +2908,74 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } } - while(h->frame_num != h->prev_frame_num && - h->frame_num != (h->prev_frame_num+1)%(1<sps.log2_max_frame_num)){ + /* See if we have a decoded first field looking for a pair... + * Here, we're using that to see if we should mark previously + * decode frames as "finished". + * We have to do that before the "dummy" in-between frame allocation, + * since that can modify s->current_picture_ptr. */ + if (s0->first_field) { + assert(s0->current_picture_ptr); + assert(s0->current_picture_ptr->f.data[0]); + assert(s0->current_picture_ptr->f.reference != DELAYED_PIC_REF); + + /* Mark old field/frame as completed */ + if (!last_pic_dropable && s0->current_picture_ptr->owner2 == s0) { + ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX, + last_pic_structure == PICT_BOTTOM_FIELD); + } + + /* figure out if we have a complementary field pair */ + if (!FIELD_PICTURE || s->picture_structure == last_pic_structure) { + /* Previous field is unmatched. Don't display it, but let it + * remain for reference if marked as such. */ + if (!last_pic_dropable && last_pic_structure != PICT_FRAME) { + ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX, + last_pic_structure == PICT_TOP_FIELD); + } + } else { + if (s0->current_picture_ptr->frame_num != h->frame_num) { + /* This and previous field were reference, but had + * different frame_nums. Consider this field first in + * pair. Throw away previous field except for reference + * purposes. 
*/ + if (!last_pic_dropable && last_pic_structure != PICT_FRAME) { + ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX, + last_pic_structure == PICT_TOP_FIELD); + } + } else { + /* Second field in complementary pair */ + if (!((last_pic_structure == PICT_TOP_FIELD && + s->picture_structure == PICT_BOTTOM_FIELD) || + (last_pic_structure == PICT_BOTTOM_FIELD && + s->picture_structure == PICT_TOP_FIELD))) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid field mode combination %d/%d\n", + last_pic_structure, s->picture_structure); + s->picture_structure = last_pic_structure; + s->dropable = last_pic_dropable; + return AVERROR_INVALIDDATA; + } else if (last_pic_dropable != s->dropable) { + av_log(s->avctx, AV_LOG_ERROR, + "Cannot combine reference and non-reference fields in the same frame\n"); + av_log_ask_for_sample(s->avctx, NULL); + s->picture_structure = last_pic_structure; + s->dropable = last_pic_dropable; + return AVERROR_INVALIDDATA; + } + + /* Take ownership of this buffer. Note that if another thread owned + * the first field of this buffer, we're not operating on that pointer, + * so the original thread is still responsible for reporting progress + * on that first field (or if that was us, we just did that above). + * By taking ownership, we assign responsibility to ourselves to + * report progress on the second field. */ + s0->current_picture_ptr->owner2 = s0; + } + } + } + + while (h->frame_num != h->prev_frame_num && + h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) { Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL; av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num); if (ff_h264_frame_start(h) < 0) 
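Review bot: in the added s0->first_field block, the only guard before s0->current_picture_ptr->owner2 is dereferenced is assert(), which does nothing when assertions are compiled out; an explicit check that returns AVERROR_INVALIDDATA would be safer in a path meant to cope with errors in reference frames. The two branches commented "Previous field is unmatched" and "This and previous field were reference, but had different frame_nums" also run the same ff_thread_report_progress() call under the same condition (!last_pic_dropable && last_pic_structure != PICT_FRAME) and could be folded into one, and the restore of s->picture_structure and s->dropable before return AVERROR_INVALIDDATA is repeated in each error path where a shared label would keep the copies in sync.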
@@ -2922,7 +3006,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } } - /* See if we have a decoded first field looking for a pair... */ + /* See if we have a decoded first field looking for a pair... + * We're using that to see whether to continue decoding in that + * frame, or to allocate a new one. */ if (s0->first_field) { assert(s0->current_picture_ptr); assert(s0->current_picture_ptr->f.data[0]); @@ -2938,16 +3024,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s0->first_field = FIELD_PICTURE; } else { - if (h->nal_ref_idc && - s0->current_picture_ptr->f.reference && - s0->current_picture_ptr->frame_num != h->frame_num) { - /* - * This and previous field were reference, but had - * different frame_nums. Consider this field first in - * pair. Throw away previous field except for reference - * purposes. - */ - s0->first_field = 1; + if (s0->current_picture_ptr->frame_num != h->frame_num) { + /* This and the previous field had different frame_nums. + * Consider this field first in pair. Throw away previous + * one except for reference purposes. */ + s0->first_field = 1; s0->current_picture_ptr = NULL; } else { @@ -3803,8 +3884,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx = h->thread_context[context_count]; ptr= ff_h264_decode_nal(hx, buf + buf_index, &dst_length, &consumed, next_avc - buf_index); - if (ptr==NULL || dst_length < 0){ - return -1; + if (ptr == NULL || dst_length < 0) { + buf_index = -1; + goto end; } i= buf_index + consumed; if((s->workaround_bugs & FF_BUG_AUTODETECT) && i+3nal_unit_type != NAL_IDR_SLICE) { av_log(h->s.avctx, AV_LOG_ERROR, "Invalid mix of idr and non-idr slices"); - return -1; + buf_index = -1; + goto end; } idr(h); // FIXME ensure we don't lose some frames if there is reordering case NAL_SLICE: 
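Review bot: the error paths converted in decode_nal_units() set buf_index = -1 and jump to end, so the function still returns a bare -1, while the checks this patch adds in decode_slice_header() return AVERROR_INVALIDDATA. Consider returning AVERROR_INVALIDDATA here too so callers see one error convention. The "Invalid mix of idr and non-idr slices" message in the context lines also lacks a trailing newline.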
@@ -3962,7 +4045,8 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ dsputil_init(&s->dsp, s->avctx); } else { av_log(avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n", h->sps.bit_depth_luma); - return -1; + buf_index = -1; + goto end; } } break; @@ -4004,6 +4088,15 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ } if(context_count) execute_decode_slices(h, context_count); + +end: + /* clean up */ + if (s->current_picture_ptr && s->current_picture_ptr->owner2 == s && + !s->dropable) { + ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, + s->picture_structure == PICT_BOTTOM_FIELD); + } + return buf_index; } From 5920d00d741796a7e1a53241c7814d529cb68455 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 28 Feb 2012 18:52:30 -0500 Subject: [PATCH 344/991] libvorbis: fix use of minrate/maxrate AVOptions - enable the options for audio encoding - properly check for user-set maxrate - use correct calling order in vorbis_encode_setup_managed() (cherry picked from commit 182d4f1f3855460ee8634ea052f33332cf9d174e) Conflicts: libavcodec/libvorbis.c Fixes a part of Bug 277 Signed-off-by: Anton Khirnov --- libavcodec/libvorbis.c | 6 +++--- libavcodec/options.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/libvorbis.c b/libavcodec/libvorbis.c index 25e600671f..c790ff0f65 100644 --- a/libavcodec/libvorbis.c +++ b/libavcodec/libvorbis.c 
@@ -74,12 +74,12 @@ static av_cold int oggvorbis_init_encoder(vorbis_info *vi, AVCodecContext *avcco return -1; } else { int minrate = avccontext->rc_min_rate > 0 ? avccontext->rc_min_rate : -1; - int maxrate = avccontext->rc_min_rate > 0 ? avccontext->rc_max_rate : -1; + int maxrate = avccontext->rc_max_rate > 0 ? avccontext->rc_max_rate : -1; /* constant bitrate */ if (vorbis_encode_setup_managed(vi, avccontext->channels, - avccontext->sample_rate, minrate, - avccontext->bit_rate, maxrate)) + avccontext->sample_rate, maxrate, + avccontext->bit_rate, minrate)) return -1; /* variable bitrate by estimate, disable slow rate management */ diff --git a/libavcodec/options.c b/libavcodec/options.c index 26f3ab3b11..bd0083c826 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c 
@@ -226,8 +226,8 @@ static const AVOption options[]={ {"rc_qmod_freq", "experimental quantizer modulation", OFFSET(rc_qmod_freq), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|E}, {"rc_override_count", NULL, OFFSET(rc_override_count), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX}, {"rc_eq", "set rate control equation", OFFSET(rc_eq), AV_OPT_TYPE_STRING, {.str = NULL}, CHAR_MIN, CHAR_MAX, V|E}, -{"maxrate", "set max video bitrate tolerance (in bits/s)", OFFSET(rc_max_rate), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|E}, -{"minrate", "set min video bitrate tolerance (in bits/s)", OFFSET(rc_min_rate), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|E}, +{"maxrate", "set max bitrate tolerance (in bits/s)", OFFSET(rc_max_rate), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|A|E}, +{"minrate", "set min bitrate tolerance (in bits/s)", OFFSET(rc_min_rate), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|A|E}, {"bufsize", "set ratecontrol buffer size (in bits)", OFFSET(rc_buffer_size), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, A|V|E}, {"rc_buf_aggressivity", "currently useless", OFFSET(rc_buffer_aggressivity), AV_OPT_TYPE_FLOAT, {.dbl = 1.0 }, -FLT_MAX, FLT_MAX, V|E}, {"i_qfactor", "qp factor between P and I frames", OFFSET(i_quant_factor), AV_OPT_TYPE_FLOAT, {.dbl = -0.8 }, -FLT_MAX, FLT_MAX, V|E}, From 24025cc0b972a8c2e8b3018cb7c53c1f55fe5fbb Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 28 Feb 2012 19:33:07 -0500 Subject: [PATCH 345/991] libvorbis: use VBR by default, with default quality of 3 (cherry picked from commit 147ff24a0e8d819615a0f596df3ea47dddd79fdc) Conflicts: libavcodec/libvorbis.c Fixes a part of Bug 277 Signed-off-by: Anton Khirnov --- libavcodec/libvorbis.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/libavcodec/libvorbis.c b/libavcodec/libvorbis.c index c790ff0f65..60235d7df7 100644 --- a/libavcodec/libvorbis.c 
+++ b/libavcodec/libvorbis.c @@ -29,6 +29,7 @@ #include "libavutil/opt.h" #include "avcodec.h" #include "bytestream.h" +#include "internal.h" #include "vorbis.h" #include "libavutil/mathematics.h" @@ -59,6 +60,12 @@ static const AVOption options[] = { { "iblock", "Sets the impulse block bias", offsetof(OggVorbisContext, iblock), AV_OPT_TYPE_DOUBLE, { .dbl = 0 }, -15, 0, AV_OPT_FLAG_AUDIO_PARAM | AV_OPT_FLAG_ENCODING_PARAM }, { NULL } }; + +static const AVCodecDefault defaults[] = { + { "b", "0" }, + { NULL }, +}; + static const AVClass class = { "libvorbis", av_default_item_name, options, LIBAVUTIL_VERSION_INT }; static av_cold int oggvorbis_init_encoder(vorbis_info *vi, AVCodecContext *avccontext) @@ -66,11 +73,18 @@ static av_cold int oggvorbis_init_encoder(vorbis_info *vi, AVCodecContext *avcco OggVorbisContext *context = avccontext->priv_data; double cfreq; - if (avccontext->flags & CODEC_FLAG_QSCALE) { - /* variable bitrate */ + if (avccontext->flags & CODEC_FLAG_QSCALE || !avccontext->bit_rate) { + /* variable bitrate + * NOTE: we use the oggenc range of -1 to 10 for global_quality for + * user convenience, but libvorbis uses -0.1 to 1.0. + */ + float q = avccontext->global_quality / (float)FF_QP2LAMBDA; + /* default to 3 if the user did not set quality or bitrate */ + if (!(avccontext->flags & CODEC_FLAG_QSCALE)) + q = 3.0; if (vorbis_encode_setup_vbr(vi, avccontext->channels, avccontext->sample_rate, - avccontext->global_quality / (float)FF_QP2LAMBDA / 10.0)) + q / 10.0)) return -1; } else { int minrate = avccontext->rc_min_rate > 0 ? avccontext->rc_min_rate : -1; @@ -262,4 +276,5 @@ AVCodec ff_libvorbis_encoder = { .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, .long_name = NULL_IF_CONFIG_SMALL("libvorbis Vorbis"), .priv_class = &class, + .defaults = defaults, }; From be209bdabb11c59de17220bdbf0bf9c9f7cc16f5 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Sun, 8 Jul 2012 17:01:17 +0200 Subject: [PATCH 346/991] vf_pad: don't give up its own reference to the output buffer. Conflicts: libavfilter/vf_pad.c Fixes Bug 245 Signed-off-by: Anton Khirnov --- libavfilter/vf_pad.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index 9ba91ed21c..8f583da16d 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -300,6 +300,7 @@ static void start_frame(AVFilterLink *inlink, AVFilterBufferRef *inpicref) { PadContext *pad = inlink->dst->priv; AVFilterBufferRef *outpicref = avfilter_ref_buffer(inpicref, ~0); + AVFilterBufferRef *for_next_filter; int plane; for (plane = 0; plane < 4 && outpicref->data[plane]; plane++) { @@ -336,12 +337,14 @@ static void start_frame(AVFilterLink *inlink, AVFilterBufferRef *inpicref) outpicref->video->w = pad->w; outpicref->video->h = pad->h; - avfilter_start_frame(inlink->dst->outputs[0], outpicref); + for_next_filter = avfilter_ref_buffer(outpicref, ~0); + avfilter_start_frame(inlink->dst->outputs[0], for_next_filter); } static void end_frame(AVFilterLink *link) { avfilter_end_frame(link->dst->outputs[0]); + avfilter_unref_buffer(link->dst->outputs[0]->out_buf); avfilter_unref_buffer(link->cur_buf); } From 443f1463c0e1fff69b2c8fa7cc8ca324cdfbd4c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franz=20Brau=C3=9Fe?= Date: Fri, 30 Mar 2012 14:40:14 -0400 Subject: [PATCH 347/991] smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 62e6689c37..3928d8f569 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c 
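Review bot: In start_frame() (libavfilter/vf_pad.c, PATCH 346), the result of the new `avfilter_ref_buffer(outpicref, ~0)` goes straight into avfilter_start_frame() with no NULL check, and `outpicref` from the first avfilter_ref_buffer() call is dereferenced in the plane loop the same way. Check both references and bail out cleanly if either cannot be created. In end_frame(), the added `avfilter_unref_buffer(link->dst->outputs[0]->out_buf)` depends on out_buf still being the reference start_frame() kept for itself after avfilter_end_frame() has run; a one-line comment stating that ownership would make the pairing auditable.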
@@ -662,7 +662,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, } if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) - pred[i] = av_bswap16(get_bits(&gb, 16)); + pred[i] = sign_extend(av_bswap16(get_bits(&gb, 16)), 16); for(i = 0; i <= stereo; i++) *samples++ = pred[i]; for(; i < unp_size / 2; i++) { From d792be5681b4e918bb575a9c74f9a561497a6a5f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 5 Oct 2012 15:53:32 +0200 Subject: [PATCH 348/991] yuv4mpeg: return proper error codes. Fixes Bug 373. CC:libav-stable@libav.org (cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485) Signed-off-by: Reinhard Tartler --- libavformat/yuv4mpeg.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c index 698ee6814d..09aabedea9 100644 --- a/libavformat/yuv4mpeg.c +++ b/libavformat/yuv4mpeg.c @@ -364,7 +364,7 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt) { int i; char header[MAX_FRAME_HEADER+1]; - int packet_size, width, height; + int packet_size, width, height, ret; AVStream *st = s->streams[0]; struct frame_attributes *s1 = s->priv_data; 
@@ -375,20 +375,28 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt) break; } } - if (i == MAX_FRAME_HEADER) - return -1; + if (s->pb->error) + return s->pb->error; + else if (s->pb->eof_reached) + return AVERROR_EOF; + else if (i == MAX_FRAME_HEADER) + return AVERROR_INVALIDDATA; + if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) - return -1; + return AVERROR_INVALIDDATA; width = st->codec->width; height = st->codec->height; packet_size = avpicture_get_size(st->codec->pix_fmt, width, height); if (packet_size < 0) - return -1; + return packet_size; - if (av_get_packet(s->pb, pkt, packet_size) != packet_size) - return AVERROR(EIO); + ret = av_get_packet(s->pb, pkt, packet_size); + if (ret < 0) + return ret; + else if (ret != packet_size) + return s->pb->eof_reached ? AVERROR_EOF : AVERROR(EIO); if (st->codec->coded_frame) { st->codec->coded_frame->interlaced_frame = s1->interlaced_frame; From 0b923a2b72c103b29f4a0dc02676581a5eebcc43 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 5 Oct 2012 14:45:30 +0200 Subject: [PATCH 349/991] vf_pad/scale: use double precision for aspect ratios. Fixes Bug 203. CC:libav-stable@libav.org (cherry picked from commit ba04177eeb690ba4e93ec30fc8eb02f5319f844b) Signed-off-by: Reinhard Tartler --- libavfilter/vf_pad.c | 2 +- libavfilter/vf_scale.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index 8f583da16d..0b60d5b4f9 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -156,7 +156,7 @@ static int config_input(AVFilterLink *inlink) var_values[VAR_IN_H] = var_values[VAR_IH] = inlink->h; var_values[VAR_OUT_W] = var_values[VAR_OW] = NAN; var_values[VAR_OUT_H] = var_values[VAR_OH] = NAN; - var_values[VAR_A] = (float) inlink->w / inlink->h; + var_values[VAR_A] = (double) inlink->w / inlink->h; var_values[VAR_HSUB] = 1<hsub; var_values[VAR_VSUB] = 1<vsub; 
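Review bot: In the second hunk of yuv4_read_packet() (libavformat/yuv4mpeg.c, PATCH 348), the short-read branch `else if (ret != packet_size)` returns an error after av_get_packet() has already returned a positive byte count, so the packet it filled is not released on that path. Call av_free_packet(pkt) before returning AVERROR_EOF or AVERROR(EIO) there, so a truncated input file does not leak one frame-sized buffer per failed read.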
diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index dd2f7e18a5..ec69d7b89f 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -151,9 +151,9 @@ static int config_props(AVFilterLink *outlink) var_values[VAR_IN_H] = var_values[VAR_IH] = inlink->h; var_values[VAR_OUT_W] = var_values[VAR_OW] = NAN; var_values[VAR_OUT_H] = var_values[VAR_OH] = NAN; - var_values[VAR_DAR] = var_values[VAR_A] = (float) inlink->w / inlink->h; + var_values[VAR_DAR] = var_values[VAR_A] = (double) inlink->w / inlink->h; var_values[VAR_SAR] = inlink->sample_aspect_ratio.num ? - (float) inlink->sample_aspect_ratio.num / inlink->sample_aspect_ratio.den : 1; + (double) inlink->sample_aspect_ratio.num / inlink->sample_aspect_ratio.den : 1; var_values[VAR_HSUB] = 1<format].log2_chroma_w; var_values[VAR_VSUB] = 1<format].log2_chroma_h; From 9822e3aa52d1f074cbf0577e255fcb706b7e6fd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= Date: Sat, 29 Sep 2012 11:16:45 +0200 Subject: [PATCH 350/991] h264: avoid stuck buffer pointer in decode_nal_units MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When decode_nal_units() previously encountered a NAL_END_SEQUENCE, and there are some junk bytes left in the input buffer, but no start codes, buf_index gets stuck 3 bytes before the end of the buffer. This can trigger an infinite loop in the caller code, eg. in try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes, with 3 bytes of the input packet still available. With this change, the remaining bytes are skipped so the whole packet gets consumed. CC:libav-stable@libav.org Signed-off-by: Jindřich Makovička Signed-off-by: Anton Khirnov (cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9f6437cd8f..d8d0a7d4f3 100644 
--- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3875,7 +3875,11 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ break; } - if(buf_index+3 >= buf_size) break; + + if (buf_index + 3 >= buf_size) { + buf_index = buf_size; + break; + } buf_index+=3; if(buf_index >= next_avc) continue; From 0f3381ad5bff4c21ba8631fcb54e7e26b6a96803 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Sep 2012 14:38:13 +0200 Subject: [PATCH 351/991] mpegaudiodec: fix short_start calculation The value should be always 3, as it follows from the specification. Fix a stack buffer overflow in exponents_from_scale_factors as reported by asan. Thanks to Dale Curtis for the sample vector. (cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d) Signed-off-by: Reinhard Tartler --- libavcodec/mpegaudiodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index d90257303c..bb1baef2c9 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -208,7 +208,7 @@ static void ff_compute_band_indexes(MPADecodeContext *s, GranuleDef *g) else g->long_end = 4; /* 8000 Hz */ - g->short_start = 2 + (s->sample_rate_index != 8); + g->short_start = 3; } else { g->long_end = 0; g->short_start = 0; From 8076d32f309215d510d78261b7c2cfaf39aa8ab0 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 19 Sep 2012 11:12:58 -0700 Subject: [PATCH 352/991] tiffenc: Check av_malloc() results. (cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6) Conflicts: libavcodec/tiffenc.c Signed-off-by: Reinhard Tartler --- libavcodec/tiffenc.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 3b2b82991b..af9a870955 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c 
@@ -316,6 +316,10 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, strip_sizes = av_mallocz(sizeof(*strip_sizes) * strips); strip_offsets = av_mallocz(sizeof(*strip_offsets) * strips); + if (!strip_sizes || !strip_offsets) { + ret = AVERROR(ENOMEM); + goto fail; + } bytes_per_row = (((s->width - 1)/s->subsampling[0] + 1) * s->bpp * s->subsampling[0] * s->subsampling[1] + 7) >> 3; @@ -323,6 +327,7 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, yuv_line = av_malloc(bytes_per_row); if (yuv_line == NULL){ av_log(s->avctx, AV_LOG_ERROR, "Not enough memory\n"); + ret = AVERROR(ENOMEM); goto fail; } } @@ -335,6 +340,10 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, zlen = bytes_per_row * s->rps; zbuf = av_malloc(zlen); + if (!zbuf) { + ret = AVERROR(ENOMEM); + goto fail; + } strip_offsets[0] = ptr - buf; zn = 0; for (j = 0; j < s->rps; j++) { @@ -359,8 +368,13 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, } else #endif { - if(s->compr == TIFF_LZW) + if (s->compr == TIFF_LZW) { s->lzws = av_malloc(ff_lzw_encode_state_size); + if (!s->lzws) { + ret = AVERROR(ENOMEM); + goto fail; + } + } for (i = 0; i < s->height; i++) { if (strip_sizes[i / s->rps] == 0) { if(s->compr == TIFF_LZW){ From ca8c814970a99662a016e3443107960e8ee1fbf3 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 17 Oct 2012 23:55:27 +0200 Subject: [PATCH 353/991] Prepare for 0.8.4 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index ee94dd834b..b60d71966a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.3 +0.8.4 From a0f6c93f52f83291a1e073f31ae597739a05a3cd Mon Sep 17 00:00:00 2001 
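Review bot: In encode_frame() (libavcodec/tiffenc.c, PATCH 352), the new NULL checks catch allocation failure but not the size arithmetic feeding those allocations: `sizeof(*strip_sizes) * strips` and `zlen = bytes_per_row * s->rps` are multiplied with no overflow check, so a non-NULL return does not prove the buffer is as large as the loops that follow assume. Validate the products before allocating. The new failure paths also set `ret = AVERROR(ENOMEM)` silently, while the existing yuv_line path logs "Not enough memory"; use one convention for all four.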
From: Anton Khirnov Date: Fri, 19 Oct 2012 20:39:27 +0200 Subject: [PATCH 354/991] lavc: remove stats_out from the options table. Since it is declared as a string AVOption, the generic freeing code attempts to free it on codec close. Some codecs might have already freed it elsewhere (or didn't even allocate it with av_malloc() in the first place), so this might lead to an invalid free. There is no point in having this field accessible as an AVOption, so remove it from the options table. Fixes Bug 380. CC: libav-stable@libav.org (cherry picked from commit b691135d0c6a2b1cca91adadaf457c2989c6a55d) Conflicts: libavcodec/options_table.h --- libavcodec/options.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index bd0083c826..d6e36cb0fb 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -219,8 +219,6 @@ static const AVOption options[]={ {"parse_only", NULL, OFFSET(parse_only), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX}, #endif {"mpeg_quant", "use MPEG quantizers instead of H.263", OFFSET(mpeg_quant), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|E}, -{"stats_out", NULL, OFFSET(stats_out), AV_OPT_TYPE_STRING, {.str = NULL}, CHAR_MIN, CHAR_MAX}, -{"stats_in", NULL, OFFSET(stats_in), AV_OPT_TYPE_STRING, {.str = NULL}, CHAR_MIN, CHAR_MAX}, {"qsquish", "how to keep quantizer between qmin and qmax (0 = clip, 1 = use differentiable function)", OFFSET(rc_qsquish), AV_OPT_TYPE_FLOAT, {.dbl = DEFAULT }, 0, 99, V|E}, {"rc_qmod_amp", "experimental quantizer modulation", OFFSET(rc_qmod_amp), AV_OPT_TYPE_FLOAT, {.dbl = DEFAULT }, -FLT_MAX, FLT_MAX, V|E}, {"rc_qmod_freq", "experimental quantizer modulation", OFFSET(rc_qmod_freq), AV_OPT_TYPE_INT, {.dbl = DEFAULT }, INT_MIN, INT_MAX, V|E}, From 2c8ce46250ff78191fe6565876ddc4bc03fdf519 Mon Sep 17 00:00:00 2001 
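Review bot: The hunk in libavcodec/options.c (PATCH 354) deletes both the `stats_out` and the `stats_in` entries, but the subject line and the message body only name stats_out. Both are AV_OPT_TYPE_STRING entries, so the invalid-free reasoning in the message covers stats_in too; say so in the commit message so that the removal of a second user-visible option is not a surprise to someone reading the log.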
From: Reinhard Tartler Date: Thu, 18 Oct 2012 00:08:30 +0200 Subject: [PATCH 355/991] Update Changelog for the 0.8.4 Release --- Changelog | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/Changelog b/Changelog index fb9a7a6e19..d3c743d111 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,35 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.4: + +- Several bugs and crashes have been fixed in the following codecs: + h264 (Bug 118), vc1dec (CVE-2012-2796), sipr, bmpdec (bug 367), alsdec + (CVE-2012-2775), rv34/rv40 (CVE-2012-2772), indeo3/indeo4 + (CVE-2012-2776, CVE-2012-2779, CVE-2012-2787, CVE-2012-2794, + CVE-2012-2800), vorbisenc, vorbisdec (Bug 277), snow, ac3dec + (CVE-2012-2802), avsdec (CVE-2012-2801), dfa (CVE-2012-2786, + CVE-2012-2798), lagrith (CVE-2012-2793), wmaprodec (CVE-2012-2789 & + Bug 327), avidec (CVE-2012-2788, CVE-2012-2790), cavsdec + (CVE-2012-2777, CVE-2012-2784), wav (Bug 379), yuff4mpeg (Bug 373), + mpegaudio, tiffenc, smacker (Bug 265). + +- smaller bug fixes in avconv (Bug 352) + +- fix lt() and lte() in function evaluator + +- fix segfault in avformat_open_input() + +- fix segfault in golomb decoder (bug 310) + +- fix segfault (double free) in libavfilter + +- convert dfa decoder to bytestream2 API to protect from overreads + +- bugfix in vf_pad/scale filter (Bug 203 & 245) + +- lavc: remove stats_out and stats_in from the options table. (Bug 380) + version 0.8.3: From 6365b43295a0be1fc1ca67dd4a4d7c510daee79f Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Thu, 11 Oct 2012 16:08:22 +0100 Subject: [PATCH 356/991] svq3: replace unsafe pointer casting with intreadwrite macros Signed-off-by: Mans Rullgard --- libavcodec/svq3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 3be71a0812..ebe4fd9f5f 100644 --- a/libavcodec/svq3.c 
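Review bot: The added 0.8.4 block in Changelog (PATCH 355) contains a typo, `yuff4mpeg (Bug 373)`; the Bug 373 fix in this series is in libavformat/yuv4mpeg.c, so the entry should read yuv4mpeg. The same block mixes `Bug 118` with `bug 367` and `bug 310`; settle on one capitalisation so the bug references can be found with a single search.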
+++ b/libavcodec/svq3.c @@ -409,17 +409,17 @@ static inline int svq3_mc_dir(H264Context *h, int size, int mode, int dir, int32_t mv = pack16to32(mx,my); if (part_height == 8 && i < 8) { - *(int32_t *) h->mv_cache[dir][scan8[k] + 1*8] = mv; + AV_WN32A(h->mv_cache[dir][scan8[k] + 1*8], mv); if (part_width == 8 && j < 8) { - *(int32_t *) h->mv_cache[dir][scan8[k] + 1 + 1*8] = mv; + AV_WN32A(h->mv_cache[dir][scan8[k] + 1 + 1*8], mv); } } if (part_width == 8 && j < 8) { - *(int32_t *) h->mv_cache[dir][scan8[k] + 1] = mv; + AV_WN32A(h->mv_cache[dir][scan8[k] + 1], mv); } if (part_width == 4 || part_height == 4) { - *(int32_t *) h->mv_cache[dir][scan8[k]] = mv; + AV_WN32A(h->mv_cache[dir][scan8[k]], mv); } } @@ -487,11 +487,11 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) for (m = 0; m < 2; m++) { if (s->mb_x > 0 && h->intra4x4_pred_mode[h->mb2br_xy[mb_xy - 1]+6] != -1) { for (i = 0; i < 4; i++) { - *(uint32_t *) h->mv_cache[m][scan8[0] - 1 + i*8] = *(uint32_t *) s->current_picture.f.motion_val[m][b_xy - 1 + i*h->b_stride]; + AV_COPY32(h->mv_cache[m][scan8[0] - 1 + i*8], s->current_picture.f.motion_val[m][b_xy - 1 + i*h->b_stride]); } } else { for (i = 0; i < 4; i++) { - *(uint32_t *) h->mv_cache[m][scan8[0] - 1 + i*8] = 0; + AV_ZERO32(h->mv_cache[m][scan8[0] - 1 + i*8]); } } if (s->mb_y > 0) { 
@@ -499,14 +499,14 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) memset(&h->ref_cache[m][scan8[0] - 1*8], (h->intra4x4_pred_mode[h->mb2br_xy[mb_xy - s->mb_stride]] == -1) ? PART_NOT_AVAILABLE : 1, 4); if (s->mb_x < (s->mb_width - 1)) { - *(uint32_t *) h->mv_cache[m][scan8[0] + 4 - 1*8] = *(uint32_t *) s->current_picture.f.motion_val[m][b_xy - h->b_stride + 4]; + AV_COPY32(h->mv_cache[m][scan8[0] + 4 - 1*8], s->current_picture.f.motion_val[m][b_xy - h->b_stride + 4]); h->ref_cache[m][scan8[0] + 4 - 1*8] = (h->intra4x4_pred_mode[h->mb2br_xy[mb_xy - s->mb_stride + 1]+6] == -1 || h->intra4x4_pred_mode[h->mb2br_xy[mb_xy - s->mb_stride ] ] == -1) ? PART_NOT_AVAILABLE : 1; }else h->ref_cache[m][scan8[0] + 4 - 1*8] = PART_NOT_AVAILABLE; if (s->mb_x > 0) { - *(uint32_t *) h->mv_cache[m][scan8[0] - 1 - 1*8] = *(uint32_t *) s->current_picture.f.motion_val[m][b_xy - h->b_stride - 1]; + AV_COPY32(h->mv_cache[m][scan8[0] - 1 - 1*8], s->current_picture.f.motion_val[m][b_xy - h->b_stride - 1]); h->ref_cache[m][scan8[0] - 1 - 1*8] = (h->intra4x4_pred_mode[h->mb2br_xy[mb_xy - s->mb_stride - 1]+3] == -1) ? PART_NOT_AVAILABLE : 1; }else h->ref_cache[m][scan8[0] - 1 - 1*8] = PART_NOT_AVAILABLE; From cc88dacc1aa3b0a8a9077ed8a527894ce06d3b96 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Tue, 9 Oct 2012 20:56:58 +0200 Subject: [PATCH 357/991] g722enc: fix size argument in memset Fixes CID700725. (cherry picked from commit f1de23faaa61ecf3706055f2da97f5b92aa07d9c) Signed-off-by: Michael Niedermayer --- libavcodec/g722enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g722enc.c b/libavcodec/g722enc.c index b5707e3cd3..595afae633 100644 --- a/libavcodec/g722enc.c +++ b/libavcodec/g722enc.c 
@@ -174,7 +174,7 @@ static void g722_encode_trellis(G722Context *c, int trellis, for (i = 0; i < 2; i++) { nodes[i] = c->nodep_buf[i]; nodes_next[i] = c->nodep_buf[i] + frontier; - memset(c->nodep_buf[i], 0, 2 * frontier * sizeof(*c->nodep_buf)); + memset(c->nodep_buf[i], 0, 2 * frontier * sizeof(*c->nodep_buf[i])); nodes[i][0] = c->node_buf[i] + frontier; nodes[i][0]->ssd = 0; nodes[i][0]->path = 0; From c279e37e901eafc0e14554000e4729d7c86fe514 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 10 Oct 2012 19:47:05 +0200 Subject: [PATCH 358/991] flashsv: propagate inflateReset() errors Fixes CID717493. (cherry picked from commit c466eb174699bd912b9cf601e5b1a5da87e83a33) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 3861344cb7..e57469def5 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -122,10 +122,11 @@ static av_cold int flashsv_decode_init(AVCodecContext *avctx) } -static void flashsv2_prime(FlashSVContext *s, uint8_t *src, - int size, int unp_size) +static int flashsv2_prime(FlashSVContext *s, uint8_t *src, + int size, int unp_size) { z_stream zs; + int zret; // Zlib return code zs.zalloc = NULL; zs.zfree = NULL; @@ -145,13 +146,18 @@ static void flashsv2_prime(FlashSVContext *s, uint8_t *src, deflate(&zs, Z_SYNC_FLUSH); deflateEnd(&zs); - inflateReset(&s->zstream); + if ((zret = inflateReset(&s->zstream)) != Z_OK) { + av_log(s->avctx, AV_LOG_ERROR, "Inflate reset error: %d\n", zret); + return AVERROR_UNKNOWN; + } s->zstream.next_in = s->deflate_block; s->zstream.avail_in = s->deflate_block_size - zs.avail_out; s->zstream.next_out = s->tmpblock; s->zstream.avail_out = s->block_size * 3; inflate(&s->zstream, Z_SYNC_FLUSH); + + return 0; } static int flashsv_decode_block(AVCodecContext *avctx, AVPacket *avpkt, 
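Review bot: flashsv2_prime() (libavcodec/flashsv.c, PATCH 358) now reports an inflateReset() failure, but in the same function `deflate(&zs, Z_SYNC_FLUSH)` and `inflate(&s->zstream, Z_SYNC_FLUSH)` are still called with their return codes ignored, so the function can `return 0` after the priming step itself failed. Check those two calls as well and return an error on anything the code does not expect, otherwise the caller's new `if (ret < 0)` test only covers one of the three ways priming can go wrong.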
@@ -164,11 +170,14 @@ static int flashsv_decode_block(AVCodecContext *avctx, AVPacket *avpkt, int k; int ret = inflateReset(&s->zstream); if (ret != Z_OK) { - //return -1; + av_log(avctx, AV_LOG_ERROR, "Inflate reset error: %d\n", ret); + return AVERROR_UNKNOWN; } if (s->zlibprime_curr || s->zlibprime_prev) { - flashsv2_prime(s, s->blocks[blk_idx].pos, s->blocks[blk_idx].size, + ret = flashsv2_prime(s, s->blocks[blk_idx].pos, s->blocks[blk_idx].size, s->blocks[blk_idx].unp_size); + if (ret < 0) + return ret; } s->zstream.next_in = avpkt->data + get_bits_count(gb) / 8; s->zstream.avail_in = block_size; From 0b9d4643489477aac2c62f144aee4f53f9f98965 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Oct 2012 02:16:52 +0200 Subject: [PATCH 359/991] swscale-test: fix freeing of uninitialized variable Fixes: CID733844 Signed-off-by: Michael Niedermayer (cherry picked from commit fac1ccbda1bb8441c7329a3ac18fbf04886da983) Signed-off-by: Michael Niedermayer --- libswscale/swscale-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index ef6c55ce02..24a4747d02 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -87,7 +87,7 @@ static int doTest(uint8_t *ref[4], int refStride[4], int w, int h, static int srcStride[4]; uint8_t *dst[4] = { 0 }; uint8_t *out[4] = { 0 }; - int dstStride[4]; + int dstStride[4] = {0}; int i; uint64_t ssdY, ssdU = 0, ssdV = 0, ssdA = 0; struct SwsContext *dstContext = NULL, *outContext = NULL; From ba10ea845f413d0dff45c8c5381b48f78155f5dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Oct 2012 03:00:34 +0200 Subject: [PATCH 360/991] asrc_aevalsrc: Fix use of uninitialized pointer inside av_strtok() Fixes CID733842 Signed-off-by: Michael Niedermayer (cherry picked from commit 989c91b5042c19c9914a3b205b1ca6e1598c66ba) Signed-off-by: Michael Niedermayer --- libavfilter/asrc_aevalsrc.c | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/libavfilter/asrc_aevalsrc.c b/libavfilter/asrc_aevalsrc.c index 7bd6a89eb3..63fe9164b4 100644 --- a/libavfilter/asrc_aevalsrc.c +++ b/libavfilter/asrc_aevalsrc.c @@ -95,6 +95,12 @@ static int init(AVFilterContext *ctx, const char *args, void *opaque) eval->class = &eval_class; av_opt_set_defaults(eval); + if (!args1) { + av_log(ctx, AV_LOG_ERROR, "Argument is empty\n"); + ret = args ? AVERROR(ENOMEM) : AVERROR(EINVAL); + goto end; + } + /* parse expressions */ buf = args1; i = 0; From 7450a0215ae2242e497a334eef788b1acb581e7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Oct 2012 03:33:34 +0200 Subject: [PATCH 361/991] ffprobe: fix use of uninitialized pointer in av_strtok() Fixes CID733837 Signed-off-by: Michael Niedermayer (cherry picked from commit 4334ba043e9601717af3a7ca46addfaf154d5fb6) Signed-off-by: Michael Niedermayer --- ffprobe.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ffprobe.c b/ffprobe.c index ca6133e323..48c813a17c 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1790,6 +1790,10 @@ int main(int argc, char **argv) if (!print_format) print_format = av_strdup("default"); + if (!print_format) { + ret = AVERROR(ENOMEM); + goto end; + } w_name = av_strtok(print_format, "=", &buf); w_args = buf; From 8a525e4d18c503e79df3f526006ffbfda7955b39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Oct 2012 17:09:57 +0200 Subject: [PATCH 362/991] av_tempfile: fix leak in error case Fixes CID733796 Part2 Signed-off-by: Michael Niedermayer (cherry picked from commit c9454cb643f5404ca8f4f02e1384c863136f7a9e) Signed-off-by: Michael Niedermayer --- libavutil/file.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/file.c b/libavutil/file.c index e59335a77a..ca78505be5 100644 --- a/libavutil/file.c +++ b/libavutil/file.c 
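Review bot: In init() (libavfilter/asrc_aevalsrc.c, PATCH 360), the added check logs "Argument is empty" for both outcomes of `ret = args ? AVERROR(ENOMEM) : AVERROR(EINVAL)`, so when `args` is non-NULL the user is told the argument is empty while the code returns an out-of-memory error. Split the branch so each return code gets a message that matches it.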
@@ -171,6 +171,7 @@ int av_tempfile(const char *prefix, char **filename, int log_offset, void *log_c if (fd < 0) { int err = AVERROR(errno); av_log(&file_log_ctx, AV_LOG_ERROR, "ff_tempfile: Cannot open temporary file %s\n", *filename); + av_freep(filename); return err; } return fd; /* success */ From d12bf6fc9e7ea64f15e3b0a14e14ec49093ec81b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Oct 2012 17:41:36 +0200 Subject: [PATCH 363/991] libvpxenc: fix memleak on error path Fixes CID733795 Signed-off-by: Michael Niedermayer (cherry picked from commit 104b1d9e103f90485e894b20dd5bb3f1964fe5f3) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 621f818c9f..1d33ce9aec 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -483,6 +483,7 @@ static int queue_frames(AVCodecContext *avctx, uint8_t *buf, int buf_size, av_log(avctx, AV_LOG_ERROR, "Data buffer alloc (%zu bytes) failed\n", cx_frame->sz); + av_free(cx_frame); return AVERROR(ENOMEM); } memcpy(cx_frame->buf, pkt->data.frame.buf, pkt->data.frame.sz); From c9df500190ee9e2f4a7471e483069c06b24f5b00 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 11 Oct 2012 17:56:04 +0000 Subject: [PATCH 364/991] bmp: unbreak non BMP_RGB compression for v4 and v5 Fixes CID733728 & CID733729. Signed-off-by: Paul B Mahol (cherry picked from commit 313b40efbd63a2c6b9933519ba2b208f1031a9d0) Signed-off-by: Michael Niedermayer --- libavcodec/bmp.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index a286584428..14fd19379a 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -117,7 +117,7 @@ static int bmp_decode_frame(AVCodecContext *avctx, depth = bytestream_get_le16(&buf); - if(ihsize == 40 || ihsize == 64 || ihsize == 56) + if (ihsize >= 40) comp = bytestream_get_le32(&buf); else comp = BMP_RGB; 
@@ -132,8 +132,7 @@ static int bmp_decode_frame(AVCodecContext *avctx, rgb[0] = bytestream_get_le32(&buf); rgb[1] = bytestream_get_le32(&buf); rgb[2] = bytestream_get_le32(&buf); - if (ihsize >= 108) - alpha = bytestream_get_le32(&buf); + alpha = bytestream_get_le32(&buf); } avctx->width = width; From e6dfaf7bb89a63546c2266f5bc1f56719394ab91 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 12 Oct 2012 11:53:07 +0000 Subject: [PATCH 365/991] truemotion2: remove unreachable code Fixes CID610345. Signed-off-by: Paul B Mahol (cherry picked from commit caa7e24eb1d47a0dfeb9783909bce7df6d3f5482) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e2fbf9b0e9..2f94f56824 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -222,8 +222,6 @@ static inline int tm2_read_header(TM2Context *ctx, const uint8_t *buf) av_log (ctx->avctx, AV_LOG_ERROR, "Not a TM2 header: 0x%08X\n", magic); return -1; } - - return buf - obuf; } static int tm2_read_deltas(TM2Context *ctx, int stream_id) { From 46c1e5de58ac8cbe0f222e2649cf6bd6dd768012 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 12 Oct 2012 14:23:01 +0000 Subject: [PATCH 366/991] yop: check return value of avformat_new_stream() Fixes null pointer dereference, fixes CID703729. Signed-off-by: Paul B Mahol (cherry picked from commit 3d179edf6d2a987e7eb134eea541954338a19add) Signed-off-by: Michael Niedermayer --- libavformat/yop.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/yop.c b/libavformat/yop.c index eac3fb6707..9c06404698 100644 --- a/libavformat/yop.c +++ b/libavformat/yop.c 
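Review bot: In the second hunk of bmp_decode_frame() (libavcodec/bmp.c, PATCH 364), dropping the `if (ihsize >= 108)` guard makes the fourth `bytestream_get_le32(&buf)` (the alpha mask) unconditional, while the first hunk widens the accepted header sizes to any `ihsize >= 40`. Headers smaller than 108 bytes now have four more bytes consumed from the input than before, and no remaining-length check is visible ahead of these reads. Keep a guard tied to ihsize, or verify that enough input remains before reading the masks, and consider checking ihsize against the specific sizes the decoder understands instead of the open-ended `>= 40`.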
@@ -59,6 +59,8 @@ static int yop_read_header(AVFormatContext *s, AVFormatParameters *ap) audio_stream = avformat_new_stream(s, NULL); video_stream = avformat_new_stream(s, NULL); + if (!audio_stream || !video_stream) + return AVERROR(ENOMEM); // Extra data that will be passed to the decoder video_stream->codec->extradata_size = 8; From f2d56c2eebe6412c21f7376aaabdeedb91f61875 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Oct 2012 19:33:39 +0200 Subject: [PATCH 367/991] motion_est: more complete SAB diamond size check This makes no difference with the current #defines Fixes CID732255 Signed-off-by: Michael Niedermayer (cherry picked from commit 3a48e38ad0e37d89065843548414d367e70593bf) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index ad6395296e..0b8c4f4058 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -300,7 +300,7 @@ int ff_init_me(MpegEncContext *s){ int cache_size= FFMIN(ME_MAP_SIZE>>ME_MAP_SHIFT, 1<avctx->dia_size)&255, FFABS(s->avctx->pre_dia_size)&255); - if(FFMIN(s->avctx->dia_size, s->avctx->pre_dia_size) < -ME_MAP_SIZE){ + if(FFMIN(s->avctx->dia_size, s->avctx->pre_dia_size) < -FFMIN(ME_MAP_SIZE, MAX_SAB_SIZE)){ av_log(s->avctx, AV_LOG_ERROR, "ME_MAP size is too small for SAB diamond\n"); return -1; } From 8b64036038e259abd04d119b6f70df5433e4c04f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 00:10:23 +0200 Subject: [PATCH 368/991] aacsbr: change order of operation to prevent out of array read Fixes CID732250 Signed-off-by: Michael Niedermayer (cherry picked from commit c2340831b8e9032716acb0aab4893d3cc500213a) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 2f457b61cc..1110bb4a2e 100644 --- a/libavcodec/aacsbr.c 
+++ b/libavcodec/aacsbr.c @@ -542,7 +542,7 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) k = sbr->n_master; } while (sb != sbr->kx[1] + sbr->m[1]); - if (sbr->patch_num_subbands[sbr->num_patches-1] < 3 && sbr->num_patches > 1) + if (sbr->num_patches > 1 && sbr->patch_num_subbands[sbr->num_patches-1] < 3) sbr->num_patches--; return 0; From 3038e2041e87ffd3d249ce0c8109f19207ca0017 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 00:30:42 +0200 Subject: [PATCH 369/991] ffserver: prevent nb_streams from becoming too large Fixes CID732249 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f46825d9833b70cec671d825b0065850c485196) Signed-off-by: Michael Niedermayer --- ffserver.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ffserver.c b/ffserver.c index 79463c0e64..aebe651617 100644 --- a/ffserver.c +++ b/ffserver.c @@ -3457,6 +3457,9 @@ static AVStream *add_av_stream1(FFStream *stream, AVCodecContext *codec, int cop { AVStream *fst; + if(stream->nb_streams >= FF_ARRAY_ELEMS(stream->streams)) + return NULL; + fst = av_mallocz(sizeof(AVStream)); if (!fst) return NULL; @@ -3802,6 +3805,9 @@ static void add_codec(FFStream *stream, AVCodecContext *av) { AVStream *st; + if(stream->nb_streams >= FF_ARRAY_ELEMS(stream->streams)) + return NULL; + /* compute default parameters */ switch(av->codec_type) { case AVMEDIA_TYPE_AUDIO: From 7a0e5a63d01b8d70e638dff3f136b49e57c944ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 01:08:08 +0200 Subject: [PATCH 370/991] vf_fade: fix memleaks of args Fixes: CID718989 Signed-off-by: Michael Niedermayer (cherry picked from commit f374e9989be2478d276ed9e1c330a5726a26509c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fade.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index afd700b4c3..3bde5ddefd 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c 
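Review bot: In the second hunk of ffserver.c (PATCH 369), add_codec() is declared `static void`, yet the added bounds check ends in `return NULL;`. Use a plain `return;` there; returning a value from a void function is a constraint violation that compilers will at least warn about. Both new checks also reject the stream silently, so a configuration that exceeds `FF_ARRAY_ELEMS(stream->streams)` drops streams with no diagnostic; log an error at each site.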
@@ -103,14 +103,14 @@ static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque) if ((ret = av_opt_set(fade, "start_frame", expr, 0)) < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid value '%s' for start_frame option\n", expr); - return ret; + goto end; } } if (expr = av_strtok(NULL, ":", &bufptr)) { if ((ret = av_opt_set(fade, "nb_frames", expr, 0)) < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid value '%s' for nb_frames option\n", expr); - return ret; + goto end; } } From db4903f4e4b553b72059ed407b012aca6769b8ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 01:47:31 +0200 Subject: [PATCH 371/991] ffv1: avoid checking a double for equality if 0.0 != 0.0 a out of array read would occur, equal checks with floating point may behave in such odd ways, though this is very unlikely in a real implementation of a compiler Fixes: CID718936 Signed-off-by: Michael Niedermayer (cherry picked from commit 54b2d317ed99622efa07b10aca217e1a083105d9) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index c3034d326c..4d3a52887c 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -255,7 +255,7 @@ static void find_best_state(uint8_t best_state[256][256], const uint8_t one_stat occ[j]=1.0; for(k=0; k<256; k++){ double newocc[256]={0}; - for(m=0; m<256; m++){ + for(m=1; m<256; m++){ if(occ[m]){ len -=occ[m]*( p *l2tab[ m] + (1-p)*l2tab[256-m]); From c09b4dde377625d7f8a06caff71ff7120bad8f36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 02:37:47 +0200 Subject: [PATCH 372/991] wtvdec: fix memleak on error Fixes CID718002 Signed-off-by: Michael Niedermayer (cherry picked from commit e47024d72f326f7a76c9df90da861663fc5d5fc2) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
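Review bot: In find_best_state() (libavcodec/ffv1.c, PATCH 371), the loop now starts at `m=1`, but nothing in the code says why index 0 is skipped, and `if(occ[m])` still tests a double for truth. The reason is only in the commit message (with m == 0, `l2tab[256-m]` indexes past the table); put that in a comment next to the loop header so a later cleanup does not restore `m=0`.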
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index db9bb10068..06050337fc 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -565,8 +565,10 @@ static AVStream * new_stream(AVFormatContext *s, AVStream *st, int sid, int code if (!wst) return NULL; st = avformat_new_stream(s, NULL); - if (!st) + if (!st) { + av_free(wst); return NULL; + } st->id = sid; st->priv_data = wst; } From fa73f547a023ab4462416462eb3c389c77c8ee94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 03:49:11 +0200 Subject: [PATCH 373/991] jpegls: fix off limit Fixes part of CID717913 Signed-off-by: Michael Niedermayer (cherry picked from commit 4acfe3d193c741126bd7f5c1a32a911e00595ecc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 74714e0521..8eb9ec8d36 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -290,7 +290,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor // av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); if(ilv == 0) { /* separate planes */ stride = (s->nb_components > 1) ? 3 : 1; - off = av_clip(s->cur_scan - 1, 0, stride); + off = av_clip(s->cur_scan - 1, 0, stride - 1); width = s->width * stride; cur += off; for(i = 0; i < s->height; i++) { From 35b15a0da849ac62bd2343f2e52d9bd9504375ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 03:49:11 +0200 Subject: [PATCH 374/991] jpegls: increase run_index to 4 Fixes part of CID717913 Signed-off-by: Michael Niedermayer (cherry picked from commit 8dc89944270aa223a960218e62e88164f8eda359) Signed-off-by: Michael Niedermayer --- libavcodec/jpegls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index 2c21f774e8..3304032c2a 100644 
--- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -40,7 +40,7 @@ typedef struct JLSState{ int A[367], B[367], C[365], N[367]; int limit, reset, bpp, qbpp, maxval, range; int near, twonear; - int run_index[3]; + int run_index[4]; }JLSState; extern const uint8_t ff_log2_run[32]; From 12801f969bf5e62f13994afd22354fa6fc3e2cea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 19:46:53 +0200 Subject: [PATCH 375/991] trasher: check seek return value. Fixes CID733726 Signed-off-by: Michael Niedermayer (cherry picked from commit 8ab0b9cabacad57cad7c26144baa544fab9c2ba7) Signed-off-by: Michael Niedermayer --- tools/trasher.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/trasher.c b/tools/trasher.c index 61fd395f28..df6caf9932 100644 --- a/tools/trasher.c +++ b/tools/trasher.c @@ -54,7 +54,10 @@ int main(int argc, char **argv) while (count--) { int burst = 1 + ran() * (uint64_t) (abs(maxburst) - 1) / UINT32_MAX; int pos = ran() * (uint64_t) length / UINT32_MAX; - fseek(f, pos, SEEK_SET); + if (fseek(f, pos, SEEK_SET) < 0) { + fprintf(stderr, "seek failed\n"); + return 1; + } if (maxburst < 0) burst = -maxburst; From 93a0dd8358eed390e344219834975d2732c819f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 20:10:29 +0200 Subject: [PATCH 376/991] ffeval: avoid folding EOF onto a valid char Fixes CID733704 Signed-off-by: Michael Niedermayer (cherry picked from commit 225d3cc1ccd85bcda77e378f28aea6ab17ee4ba1) Signed-off-by: Michael Niedermayer --- tools/ffeval.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ffeval.c b/tools/ffeval.c index 027cd48237..d7b736a0cf 100644 --- a/tools/ffeval.c +++ b/tools/ffeval.c @@ -49,7 +49,7 @@ int main(int argc, char **argv) FILE *outfile = NULL, *infile = NULL; const char *prompt = "=> "; int count = 0, echo = 0; - char c; + int c; av_max_alloc(MAX_BLOCK_SIZE); From de4606a5b798f8905ab1a3e07f0375db34f5e69e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 13 Oct 2012 21:09:42 +0200 Subject: [PATCH 377/991] pp: avoid overflow in w*h Fixes CID700580 Signed-off-by: Michael Niedermayer (cherry picked from commit 3689ec3d28d76b7a67a5d3838870dfd25cd2daad) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 4b8184c4f4..406af654f4 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -3225,7 +3225,7 @@ static void RENAME(postProcess)(const uint8_t src[], int srcStride, uint8_t dst[ c.frameNum++; // first frame is fscked so we ignore it - if(c.frameNum == 1) yHistogram[0]= width*height/64*15/256; + if(c.frameNum == 1) yHistogram[0]= width*(uint64_t)height/64*15/256; for(i=0; i<256; i++){ sum+= yHistogram[i]; From cff9f07d391f4880ce923f86163d41251124641e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 22:33:40 +0200 Subject: [PATCH 378/991] ffv1: make sure gob_count is not 0 Fixes division by 0 Fixes CID733736 Signed-off-by: Michael Niedermayer (cherry picked from commit 670b927aa22125a20b7915014ae41335cbf20ec4) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 4d3a52887c..8875c6ebea 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -993,7 +993,7 @@ static av_cold int encode_init(AVCodecContext *avctx) } } gob_count= strtol(p, &next, 0); - if(next==p || gob_count <0){ + if(next==p || gob_count <=0){ av_log(avctx, AV_LOG_ERROR, "2Pass file invalid\n"); return -1; } From 400b23beab0ab049152e276996a2a405b5542a02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 22:36:15 +0200 Subject: [PATCH 379/991] dnxhddata_ Fix mixup of sizeof() and array elements in ff_dnxhd_find_cid() Fixes CID717910 
Signed-off-by: Michael Niedermayer (cherry picked from commit 1037e484f0f1c45ab0a398c78985d3b91daa410c) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhddata.c b/libavcodec/dnxhddata.c index 948a4c6730..da6260e909 100644 --- a/libavcodec/dnxhddata.c +++ b/libavcodec/dnxhddata.c @@ -1038,7 +1038,7 @@ int ff_dnxhd_find_cid(AVCodecContext *avctx, int bit_depth) if (cid->width == avctx->width && cid->height == avctx->height && cid->interlaced == !!(avctx->flags & CODEC_FLAG_INTERLACED_DCT) && cid->bit_depth == bit_depth) { - for (j = 0; j < sizeof(cid->bit_rates); j++) { + for (j = 0; j < FF_ARRAY_ELEMS(cid->bit_rates); j++) { if (cid->bit_rates[j] == mbs) return cid->cid; } From e6fa08f14efd51e5d467d2d976a2708b625c3f3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 22:48:32 +0200 Subject: [PATCH 380/991] flashsv: check deflateInit() return value Fixes CID703620 Signed-off-by: Michael Niedermayer (cherry picked from commit b3eb4f54c0d091ed518b38a5b90183d0d55fa729) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index e57469def5..3f9ec35fd3 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -138,7 +138,8 @@ static int flashsv2_prime(FlashSVContext *s, uint8_t *src, s->zstream.avail_out = s->block_size * 3; inflate(&s->zstream, Z_SYNC_FLUSH); - deflateInit(&zs, 0); + if (deflateInit(&zs, 0) != Z_OK) + return -1; zs.next_in = s->tmpblock; zs.avail_in = s->block_size * 3 - s->zstream.avail_out; zs.next_out = s->deflate_block; From 75a11e950fc4ce6eb43758a4b46d8dd81294bb3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 23:52:55 +0200 Subject: [PATCH 381/991] mpegvideo: fix motion_val checks Fixes CID604124 
Signed-off-by: Michael Niedermayer (cherry picked from commit 20ec0d2a750a804f50c090cf6e6509db8ff9cadd) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 5d38361d67..61dde24019 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1597,7 +1597,7 @@ void ff_print_debug_info(MpegEncContext *s, AVFrame *pict) int mb_x; for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_index = mb_x + mb_y * s->mb_stride; - if ((s->avctx->debug_mv) && pict->motion_val) { + if ((s->avctx->debug_mv) && pict->motion_val[0]) { int type; for (type = 0; type < 3; type++) { int direction = 0; @@ -1676,7 +1676,7 @@ void ff_print_debug_info(MpegEncContext *s, AVFrame *pict) } } } - if ((s->avctx->debug & FF_DEBUG_VIS_QP) && pict->motion_val) { + if ((s->avctx->debug & FF_DEBUG_VIS_QP)) { uint64_t c = (pict->qscale_table[mb_index] * 128 / 31) * 0x0101010101010101ULL; int y; @@ -1690,7 +1690,7 @@ void ff_print_debug_info(MpegEncContext *s, AVFrame *pict) } } if ((s->avctx->debug & FF_DEBUG_VIS_MB_TYPE) && - pict->motion_val) { + pict->motion_val[0]) { int mb_type = pict->mb_type[mb_index]; uint64_t u,v; int y; From 7f1fb8d2a367a20cdb674efb71346ba19c4f9e21 Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sat, 13 Oct 2012 22:58:55 +0200 Subject: [PATCH 382/991] alsdec: fix clipping of weightings for MCC decoding Fixes CID717905 Signed-off-by: Michael Niedermayer (cherry picked from commit feaff427c0df015146f660199453bd8c0314e677) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index aa1c82a5a9..643d25ee2f 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -1179,14 +1179,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel != c) { current->time_diff_flag = get_bits1(gb); - current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 32)]; - current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)]; + current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; if (current->time_diff_flag) { - current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; current->time_diff_sign = get_bits1(gb); current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; From 5b5e61a0bf0d8f81ac5bf29b844af2c6e1081235 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Oct 2012 21:45:42 +0200 Subject: [PATCH 383/991] noise_bsf: fix division by 0 Fixes CID733737 Signed-off-by: Michael Niedermayer (cherry picked from commit 93ef29b6f47eda7d73eb9e71628f1f1abb64266d) Signed-off-by: Michael Niedermayer --- libavcodec/noise_bsf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c index 491fbccc1d..18a7f30886 100644 --- a/libavcodec/noise_bsf.c +++ b/libavcodec/noise_bsf.c 
@@ -28,6 +28,9 @@ static int noise(AVBitStreamFilterContext *bsfc, AVCodecContext *avctx, const ch int amount= args ? atoi(args) : (*state % 10001+1); int i; + if(amount <= 0) + return AVERROR(EINVAL); + *poutbuf= av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); memcpy(*poutbuf, buf, buf_size + FF_INPUT_BUFFER_PADDING_SIZE); From 36982b3616728033ad7868d845cc7438ceef3e76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Oct 2012 21:43:19 +0200 Subject: [PATCH 384/991] Update for 0.10.6 Signed-off-by: Michael Niedermayer --- Changelog | 15 +++++++++++++++ Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 030ecbd8b8..bf7aa361be 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,21 @@ releases are sorted from youngest to oldest. version next: +version 0.10.6: + +- many bug fixes that where found with Coverity + +- The following CVE fixes where backported: + CVE-2012-2796, CVE-2012-2775, CVE-2012-2772, CVE-2012-2776, + CVE-2012-2779, CVE-2012-2787, CVE-2012-2794, CVE-2012-2800, + CVE-2012-2802, CVE-2012-2801, CVE-2012-2786, CVE-2012-2798, + CVE-2012-2793, CVE-2012-2789, CVE-2012-2788, CVE-2012-2790, + CVE-2012-2777, CVE-2012-2784 + +- hundreads of other bug fixes, some possibly security relevant, + see the git log for details. + + version 0.10.5: - Several bugs and crashes have been fixed as well as build problems diff --git a/Doxyfile b/Doxyfile index 9c0e3289ba..d77acba722 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.5 +PROJECT_NUMBER = 0.10.6 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 9028ec6365..69da6ebcd0 100644 --- a/RELEASE +++ b/RELEASE 
@@ -1 +1 @@ -0.10.5 +0.10.6 diff --git a/VERSION b/VERSION index 9028ec6365..69da6ebcd0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.5 +0.10.6 From e287201c77dc7a7a9759d56d8f48ae719b7e69a9 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 11 Nov 2012 22:41:46 +0100 Subject: [PATCH 385/991] x86: Require an assembler able to cope with AVX instructions All modern assemblers have this capability. Older NASM versions that lack the capability produce code that crashes at runtime, so it's better to error out during the build process instead. CC: libav-stable@libav.org (cherry picked from commit b8e8a07c6c4df93de92480f5c3a14296a6a2a690) Conflicts: configure --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index 93b98a96dd..51e20cb54e 100755 --- a/configure +++ b/configure @@ -2785,9 +2785,8 @@ EOF elf*) enabled debug && append YASMFLAGS $yasm_debug ;; esac - check_yasm "pextrd [eax], xmm0, 1" && enable yasm || + check_yasm "vextractf128 xmm0, ymm0, 0" && enable yasm || die "yasm not found, use --disable-yasm for a crippled build" - check_yasm "vextractf128 xmm0, ymm0, 0" || disable avx fi case "$cpu" in From 213f651498483c86097d5e0480a09b975ad1f28c Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 5 Dec 2012 19:56:36 +0100 Subject: [PATCH 386/991] h264: slice-mt: get last_pic_dropable from master context Fixes fate-h264-conformance-cvnlfi2_sony_h and smllwebdl.mkv from https://github.com/OpenELEC/OpenELEC.tv/issues/1557 . (cherry picked from commit 24c62ea7a5df44804be88150aa0c45e6796b5da9) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 54540e67f2..7632e95a86 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -2868,7 +2868,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->mb_mbaff = 0; h->mb_aff_frame = 0; last_pic_structure = s0->picture_structure; - last_pic_dropable = s->dropable; + last_pic_dropable = s0->dropable; s->dropable = h->nal_ref_idc == 0; if(h->sps.frame_mbs_only_flag){ s->picture_structure= PICT_FRAME; From 1a5b7ce0ea676aa5811a19660724dbc446d0e988 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Oct 2012 04:58:20 +0200 Subject: [PATCH 387/991] riff: retry reading metadata without padding if it fails with Fixes Ticket1821 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d0c27e88d2bb495d61bd32f41769f767a0c2a802) --- libavformat/riff.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/riff.c b/libavformat/riff.c index 4efd1ad756..522c57b869 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -707,8 +707,13 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size) chunk_code = avio_rl32(pb); chunk_size = avio_rl32(pb); if (chunk_size > end || end - chunk_size < cur || chunk_size == UINT_MAX) { - av_log(s, AV_LOG_ERROR, "too big INFO subchunk\n"); - return AVERROR_INVALIDDATA; + avio_seek(pb, -9, SEEK_CUR); + chunk_code = avio_rl32(pb); + chunk_size = avio_rl32(pb); + if (chunk_size > end || end - chunk_size < cur || chunk_size == UINT_MAX) { + av_log(s, AV_LOG_ERROR, "too big INFO subchunk\n"); + return AVERROR_INVALIDDATA; + } } chunk_size += (chunk_size & 1); From f1156fdc02343db9df0552fc660cd5c5eb8f47a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Nov 2012 23:35:16 +0100 Subject: [PATCH 388/991] riff: ignore ff_read_riff_info() failure. Some files simply contain invalid info tags. Fixes unrelated bug posted into Ticket1821 Signed-off-by: Michael Niedermayer (cherry picked from commit 09456d0df13404f004ab3a341d9ac21b7e5e6d6d) --- libavformat/wav.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/libavformat/wav.c b/libavformat/wav.c index 9d4b0708b8..2080d8e664 100644 --- a/libavformat/wav.c +++ b/libavformat/wav.c @@ -513,8 +513,7 @@ static int wav_read_header(AVFormatContext *s, } switch (list_type) { case MKTAG('I', 'N', 'F', 'O'): - if ((ret = ff_read_riff_info(s, size - 4)) < 0) - return ret; + ff_read_riff_info(s, size - 4); } break; } From 2a42b680e993329e0aa4f8beac5c606d0df363f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Nov 2012 23:08:01 +0100 Subject: [PATCH 389/991] avidec: try to support oddly muxed MMES stream Fixes ticket1804 Signed-off-by: Michael Niedermayer (cherry picked from commit be89693ddc5a8cdeaf3edf48fb584d6adca54de0) --- libavformat/avidec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index cedce5d8ef..41e2e3c027 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1254,6 +1254,11 @@ static int avi_read_idx1(AVFormatContext *s, int size) avi->stream_index = -1; avio_seek(pb, idx1_pos, SEEK_SET); + if (s->nb_streams == 1 && s->streams[0]->codec->codec_tag == AV_RL32("MMES")){ + first_packet_pos = 0; + data_offset = avi->movi_list; + } + /* Read the entries and sort them in each stream component. */ for(i = 0; i < nb_index_entries; i++) { if(url_feof(pb)) From 6773269f4c84d232aba5818ef012c3a47b2f43c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Dec 2012 19:29:32 +0100 Subject: [PATCH 390/991] mpeg1video: support multi threaded slice encoding. Signed-off-by: Michael Niedermayer (cherry picked from commit 03df9720168335482f00898fc16b56ff4878d0e7) Conflicts: libavcodec/mpeg12enc.c --- libavcodec/mpeg12enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 62514e4f9c..c730f878cb 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c 
@@ -463,7 +463,7 @@ static av_always_inline void mpeg1_encode_mb_internal(MpegEncContext *s, } if (cbp == 0 && !first_mb && s->mv_type == MV_TYPE_16X16 && - (mb_x != s->mb_width - 1 || (mb_y != s->mb_height - 1 && s->codec_id == CODEC_ID_MPEG1VIDEO)) && + (mb_x != s->mb_width - 1 || (mb_y != s->end_mb_y - 1 && s->codec_id == CODEC_ID_MPEG1VIDEO)) && ((s->pict_type == AV_PICTURE_TYPE_P && (motion_x | motion_y) == 0) || (s->pict_type == AV_PICTURE_TYPE_B && s->mv_dir == s->last_mv_dir && (((s->mv_dir & MV_DIR_FORWARD) ? ((s->mv[0][0][0] - s->last_mv[0][0][0])|(s->mv[0][0][1] - s->last_mv[0][0][1])) : 0) | ((s->mv_dir & MV_DIR_BACKWARD) ? ((s->mv[1][0][0] - s->last_mv[1][0][0])|(s->mv[1][0][1] - s->last_mv[1][0][1])) : 0)) == 0))) { @@ -974,7 +974,7 @@ AVCodec ff_mpeg1video_encoder = { .close = MPV_encode_end, .supported_framerates= avpriv_frame_rate_tab+1, .pix_fmts= (const enum PixelFormat[]){PIX_FMT_YUV420P, PIX_FMT_NONE}, - .capabilities= CODEC_CAP_DELAY, + .capabilities= CODEC_CAP_DELAY | CODEC_CAP_SLICE_THREADS, .long_name= NULL_IF_CONFIG_SMALL("MPEG-1 video"), .priv_class = &mpeg1_class, }; From cdb376d77507d417be443d60d6dbc3960d5712d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Dec 2012 19:52:46 +0100 Subject: [PATCH 391/991] mpeg1video: fix regression with slices != threads Signed-off-by: Michael Niedermayer (cherry picked from commit a01679586cd9ac8470b81c0299fc7e13fd980d64) --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d14374393c..e289663ee7 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -595,7 +595,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) return -1; } - if (s->avctx->thread_count > 1) + if (s->avctx->slices > 1 || s->avctx->thread_count > 1) s->rtp_mode = 1; if (!avctx->time_base.den || !avctx->time_base.num) { From c3d7c805bc9c1ed584e92649cd8fa8cbb7010967 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 30 Dec 2012 06:53:48 +0100 Subject: [PATCH 392/991] lavc/ass_split: check for NULL pointer in ff_ass_split_override_codes(). This is consistent with the other ff_ass_split_* functions. It also fixes a crash when trying to split a dialog with text=NULL (which seems to happen when the text of the dialog is empty); basically, this commit fixes crashes when trying to encode an empty text subtitle dialog (see subrip and mov_text encoders). Fixes Ticket2048. (cherry picked from commit c83002a4f8042ccfa0688a9a18e8fa0369c1fda8) --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 2a3b76445e..33c1c2714f 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv, char new_line[2]; int text_len = 0; - while (*buf) { + while (buf && *buf) { if (text && callbacks->text && (sscanf(buf, "\\%1[nN]", new_line) == 1 || !strncmp(buf, "{\\", 2))) { From 398d4e866975fee776683b301893f3595871637e Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 2 Jan 2013 20:07:48 +0100 Subject: [PATCH 393/991] Prepare for 0.8.5 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index b60d71966a..7ada0d303f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.4 +0.8.5 From 3fca5799c6863e8b899fe37ed31f710d3d07e270 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Dec 2012 19:38:20 +0100 Subject: [PATCH 394/991] ivi_common: check that scan pattern is set before using it. Fixes CVE-2012-2791. CC: libav-stable@libav.org (cherry picked from commit deabb52ab4c1fdb3dd319f3980b1489a182011f1) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index db33767820..84705c4c62 100644 
--- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -411,6 +411,11 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) } if (cbp & 1) { /* block coded ? */ + if (!band->scan) { + av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n"); + return AVERROR_INVALIDDATA; + } + scan_pos = -1; memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */ From 145317d22073e84fda642905f9518eda04a279b5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 14 Dec 2012 08:22:06 +0100 Subject: [PATCH 395/991] vp56: make parse_header return standard error codes Returning 0 for failure is misleading. CC: libav-stable@libav.org (cherry picked from commit bb675d3ac6d722d5e117ae9042a996b55ca05b1d) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 12 ++++++------ libavcodec/vp56.c | 8 ++++---- libavcodec/vp56.h | 2 ++ libavcodec/vp6.c | 12 ++++++------ 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 1c6eaa9d42..05c399c445 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -49,18 +49,18 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, { vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) - return 0; + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (vp56_rac_get(c)) { av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); - return 0; + return AVERROR_PATCHWELCOME; } rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ if (!rows || !cols) { av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); - return 0; + return AVERROR_INVALIDDATA; } vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ 
@@ -69,11 +69,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, 16*cols != s->avctx->coded_width || 16*rows != s->avctx->coded_height) { avcodec_set_dimensions(s->avctx, 16*cols, 16*rows); - return 2; + return VP56_SIZE_CHANGE; } } else if (!s->macroblocks) - return 0; - return 1; + return AVERROR_INVALIDDATA; + return 0; } static void vp5_parse_vector_adjustment(VP56Context *s, VP56mv *vect) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 3b2ac95837..0ad468cd0d 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -513,10 +513,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (!res) - return -1; + if (res < 0) + return res; - if (res == 2) { + if (res == VP56_SIZE_CHANGE) { int i; for (i = 0; i < 4; i++) { if (s->frames[i].data[0]) @@ -535,7 +535,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, return -1; } - if (res == 2) + if (res == VP56_SIZE_CHANGE) if (vp56_size_changed(avctx)) { avctx->release_buffer(avctx, p); return -1; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 0607e0d4ce..770b6081b3 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -39,6 +39,8 @@ typedef struct { int16_t y; } DECLARE_ALIGNED(4, , VP56mv); +#define VP56_SIZE_CHANGE 1 + typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, VP56mv *vect); typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 861a2da49e..9c8d40f70c 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -52,7 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, int vrt_shift = 0; int sub_version; int rows, cols; - int res = 1; + int res = 0; int separated_coeff = buf[0] & 1; s->framep[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); 
@@ -61,7 +61,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (s->framep[VP56_FRAME_CURRENT]->key_frame) { sub_version = buf[1] >> 3; if (sub_version > 8) - return 0; + return AVERROR_INVALIDDATA; s->filter_header = buf[1] & 0x06; if (buf[1] & 1) { av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); @@ -79,7 +79,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, /* buf[5] is number of displayed macroblock cols */ if (!rows || !cols) { av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); - return 0; + return AVERROR_INVALIDDATA; } if (!s->macroblocks || /* first frame */ @@ -90,7 +90,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, s->avctx->width -= s->avctx->extradata[0] >> 4; s->avctx->height -= s->avctx->extradata[0] & 0x0F; } - res = 2; + res = VP56_SIZE_CHANGE; } ff_vp56_init_range_decoder(c, buf+6, buf_size-6); @@ -102,7 +102,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, s->sub_version = sub_version; } else { if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height) - return 0; + return AVERROR_INVALIDDATA; if (separated_coeff || !s->filter_header) { coeff_offset = AV_RB16(buf+1) - 2; @@ -146,7 +146,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (buf_size < 0) { if (s->framep[VP56_FRAME_CURRENT]->key_frame) avcodec_set_dimensions(s->avctx, 0, 0); - return 0; + return AVERROR_INVALIDDATA; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; From 211badf0689d3972c08790c6776d99a1b12cb935 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 14 Dec 2012 09:55:04 +0100 Subject: [PATCH 396/991] vp56: release frames on error Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) 
Signed-off-by: Reinhard Tartler --- libavcodec/vp56.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 0ad468cd0d..7767461843 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -513,8 +513,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (res < 0) + if (res < 0) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } return res; + } if (res == VP56_SIZE_CHANGE) { int i; From 9837f196938427be3aa35a3768e5836354ff51d4 Mon Sep 17 00:00:00 2001 From: Sami Pietila Date: Fri, 12 Oct 2012 07:12:49 -0700 Subject: [PATCH 397/991] vp8: reset loopfilter delta values at keyframes. Signed-off-by: Ronald S. Bultje (cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd) Signed-off-by: Reinhard Tartler --- libavcodec/vp8.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 833819890d..a16f5ca1ee 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -318,6 +318,7 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size) memcpy(s->prob->pred8x8c , vp8_pred8x8c_prob_inter , sizeof(s->prob->pred8x8c)); memcpy(s->prob->mvc , vp8_mv_default_prob , sizeof(s->prob->mvc)); memset(&s->segmentation, 0, sizeof(s->segmentation)); + memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } if (!s->macroblocks_base || /* first frame */ From abe345251a1c7d56a8afc140d8002f4fe2d2a42b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 26 Oct 2012 22:55:04 +0200 Subject: [PATCH 398/991] yuv4mpeg: reject unsupported codecs The muxer already rejects unsupported pixel formats, reject also unsupported codecs to prevent dangerous misuses. (cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db) Conflicts: libavformat/yuv4mpeg.c 
Signed-off-by: Reinhard Tartler --- libavformat/yuv4mpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c index 09aabedea9..f68c1a708f 100644 --- a/libavformat/yuv4mpeg.c +++ b/libavformat/yuv4mpeg.c @@ -155,6 +155,11 @@ static int yuv4_write_header(AVFormatContext *s) if (s->nb_streams != 1) return AVERROR(EIO); + if (s->streams[0]->codec->codec_id != CODEC_ID_RAWVIDEO) { + av_log(s, AV_LOG_ERROR, "ERROR: Only rawvideo supported.\n"); + return AVERROR_INVALIDDATA; + } + if (s->streams[0]->codec->pix_fmt == PIX_FMT_YUV411P) { av_log(s, AV_LOG_ERROR, "Warning: generating rarely used 4:1:1 YUV " "stream, some mjpegtools might not work.\n"); From 0ba0e3195517e423c35b232384e380b975b88b4e Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 7 Nov 2012 14:48:28 -0500 Subject: [PATCH 399/991] flacenc: ensure the order is within the min/max range in LPC order search This fixes use of uninitialized values when the FLAC encoder uses the 2-level, 4-level, and 8-level search methods. Fixes failure of the fate-flac-24-comp-8 test when run using valgrind. (cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032) Conflicts: libavcodec/flacenc.c Signed-off-by: Reinhard Tartler --- libavcodec/flacenc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index 94e381d17e..2bd47883e0 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c 
@@ -915,14 +915,16 @@ static int encode_residual_ch(FlacEncodeContext *s, int ch) omethod == ORDER_METHOD_8LEVEL) { int levels = 1 << omethod; uint32_t bits[1 << ORDER_METHOD_8LEVEL]; - int order; + int order = -1; int opt_index = levels-1; opt_order = max_order-1; bits[opt_index] = UINT32_MAX; for (i = levels-1; i >= 0; i--) { + int last_order = order; order = min_order + (((max_order-min_order+1) * (i+1)) / levels)-1; - if (order < 0) - order = 0; + order = av_clip(order, min_order - 1, max_order - 1); + if (order == last_order) + continue; encode_residual_lpc(res, smp, n, order+1, coefs[order], shift[order]); bits[i] = find_subframe_rice_params(s, sub, order+1); if (bits[i] < bits[opt_index]) { From 50b8e4c8fd25cc588062cafdda9ef57755e8fe67 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 22 Oct 2012 22:40:22 +0200 Subject: [PATCH 400/991] avconv: only apply presets when we have an encoder. Fixes a crash when using a preset with stream copy. (cherry picked from commit 4e61a38aa038b7027c5ed423635168d463515d24) Signed-off-by: Reinhard Tartler --- avconv.c | 55 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/avconv.c b/avconv.c index 34507d4d0c..de228ec61d 100644 --- a/avconv.c +++ b/avconv.c @@ -3468,8 +3468,6 @@ static OutputStream *new_output_stream(OptionsContext *o, AVFormatContext *oc, e char *bsf = NULL, *next, *codec_tag = NULL; AVBitStreamFilterContext *bsfc, *bsfc_prev = NULL; double qscale = -1; - char *buf = NULL, *arg = NULL, *preset = NULL; - AVIOContext *s = NULL; if (!st) { av_log(NULL, AV_LOG_FATAL, "Could not alloc stream.\n"); 
@@ -3488,37 +3486,40 @@ static OutputStream *new_output_stream(OptionsContext *o, AVFormatContext *oc, e st->codec->codec_type = type; choose_encoder(o, oc, ost); if (ost->enc) { + AVIOContext *s = NULL; + char *buf = NULL, *arg = NULL, *preset = NULL; + ost->opts = filter_codec_opts(codec_opts, ost->enc->id, oc, st); + + MATCH_PER_STREAM_OPT(presets, str, preset, oc, st); + if (preset && (!(ret = get_preset_file_2(preset, ost->enc->name, &s)))) { + do { + buf = get_line(s); + if (!buf[0] || buf[0] == '#') { + av_free(buf); + continue; + } + if (!(arg = strchr(buf, '='))) { + av_log(NULL, AV_LOG_FATAL, "Invalid line found in the preset file.\n"); + exit_program(1); + } + *arg++ = 0; + av_dict_set(&ost->opts, buf, arg, AV_DICT_DONT_OVERWRITE); + av_free(buf); + } while (!s->eof_reached); + avio_close(s); + } + if (ret) { + av_log(NULL, AV_LOG_FATAL, + "Preset %s specified for stream %d:%d, but could not be opened.\n", + preset, ost->file_index, ost->index); + exit_program(1); + } } avcodec_get_context_defaults3(st->codec, ost->enc); st->codec->codec_type = type; // XXX hack, avcodec_get_context_defaults2() sets type to unknown for stream copy - MATCH_PER_STREAM_OPT(presets, str, preset, oc, st); - if (preset && (!(ret = get_preset_file_2(preset, ost->enc->name, &s)))) { - do { - buf = get_line(s); - if (!buf[0] || buf[0] == '#') { - av_free(buf); - continue; - } - if (!(arg = strchr(buf, '='))) { - av_log(NULL, AV_LOG_FATAL, "Invalid line found in the preset file.\n"); - exit_program(1); - } - *arg++ = 0; - av_dict_set(&ost->opts, buf, arg, AV_DICT_DONT_OVERWRITE); - av_free(buf); - } while (!s->eof_reached); - avio_close(s); - } - if (ret) { - av_log(NULL, AV_LOG_FATAL, - "Preset %s specified for stream %d:%d, but could not be opened.\n", - preset, ost->file_index, ost->index); - exit_program(1); - } - ost->max_frames = INT64_MAX; MATCH_PER_STREAM_OPT(max_frames, i64, ost->max_frames, oc, st); From 576834b08e2eef0f076dd036276c410b38e7d620 Mon Sep 17 00:00:00 2001 
From: Diego Biurrun Date: Wed, 25 Jan 2012 14:56:24 +0100 Subject: [PATCH 401/991] Ignore generated aviocat tool. (cherry picked from commit 50639cbefef8cc9f3df19241be7cf23cde8313b7) Signed-off-by: Diego Biurrun --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 2118a5115e..478a1eebf3 100644 --- a/.gitignore +++ b/.gitignore @@ -35,6 +35,7 @@ tests/tiny_psnr tests/videogen tests/vsynth1 tests/vsynth2 +tools/aviocat tools/cws2fws tools/graph2dot tools/lavfi-showfiltfmts From dcf8f259d107838ff3778343dcb762398130a1a3 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 26 Jun 2011 13:52:40 +0200 Subject: [PATCH 402/991] build: Add 'check' target to run all compile and test targets. (cherry picked from commit 4982e1ddfaff5287e05b95957f3c56901d60b56a) Signed-off-by: Diego Biurrun --- Makefile | 4 +++- doc/developer.texi | 4 +--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 19b8df42d3..ff871c4373 100644 --- a/Makefile +++ b/Makefile @@ -182,6 +182,8 @@ distclean:: config: $(SRC_PATH)/configure $(value LIBAV_CONFIGURATION) +check: all alltools checkheaders examples testprogs fate + include $(SRC_PATH)/doc/Makefile include $(SRC_PATH)/tests/Makefile @@ -196,5 +198,5 @@ $(sort $(OBJDIRS)): # so this saves some time on slow systems. .SUFFIXES: -.PHONY: all all-yes alltools *clean config examples install* +.PHONY: all all-yes alltools check *clean config examples install* .PHONY: testprogs uninstall* diff --git a/doc/developer.texi b/doc/developer.texi index 046743fd62..c189de1870 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -420,9 +420,7 @@ send a reminder by email. Your patch should eventually be dealt with. @enumerate @item - Does @code{make fate} pass with the patch applied? -@item - Does @code{make checkheaders} pass with the patch applied? + Does @code{make check} pass with the patch applied? @item Is the patch against latest Libav git master branch? @item 
From 26b177b8f7abb2058fdd3a9142e26f118eaad294 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 3 Jan 2013 15:30:22 +0100 Subject: [PATCH 403/991] build: fix 'clean' target This fixes removal of TOOLS as well as HOSTPROGS declared in the top-level Makefile. The clean target in common.mak needs to be eval'd since the variables used within are reset for each library. (cherry picked from commit 395c3feb3bb165af5760d287a9a64344b6269fe2) Conflicts: common.mak library.mak Signed-off-by: Diego Biurrun --- Makefile | 1 - common.mak | 9 +++++++++ library.mak | 3 +-- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ff871c4373..96e3a874bf 100644 --- a/Makefile +++ b/Makefile @@ -172,7 +172,6 @@ uninstall-data: clean:: $(RM) $(ALLPROGS) $(RM) $(CLEANSUFFIXES) - $(RM) $(TOOLS) $(RM) $(CLEANSUFFIXES:%=tools/%) distclean:: diff --git a/common.mak b/common.mak index d781ced09e..9193455c56 100644 --- a/common.mak +++ b/common.mak @@ -49,4 +49,13 @@ CLEANSUFFIXES = *.d *.o *~ *.ho *.map *.ver DISTCLEANSUFFIXES = *.pc LIBSUFFIXES = *.a *.lib *.so *.so.* *.dylib *.dll *.def *.dll.a *.exp +define RULES +clean:: + $(RM) $(OBJS) $(OBJS:.o=.d) + $(RM) $(HOSTPROGS) + $(RM) $(TOOLS) +endef + +$(eval $(RULES)) + -include $(wildcard $(OBJS:.o=.d) $(TESTOBJS:.o=.d)) diff --git a/library.mak b/library.mak index f50e8e59ee..8dde8f47da 100644 --- a/library.mak +++ b/library.mak @@ -47,8 +47,7 @@ $(SUBDIR)$(SLIBNAME_WITH_MAJOR): $(OBJS) $(SUBDIR)lib$(NAME).ver $(DEP_LIBS) clean:: $(RM) $(addprefix $(SUBDIR),*-example$(EXESUF) *-test$(EXESUF) $(CLEANFILES) $(CLEANSUFFIXES) $(LIBSUFFIXES)) \ - $(foreach dir,$(DIRS),$(CLEANSUFFIXES:%=$(SUBDIR)$(dir)/%)) \ - $(HOSTOBJS) $(HOSTPROGS) + $(foreach dir,$(DIRS),$(CLEANSUFFIXES:%=$(SUBDIR)$(dir)/%)) distclean:: clean $(RM) $(DISTCLEANSUFFIXES:%=$(SUBDIR)%) \ From 52adbc0e1793208c604c581c0eeba6fee0606005 Mon Sep 17 00:00:00 2001 
From: Janne Grunau Date: Thu, 15 Nov 2012 16:21:41 +0100 Subject: [PATCH 404/991] h264: Fix parameters to ff_er_add_slice() call s->mb_x is reset to zero a couple of lines above. It does not make sense to call ff_er_add_slice() with 0 as endx when the end of the macroblock row was reached. Fixes unnecessary and counterproductive error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394. (cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d8d0a7d4f3..b866917e5f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3760,9 +3760,10 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){ ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x-1, s->mb_y, ER_MB_END&part_mask); return 0; - }else{ - ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, ER_MB_END&part_mask); - + } else { + ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, + s->mb_x - 1, s->mb_y, + ER_MB_END & part_mask); return -1; } } From 3750104e9d809c5516f8f201c699603b3609aa91 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 21 Nov 2012 08:48:47 +0100 Subject: [PATCH 405/991] id3v2: fix reading unsynchronized frames. Current code would incorrectly process e.g. 'ff 00 ff 00 ff' to 'ff ff ff', while it should be 'ff ff 00 ff'. Fixes Bug 395. CC: libav-stable@libav.org (cherry picked from commit 9ae80e6a9cefcab61e867256ba19ef78a4bfe0cb) Signed-off-by: Reinhard Tartler --- libavformat/id3v2.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 6499872947..a7d3549e17 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c 
@@ -502,21 +502,23 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t /* check for text tag or supported special meta tag */ } else if (tag[0] == 'T' || (extra_meta && (extra_func = get_extra_meta_func(tag, isv34)))) { if (unsync || tunsync) { - int i, j; + int64_t end = avio_tell(s->pb) + tlen; + uint8_t *b; av_fast_malloc(&buffer, &buffer_size, tlen); if (!buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %d bytes\n", tlen); goto seek; } - for (i = 0, j = 0; i < tlen; i++, j++) { - buffer[j] = avio_r8(s->pb); - if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) { - /* Unsynchronised byte, skip it */ - j--; + b = buffer; + while (avio_tell(s->pb) < end) { + *b++ = avio_r8(s->pb); + if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) { + uint8_t val = avio_r8(s->pb); + *b++ = val ? val : avio_r8(s->pb); } } - ffio_init_context(&pb, buffer, j, 0, NULL, NULL, NULL, NULL); - tlen = j; + ffio_init_context(&pb, buffer, b - buffer, 0, NULL, NULL, NULL, NULL); + tlen = b - buffer; pbx = &pb; // read from sync buffer } else { pbx = s->pb; // read straight from input From f65ec488a94d3828fb1550f9461e4754d47dc7b3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Nov 2012 07:55:42 +0100 Subject: [PATCH 406/991] avconv: fix copying per-stream metadata. It is handled separately from other types because it uses stream specifiers and currently that triggers an assert in SET_DICT. (cherry picked from commit 4632abc7a3a64b23c243b21cae7a08e5af92231e) Conflicts: avconv_opt.c Signed-off-by: Reinhard Tartler --- avconv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/avconv.c b/avconv.c index de228ec61d..df86b2b227 100644 --- a/avconv.c +++ b/avconv.c 
@@ -3101,6 +3101,8 @@ static int copy_metadata(char *outspec, char *inspec, AVFormatContext *oc, AVFor METADATA_CHECK_INDEX(index, context->nb_programs, "program")\ meta = &context->programs[index]->metadata;\ break;\ + case 's':\ + break; /* handled separately below */ \ }\ SET_DICT(type_in, meta_in, ic, idx_in); From e5ea6539d484d399291ad2731eb87abbc8c2f7cf Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 14 May 2012 19:30:54 +0200 Subject: [PATCH 407/991] indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder Related to CVE-2012-2804 (cherry picked from commit fc417db3f162d5269c0d22f8e467da4afa67c20a) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 294527ec9d..63517c67d0 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -344,8 +344,10 @@ if (*data_ptr >= last_ptr) \ fill_64(dst, pix64, num_lines << 1, row_offset) #define APPLY_DELTA_4 \ - AV_WN16A(dst + line_offset , AV_RN16A(ref ) + delta_tab->deltas[dyad1]);\ - AV_WN16A(dst + line_offset + 2, AV_RN16A(ref + 2) + delta_tab->deltas[dyad2]);\ + AV_WN16A(dst + line_offset ,\ + (AV_RN16A(ref ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ + AV_WN16A(dst + line_offset + 2,\ + (AV_RN16A(ref + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\ if (mode >= 3) {\ if (is_top_of_cell && !cell->ypos) {\ AV_COPY32(dst, dst + row_offset);\ 
@@ -358,14 +360,14 @@ if (*data_ptr >= last_ptr) \ /* apply two 32-bit VQ deltas to next even line */\ if (is_top_of_cell) { \ AV_WN32A(dst + row_offset , \ - replicate32(AV_RN32A(ref )) + delta_tab->deltas_m10[dyad1]);\ + (replicate32(AV_RN32A(ref )) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset + 4, \ - replicate32(AV_RN32A(ref + 4)) + delta_tab->deltas_m10[dyad2]);\ + (replicate32(AV_RN32A(ref + 4)) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ } else { \ AV_WN32A(dst + row_offset , \ - AV_RN32A(ref ) + delta_tab->deltas_m10[dyad1]);\ + (AV_RN32A(ref ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset + 4, \ - AV_RN32A(ref + 4) + delta_tab->deltas_m10[dyad2]);\ + (AV_RN32A(ref + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ } \ /* odd lines are not coded but rather interpolated/replicated */\ /* first line of the cell on the top of image? - replicate */\ 
@@ -379,22 +381,22 @@ if (*data_ptr >= last_ptr) \ #define APPLY_DELTA_1011_INTER \ if (mode == 10) { \ AV_WN32A(dst , \ - AV_RN32A(dst ) + delta_tab->deltas_m10[dyad1]);\ + (AV_RN32A(dst ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + 4 , \ - AV_RN32A(dst + 4 ) + delta_tab->deltas_m10[dyad2]);\ + (AV_RN32A(dst + 4 ) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset , \ - AV_RN32A(dst + row_offset ) + delta_tab->deltas_m10[dyad1]);\ + (AV_RN32A(dst + row_offset ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset + 4, \ - AV_RN32A(dst + row_offset + 4) + delta_tab->deltas_m10[dyad2]);\ + (AV_RN32A(dst + row_offset + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ } else { \ AV_WN16A(dst , \ - AV_RN16A(dst ) + delta_tab->deltas[dyad1]);\ + (AV_RN16A(dst ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ AV_WN16A(dst + 2 , \ - AV_RN16A(dst + 2 ) + delta_tab->deltas[dyad2]);\ + (AV_RN16A(dst + 2 ) + delta_tab->deltas[dyad2]) & 0x7F7F);\ AV_WN16A(dst + row_offset , \ - AV_RN16A(dst + row_offset ) + delta_tab->deltas[dyad1]);\ + (AV_RN16A(dst + row_offset ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ AV_WN16A(dst + row_offset + 2, \ - AV_RN16A(dst + row_offset + 2) + delta_tab->deltas[dyad2]);\ + (AV_RN16A(dst + row_offset + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\ } From c55ca98769759ceb8aa56854caa405a0f73ac1a4 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 14 May 2012 19:45:41 +0200 Subject: [PATCH 408/991] indeo3: when freeing buffers, set pointers referencing them to NULL as well Related to CVE-2012-2804 (cherry picked from commit bc00da27010ed9e5dbe47e5b6fae3dcddb999d78) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 63517c67d0..48e5810e69 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c 
@@ -207,6 +207,7 @@ static av_cold void free_frame_buffers(Indeo3DecodeContext *ctx) for (p = 0; p < 3; p++) { av_freep(&ctx->planes[p].buffers[0]); av_freep(&ctx->planes[p].buffers[1]); + ctx->planes[p].pixels[0] = ctx->planes[p].pixels[1] = 0; } } From 56c1e18a5225f2737f91e6028f114f56d7ca802a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Dec 2012 17:53:31 +0100 Subject: [PATCH 409/991] mpeg12: do not decode extradata more than once. Fixes CVE-2012-2803. CC: libav-stable@libav.org (cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2) Conflicts: libavcodec/mpeg12.c --- libavcodec/mpeg12.c | 3 ++- libavcodec/mpeg12.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 65dfe472e9..436b4cf376 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -2223,8 +2223,9 @@ static int mpeg_decode_frame(AVCodecContext *avctx, s->slice_count = 0; - if (avctx->extradata && !avctx->frame_number) { + if (avctx->extradata && !s->extradata_decoded) { int ret = decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size); + s->extradata_decoded = 1; if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) return ret; } diff --git a/libavcodec/mpeg12.h b/libavcodec/mpeg12.h index ab0352ff10..0f9faaf19c 100644 --- a/libavcodec/mpeg12.h +++ b/libavcodec/mpeg12.h @@ -42,6 +42,7 @@ typedef struct Mpeg1Context { AVRational frame_rate_ext; ///< MPEG-2 specific framerate modificator int sync; ///< Did we reach a sync point like a GOP/SEQ/KEYFrame? int closed_gop; ///< GOP is closed + int extradata_decoded; } Mpeg1Context; extern uint8_t ff_mpeg12_static_rl_table_store[2][2][2*MAX_RUN + MAX_LEVEL + 3]; From a5290800f5716a50ff53761164955be09a4e5581 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Mon, 22 Oct 2012 19:11:05 +0200 Subject: [PATCH 410/991] mp3: properly forward mp_decode_frame errors The function can return either a parsing error or a memory management error. Fixes: CVE-2012-2797 (cherry picked from commit 9ab0874ea8b6774c6f5470dba2b5b4615a610d0d) Conflicts: libavcodec/mpegaudiodec.c Signed-off-by: Reinhard Tartler --- libavcodec/mpegaudiodec.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index bb1baef2c9..cd0d26d8c5 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1632,7 +1632,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, int buf_size = avpkt->size; MPADecodeContext *s = avctx->priv_data; uint32_t header; - int out_size; + int ret; if (buf_size < HEADER_SIZE) return AVERROR_INVALIDDATA; 
@@ -1663,21 +1663,22 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, buf_size= s->frame_size; } - out_size = mp_decode_frame(s, NULL, buf, buf_size); - if (out_size >= 0) { + ret = mp_decode_frame(s, NULL, buf, buf_size); + if (ret >= 0) { *got_frame_ptr = 1; *(AVFrame *)data = s->frame; avctx->sample_rate = s->sample_rate; //FIXME maybe move the other codec info stuff from above here too } else { av_log(avctx, AV_LOG_ERROR, "Error while decoding MPEG audio frame.\n"); - /* Only return an error if the bad frame makes up the whole packet. - If there is more data in the packet, just consume the bad frame - instead of returning an error, which would discard the whole - packet. */ + /* Only return an error if the bad frame makes up the whole packet or + * the error is related to buffer management. + * If there is more data in the packet, just consume the bad frame + * instead of returning an error, which would discard the whole + * packet. */ *got_frame_ptr = 0; - if (buf_size == avpkt->size) - return out_size; + if (buf_size == avpkt->size || ret != AVERROR_INVALIDDATA) + return ret; } s->frame_size = 0; return buf_size; @@ -1698,7 +1699,7 @@ static int decode_frame_adu(AVCodecContext *avctx, void *data, int buf_size = avpkt->size; MPADecodeContext *s = avctx->priv_data; uint32_t header; - int len, out_size; + int len, out_size, ret = 0; len = buf_size; @@ -1735,7 +1736,11 @@ static int decode_frame_adu(AVCodecContext *avctx, void *data, out_size = buf_size; else #endif - out_size = mp_decode_frame(s, NULL, buf, buf_size); + ret = mp_decode_frame(s, NULL, buf, buf_size); + if (ret < 0) { + av_log(avctx, AV_LOG_ERROR, "Error while decoding MPEG audio frame.\n"); + return ret; + } *got_frame_ptr = 1; *(AVFrame *)data = s->frame; 
@@ -1942,7 +1947,10 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, } ch += m->nb_channels; - out_size += mp_decode_frame(m, outptr, buf, fsize); + if ((ret = mp_decode_frame(m, outptr, buf, fsize)) < 0) + return ret; + + out_size += ret; buf += fsize; len -= fsize; From 3e700cc66be24540ac816f17ab53d288d01863b7 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 13 Dec 2012 16:20:19 +0100 Subject: [PATCH 411/991] vp6: properly fail on unsupported feature Interlacing is not supported at all and mismanaged down the normal codepaths causing possible buffer management issues. Fixes: CVE-2012-2783 (cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 9c8d40f70c..faba49b5e1 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -64,8 +64,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, return AVERROR_INVALIDDATA; s->filter_header = buf[1] & 0x06; if (buf[1] & 1) { - av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); - return 0; + av_log_missing_feature(s->avctx, "Interlacing", 0); + return AVERROR_PATCHWELCOME; } if (separated_coeff || !s->filter_header) { coeff_offset = AV_RB16(buf+2) - 2; From fe0e64ca6431c2f606bc702c1a4e230f22531a4f Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Sun, 6 Jan 2013 01:56:23 +0100 Subject: [PATCH 412/991] tiffdec: Use the correct height field. Fixes Ticket913 Signed-off-by: Michael Niedermayer (cherry picked from commit 4784a135b2b0fe4d1b4c6256bd37265fc45aed3d) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 7f5aa80207..c4da35d8e2 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -462,7 +462,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; case TIFF_ROWSPERSTRIP: if (type == TIFF_LONG && value == UINT_MAX) - value = s->avctx->height; + value = s->height; if(value < 1){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n"); return -1; From bb35a42e93c1556511a1812dce7776afcea4001b Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 9 Jan 2013 09:52:48 +0100 Subject: [PATCH 413/991] APIchanges: Fill in missing commit hashes --- doc/APIchanges | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 34faf01153..0b9cdac9b0 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,17 +13,17 @@ libavutil: 2011-04-18 API changes, most recent first: -2012-03-04 - xxxxxxx - lavu 51.22.1 - error.h +2012-03-04 - 7f3f855 - lavu 51.22.1 - error.h Add AVERROR_UNKNOWN -2012-02-29 - xxxxxxx - lavf 53.21.1 +2012-02-29 - 2ad77c6 - lavf 53.21.1 Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). -2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h +2012-02-29 - a1556d3 - lavu 51.22.0 - intfloat.h Add a new installed header libavutil/intfloat.h with int/float punning functions. -2012-02-17 - xxxxxxx - lavc 53.35.0 +2012-02-17 - 350d06d - lavc 53.35.0 Add avcodec_is_open() function. 2012-01-15 - lavc 53.34.0 From 01a4e7f623a2e6dc95862f9a56c777f058d7bfaf Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 7 Jan 2013 23:50:16 +0100 Subject: [PATCH 414/991] lavf: Bump minor version to distinguish branch and master version numbers This enables checking for an API version not present in master that has avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). --- doc/APIchanges | 2 +- libavformat/version.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 78e37f4e95..34faf01153 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -16,7 +16,7 @@ API changes, most recent first: 2012-03-04 - xxxxxxx - lavu 51.22.1 - error.h Add AVERROR_UNKNOWN -2012-02-29 - xxxxxxx - lavf 53.21.0 +2012-02-29 - xxxxxxx - lavf 53.21.1 Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). 2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h diff --git a/libavformat/version.h b/libavformat/version.h index 009a60b1ad..c0ca05a539 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -31,7 +31,7 @@ #define LIBAVFORMAT_VERSION_MAJOR 53 #define LIBAVFORMAT_VERSION_MINOR 21 -#define LIBAVFORMAT_VERSION_MICRO 0 +#define LIBAVFORMAT_VERSION_MICRO 1 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ LIBAVFORMAT_VERSION_MINOR, \ From a4a63bf5b55f9b42b752301ae417ee3f50f5a594 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 11 Dec 2012 17:26:10 -0800 Subject: [PATCH 415/991] aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN. Found-by: pawlkt CC: libav-stable@libav.org Fixes: CVE-2012-5144 (cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646) Signed-off-by: Reinhard Tartler --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 2b9b45c9e8..6478c7765b 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1747,7 +1747,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns, int w, filt, m, i; int bottom, top, order, start, end, size, inc; float lpc[TNS_MAX_ORDER]; - float tmp[TNS_MAX_ORDER]; + float tmp[TNS_MAX_ORDER + 1]; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; From d282e5ce7286eab3bc4f5cbfe81a74551bd31006 Mon Sep 17 00:00:00 2001 
From: Janne Grunau Date: Fri, 23 Nov 2012 14:05:36 +0100 Subject: [PATCH 416/991] lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 240cd94925..9dc1dcb2c6 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -838,7 +838,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st, *pnum = st->codec->time_base.num; *pden = st->codec->time_base.den; if (pc && pc->repeat_pict) { - *pnum = (*pnum) * (1 + pc->repeat_pict); + if (*pnum > INT_MAX / (1 + pc->repeat_pict)) + *pden /= 1 + pc->repeat_pict; + else + *pnum *= 1 + pc->repeat_pict; } //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet //Thus if we have no parser in such case leave duration undefined. From 522e97bd9e91903249b5b7f9fb9f267bb55cb967 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 24 Nov 2012 15:50:03 +0100 Subject: [PATCH 417/991] flashsv: check for keyframe before using differential coding Fixes a segfault in te fuzzed sample resolutionchange.flv_s211713. CC: libav-stable@libav.org (cherry picked from commit 5ae72f54532960cb9eae82a1c9e8d505106c022b) Signed-off-by: Reinhard Tartler --- libavcodec/flashsv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index c99c21c719..792ad57f88 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c 
@@ -370,6 +370,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } if (has_diff) { + if (!s->keyframe) { + av_log(avctx, AV_LOG_ERROR, + "inter frame without keyframe\n"); + return AVERROR_INVALIDDATA; + } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); av_log(avctx, AV_LOG_DEBUG, From 6cd92c3880956ee58fa59aca2d0656b10f506988 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 16 Nov 2012 14:31:09 +0100 Subject: [PATCH 418/991] h264: enable low delay only if no delayed frames were seen Dropping frames is undesirable but that is the only way by which the decoder could return to low delay mode. Instead emit a warning and continue with delayed frames. Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger than expected has_b_frames value. Low delay keeps getting re-enabled from a presumely broken SPS. CC: libav-stable@libav.org (cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b866917e5f..1c5b841889 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4030,9 +4030,16 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ ff_h264_decode_seq_parameter_set(h); } - if (s->flags& CODEC_FLAG_LOW_DELAY || - (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames)) - s->low_delay=1; + if (s->flags & CODEC_FLAG_LOW_DELAY || + (h->sps.bitstream_restriction_flag && + !h->sps.num_reorder_frames)) { + if (s->avctx->has_b_frames > 1 || h->delayed_pic[0]) + av_log(avctx, AV_LOG_WARNING, "Delayed frames seen " + "reenabling low delay requires a codec " + "flush.\n"); + else + s->low_delay = 1; + } if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; From b6592b402cd245fa4ac74f8eea4e0f9300c62adc Mon Sep 17 00:00:00 2001 
From: Janne Grunau Date: Wed, 28 Nov 2012 17:31:35 +0100 Subject: [PATCH 419/991] flashsv: make sure data for zlib priming is available Fixes a segfault in the fuzzed sample resolutionchange.flv_s314809. CC: libav-stable@libav.org (cherry picked from commit 3ae69b91668e3d9b65af4007eb5871397cf0b0ab) Signed-off-by: Reinhard Tartler --- libavcodec/flashsv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 792ad57f88..4a231ce899 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -394,6 +394,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, av_log_missing_feature(avctx, "zlibprime_curr", 1); return AVERROR_PATCHWELCOME; } + if (!s->blocks && (s->zlibprime_curr || s->zlibprime_prev)) { + av_log(avctx, AV_LOG_ERROR, "no data available for zlib " + "priming\n"); + return AVERROR_INVALIDDATA; + } size--; // account for flags byte } From f1b3cc02ec5eda0bcbce10236cc2254d22048b17 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 21 Nov 2012 19:41:59 +0100 Subject: [PATCH 420/991] h264: error out on unset current_picture_ptr for h->current_slice > 0 Fixes a segfault with fuzzed sample sample_varPAR_s11622_r001-02.avi. CC: libav-stable@libav.org (cherry picked from commit 0b300daad2f5cb59a7c06dde5ac701685e6edf16) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1c5b841889..c9940da97f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2889,6 +2889,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->picture_structure = last_pic_structure; s->dropable = last_pic_dropable; return AVERROR_INVALIDDATA; + } else if (!s->current_picture_ptr) { + av_log(s->avctx, AV_LOG_ERROR, + "unset current_picture_ptr on %d. slice\n", + h0->current_slice + 1); + return AVERROR_INVALIDDATA; } } else { /* Shorten frame num gaps so we don't have to allocate reference 
From 77e6676d3eb3a5161f75103180d4ef3f3c8eb5c7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 22 Dec 2012 01:21:09 -0500 Subject: [PATCH 421/991] alacdec: do not be too strict about the extradata size Sometimes the extradata has duplicate atoms, but that shouldn't prevent decoding. Just ensure that it is at least 36 bytes as a sanity check. CC: libav-stable@libav.org (cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec) Signed-off-by: Reinhard Tartler --- libavcodec/alac.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 278cc99969..da789087fd 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -605,10 +605,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) alac->avctx = avctx; /* initialize from the extradata */ - if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) { - av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n", - ALAC_EXTRADATA_SIZE); - return -1; + if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n"); + return AVERROR_INVALIDDATA; } if (alac_set_info(alac)) { av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n"); From 6b70965f398ebcea599225f2215074d434327182 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Dec 2012 22:53:30 +0100 Subject: [PATCH 422/991] ppc: always use pic for shared libraries CC: libav-stable@libav.org (cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996) Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 51e20cb54e..2d17ce0b28 100755 --- a/configure +++ b/configure @@ -2392,7 +2392,7 @@ check_host_cflags -std=c99 check_host_cflags -Wall case "$arch" in - alpha|ia64|mips|parisc|sparc) + alpha|ia64|mips|parisc|ppc|sparc) spic=$shared ;; x86) From dfb7a638e6b9d4b86b7e3c5cf97bdd7621adc5f6 Mon Sep 17 00:00:00 2001 
From: Justin Ruggles Date: Thu, 8 Nov 2012 18:35:49 -0500 Subject: [PATCH 423/991] opt: avoid segfault in av_opt_next() if the class does not have an option list CC: libav-stable@libav.org (cherry picked from commit d02202e08a994c6c80f0256ae756698541b59902) Signed-off-by: Reinhard Tartler --- libavutil/opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 7c53024d25..aea381eead 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -57,8 +57,10 @@ const AVOption *av_next_option(void *obj, const AVOption *last) const AVOption *av_opt_next(void *obj, const AVOption *last) { AVClass *class = *(AVClass**)obj; - if (!last && class->option[0].name) return class->option; - if (last && last[1].name) return ++last; + if (!last && class->option && class->option[0].name) + return class->option; + if (last && last[1].name) + return ++last; return NULL; } From 1d98811b957db3a4c8a3774e85cf8eb07c03c2d4 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 5 Dec 2012 19:56:36 +0100 Subject: [PATCH 424/991] h264: slice-mt: get last_pic_dropable from master context Fixes fate-h264-conformance-cvnlfi2_sony_h and smllwebdl.mkv from https://github.com/OpenELEC/OpenELEC.tv/issues/1557 . CC: libav-stable@libav.org (cherry picked from commit a8cb1746c5b6307b2e820f965a7da8d907893b38) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index c9940da97f..97b21155f0 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2866,7 +2866,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->mb_mbaff = 0; h->mb_aff_frame = 0; last_pic_structure = s0->picture_structure; - last_pic_dropable = s->dropable; + last_pic_dropable = s0->dropable; s->dropable = h->nal_ref_idc == 0; if(h->sps.frame_mbs_only_flag){ s->picture_structure= PICT_FRAME; From d1d329932fd47d5e0fd4ca3c37827b98981c62cd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 7 Jan 2013 18:39:04 +0200 Subject: [PATCH 425/991] rtsp: Recheck the reordering queue if getting a new packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler --- libavformat/rtsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 2858a9a806..5a691f24c0 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1711,6 +1711,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) rt->cur_transport_priv = NULL; } +redo: if (rt->transport == RTSP_TRANSPORT_RTP) { int i; int64_t first_queue_time = 0; @@ -1726,12 +1727,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) first_queue_st = rt->rtsp_streams[i]; } } - if (first_queue_time) + if (first_queue_time) { wait_end = first_queue_time + s->max_delay; + } else { + wait_end = 0; + first_queue_st = NULL; + } } /* read next RTP packet */ - redo: if (!rt->recvbuf) { rt->recvbuf = av_malloc(RECVBUF_SIZE); if (!rt->recvbuf) From f620c12067a2a80af9fb63927665f82f583e18d7 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sun, 25 Nov 2012 12:56:04 +0100 Subject: [PATCH 426/991] h264: check sps.log2_max_frame_num for validity Fixes infinite or long taking loop in frame num gap code in the fuzzed sample bipbop234.ts_s223302. CC: libav-stable@libav.org (cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index ff6103c2c0..a468c96ac4 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -37,6 +37,9 @@ //#undef NDEBUG #include +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) +#define MIN_LOG2_MAX_FRAME_NUM 4 + static const AVRational pixel_aspect[17]={ {0, 1}, {1, 1}, @@ -301,7 +304,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ MpegEncContext * const s = &h->s; int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; - int i; + int i, log2_max_frame_num_minus4; SPS *sps; profile_idc= get_bits(&s->gb, 8); @@ -348,7 +351,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->bit_depth_chroma = 8; } - sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; + log2_max_frame_num_minus4 = get_ue_golomb(&s->gb); + if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 || + log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) { + av_log(h->s.avctx, AV_LOG_ERROR, + "log2_max_frame_num_minus4 out of range (0-12): %d\n", + log2_max_frame_num_minus4); + return AVERROR_INVALIDDATA; + } + sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4; + sps->poc_type= get_ue_golomb_31(&s->gb); if(sps->poc_type == 0){ //FIXME #define From 9ded14fcb8a57e0ec24b147f19d02faf4b7b93b3 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 7 Mar 2012 14:26:58 -0800 Subject: [PATCH 427/991] Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis Signed-off-by: Ronald S. Bultje (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 36e2c452da..950308b462 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -70,8 +70,7 @@ static int ogg_save(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++){ struct ogg_stream *os = ogg->streams + i; - os->buf = av_malloc (os->bufsize); - memset (os->buf, 0, os->bufsize); + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (os->buf, ost->streams[i].buf, os->bufpos); } @@ -168,7 +167,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) os = ogg->streams + idx; os->serial = serial; os->bufsize = DECODER_BUFFER_SIZE; - os->buf = av_malloc(os->bufsize); + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->header = -1; if (new_avstream) { @@ -186,7 +185,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) static int ogg_new_buf(struct ogg *ogg, int idx) { struct ogg_stream *os = ogg->streams + idx; - uint8_t *nb = av_malloc(os->bufsize); + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); int size = os->bufpos - os->pstart; if(os->buf){ memcpy(nb, os->buf + os->pstart, size); @@ -297,7 +296,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) } if (os->bufsize - os->bufpos < size){ - uint8_t *nb = av_malloc (os->bufsize *= 2); + uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; @@ -311,6 +310,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) os->granule = gp; os->flags = flags; + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); if (str) *str = idx; From a335ffd7f4cdaaa6a8fe4187f6f06b0418eea19a Mon Sep 17 00:00:00 2001 
From: Victor Lopez Date: Wed, 19 Dec 2012 09:12:24 +0100 Subject: [PATCH 428/991] h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles Fixes bug 396. CC: libav-stable@libav.org (cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index a468c96ac4..00c5003a22 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -333,7 +333,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8)); sps->scaling_matrix_present = 0; - if(sps->profile_idc >= 100){ //high profile + if (sps->profile_idc == 100 || sps->profile_idc == 110 || + sps->profile_idc == 122 || sps->profile_idc == 244 || + sps->profile_idc == 44 || sps->profile_idc == 83 || + sps->profile_idc == 86 || sps->profile_idc == 118 || + sps->profile_idc == 128 || sps->profile_idc == 144) { sps->chroma_format_idc= get_ue_golomb_31(&s->gb); if(sps->chroma_format_idc > 3) { av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); From 6eebba08e1888371637c2f86878130f9e7a30732 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 22 Dec 2012 17:58:24 +0100 Subject: [PATCH 429/991] oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 950308b462..42a1a558ae 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
@@ -161,8 +161,13 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) AVStream *st; struct ogg_stream *os; - ogg->streams = av_realloc (ogg->streams, - ogg->nstreams * sizeof (*ogg->streams)); + os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams)); + + if (!os) + return AVERROR(ENOMEM); + + ogg->streams = os; + memset (ogg->streams + idx, 0, sizeof (*ogg->streams)); os = ogg->streams + idx; os->serial = serial; @@ -297,6 +302,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) if (os->bufsize - os->bufpos < size){ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); + if (!nb) + return AVERROR(ENOMEM); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; From 03fec31cd76f1b9eb980d4e422e569d95cad326c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 4 Jan 2013 15:44:02 +0100 Subject: [PATCH 430/991] oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 42a1a558ae..3079685652 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
@@ -501,15 +501,30 @@ static int ogg_get_length(AVFormatContext *s) return 0; } -static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap) +static int ogg_read_close(AVFormatContext *s) +{ + struct ogg *ogg = s->priv_data; + int i; + + for (i = 0; i < ogg->nstreams; i++) { + av_free(ogg->streams[i].buf); + av_free(ogg->streams[i].private); + } + av_free(ogg->streams); + return 0; +} + +static int ogg_read_header(AVFormatContext *s) { struct ogg *ogg = s->priv_data; int ret, i; ogg->curidx = -1; //linear headers seek from start ret = ogg_get_headers(s); - if (ret < 0) + if (ret < 0) { + ogg_read_close(s); return ret; + } for (i = 0; i < ogg->nstreams; i++) if (ogg->streams[i].header < 0) @@ -594,19 +609,6 @@ retry: return psize; } -static int ogg_read_close(AVFormatContext *s) -{ - struct ogg *ogg = s->priv_data; - int i; - - for (i = 0; i < ogg->nstreams; i++){ - av_free (ogg->streams[i].buf); - av_free (ogg->streams[i].private); - } - av_free (ogg->streams); - return 0; -} - static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { From 06312bbb101815a992fae0e16cde89ea4066a3a1 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 28 Nov 2012 22:17:14 +0100 Subject: [PATCH 431/991] h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 97b21155f0..002477b8eb 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -4013,6 +4013,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx->inter_gb_ptr= &hx->inter_gb; if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning + && s->current_picture_ptr && s->context_initialized && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=AV_PICTURE_TYPE_B) From adef01c370c909ed639dde3277476fab704589be Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 12 Jan 2013 17:22:50 +0100 Subject: [PATCH 432/991] h264: check ref_count validity for num_ref_idx_active_override_flag Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org (cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8) Signed-off-by: Janne Grunau --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 002477b8eb..f3a47fe8c0 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3121,8 +3121,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(num_ref_idx_active_override_flag){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; - if(h->slice_type_nos==AV_PICTURE_TYPE_B) + if (h->ref_count[0] < 1) + return AVERROR_INVALIDDATA; + if (h->slice_type_nos == AV_PICTURE_TYPE_B) { h->ref_count[1]= get_ue_golomb(&s->gb) + 1; + if (h->ref_count[1] < 1) + return AVERROR_INVALIDDATA; + } } if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { From cf2cab5b2ab80fa2914692e02fa3488aaab7697e Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 17:21:15 +0100 Subject: [PATCH 433/991] Update Changelog --- Changelog | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/Changelog b/Changelog index d3c743d111..c85120345a 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,25 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.5: + +- Several bugs and crashes have been fixed in the following codecs: + Indeo 4 (CVE-2012-2791), VP5/VP6 (CVE-2012-2783), Indeo 3 (CVE-2012-2804), + MPEG-1/2 (CVE-2012-2803), MP3 (CVE-2012-2797), AAC (CVE-2012-5144), + AC-3 (CVE-2012-2802), AVS (CVE-2012-2801), DFA (CVE-2012-2798) + +- backported hardening patches for h264 and svq3 + +- smaller bug fixes in id3v2 (Bug 395), RTSP, option handling, ALAC, + Flash Screen Video + +- unconditionally enable PIC on PowerPC + +- x86: Require an assembler able to cope with AVX instructions + +- fix a serious memory leak on broken Ogg files + + version 0.8.4: - Several bugs and crashes have been fixed in the following codecs: From 4fc22e85c0117fc6f1596ff4bfd89ac00c17cfea Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 17 Jan 2013 01:51:28 +0100 Subject: [PATCH 434/991] Revert "x86: Require an assembler able to cope with AVX instructions" This reverts commit e287201c77dc7a7a9759d56d8f48ae719b7e69a9. --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index e5337a112f..e307fd3a7a 100755 --- a/configure +++ b/configure @@ -2962,8 +2962,9 @@ EOF elf*) enabled debug && append YASMFLAGS $yasm_debug ;; esac - check_yasm "vextractf128 xmm0, ymm0, 0" && enable yasm || + check_yasm "pextrd [eax], xmm0, 1" && enable yasm || die "yasm not found, use --disable-yasm for a crippled build" + check_yasm "vextractf128 xmm0, ymm0, 0" || disable avx fi case "$cpu" in From 74b04e6a359fd7319f052650c40981dd4f8f312f Mon Sep 17 00:00:00 2001 
From: Carl Eugen Hoyos Date: Thu, 17 Jan 2013 02:42:17 +0100 Subject: [PATCH 435/991] Fix detection of struct v4l2_frmsize_discrete. It was always detected successfully. (cherry picked from commit 91e016865cccc192f86d40ea93eb06cf0e7ba4a0) --- configure | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 2a8d0a7806..7298059e73 100755 --- a/configure +++ b/configure @@ -3203,7 +3203,14 @@ makeinfo --version > /dev/null 2>&1 && enable makeinfo || disable makeinfo check_header linux/fb.h check_header linux/videodev.h check_header linux/videodev2.h -check_struct linux/videodev2.h "struct v4l2_frmivalenum" discrete +check_cc < +int main(void) { +struct v4l2_frmsizeenum vfse; +vfse.discrete.width = 0; +return 0; +} +EOF check_header sys/videoio.h From a94f789c334ce35d7243f76b6bc982ba38289ec8 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 14 May 2012 19:33:03 +0200 Subject: [PATCH 436/991] indeo3: initialise pixel planes on allocation This prevents decoder from reading garbage from it in case of errors later. (cherry picked from commit 81064a8045028838fd32d18490034c207c8ecc06) Fixes an invalid read on sample from CVE-2012-2804 Signed-off-by: Anton Khirnov --- libavcodec/indeo3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 48e5810e69..2aa8d955ac 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -194,6 +194,8 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, /* set buffer pointers = buf_ptr + pitch and thus skip the INTRA prediction line */ ctx->planes[p].pixels[0] = ctx->planes[p].buffers[0] + ctx->planes[p].pitch; ctx->planes[p].pixels[1] = ctx->planes[p].buffers[1] + ctx->planes[p].pitch; + memset(ctx->planes[p].pixels[0], 0, ctx->planes[p].pitch * ctx->planes[p].height); + memset(ctx->planes[p].pixels[1], 0, ctx->planes[p].pitch * ctx->planes[p].height); } return 0; 
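Review bot: the two memset() calls added to allocate_frame_buffers() in indeo3.c clear pitch * height bytes starting at pixels[0] and pixels[1], which the context lines set to buffers[0] + pitch and buffers[1] + pitch, so they stay in bounds only if each buffer holds at least pitch * (height + 1) bytes. Neither the allocation size nor a NULL check on the two buffers is visible in this hunk; please confirm both precede these lines, and consider computing the plane size once instead of repeating the multiplication.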
From 1076ea8115ada59d9c779d67209f0548cc03b604 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Oct 2012 18:50:32 +0200 Subject: [PATCH 437/991] mp3: exit on parsing error in mp_decode_frame Properly forward mp_decode_layer3 errors, mp_decode_layer1 and mp_decode_layer2 do not return errors. Based on a patch by Michael Niedermayer. (cherry picked from commit 0c03cc68386443f1e96ab6fb358220faf67cd5ff) Signed-off-by: Anton Khirnov --- libavcodec/mpegaudiodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index cd0d26d8c5..adb25ffa38 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1571,6 +1571,9 @@ static int mp_decode_frame(MPADecodeContext *s, OUT_INT *samples, default: nb_frames = mp_decode_layer3(s); + if (nb_frames < 0) + return nb_frames; + s->last_buf_size=0; if (s->in_gb.buffer) { align_get_bits(&s->gb); From 4e869e7a5f14d067446a2f5a62ac87b17cf15922 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 24 Jan 2013 02:30:40 +0100 Subject: [PATCH 438/991] matroskaenc: add codec_tag lists back. This reverts 312645e : "Do not set codec_tag property for matroska muxers." Also adds dummy codec_tag lists with codecs supported in mkv but not in wav / avi. Fixes ticket #2169. (cherry picked from commit df39c3ce385c02cbd8046298578ea7454c0a0f81) Conflicts: libavformat/matroskaenc.c --- libavformat/matroska.c | 3 +++ libavformat/matroskaenc.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/libavformat/matroska.c b/libavformat/matroska.c index 52481d7556..a5a4363cc0 100644 --- a/libavformat/matroska.c +++ b/libavformat/matroska.c @@ -21,6 +21,9 @@ #include "matroska.h" +/* If you add a tag here that is not in ff_codec_bmp_tags[] + or ff_codec_wav_tags[], add it also to additional_audio_tags[] + or additional_video_tags[] in matroskaenc.c */ const CodecTags ff_mkv_codec_tags[]={ {"A_AAC" , CODEC_ID_AAC}, {"A_AC3" , CODEC_ID_AC3}, 
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e74366fe95..d1110f4fda 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1295,6 +1295,32 @@ static int mkv_query_codec(enum CodecID codec_id, int std_compliance) return 0; } +const AVCodecTag additional_audio_tags[] = { + { CODEC_ID_ALAC, 0XFFFFFFFF }, + { CODEC_ID_EAC3, 0XFFFFFFFF }, + { CODEC_ID_MLP, 0xFFFFFFFF }, + { CODEC_ID_PCM_S16BE, 0xFFFFFFFF }, + { CODEC_ID_PCM_S24BE, 0xFFFFFFFF }, + { CODEC_ID_PCM_S32BE, 0xFFFFFFFF }, + { CODEC_ID_QDM2, 0xFFFFFFFF }, + { CODEC_ID_RA_144, 0xFFFFFFFF }, + { CODEC_ID_RA_288, 0xFFFFFFFF }, + { CODEC_ID_COOK, 0xFFFFFFFF }, + { CODEC_ID_TRUEHD, 0xFFFFFFFF }, + { CODEC_ID_TTA, 0xFFFFFFFF }, + { CODEC_ID_WAVPACK, 0xFFFFFFFF }, + { CODEC_ID_NONE, 0xFFFFFFFF } +}; + +const AVCodecTag additional_video_tags[] = { + { CODEC_ID_PRORES, 0xFFFFFFFF }, + { CODEC_ID_RV10, 0xFFFFFFFF }, + { CODEC_ID_RV20, 0xFFFFFFFF }, + { CODEC_ID_RV30, 0xFFFFFFFF }, + { CODEC_ID_RV40, 0xFFFFFFFF }, + { CODEC_ID_NONE, 0xFFFFFFFF } +}; + #if CONFIG_MATROSKA_MUXER AVOutputFormat ff_matroska_muxer = { .name = "matroska", @@ -1316,6 +1342,10 @@ AVOutputFormat ff_matroska_muxer = { .write_packet = mkv_write_packet, .write_trailer = mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS, + .codec_tag = (const AVCodecTag* const []){ + ff_codec_bmp_tags, ff_codec_wav_tags, + additional_audio_tags, additional_video_tags, 0 + }, .subtitle_codec = CODEC_ID_SSA, .query_codec = mkv_query_codec, }; @@ -1354,5 +1384,8 @@ AVOutputFormat ff_matroska_audio_muxer = { .write_packet = mkv_write_packet, .write_trailer = mkv_write_trailer, .flags = AVFMT_GLOBALHEADER, + .codec_tag = (const AVCodecTag* const []){ + ff_codec_wav_tags, additional_audio_tags, 0 + }, }; #endif From a4c9260e6914aa82274d1582e1e4ce94ce5194ed Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Thu, 24 Jan 2013 11:45:27 +0100 Subject: [PATCH 439/991] pthread: set the frame properties from the thread context, not user. Right now, the frame properties are set from the user-facing AVCodecContext before it is updated from the thread context, which is wrong since they may be invalid or obsolete. --- libavcodec/pthread.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index a4e3081272..64cff43983 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -631,10 +631,10 @@ int ff_thread_decode_frame(AVCodecContext *avctx, *picture = p->frame; *got_picture_ptr = p->got_frame; picture->pkt_dts = p->avpkt.dts; - picture->sample_aspect_ratio = avctx->sample_aspect_ratio; - picture->width = avctx->width; - picture->height = avctx->height; - picture->format = avctx->pix_fmt; + picture->sample_aspect_ratio = p->avctx->sample_aspect_ratio; + picture->width = p->avctx->width; + picture->height = p->avctx->height; + picture->format = p->avctx->pix_fmt; /* * A later call with avkpt->size == 0 may loop over all threads, From 4d9bde86d0242031d387c11d1faf49594ab6ef6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Feb 2013 01:25:52 +0100 Subject: [PATCH 440/991] ffmpeg: dont allow -flags to override -pass Fixes Ticket2154 Signed-off-by: Michael Niedermayer (cherry picked from commit ccf9dd00da055e94117b56cead4af80ff331b00e) Conflicts: ffmpeg_opt.c --- ffmpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index dfa0a13fb6..edacf686dd 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4068,9 +4068,11 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc) if (do_pass) { if (do_pass & 1) { video_enc->flags |= CODEC_FLAG_PASS1; + av_dict_set(&ost->opts, "flags", "+pass1", AV_DICT_APPEND); } if (do_pass & 2) { video_enc->flags |= CODEC_FLAG_PASS2; + av_dict_set(&ost->opts, "flags", "+pass2", AV_DICT_APPEND); } } 
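Review bot: in the new_video_stream() hunk of ffmpeg.c, the return value of both added av_dict_set(&ost->opts, "flags", ..., AV_DICT_APPEND) calls is ignored, so if an append fails video_enc->flags carries the pass bit while ost->opts does not, which is the mismatch this patch sets out to remove. Check the result and fail stream setup on a negative value. A one-line comment that the dictionary entry exists so a user-supplied -flags cannot drop CODEC_FLAG_PASS1 or CODEC_FLAG_PASS2 would also document why the flag is set in two places.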
From 7a21b089c2751f874aacec0bd16044e5d8facaa3 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 14 Feb 2013 14:42:41 +0100 Subject: [PATCH 441/991] sws: dont write out of array on bigendian Fixes Ticket2229 Signed-off-by: Michael Niedermayer (cherry picked from commit 4e2c63685e031e28d2296cff76473b963ee62ba1) --- libswscale/swscale_unscaled.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index e1ba79926d..d4b39f4a30 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -483,6 +483,9 @@ static rgbConvFn findRgbConvFn(SwsContext *c) } } + if ((dstFormat == PIX_FMT_RGB32_1 || dstFormat == PIX_FMT_BGR32_1) && !isRGBA32(srcFormat) && ALT32_CORR<0) + return NULL; + return conv; } From 165f783235a028d969ac7de0b509647ad3157b19 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 20:58:07 -0500 Subject: [PATCH 442/991] rtpenc: fix overflow checking in avc_mp4_find_startcode() The check `start + res < start' is broken since pointer overflow is undefined behavior in C. Many compilers such as gcc/clang optimize away this check. Use `res > end - start' instead. Also change `res' to unsigned int to avoid signed left-shift overflow. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 2f014567cfd63e58156f60666f1a61ba147276ab) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_h264.c b/libavformat/rtpenc_h264.c index 86930bbac1..5447edcc30 100644 --- a/libavformat/rtpenc_h264.c +++ b/libavformat/rtpenc_h264.c 
@@ -31,14 +31,14 @@ static const uint8_t *avc_mp4_find_startcode(const uint8_t *start, const uint8_t *end, int nal_length_size) { - int res = 0; + unsigned int res = 0; if (end - start < nal_length_size) return NULL; while (nal_length_size--) res = (res << 8) | *start++; - if (start + res > end || res < 0 || start + res < start) + if (res > end - start) return NULL; return start + res; From 69b3fedc09d93ddf8041a5383435e7f4943ceadc Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 17:49:29 -0500 Subject: [PATCH 443/991] rtmp: fix multiple broken overflow checks Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 61e159b06a..a419de9e01 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -279,11 +279,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return -1; data += t; } @@ -312,7 +312,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, int size = bytestream_get_be16(&data); if (!size) break; - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; if (size == namelen && !memcmp(data-size, name, namelen)) { 
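Review bot: in the ff_amf_get_field_value() hunk of rtmppkt.c (@@ -312), size is assigned from bytestream_get_be16(), so the `size < 0` half of the new condition can never be true there and only `size >= data_end - data` does any work. More importantly, the 16-bit read advances data by two bytes with no visible check that two bytes remain before data_end; please add a `data_end - data < 2` test ahead of it, or point to where that is already guaranteed.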
@@ -333,7 +333,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, return 0; } len = ff_amf_tag_size(data, data_end); - if (len < 0 || data + len >= data_end || data + len < data) + if (len < 0 || len >= data_end - data) return -1; data += len; } @@ -404,13 +404,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); ff_amf_tag_contents(ctx, data, data_end); t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return; data += t; } From ef953f760ef1b616574cabf2a3e9580b7bf21ac4 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 21:40:05 -0500 Subject: [PATCH 444/991] rtmp: fix buffer overflows in ff_amf_tag_contents() A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index a419de9e01..a00f463483 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -363,7 +363,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) 
@@ -382,7 +382,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -395,16 +395,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (size < 0 || size >= data_end - data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); From ba4b57e8024a9635b4eaf7f3cc08837b065bd4c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 18:29:41 +0100 Subject: [PATCH 445/991] huffyuvdec: Check init_vlc() return codes. Prevents out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f67a0d115254461649470452058fa3c28c0df294) Signed-off-by: Michael Niedermayer (cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuv.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index 5140b90fc3..09e89babfc 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -28,6 +28,7 @@ * huffyuv codec for libavcodec. */ +#include "libavutil/avassert.h" #include "avcodec.h" #include "get_bits.h" #include "put_bits.h" 
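Review bot: in patch 444's rtmppkt.c hunk at @@ -395 (the AMF_DATA_TYPE_OBJECT loop of ff_amf_tag_contents()), the new av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)) runs before the `size >= data_end - data` test that follows it, so bytes are read from data before the field length has been validated against data_end. Move the copy below the bounds check and below the `!size` early exit. The string case at @@ -382 has the same shape: size is clamped to sizeof(buf) - 1, but no comparison against data_end - data is visible before the memcpy().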
@@ -317,6 +318,7 @@ static void generate_joint_tables(HYuvContext *s){ int len1 = s->len[p][u]; if(len1 > limit) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; symbols[i] = (y<<8) + u; @@ -350,6 +352,7 @@ static void generate_joint_tables(HYuvContext *s){ int len2 = s->len[2][r&255]; if(len2 > limit1) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; bits[i] = (code << len2) + s->bits[2][r&255]; if(s->decorrelate){ @@ -373,6 +376,7 @@ static void generate_joint_tables(HYuvContext *s){ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ GetBitContext gb; int i; + int ret; init_get_bits(&gb, src, length*8); @@ -383,7 +387,8 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ return -1; } ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); @@ -395,6 +400,7 @@ static int read_old_huffman_tables(HYuvContext *s){ #if 1 GetBitContext gb; int i; + int ret; init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8); if(read_len_table(s->len[0], &gb)<0) @@ -415,7 +421,8 @@ static int read_old_huffman_tables(HYuvContext *s){ for(i=0; i<3; i++){ ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); From b07c791252707c88f610daa668eae3ddc6fbccc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 19:22:33 +0100 Subject: [PATCH 446/991] huffyuvdec: Skip len==0 cases Fixes vlc decoding for hypothetical files that would contain such cases. 
Signed-off-by: Michael Niedermayer (cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuv.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index 09e89babfc..f5b8c918df 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -312,11 +312,11 @@ static void generate_joint_tables(HYuvContext *s){ for(i=y=0; y<256; y++){ int len0 = s->len[0][y]; int limit = VLC_BITS - len0; - if(limit <= 0) + if(limit <= 0 || !len0) continue; for(u=0; u<256; u++){ int len1 = s->len[p][u]; - if(len1 > limit) + if (len1 > limit || !len1) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; @@ -340,17 +340,17 @@ static void generate_joint_tables(HYuvContext *s){ for(i=0, g=-16; g<16; g++){ int len0 = s->len[p0][g&255]; int limit0 = VLC_BITS - len0; - if(limit0 < 2) + if (limit0 < 2 || !len0) continue; for(b=-16; b<16; b++){ int len1 = s->len[p1][b&255]; int limit1 = limit0 - len1; - if(limit1 < 1) + if (limit1 < 1 || !len1) continue; code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255]; for(r=-16; r<16; r++){ int len2 = s->len[2][r&255]; - if(len2 > limit1) + if (len2 > limit1 || !len2) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; From 83446017128bed233a04f03f420d883321f96a41 Mon Sep 17 00:00:00 2001 
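Review bot: in the AMF_DATA_TYPE_OBJECT loop of ff_amf_tag_contents (hunk @@ -395,16 +395,15 @@), the key is copied with `av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1))` before the `size >= data_end - data` check runs, so a length field larger than the remaining input is still read from `data`. Move the bounds check ahead of the copy. av_strlcpy, like strlcpy, returns the length of its source string and so scans the source for a NUL, while the keys here are length-prefixed; a memcpy of FFMIN(size, sizeof(buf) - 1) bytes followed by `buf[size] = 0`, as the string case in the previous hunk does, keeps the read tied to the declared length. The string case clamps `size` to the buffer, but the visible lines show no comparison against `data_end` before its memcpy; worth confirming one exists.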
From: Carl Eugen Hoyos Date: Thu, 14 Feb 2013 15:08:37 +0100 Subject: [PATCH 447/991] Write the fiel atom to mov files independently of the used video coded. The QuickTime specification does not contain any hint that the atom must not be written in some cases and both the QuickTime and the AVID decoders do not fail if the atom is present. This change allows to signal (visually) interlaced streams with a codec different from uncompressed video. As a side-effect, this fixes ticket #2202 (cherry picked from commit 7d0e3b197c817b307d599a23704a44763ed0bbdd) Conflicts: libavformat/movenc.c tests/ref/lavf/mov tests/ref/seek/lavf_mov tests/ref/vsynth/vsynth1-avui tests/ref/vsynth/vsynth1-dnxhd-1080i tests/ref/vsynth/vsynth1-mpeg4 tests/ref/vsynth/vsynth2-avui tests/ref/vsynth/vsynth2-dnxhd-1080i tests/ref/vsynth/vsynth2-mpeg4 --- libavformat/movenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 6ed1005d33..0d0d3e0c94 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -927,11 +927,12 @@ static int mov_write_video_tag(AVIOContext *pb, MOVTrack *track) mov_write_avcc_tag(pb, track); if(track->mode == MODE_IPOD) mov_write_uuid_tag_ipod(pb); - } else if (track->enc->field_order != AV_FIELD_UNKNOWN) - mov_write_fiel_tag(pb, track); - else if(track->vosLen > 0) + } else if(track->vosLen > 0) mov_write_glbl_tag(pb, track); + if (track->enc->field_order != AV_FIELD_UNKNOWN) + mov_write_fiel_tag(pb, track); + if (track->enc->sample_aspect_ratio.den && track->enc->sample_aspect_ratio.num && track->enc->sample_aspect_ratio.den != track->enc->sample_aspect_ratio.num) { mov_write_pasp_tag(pb, track); From f20764102b9fb7f01b1e0be0f73b5212d084269a Mon Sep 17 00:00:00 2001 From: Vicente Jimenez Aguilar Date: Wed, 20 Feb 2013 02:35:00 +0100 Subject: [PATCH 448/991] doc: filters: Correct BNF FILTER description 
Signed-off-by: Diego Biurrun (cherry picked from commit b5ad422bf4e671a8b30ce73ad236cd6b49940af9) --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 4e7ede23a4..8c70768b3f 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -82,7 +82,7 @@ Follows a BNF description for the filtergraph syntax: @var{LINKLABEL} ::= "[" @var{NAME} "]" @var{LINKLABELS} ::= @var{LINKLABEL} [@var{LINKLABELS}] @var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted) -@var{FILTER} ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}] +@var{FILTER} ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}] @var{FILTERCHAIN} ::= @var{FILTER} [,@var{FILTERCHAIN}] @var{FILTERGRAPH} ::= @var{FILTERCHAIN} [;@var{FILTERGRAPH}] @end example From c3829f7085c5d5f5e860f301cc8285b3963913ee Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Fri, 22 Feb 2013 22:06:37 +0100 Subject: [PATCH 449/991] doc: developer: Allow tabs in the vim configuration for Automake files While we do not use Automake in libav, this allows our config to be used more globally without introducing unwanted breakage. (cherry picked from commit 040c565e51985477a8fa5e42d2ddfb26ebde6608) Conflicts: doc/developer.texi --- doc/developer.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/developer.texi b/doc/developer.texi index c189de1870..4b5d6af9ed 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -215,8 +215,8 @@ the following snippet into your @file{.vimrc}: set expandtab set shiftwidth=4 set softtabstop=4 -" allow tabs in Makefiles -autocmd FileType make set noexpandtab shiftwidth=8 softtabstop=8 +" Allow tabs in Makefiles. +autocmd FileType make,automake set noexpandtab shiftwidth=8 softtabstop=8 " Trailing whitespace and tabs are forbidden, so highlight them. highlight ForbiddenWhitespace ctermbg=red guibg=red match ForbiddenWhitespace /\s\+$\|\t/ 
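Review bot: the `av_assert0(i < (1 << VLC_BITS))` added in generate_joint_tables in libavcodec/huffyuv.c (hunks @@ -317,6 +318,7 @@ and @@ -350,6 +352,7 @@) stops the out-of-array write by aborting the process, and the `s->len[][]` tables that drive `i` are parsed from `src` in read_huffman_tables. In a decoder library a malformed file should end in an error return rather than abort(). Consider making generate_joint_tables return int, returning AVERROR_INVALIDDATA when the index would reach `1 << VLC_BITS`, and propagating that from read_huffman_tables and read_old_huffman_tables alongside the new init_vlc return checks.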
From 60a1ee6e419e244dc2363fdc4ddf8350d506f2ae Mon Sep 17 00:00:00 2001 From: Vicente Jimenez Aguilar Date: Sat, 16 Feb 2013 03:08:36 +0100 Subject: [PATCH 450/991] doc: Fix some obsolete references to av* tools as ff* tools Signed-off-by: Diego Biurrun CC: libav-stable@libav.org (cherry picked from commit 202b5f6deb65e405b07b9b5c20f97c8cb925cf49) Signed-off-by: Reinhard Tartler --- doc/bitstream_filters.texi | 2 +- doc/demuxers.texi | 2 +- doc/encoders.texi | 2 +- doc/indevs.texi | 4 ++-- doc/muxers.texi | 2 +- doc/outdevs.texi | 2 +- doc/protocols.texi | 4 ++-- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/bitstream_filters.texi b/doc/bitstream_filters.texi index 1fbd40a70c..ba66bc8938 100644 --- a/doc/bitstream_filters.texi +++ b/doc/bitstream_filters.texi @@ -10,7 +10,7 @@ You can disable all the bitstream filters using the configure option the option @code{--enable-bsf=BSF}, or you can disable a particular bitstream filter using the option @code{--disable-bsf=BSF}. -The option @code{-bsfs} of the ff* tools will display the list of +The option @code{-bsfs} of the av* tools will display the list of all the supported bitstream filters included in your build. Below is a description of the currently available bitstream filters. diff --git a/doc/demuxers.texi b/doc/demuxers.texi index c3049ddfc4..af4e3f15cf 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -13,7 +13,7 @@ You can disable all the demuxers using the configure option the option "--enable-demuxer=@var{DEMUXER}", or disable it with the option "--disable-demuxer=@var{DEMUXER}". -The option "-formats" of the ff* tools will display the list of +The option "-formats" of the av* tools will display the list of enabled demuxers. The description of some of the currently available demuxers follows. diff --git a/doc/encoders.texi b/doc/encoders.texi index 830981fe8d..0491d7314a 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -14,7 +14,7 @@ You can disable all the encoders with the configure option with the options @code{--enable-encoder=@var{ENCODER}} / @code{--disable-encoder=@var{ENCODER}}. -The option @code{-codecs} of the ff* tools will display the list of +The option @code{-codecs} of the av* tools will display the list of enabled encoders. @c man end ENCODERS diff --git a/doc/indevs.texi b/doc/indevs.texi index e1b4dddbc5..b75039515b 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -13,7 +13,7 @@ You can disable all the input devices using the configure option option "--enable-indev=@var{INDEV}", or you can disable a particular input device using the option "--disable-indev=@var{INDEV}". -The option "-formats" of the ff* tools will display the list of +The option "-formats" of the av* tools will display the list of supported input devices (amongst the demuxers). A description of the currently available input devices follows. @@ -277,7 +277,7 @@ input device will use the frame rate value already set in the driver. Video4Linux support is deprecated since Linux 2.6.30, and will be dropped in later versions. -Follow some usage examples of the video4linux devices with the ff* +Follow some usage examples of the video4linux devices with the av* tools. @example # Grab and show the input of a video4linux device, frame rate is set diff --git a/doc/muxers.texi b/doc/muxers.texi index 5a609c8b9a..185d19e262 100644 --- a/doc/muxers.texi +++ b/doc/muxers.texi @@ -13,7 +13,7 @@ You can disable all the muxers with the configure option with the options @code{--enable-muxer=@var{MUXER}} / @code{--disable-muxer=@var{MUXER}}. -The option @code{-formats} of the ff* tools will display the list of +The option @code{-formats} of the av* tools will display the list of enabled muxers. A description of some of the currently available muxers follows. diff --git a/doc/outdevs.texi b/doc/outdevs.texi index 938909c784..dd7bd6475d 100644 --- a/doc/outdevs.texi +++ b/doc/outdevs.texi 
@@ -13,7 +13,7 @@ You can disable all the output devices using the configure option option "--enable-outdev=@var{OUTDEV}", or you can disable a particular input device using the option "--disable-outdev=@var{OUTDEV}". -The option "-formats" of the ff* tools will display the list of +The option "-formats" of the av* tools will display the list of enabled output devices (amongst the muxers). A description of the currently available output devices follows. diff --git a/doc/protocols.texi b/doc/protocols.texi index f5bb5324be..1fe2dda994 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -14,7 +14,7 @@ option "--enable-protocol=@var{PROTOCOL}", or you can disable a particular protocol using the option "--disable-protocol=@var{PROTOCOL}". -The option "-protocols" of the ff* tools will display the list of +The option "-protocols" of the av* tools will display the list of supported protocols. A description of the currently available protocols follows. @@ -73,7 +73,7 @@ use the command: avconv -i file:input.mpeg output.mpeg @end example -The ff* tools default to the file protocol, that is a resource +The av* tools default to the file protocol, that is a resource specified with the name "FILE.mpeg" is interpreted as the URL "file:FILE.mpeg". From 6a9f050c225e7c54cdbb6d4098458cff94d954c5 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 10 Jul 2012 18:42:13 +0200 Subject: [PATCH 451/991] build: Fix CAF demuxer dependencies (cherry picked from commit a519463366238a7ec05d2bb76c4a67f42cf60ece) Conflicts: libavcodec/Makefile --- libavcodec/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 5a4fa4cbe9..da8fd549b4 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile 
@@ -533,7 +533,8 @@ OBJS-$(CONFIG_ADPCM_YAMAHA_ENCODER) += adpcmenc.o adpcm_data.o # libavformat dependencies OBJS-$(CONFIG_ADTS_MUXER) += mpeg4audio.o OBJS-$(CONFIG_ADX_DEMUXER) += adx.o -OBJS-$(CONFIG_CAF_DEMUXER) += mpeg4audio.o mpegaudiodata.o +OBJS-$(CONFIG_CAF_DEMUXER) += mpeg4audio.o mpegaudiodata.o \ + ac3tab.o OBJS-$(CONFIG_DV_DEMUXER) += dvdata.o OBJS-$(CONFIG_DV_MUXER) += dvdata.o OBJS-$(CONFIG_FLAC_DEMUXER) += flacdec.o flacdata.o flac.o From eeacc5a7d06944708b58631dffd53a2abc9ee457 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 27 Feb 2013 19:19:15 +0100 Subject: [PATCH 452/991] lavf/avio: check for : in filenames for protocols. If the first "special" character in a filename is a comma, it can introduce protocol options, but only if there is a colon at the end. Otherwise, it is just a filename with a comma. Fix trac ticket #2303. (cherry picked from commit d9fad53f4b447db1e436dcf3fc4a57e604616e6c) --- libavformat/avio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 418a8a79fc..480dc98205 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -297,7 +297,9 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags, "Missing call to av_register_all()?\n"); } - if (filename[proto_len] != ':' && filename[proto_len] != ',' || is_dos_path(filename)) + if (filename[proto_len] != ':' && + (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || + is_dos_path(filename)) strcpy(proto_str, "file"); else av_strlcpy(proto_str, filename, FFMIN(proto_len+1, sizeof(proto_str))); From 85e082d08180ae1abfb63ddf0e09795def881316 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 2 Feb 2013 22:36:25 +0100 Subject: [PATCH 453/991] Require at least three frames to autodetect loas. (cherry picked from commit a60530e3ee1d9532c026a52b03661f88e163d647) --- libavformat/loasdec.c | 1 - 1 file changed, 1 deletion(-) 
diff --git a/libavformat/loasdec.c b/libavformat/loasdec.c index e48c21905a..fbe1cb4aa9 100644 --- a/libavformat/loasdec.c +++ b/libavformat/loasdec.c @@ -55,7 +55,6 @@ static int loas_probe(AVProbeData *p) if (first_frames>=3) return AVPROBE_SCORE_MAX/2+1; else if(max_frames>100)return AVPROBE_SCORE_MAX/2; else if(max_frames>=3) return AVPROBE_SCORE_MAX/4; - else if(max_frames>=1) return 1; else return 0; } From 8829c79039379e7fde64a837f3dbae088a4dbdbb Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 4 Jan 2013 16:05:51 +0100 Subject: [PATCH 454/991] oggdec: make sure the private parse data is cleaned up (cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646) Related to CVE-2012-2882 Conflicts: libavformat/oggdec.h libavformat/oggparsevorbis.c --- libavformat/oggdec.c | 4 ++++ libavformat/oggdec.h | 5 +++++ libavformat/oggparsevorbis.c | 14 +++++++++++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 3079685652..2a1c0a5f6f 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -508,6 +508,10 @@ static int ogg_read_close(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++) { av_free(ogg->streams[i].buf); + if (ogg->streams[i].codec && + ogg->streams[i].codec->cleanup) { + ogg->streams[i].codec->cleanup(s, i); + } av_free(ogg->streams[i].private); } av_free(ogg->streams); diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index 184a628622..1a702c32d2 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -51,6 +51,11 @@ struct ogg_codec { * 0 if granule is the end time of the associated packet. */ int granule_is_start; + /** + * Number of expected headers + */ + int nb_header; + void (*cleanup)(AVFormatContext *s, int idx); }; struct ogg_stream { diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index ba9b348456..0c26684dd2 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c 
@@ -188,6 +188,16 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } +static int vorbis_cleanup(AVFormatContext *s, int idx) +{ + struct ogg *ogg = s->priv_data; + struct ogg_stream *os = ogg->streams + idx; + struct oggvorbis_private *priv = os->private; + int i; + if (os->private) + for (i = 0; i < 3; i++) + av_freep(&priv->packet[i]); +} static int vorbis_header (AVFormatContext * s, int idx) @@ -278,5 +288,7 @@ vorbis_header (AVFormatContext * s, int idx) const struct ogg_codec ff_vorbis_codec = { .magic = "\001vorbis", .magicsize = 7, - .header = vorbis_header + .header = vorbis_header, + .cleanup= vorbis_cleanup, + .nb_header = 3, }; From cb93705900ff8f58a4a358911f59341d65a69e1b Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 17 Feb 2013 09:11:57 +0100 Subject: [PATCH 455/991] update year to 2013 Signed-off-by: Reinhard Tartler --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 7b2ff084ba..3ba5d0cfb5 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -55,7 +55,7 @@ struct SwsContext *sws_opts; AVDictionary *format_opts, *codec_opts; -static const int this_year = 2012; +static const int this_year = 2013; void init_opts(void) { From 30bfa9e79f37fd7ddaa9fb3434e3976dadbf403b Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 17 Feb 2013 09:12:20 +0100 Subject: [PATCH 456/991] Update RELEASE file for 0.8.6 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7ada0d303f..7fc2521fd7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.5 +0.8.6 From 29a2fdb184b13efb7007d4b631cae2c35001c509 Mon Sep 17 00:00:00 2001 
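Review bot: vorbis_cleanup in libavformat/oggparsevorbis.c is declared `static int` but has no return statement, and the member added to struct ogg_codec is `void (*cleanup)(AVFormatContext *s, int idx)`, so `.cleanup= vorbis_cleanup` assigns a function of an incompatible type. Declare it `static void vorbis_cleanup(AVFormatContext *s, int idx)`. `priv` is initialised from `os->private` before the `if (os->private)` test; that is harmless because it is only dereferenced inside the branch, but testing `priv` directly would read more clearly. The new `nb_header` field is documented and set to 3 for Vorbis, yet nothing in the visible hunks reads it; either drop it from this backport or say in the commit message why it is carried.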
From: Mans Rullgard Date: Thu, 16 Aug 2012 00:10:33 +0100 Subject: [PATCH 457/991] configure: clean up Altivec detection There used to be one test for Altivec intrinsics support and a separate test to determine which of two possible syntaxes to use for vector literals. Since 2008, we only support the more common of these so the split test no longer makes sense. This combines the tests into one and also changes the hard error on failure to a warning. The test can reasonably fail if no --cpu flag is provided (or is provided with an unknown CPU) and the compiler default target does not support Altivec. Aborting in this case is probably over-reacting. Fixes: #464, http://bugs.debian.org/701710 Signed-off-by: Mans Rullgard (cherry picked from commit 20bcce507aa6b9c866e34eee75d80305109767a8) Signed-off-by: Reinhard Tartler --- configure | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/configure b/configure index 2d17ce0b28..081854feb9 100755 --- a/configure +++ b/configure @@ -2723,17 +2723,14 @@ elif enabled ppc; then check_cc < Date: Wed, 6 Mar 2013 09:58:00 +0100 Subject: [PATCH 458/991] wmadec: require block_align to be set. Avoids an infinite loop in the calling programs with decoder not consuming any input and not returning output. CC:libav-stable@libav.org (cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f) Signed-off-by: Reinhard Tartler (cherry picked from commit c1f479e8df24284237c80ad959619fc85e29a26d) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index a7300594ca..c88a035336 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -85,6 +85,11 @@ static int wma_decode_init(AVCodecContext * avctx) int i, flags2; uint8_t *extradata; + if (!avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + return AVERROR(EINVAL); + } + s->avctx = avctx; /* extract flag infos */ 
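Review bot: `if (!avctx->block_align)` in wma_decode_init (libavcodec/wmadec.c) rejects only zero. block_align is a signed int (the wmaprodec patch later in this series prints it with %d), so a negative value passes this test; `if (avctx->block_align <= 0)` would cover both cases with the same error path.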
From e050af9a809bd4e223c89e280ebd94da0e1034b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Jan 2013 00:54:12 +0100 Subject: [PATCH 459/991] vorbisdec: Error on bark_map_size equal to 0. The value is used to calculate output LSP curve and a division by zero and out of array accesses would occur. CVE-2013-0894 CC: libav-stable@libav.org Reported-by: Dale Curtis Found-by: inferno@chromium.org Signed-off-by: Michael Niedermayer Signed-off-by: Luca Barbato (cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc) Signed-off-by: Reinhard Tartler (cherry picked from commit 494ddd377ada76ed555f7a3f49391455daa099c9) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 3c139478e0..5a0a4a4a9b 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -587,6 +587,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) floor_setup->data.t0.order = get_bits(gb, 8); floor_setup->data.t0.rate = get_bits(gb, 16); floor_setup->data.t0.bark_map_size = get_bits(gb, 16); + if (floor_setup->data.t0.bark_map_size == 0) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 bark map size is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * * 2^0 - 1 == 0 */ From e10af023b2579791d4de7a16d4958229dc62be03 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:06:16 +0100 Subject: [PATCH 460/991] xxan: fix invalid memory access in xan_decode_frame_type0() The loop a few lines below the xan_unpack() call accesses up to dec_size * 2 bytes into y_buffer, so dec_size must be limited to buffer_size / 2. CC:libav-stable@libav.org (cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f) Signed-off-by: Reinhard Tartler (cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3) 
Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 0a37d48f6b..59e1229802 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -296,7 +296,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx) if (chroma_off > corr_off) corr_end = chroma_off; bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET); - dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size); + dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2); if (dec_size < 0) dec_size = 0; for (i = 0; i < dec_size; i++) From 98406bd26e6d29bf782ab1456aa084fafc102a71 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 10:42:51 +0100 Subject: [PATCH 461/991] vmdaudio: fix invalid reads when packet size is not a multiple of chunk size CC:libav-stable@libav.org (cherry picked from commit f86d66bcfa48998b0727aa0d1089a30cbeae0933) Signed-off-by: Reinhard Tartler (cherry picked from commit 77cf052e395b1fac8dd181d4f76b0101d1acd625) Signed-off-by: Reinhard Tartler --- libavcodec/vmdav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 89b5c2bc6a..570c362a57 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -625,7 +625,7 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* decode audio chunks */ if (audio_chunks > 0) { buf_end = buf + buf_size; - while (buf < buf_end) { + while (buf + s->chunk_size <= buf_end) { if (s->out_bps == 2) { decode_audio_s16(output_samples_s16, buf, s->chunk_size, avctx->channels); From 5dbb3298b9c1d7beb41c7d3ab19f86d6e027e43d Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 16 Jan 2013 17:52:55 -0500 Subject: [PATCH 462/991] libmp3lame: use the correct remaining buffer size when flushing CC:libav-stable@libav.org (cherry picked from commit e984f47873258b600fd88423f40e3cdaad179190) 
Signed-off-by: Reinhard Tartler (cherry picked from commit b77d9cbbd5050eda75030c8926241af3dbe1a8df) Signed-off-by: Reinhard Tartler --- libavcodec/libmp3lame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index f3c4528c07..3e8d92a3a5 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -169,7 +169,7 @@ static int MP3lame_encode_frame(AVCodecContext *avctx, unsigned char *frame, } } else { lame_result = lame_encode_flush(s->gfp, s->buffer + s->buffer_index, - BUFFER_SIZE - s->buffer_index); + s->buffer_size - s->buffer_index); } if (lame_result < 0) { From 9b79a05289d91d1184455d12e6c4df457f0657c4 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 10:02:50 +0100 Subject: [PATCH 463/991] wmaprodec: return an error, not 0, when the input is too small. Returning 0 may result in an infinite loop in valid calling programs. A decoder should never return 0 without producing any output. CC:libav-stable@libav.org (cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63) Signed-off-by: Reinhard Tartler (cherry picked from commit 60dd8b5733f9ec4919fbc732ace1be8184dde880) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 9804cc28e7..54b0f57983 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1507,8 +1507,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, s->packet_done = 0; /** sanity check for the buffer length */ - if (buf_size < avctx->block_align) - return 0; + if (buf_size < avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", + buf_size, avctx->block_align); + return AVERROR_INVALIDDATA; + } s->next_packet_start = buf_size - avctx->block_align; buf_size = avctx->block_align; From b9ec4414b5ee4128a58f863fa290ca14bfb39db6 Mon Sep 17 00:00:00 2001 
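Review bot: the new loop condition `while (buf + s->chunk_size <= buf_end)` in vmdaudio_decode_frame (libavcodec/vmdav.c) forms `buf + s->chunk_size` before comparing, and that pointer lies past the end of the packet buffer whenever fewer than chunk_size bytes remain. Comparing the remaining length instead, `while (buf_end - buf >= s->chunk_size)`, gives the same result without computing an out-of-range pointer. A trailing partial chunk is now dropped without notice; a short comment or a debug log stating that this is intended would help the next reader.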
From: Diego Biurrun Date: Tue, 6 Mar 2012 18:59:03 +0100 Subject: [PATCH 464/991] vc1: Move init code shared between decoder and parser to common code file. This fixes standalone compilation of the VC-1 parser. (cherry picked from commit 3c715383ea7012ac69507e6b9189c98675c77461) Conflicts: libavcodec/vc1data.h Signed-off-by: Diego Biurrun --- libavcodec/vc1.c | 362 +++++++++++++++++++++++++++++++++++++++++ libavcodec/vc1.h | 2 + libavcodec/vc1acdata.h | 227 +------------------------- libavcodec/vc1data.c | 4 + libavcodec/vc1data.h | 5 + libavcodec/vc1dec.c | 144 +--------------- 6 files changed, 375 insertions(+), 369 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index a1c3f07cdf..6135ebdc09 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c 
@@ -1239,3 +1239,365 @@ int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) } return 0; } + +static const uint32_t vc1_ac_tables[AC_MODES][186][2] = { +{ +{ 0x0001, 2}, { 0x0005, 3}, { 0x000D, 4}, { 0x0012, 5}, { 0x000E, 6}, { 0x0015, 7}, +{ 0x0013, 8}, { 0x003F, 8}, { 0x004B, 9}, { 0x011F, 9}, { 0x00B8, 10}, { 0x03E3, 10}, +{ 0x0172, 11}, { 0x024D, 12}, { 0x03DA, 12}, { 0x02DD, 13}, { 0x1F55, 13}, { 0x05B9, 14}, +{ 0x3EAE, 14}, { 0x0000, 4}, { 0x0010, 5}, { 0x0008, 7}, { 0x0020, 8}, { 0x0029, 9}, +{ 0x01F4, 9}, { 0x0233, 10}, { 0x01E0, 11}, { 0x012A, 12}, { 0x03DD, 12}, { 0x050A, 13}, +{ 0x1F29, 13}, { 0x0A42, 14}, { 0x1272, 15}, { 0x1737, 15}, { 0x0003, 5}, { 0x0011, 7}, +{ 0x00C4, 8}, { 0x004B, 10}, { 0x00B4, 11}, { 0x07D4, 11}, { 0x0345, 12}, { 0x02D7, 13}, +{ 0x07BF, 13}, { 0x0938, 14}, { 0x0BBB, 14}, { 0x095E, 15}, { 0x0013, 5}, { 0x0078, 7}, +{ 0x0069, 9}, { 0x0232, 10}, { 0x0461, 11}, { 0x03EC, 12}, { 0x0520, 13}, { 0x1F2A, 13}, +{ 0x3E50, 14}, { 0x3E51, 14}, { 0x1486, 15}, { 0x000C, 6}, { 0x0024, 9}, { 0x0094, 11}, +{ 0x08C0, 12}, { 0x0F09, 14}, { 0x1EF0, 15}, { 0x003D, 6}, { 0x0053, 9}, { 0x01A0, 11}, +{ 0x02D6, 13}, { 0x0F08, 14}, { 0x0013, 7}, { 0x007C, 9}, { 0x07C1, 11}, { 0x04AC, 14}, +{ 0x001B, 7}, { 0x00A0, 10}, { 0x0344, 12}, { 0x0F79, 14}, { 0x0079, 7}, { 0x03E1, 10}, +{ 0x02D4, 13}, { 0x2306, 14}, { 0x0021, 8}, { 0x023C, 10}, { 0x0FAE, 12}, { 0x23DE, 14}, +{ 0x0035, 8}, { 0x0175, 11}, { 0x07B3, 13}, { 0x00C5, 8}, { 0x0174, 11}, { 0x0785, 13}, +{ 0x0048, 9}, { 0x01A3, 11}, { 0x049E, 13}, { 0x002C, 9}, { 0x00FA, 10}, { 0x07D6, 11}, +{ 0x0092, 10}, { 0x05CC, 13}, { 0x1EF1, 15}, { 0x00A3, 10}, { 0x03ED, 12}, { 0x093E, 14}, +{ 0x01E2, 11}, { 0x1273, 15}, { 0x07C4, 11}, { 0x1487, 15}, { 0x0291, 12}, { 0x0293, 12}, +{ 0x0F8A, 12}, { 0x0509, 13}, { 0x0508, 13}, { 0x078D, 13}, { 0x07BE, 13}, { 0x078C, 13}, +{ 0x04AE, 14}, { 0x0BBA, 14}, { 0x2307, 14}, { 0x0B9A, 14}, { 0x1736, 15}, { 0x000E, 4}, +{ 0x0045, 7}, { 0x01F3, 9}, { 0x047A, 11}, { 
0x05DC, 13}, { 0x23DF, 14}, { 0x0019, 5}, +{ 0x0028, 9}, { 0x0176, 11}, { 0x049D, 13}, { 0x23DD, 14}, { 0x0030, 6}, { 0x00A2, 10}, +{ 0x02EF, 12}, { 0x05B8, 14}, { 0x003F, 6}, { 0x00A5, 10}, { 0x03DB, 12}, { 0x093F, 14}, +{ 0x0044, 7}, { 0x07CB, 11}, { 0x095F, 15}, { 0x0063, 7}, { 0x03C3, 12}, { 0x0015, 8}, +{ 0x08F6, 12}, { 0x0017, 8}, { 0x0498, 13}, { 0x002C, 8}, { 0x07B2, 13}, { 0x002F, 8}, +{ 0x1F54, 13}, { 0x008D, 8}, { 0x07BD, 13}, { 0x008E, 8}, { 0x1182, 13}, { 0x00FB, 8}, +{ 0x050B, 13}, { 0x002D, 8}, { 0x07C0, 11}, { 0x0079, 9}, { 0x1F5F, 13}, { 0x007A, 9}, +{ 0x1F56, 13}, { 0x0231, 10}, { 0x03E4, 10}, { 0x01A1, 11}, { 0x0143, 11}, { 0x01F7, 11}, +{ 0x016F, 12}, { 0x0292, 12}, { 0x02E7, 12}, { 0x016C, 12}, { 0x016D, 12}, { 0x03DC, 12}, +{ 0x0F8B, 12}, { 0x0499, 13}, { 0x03D8, 12}, { 0x078E, 13}, { 0x02D5, 13}, { 0x1F5E, 13}, +{ 0x1F2B, 13}, { 0x078F, 13}, { 0x04AD, 14}, { 0x3EAF, 14}, { 0x23DC, 14}, { 0x004A, 9} +}, +{ +{ 0x0000, 3}, { 0x0003, 4}, { 0x000B, 5}, { 0x0014, 6}, { 0x003F, 6}, { 0x005D, 7}, +{ 0x00A2, 8}, { 0x00AC, 9}, { 0x016E, 9}, { 0x020A, 10}, { 0x02E2, 10}, { 0x0432, 11}, +{ 0x05C9, 11}, { 0x0827, 12}, { 0x0B54, 12}, { 0x04E6, 13}, { 0x105F, 13}, { 0x172A, 13}, +{ 0x20B2, 14}, { 0x2D4E, 14}, { 0x39F0, 14}, { 0x4175, 15}, { 0x5A9E, 15}, { 0x0004, 4}, +{ 0x001E, 5}, { 0x0042, 7}, { 0x00B6, 8}, { 0x0173, 9}, { 0x0395, 10}, { 0x072E, 11}, +{ 0x0B94, 12}, { 0x16A4, 13}, { 0x20B3, 14}, { 0x2E45, 14}, { 0x0005, 5}, { 0x0040, 7}, +{ 0x0049, 9}, { 0x028F, 10}, { 0x05CB, 11}, { 0x048A, 13}, { 0x09DD, 14}, { 0x73E2, 15}, +{ 0x0018, 5}, { 0x0025, 8}, { 0x008A, 10}, { 0x051B, 11}, { 0x0E5F, 12}, { 0x09C9, 14}, +{ 0x139C, 15}, { 0x0029, 6}, { 0x004F, 9}, { 0x0412, 11}, { 0x048D, 13}, { 0x2E41, 14}, +{ 0x0038, 6}, { 0x010E, 9}, { 0x05A8, 11}, { 0x105C, 13}, { 0x39F2, 14}, { 0x0058, 7}, +{ 0x021F, 10}, { 0x0E7E, 12}, { 0x39FF, 14}, { 0x0023, 8}, { 0x02E3, 10}, { 0x04E5, 13}, +{ 0x2E40, 14}, { 0x00A1, 8}, { 0x05BE, 11}, { 0x09C8, 14}, { 0x0083, 8}, { 
0x013A, 11}, +{ 0x1721, 13}, { 0x0044, 9}, { 0x0276, 12}, { 0x39F6, 14}, { 0x008B, 10}, { 0x04EF, 13}, +{ 0x5A9B, 15}, { 0x0208, 10}, { 0x1CFE, 13}, { 0x0399, 10}, { 0x1CB4, 13}, { 0x039E, 10}, +{ 0x39F3, 14}, { 0x05AB, 11}, { 0x73E3, 15}, { 0x0737, 11}, { 0x5A9F, 15}, { 0x082D, 12}, +{ 0x0E69, 12}, { 0x0E68, 12}, { 0x0433, 11}, { 0x0B7B, 12}, { 0x2DF8, 14}, { 0x2E56, 14}, +{ 0x2E57, 14}, { 0x39F7, 14}, { 0x51A5, 15}, { 0x0003, 3}, { 0x002A, 6}, { 0x00E4, 8}, +{ 0x028E, 10}, { 0x0735, 11}, { 0x1058, 13}, { 0x1CFA, 13}, { 0x2DF9, 14}, { 0x4174, 15}, +{ 0x0009, 4}, { 0x0054, 8}, { 0x0398, 10}, { 0x048B, 13}, { 0x139D, 15}, { 0x000D, 4}, +{ 0x00AD, 9}, { 0x0826, 12}, { 0x2D4C, 14}, { 0x0011, 5}, { 0x016B, 9}, { 0x0B7F, 12}, +{ 0x51A4, 15}, { 0x0019, 5}, { 0x021B, 10}, { 0x16FD, 13}, { 0x001D, 5}, { 0x0394, 10}, +{ 0x28D3, 14}, { 0x002B, 6}, { 0x05BC, 11}, { 0x5A9A, 15}, { 0x002F, 6}, { 0x0247, 12}, +{ 0x0010, 7}, { 0x0A35, 12}, { 0x003E, 6}, { 0x0B7A, 12}, { 0x0059, 7}, { 0x105E, 13}, +{ 0x0026, 8}, { 0x09CF, 14}, { 0x0055, 8}, { 0x1CB5, 13}, { 0x0057, 8}, { 0x0E5B, 12}, +{ 0x00A0, 8}, { 0x1468, 13}, { 0x0170, 9}, { 0x0090, 10}, { 0x01CE, 9}, { 0x021A, 10}, +{ 0x0218, 10}, { 0x0168, 9}, { 0x021E, 10}, { 0x0244, 12}, { 0x0736, 11}, { 0x0138, 11}, +{ 0x0519, 11}, { 0x0E5E, 12}, { 0x072C, 11}, { 0x0B55, 12}, { 0x09DC, 14}, { 0x20BB, 14}, +{ 0x048C, 13}, { 0x1723, 13}, { 0x2E44, 14}, { 0x16A5, 13}, { 0x0518, 11}, { 0x39FE, 14}, +{ 0x0169, 9} +}, +{ +{ 0x0001, 2}, { 0x0006, 3}, { 0x000F, 4}, { 0x0016, 5}, { 0x0020, 6}, { 0x0018, 7}, +{ 0x0008, 8}, { 0x009A, 8}, { 0x0056, 9}, { 0x013E, 9}, { 0x00F0, 10}, { 0x03A5, 10}, +{ 0x0077, 11}, { 0x01EF, 11}, { 0x009A, 12}, { 0x005D, 13}, { 0x0001, 4}, { 0x0011, 5}, +{ 0x0002, 7}, { 0x000B, 8}, { 0x0012, 9}, { 0x01D6, 9}, { 0x027E, 10}, { 0x0191, 11}, +{ 0x00EA, 12}, { 0x03DC, 12}, { 0x013B, 13}, { 0x0004, 5}, { 0x0014, 7}, { 0x009E, 8}, +{ 0x0009, 10}, { 0x01AC, 11}, { 0x01E2, 11}, { 0x03CA, 12}, { 0x005F, 13}, { 0x0017, 5}, +{ 
0x004E, 7}, { 0x005E, 9}, { 0x00F3, 10}, { 0x01AD, 11}, { 0x00EC, 12}, { 0x05F0, 13}, +{ 0x000E, 6}, { 0x00E1, 8}, { 0x03A4, 10}, { 0x009C, 12}, { 0x013D, 13}, { 0x003B, 6}, +{ 0x001C, 9}, { 0x0014, 11}, { 0x09BE, 12}, { 0x0006, 7}, { 0x007A, 9}, { 0x0190, 11}, +{ 0x0137, 13}, { 0x001B, 7}, { 0x0008, 10}, { 0x075C, 11}, { 0x0071, 7}, { 0x00D7, 10}, +{ 0x09BF, 12}, { 0x0007, 8}, { 0x00AF, 10}, { 0x04CC, 11}, { 0x0034, 8}, { 0x0265, 10}, +{ 0x009F, 12}, { 0x00E0, 8}, { 0x0016, 11}, { 0x0327, 12}, { 0x0015, 9}, { 0x017D, 11}, +{ 0x0EBB, 12}, { 0x0014, 9}, { 0x00F6, 10}, { 0x01E4, 11}, { 0x00CB, 10}, { 0x099D, 12}, +{ 0x00CA, 10}, { 0x02FC, 12}, { 0x017F, 11}, { 0x04CD, 11}, { 0x02FD, 12}, { 0x04FE, 11}, +{ 0x013A, 13}, { 0x000A, 4}, { 0x0042, 7}, { 0x01D3, 9}, { 0x04DD, 11}, { 0x0012, 5}, +{ 0x00E8, 8}, { 0x004C, 11}, { 0x0136, 13}, { 0x0039, 6}, { 0x0264, 10}, { 0x0EBA, 12}, +{ 0x0000, 7}, { 0x00AE, 10}, { 0x099C, 12}, { 0x001F, 7}, { 0x04DE, 11}, { 0x0043, 7}, +{ 0x04DC, 11}, { 0x0003, 8}, { 0x03CB, 12}, { 0x0006, 8}, { 0x099E, 12}, { 0x002A, 8}, +{ 0x05F1, 13}, { 0x000F, 8}, { 0x09FE, 12}, { 0x0033, 8}, { 0x09FF, 12}, { 0x0098, 8}, +{ 0x099F, 12}, { 0x00EA, 8}, { 0x013C, 13}, { 0x002E, 8}, { 0x0192, 11}, { 0x0136, 9}, +{ 0x006A, 9}, { 0x0015, 11}, { 0x03AF, 10}, { 0x01E3, 11}, { 0x0074, 11}, { 0x00EB, 12}, +{ 0x02F9, 12}, { 0x005C, 13}, { 0x00ED, 12}, { 0x03DD, 12}, { 0x0326, 12}, { 0x005E, 13}, +{ 0x0016, 7} +}, +{ +{ 0x0004, 3}, { 0x0014, 5}, { 0x0017, 7}, { 0x007F, 8}, { 0x0154, 9}, { 0x01F2, 10}, +{ 0x00BF, 11}, { 0x0065, 12}, { 0x0AAA, 12}, { 0x0630, 13}, { 0x1597, 13}, { 0x03B7, 14}, +{ 0x2B22, 14}, { 0x0BE6, 15}, { 0x000B, 4}, { 0x0037, 7}, { 0x0062, 9}, { 0x0007, 11}, +{ 0x0166, 12}, { 0x00CE, 13}, { 0x1590, 13}, { 0x05F6, 14}, { 0x0BE7, 15}, { 0x0007, 5}, +{ 0x006D, 8}, { 0x0003, 11}, { 0x031F, 12}, { 0x05F2, 14}, { 0x0002, 6}, { 0x0061, 9}, +{ 0x0055, 12}, { 0x01DF, 14}, { 0x001A, 6}, { 0x001E, 10}, { 0x0AC9, 12}, { 0x2B23, 14}, +{ 0x001E, 6}, { 0x001F, 
10}, { 0x0AC3, 12}, { 0x2B2B, 14}, { 0x0006, 7}, { 0x0004, 11}, +{ 0x02F8, 13}, { 0x0019, 7}, { 0x0006, 11}, { 0x063D, 13}, { 0x0057, 7}, { 0x0182, 11}, +{ 0x2AA2, 14}, { 0x0004, 8}, { 0x0180, 11}, { 0x059C, 14}, { 0x007D, 8}, { 0x0164, 12}, +{ 0x076D, 15}, { 0x0002, 9}, { 0x018D, 11}, { 0x1581, 13}, { 0x00AD, 8}, { 0x0060, 12}, +{ 0x0C67, 14}, { 0x001C, 9}, { 0x00EE, 13}, { 0x0003, 9}, { 0x02CF, 13}, { 0x00D9, 9}, +{ 0x1580, 13}, { 0x0002, 11}, { 0x0183, 11}, { 0x0057, 12}, { 0x0061, 12}, { 0x0031, 11}, +{ 0x0066, 12}, { 0x0631, 13}, { 0x0632, 13}, { 0x00AC, 13}, { 0x031D, 12}, { 0x0076, 12}, +{ 0x003A, 11}, { 0x0165, 12}, { 0x0C66, 14}, { 0x0003, 2}, { 0x0054, 7}, { 0x02AB, 10}, +{ 0x0016, 13}, { 0x05F7, 14}, { 0x0005, 4}, { 0x00F8, 9}, { 0x0AA9, 12}, { 0x005F, 15}, +{ 0x0004, 4}, { 0x001C, 10}, { 0x1550, 13}, { 0x0004, 5}, { 0x0077, 11}, { 0x076C, 15}, +{ 0x000E, 5}, { 0x000A, 12}, { 0x000C, 5}, { 0x0562, 11}, { 0x0004, 6}, { 0x031C, 12}, +{ 0x0006, 6}, { 0x00C8, 13}, { 0x000D, 6}, { 0x01DA, 13}, { 0x0007, 6}, { 0x00C9, 13}, +{ 0x0001, 7}, { 0x002E, 14}, { 0x0014, 7}, { 0x1596, 13}, { 0x000A, 7}, { 0x0AC2, 12}, +{ 0x0016, 7}, { 0x015B, 14}, { 0x0015, 7}, { 0x015A, 14}, { 0x000F, 8}, { 0x005E, 15}, +{ 0x007E, 8}, { 0x00AB, 8}, { 0x002D, 9}, { 0x00D8, 9}, { 0x000B, 9}, { 0x0014, 10}, +{ 0x02B3, 10}, { 0x01F3, 10}, { 0x003A, 10}, { 0x0000, 10}, { 0x0058, 10}, { 0x002E, 9}, +{ 0x005E, 10}, { 0x0563, 11}, { 0x00EC, 12}, { 0x0054, 12}, { 0x0AC1, 12}, { 0x1556, 13}, +{ 0x02FA, 13}, { 0x0181, 11}, { 0x1557, 13}, { 0x059D, 14}, { 0x2AA3, 14}, { 0x2B2A, 14}, +{ 0x01DE, 14}, { 0x063C, 13}, { 0x00CF, 13}, { 0x1594, 13}, { 0x000D, 9} +}, +{ +{ 0x0002, 2}, { 0x0006, 3}, { 0x000F, 4}, { 0x000D, 5}, { 0x000C, 5}, { 0x0015, 6}, +{ 0x0013, 6}, { 0x0012, 6}, { 0x0017, 7}, { 0x001F, 8}, { 0x001E, 8}, { 0x001D, 8}, +{ 0x0025, 9}, { 0x0024, 9}, { 0x0023, 9}, { 0x0021, 9}, { 0x0021, 10}, { 0x0020, 10}, +{ 0x000F, 10}, { 0x000E, 10}, { 0x0007, 11}, { 0x0006, 11}, { 0x0020, 11}, { 
0x0021, 11}, +{ 0x0050, 12}, { 0x0051, 12}, { 0x0052, 12}, { 0x000E, 4}, { 0x0014, 6}, { 0x0016, 7}, +{ 0x001C, 8}, { 0x0020, 9}, { 0x001F, 9}, { 0x000D, 10}, { 0x0022, 11}, { 0x0053, 12}, +{ 0x0055, 12}, { 0x000B, 5}, { 0x0015, 7}, { 0x001E, 9}, { 0x000C, 10}, { 0x0056, 12}, +{ 0x0011, 6}, { 0x001B, 8}, { 0x001D, 9}, { 0x000B, 10}, { 0x0010, 6}, { 0x0022, 9}, +{ 0x000A, 10}, { 0x000D, 6}, { 0x001C, 9}, { 0x0008, 10}, { 0x0012, 7}, { 0x001B, 9}, +{ 0x0054, 12}, { 0x0014, 7}, { 0x001A, 9}, { 0x0057, 12}, { 0x0019, 8}, { 0x0009, 10}, +{ 0x0018, 8}, { 0x0023, 11}, { 0x0017, 8}, { 0x0019, 9}, { 0x0018, 9}, { 0x0007, 10}, +{ 0x0058, 12}, { 0x0007, 4}, { 0x000C, 6}, { 0x0016, 8}, { 0x0017, 9}, { 0x0006, 10}, +{ 0x0005, 11}, { 0x0004, 11}, { 0x0059, 12}, { 0x000F, 6}, { 0x0016, 9}, { 0x0005, 10}, +{ 0x000E, 6}, { 0x0004, 10}, { 0x0011, 7}, { 0x0024, 11}, { 0x0010, 7}, { 0x0025, 11}, +{ 0x0013, 7}, { 0x005A, 12}, { 0x0015, 8}, { 0x005B, 12}, { 0x0014, 8}, { 0x0013, 8}, +{ 0x001A, 8}, { 0x0015, 9}, { 0x0014, 9}, { 0x0013, 9}, { 0x0012, 9}, { 0x0011, 9}, +{ 0x0026, 11}, { 0x0027, 11}, { 0x005C, 12}, { 0x005D, 12}, { 0x005E, 12}, { 0x005F, 12}, +{ 0x0003, 7} +}, +{ +{ 0x0002, 2}, { 0x000F, 4}, { 0x0015, 6}, { 0x0017, 7}, { 0x001F, 8}, { 0x0025, 9}, +{ 0x0024, 9}, { 0x0021, 10}, { 0x0020, 10}, { 0x0007, 11}, { 0x0006, 11}, { 0x0020, 11}, +{ 0x0006, 3}, { 0x0014, 6}, { 0x001E, 8}, { 0x000F, 10}, { 0x0021, 11}, { 0x0050, 12}, +{ 0x000E, 4}, { 0x001D, 8}, { 0x000E, 10}, { 0x0051, 12}, { 0x000D, 5}, { 0x0023, 9}, +{ 0x000D, 10}, { 0x000C, 5}, { 0x0022, 9}, { 0x0052, 12}, { 0x000B, 5}, { 0x000C, 10}, +{ 0x0053, 12}, { 0x0013, 6}, { 0x000B, 10}, { 0x0054, 12}, { 0x0012, 6}, { 0x000A, 10}, +{ 0x0011, 6}, { 0x0009, 10}, { 0x0010, 6}, { 0x0008, 10}, { 0x0016, 7}, { 0x0055, 12}, +{ 0x0015, 7}, { 0x0014, 7}, { 0x001C, 8}, { 0x001B, 8}, { 0x0021, 9}, { 0x0020, 9}, +{ 0x001F, 9}, { 0x001E, 9}, { 0x001D, 9}, { 0x001C, 9}, { 0x001B, 9}, { 0x001A, 9}, +{ 0x0022, 11}, { 0x0023, 11}, { 0x0056, 
12}, { 0x0057, 12}, { 0x0007, 4}, { 0x0019, 9}, +{ 0x0005, 11}, { 0x000F, 6}, { 0x0004, 11}, { 0x000E, 6}, { 0x000D, 6}, { 0x000C, 6}, +{ 0x0013, 7}, { 0x0012, 7}, { 0x0011, 7}, { 0x0010, 7}, { 0x001A, 8}, { 0x0019, 8}, +{ 0x0018, 8}, { 0x0017, 8}, { 0x0016, 8}, { 0x0015, 8}, { 0x0014, 8}, { 0x0013, 8}, +{ 0x0018, 9}, { 0x0017, 9}, { 0x0016, 9}, { 0x0015, 9}, { 0x0014, 9}, { 0x0013, 9}, +{ 0x0012, 9}, { 0x0011, 9}, { 0x0007, 10}, { 0x0006, 10}, { 0x0005, 10}, { 0x0004, 10}, +{ 0x0024, 11}, { 0x0025, 11}, { 0x0026, 11}, { 0x0027, 11}, { 0x0058, 12}, { 0x0059, 12}, +{ 0x005A, 12}, { 0x005B, 12}, { 0x005C, 12}, { 0x005D, 12}, { 0x005E, 12}, { 0x005F, 12}, +{ 0x0003, 7} +}, +{ +{ 0x0000, 2}, { 0x0003, 3}, { 0x000D, 4}, { 0x0005, 4}, { 0x001C, 5}, { 0x0016, 5}, +{ 0x003F, 6}, { 0x003A, 6}, { 0x002E, 6}, { 0x0022, 6}, { 0x007B, 7}, { 0x0067, 7}, +{ 0x005F, 7}, { 0x0047, 7}, { 0x0026, 7}, { 0x00EF, 8}, { 0x00CD, 8}, { 0x00C1, 8}, +{ 0x00A9, 8}, { 0x004F, 8}, { 0x01F2, 9}, { 0x01DD, 9}, { 0x0199, 9}, { 0x0185, 9}, +{ 0x015D, 9}, { 0x011B, 9}, { 0x03EF, 10}, { 0x03E1, 10}, { 0x03C8, 10}, { 0x0331, 10}, +{ 0x0303, 10}, { 0x02F1, 10}, { 0x02A0, 10}, { 0x0233, 10}, { 0x0126, 10}, { 0x07C0, 11}, +{ 0x076F, 11}, { 0x076C, 11}, { 0x0661, 11}, { 0x0604, 11}, { 0x0572, 11}, { 0x0551, 11}, +{ 0x046A, 11}, { 0x0274, 11}, { 0x0F27, 12}, { 0x0F24, 12}, { 0x0EDB, 12}, { 0x0C8E, 12}, +{ 0x0C0B, 12}, { 0x0C0A, 12}, { 0x0AE3, 12}, { 0x08D6, 12}, { 0x0490, 12}, { 0x0495, 12}, +{ 0x1F19, 13}, { 0x1DB5, 13}, { 0x0009, 4}, { 0x0010, 5}, { 0x0029, 6}, { 0x0062, 7}, +{ 0x00F3, 8}, { 0x00AD, 8}, { 0x01E5, 9}, { 0x0179, 9}, { 0x009C, 9}, { 0x03B1, 10}, +{ 0x02AE, 10}, { 0x0127, 10}, { 0x076E, 11}, { 0x0570, 11}, { 0x0275, 11}, { 0x0F25, 12}, +{ 0x0EC0, 12}, { 0x0AA0, 12}, { 0x08D7, 12}, { 0x1E4C, 13}, { 0x0008, 5}, { 0x0063, 7}, +{ 0x00AF, 8}, { 0x017B, 9}, { 0x03B3, 10}, { 0x07DD, 11}, { 0x0640, 11}, { 0x0F8D, 12}, +{ 0x0BC1, 12}, { 0x0491, 12}, { 0x0028, 6}, { 0x00C3, 8}, { 0x0151, 9}, { 0x02A1, 
10}, +{ 0x0573, 11}, { 0x0EC3, 12}, { 0x1F35, 13}, { 0x0065, 7}, { 0x01DA, 9}, { 0x02AF, 10}, +{ 0x0277, 11}, { 0x08C9, 12}, { 0x1781, 13}, { 0x0025, 7}, { 0x0118, 9}, { 0x0646, 11}, +{ 0x0AA6, 12}, { 0x1780, 13}, { 0x00C9, 8}, { 0x0321, 10}, { 0x0F9B, 12}, { 0x191E, 13}, +{ 0x0048, 8}, { 0x07CC, 11}, { 0x0AA1, 12}, { 0x0180, 9}, { 0x0465, 11}, { 0x1905, 13}, +{ 0x03E2, 10}, { 0x0EC1, 12}, { 0x3C9B, 14}, { 0x02F4, 10}, { 0x08C8, 12}, { 0x07C1, 11}, +{ 0x0928, 13}, { 0x05E1, 11}, { 0x320D, 14}, { 0x0EC2, 12}, { 0x6418, 15}, { 0x1F34, 13}, +{ 0x0078, 7}, { 0x0155, 9}, { 0x0552, 11}, { 0x191F, 13}, { 0x00FA, 8}, { 0x07DC, 11}, +{ 0x1907, 13}, { 0x00AC, 8}, { 0x0249, 11}, { 0x13B1, 14}, { 0x01F6, 9}, { 0x0AE2, 12}, +{ 0x01DC, 9}, { 0x04ED, 12}, { 0x0184, 9}, { 0x1904, 13}, { 0x0156, 9}, { 0x09D9, 13}, +{ 0x03E7, 10}, { 0x0929, 13}, { 0x03B2, 10}, { 0x3B68, 14}, { 0x02F5, 10}, { 0x13B0, 14}, +{ 0x0322, 10}, { 0x3B69, 14}, { 0x0234, 10}, { 0x7935, 15}, { 0x07C7, 11}, { 0xC833, 16}, +{ 0x0660, 11}, { 0x7934, 15}, { 0x024B, 11}, { 0xC832, 16}, { 0x0AA7, 12}, { 0x1F18, 13}, +{ 0x007A, 7} +}, +{ +{ 0x0002, 2}, { 0x0000, 3}, { 0x001E, 5}, { 0x0004, 5}, { 0x0012, 6}, { 0x0070, 7}, +{ 0x001A, 7}, { 0x005F, 8}, { 0x0047, 8}, { 0x01D3, 9}, { 0x00B5, 9}, { 0x0057, 9}, +{ 0x03B5, 10}, { 0x016D, 10}, { 0x0162, 10}, { 0x07CE, 11}, { 0x0719, 11}, { 0x0691, 11}, +{ 0x02C6, 11}, { 0x0156, 11}, { 0x0F92, 12}, { 0x0D2E, 12}, { 0x0D20, 12}, { 0x059E, 12}, +{ 0x0468, 12}, { 0x02A6, 12}, { 0x1DA2, 13}, { 0x1C60, 13}, { 0x1A43, 13}, { 0x0B1D, 13}, +{ 0x08C0, 13}, { 0x055D, 13}, { 0x0003, 3}, { 0x000A, 5}, { 0x0077, 7}, { 0x00E5, 8}, +{ 0x01D9, 9}, { 0x03E5, 10}, { 0x0166, 10}, { 0x0694, 11}, { 0x0152, 11}, { 0x059F, 12}, +{ 0x1F3C, 13}, { 0x1A4B, 13}, { 0x055E, 13}, { 0x000C, 4}, { 0x007D, 7}, { 0x0044, 8}, +{ 0x03E0, 10}, { 0x0769, 11}, { 0x0E31, 12}, { 0x1F26, 13}, { 0x055C, 13}, { 0x001B, 5}, +{ 0x00E2, 8}, { 0x03A5, 10}, { 0x02C9, 11}, { 0x1F23, 13}, { 0x3B47, 14}, { 0x0007, 5}, +{ 
0x01D8, 9}, { 0x02D8, 11}, { 0x1F27, 13}, { 0x3494, 14}, { 0x0035, 6}, { 0x03E1, 10}, +{ 0x059C, 12}, { 0x38C3, 14}, { 0x000C, 6}, { 0x0165, 10}, { 0x1D23, 13}, { 0x1638, 14}, +{ 0x0068, 7}, { 0x0693, 11}, { 0x3A45, 14}, { 0x0020, 7}, { 0x0F90, 12}, { 0x7CF6, 15}, +{ 0x00E8, 8}, { 0x058F, 12}, { 0x2CEF, 15}, { 0x0045, 8}, { 0x0B3A, 13}, { 0x01F1, 9}, +{ 0x3B46, 14}, { 0x01A7, 9}, { 0x1676, 14}, { 0x0056, 9}, { 0x692A, 15}, { 0x038D, 10}, +{ 0xE309, 16}, { 0x00AA, 10}, { 0x1C611, 17}, { 0x02DF, 11}, { 0xB3B9, 17}, { 0x02C8, 11}, +{ 0x38C20, 18}, { 0x01B0, 11}, { 0x16390, 18}, { 0x0F9F, 12}, { 0x16771, 18}, { 0x0ED0, 12}, +{ 0x71843, 19}, { 0x0D2A, 12}, { 0xF9E8C, 20}, { 0x0461, 12}, { 0xF9E8E, 20}, { 0x0B67, 13}, +{ 0x055F, 13}, { 0x003F, 6}, { 0x006D, 9}, { 0x0E90, 12}, { 0x054E, 13}, { 0x0013, 6}, +{ 0x0119, 10}, { 0x0B66, 13}, { 0x000B, 6}, { 0x0235, 11}, { 0x7CF5, 15}, { 0x0075, 7}, +{ 0x0D24, 12}, { 0xF9E9, 16}, { 0x002E, 7}, { 0x1F22, 13}, { 0x0021, 7}, { 0x054F, 13}, +{ 0x0014, 7}, { 0x3A44, 14}, { 0x00E4, 8}, { 0x7CF7, 15}, { 0x005E, 8}, { 0x7185, 15}, +{ 0x0037, 8}, { 0x2C73, 15}, { 0x01DB, 9}, { 0x59DD, 16}, { 0x01C7, 9}, { 0x692B, 15}, +{ 0x01A6, 9}, { 0x58E5, 16}, { 0x00B4, 9}, { 0x1F3D0, 17}, { 0x00B0, 9}, { 0xB1C9, 17}, +{ 0x03E6, 10}, { 0x16770, 18}, { 0x016E, 10}, { 0x3E7A2, 18}, { 0x011B, 10}, { 0xF9E8D, 20}, +{ 0x00D9, 10}, { 0xF9E8F, 20}, { 0x00A8, 10}, { 0x2C723, 19}, { 0x0749, 11}, { 0xE3084, 20}, +{ 0x0696, 11}, { 0x58E45, 20}, { 0x02DE, 11}, { 0xB1C88, 21}, { 0x0231, 11}, { 0x1C610A, 21}, +{ 0x01B1, 11}, { 0x71842D, 23}, { 0x0D2B, 12}, { 0x38C217, 22}, { 0x0D2F, 12}, { 0x163913, 22}, +{ 0x05B2, 12}, { 0x163912, 22}, { 0x0469, 12}, { 0x71842C, 23}, { 0x1A42, 13}, { 0x08C1, 13}, +{ 0x0073, 7} +} +}; + +static const uint16_t vlc_offs[] = { + 0, 520, 552, 616, 1128, 1160, 1224, 1740, 1772, 1836, 1900, 2436, + 2986, 3050, 3610, 4154, 4218, 4746, 5326, 5390, 5902, 6554, 7658, 8342, + 9304, 9988, 10630, 11234, 12174, 13006, 13560, 14232, 14786, 
15432, 16350, 17522, + 20372, 21818, 22330, 22394, 23166, 23678, 23742, 24820, 25332, 25396, 26460, 26980, + 27048, 27592, 27600, 27608, 27616, 27624, 28224, 28258, 28290, 28802, 28834, 28866, + 29378, 29412, 29444, 29960, 29994, 30026, 30538, 30572, 30604, 31120, 31154, 31186, + 31714, 31746, 31778, 32306, 32340, 32372 +}; + +/** + * Init VC-1 specific tables and VC1Context members + * @param v The VC1Context to initialize + * @return Status + */ +int ff_vc1_init_common(VC1Context *v) +{ + static int done = 0; + int i = 0; + static VLC_TYPE vlc_table[32372][2]; + + v->hrd_rate = v->hrd_buffer = NULL; + + /* VLC tables */ + if (!done) { + INIT_VLC_STATIC(&ff_vc1_bfraction_vlc, VC1_BFRACTION_VLC_BITS, 23, + ff_vc1_bfraction_bits, 1, 1, + ff_vc1_bfraction_codes, 1, 1, 1 << VC1_BFRACTION_VLC_BITS); + INIT_VLC_STATIC(&ff_vc1_norm2_vlc, VC1_NORM2_VLC_BITS, 4, + ff_vc1_norm2_bits, 1, 1, + ff_vc1_norm2_codes, 1, 1, 1 << VC1_NORM2_VLC_BITS); + INIT_VLC_STATIC(&ff_vc1_norm6_vlc, VC1_NORM6_VLC_BITS, 64, + ff_vc1_norm6_bits, 1, 1, + ff_vc1_norm6_codes, 2, 2, 556); + INIT_VLC_STATIC(&ff_vc1_imode_vlc, VC1_IMODE_VLC_BITS, 7, + ff_vc1_imode_bits, 1, 1, + ff_vc1_imode_codes, 1, 1, 1 << VC1_IMODE_VLC_BITS); + for (i = 0; i < 3; i++) { + ff_vc1_ttmb_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 0]]; + ff_vc1_ttmb_vlc[i].table_allocated = vlc_offs[i * 3 + 1] - vlc_offs[i * 3 + 0]; + init_vlc(&ff_vc1_ttmb_vlc[i], VC1_TTMB_VLC_BITS, 16, + ff_vc1_ttmb_bits[i], 1, 1, + ff_vc1_ttmb_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); + ff_vc1_ttblk_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 1]]; + ff_vc1_ttblk_vlc[i].table_allocated = vlc_offs[i * 3 + 2] - vlc_offs[i * 3 + 1]; + init_vlc(&ff_vc1_ttblk_vlc[i], VC1_TTBLK_VLC_BITS, 8, + ff_vc1_ttblk_bits[i], 1, 1, + ff_vc1_ttblk_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + ff_vc1_subblkpat_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 2]]; + ff_vc1_subblkpat_vlc[i].table_allocated = vlc_offs[i * 3 + 3] - vlc_offs[i * 3 + 2]; + 
init_vlc(&ff_vc1_subblkpat_vlc[i], VC1_SUBBLKPAT_VLC_BITS, 15, + ff_vc1_subblkpat_bits[i], 1, 1, + ff_vc1_subblkpat_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + } + for (i = 0; i < 4; i++) { + ff_vc1_4mv_block_pattern_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 9]]; + ff_vc1_4mv_block_pattern_vlc[i].table_allocated = vlc_offs[i * 3 + 10] - vlc_offs[i * 3 + 9]; + init_vlc(&ff_vc1_4mv_block_pattern_vlc[i], VC1_4MV_BLOCK_PATTERN_VLC_BITS, 16, + ff_vc1_4mv_block_pattern_bits[i], 1, 1, + ff_vc1_4mv_block_pattern_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + ff_vc1_cbpcy_p_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 10]]; + ff_vc1_cbpcy_p_vlc[i].table_allocated = vlc_offs[i * 3 + 11] - vlc_offs[i * 3 + 10]; + init_vlc(&ff_vc1_cbpcy_p_vlc[i], VC1_CBPCY_P_VLC_BITS, 64, + ff_vc1_cbpcy_p_bits[i], 1, 1, + ff_vc1_cbpcy_p_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); + ff_vc1_mv_diff_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 11]]; + ff_vc1_mv_diff_vlc[i].table_allocated = vlc_offs[i * 3 + 12] - vlc_offs[i * 3 + 11]; + init_vlc(&ff_vc1_mv_diff_vlc[i], VC1_MV_DIFF_VLC_BITS, 73, + ff_vc1_mv_diff_bits[i], 1, 1, + ff_vc1_mv_diff_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); + } + for (i = 0; i < 8; i++) { + ff_vc1_ac_coeff_table[i].table = &vlc_table[vlc_offs[i * 2 + 21]]; + ff_vc1_ac_coeff_table[i].table_allocated = vlc_offs[i * 2 + 22] - vlc_offs[i * 2 + 21]; + init_vlc(&ff_vc1_ac_coeff_table[i], AC_VLC_BITS, ff_vc1_ac_sizes[i], + &vc1_ac_tables[i][0][1], 8, 4, + &vc1_ac_tables[i][0][0], 8, 4, INIT_VLC_USE_NEW_STATIC); + /* initialize interlaced MVDATA tables (2-Ref) */ + ff_vc1_2ref_mvdata_vlc[i].table = &vlc_table[vlc_offs[i * 2 + 22]]; + ff_vc1_2ref_mvdata_vlc[i].table_allocated = vlc_offs[i * 2 + 23] - vlc_offs[i * 2 + 22]; + init_vlc(&ff_vc1_2ref_mvdata_vlc[i], VC1_2REF_MVDATA_VLC_BITS, 126, + ff_vc1_2ref_mvdata_bits[i], 1, 1, + ff_vc1_2ref_mvdata_codes[i], 4, 4, INIT_VLC_USE_NEW_STATIC); + } + for (i = 0; i < 4; i++) { + /* initialize 4MV MBMODE VLC tables for interlaced frame P picture 
*/ + ff_vc1_intfr_4mv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 37]]; + ff_vc1_intfr_4mv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 38] - vlc_offs[i * 3 + 37]; + init_vlc(&ff_vc1_intfr_4mv_mbmode_vlc[i], VC1_INTFR_4MV_MBMODE_VLC_BITS, 15, + ff_vc1_intfr_4mv_mbmode_bits[i], 1, 1, + ff_vc1_intfr_4mv_mbmode_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); + /* initialize NON-4MV MBMODE VLC tables for the same */ + ff_vc1_intfr_non4mv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 38]]; + ff_vc1_intfr_non4mv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 39] - vlc_offs[i * 3 + 38]; + init_vlc(&ff_vc1_intfr_non4mv_mbmode_vlc[i], VC1_INTFR_NON4MV_MBMODE_VLC_BITS, 9, + ff_vc1_intfr_non4mv_mbmode_bits[i], 1, 1, + ff_vc1_intfr_non4mv_mbmode_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + /* initialize interlaced MVDATA tables (1-Ref) */ + ff_vc1_1ref_mvdata_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 39]]; + ff_vc1_1ref_mvdata_vlc[i].table_allocated = vlc_offs[i * 3 + 40] - vlc_offs[i * 3 + 39]; + init_vlc(&ff_vc1_1ref_mvdata_vlc[i], VC1_1REF_MVDATA_VLC_BITS, 72, + ff_vc1_1ref_mvdata_bits[i], 1, 1, + ff_vc1_1ref_mvdata_codes[i], 4, 4, INIT_VLC_USE_NEW_STATIC); + } + for (i = 0; i < 4; i++) { + /* Initialize 2MV Block pattern VLC tables */ + ff_vc1_2mv_block_pattern_vlc[i].table = &vlc_table[vlc_offs[i + 49]]; + ff_vc1_2mv_block_pattern_vlc[i].table_allocated = vlc_offs[i + 50] - vlc_offs[i + 49]; + init_vlc(&ff_vc1_2mv_block_pattern_vlc[i], VC1_2MV_BLOCK_PATTERN_VLC_BITS, 4, + ff_vc1_2mv_block_pattern_bits[i], 1, 1, + ff_vc1_2mv_block_pattern_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + } + for (i = 0; i < 8; i++) { + /* Initialize interlaced CBPCY VLC tables (Table 124 - Table 131) */ + ff_vc1_icbpcy_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 53]]; + ff_vc1_icbpcy_vlc[i].table_allocated = vlc_offs[i * 3 + 54] - vlc_offs[i * 3 + 53]; + init_vlc(&ff_vc1_icbpcy_vlc[i], VC1_ICBPCY_VLC_BITS, 63, + ff_vc1_icbpcy_p_bits[i], 1, 1, + ff_vc1_icbpcy_p_codes[i], 2, 2, 
INIT_VLC_USE_NEW_STATIC); + /* Initialize interlaced field picture MBMODE VLC tables */ + ff_vc1_if_mmv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 54]]; + ff_vc1_if_mmv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 55] - vlc_offs[i * 3 + 54]; + init_vlc(&ff_vc1_if_mmv_mbmode_vlc[i], VC1_IF_MMV_MBMODE_VLC_BITS, 8, + ff_vc1_if_mmv_mbmode_bits[i], 1, 1, + ff_vc1_if_mmv_mbmode_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + ff_vc1_if_1mv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 55]]; + ff_vc1_if_1mv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 56] - vlc_offs[i * 3 + 55]; + init_vlc(&ff_vc1_if_1mv_mbmode_vlc[i], VC1_IF_1MV_MBMODE_VLC_BITS, 6, + ff_vc1_if_1mv_mbmode_bits[i], 1, 1, + ff_vc1_if_1mv_mbmode_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); + } + done = 1; + } + + /* Other defaults */ + v->pq = -1; + v->mvrange = 0; /* 7.1.1.18, p80 */ + + return 0; +} diff --git a/libavcodec/vc1.h b/libavcodec/vc1.h index 5ce0cb53cb..0b94cbf712 100644 --- a/libavcodec/vc1.h +++ b/libavcodec/vc1.h @@ -28,6 +28,8 @@ #include "intrax8.h" #include "vc1dsp.h" +#define AC_VLC_BITS 9 + /** Markers used in VC-1 AP frame data */ //@{ enum VC1Code { diff --git a/libavcodec/vc1acdata.h b/libavcodec/vc1acdata.h index a7a33ff805..73ebe40bdf 100644 --- a/libavcodec/vc1acdata.h +++ b/libavcodec/vc1acdata.h 
@@ -24,232 +24,7 @@ #include -#define AC_MODES 8 - -static const int vc1_ac_sizes[AC_MODES] = { - 186, 169, 133, 149, 103, 103, 163, 175 -}; - -static const uint32_t vc1_ac_tables[AC_MODES][186][2] = { -{ -{ 0x0001, 2}, { 0x0005, 3}, { 0x000D, 4}, { 0x0012, 5}, { 0x000E, 6}, { 0x0015, 7}, -{ 0x0013, 8}, { 0x003F, 8}, { 0x004B, 9}, { 0x011F, 9}, { 0x00B8, 10}, { 0x03E3, 10}, -{ 0x0172, 11}, { 0x024D, 12}, { 0x03DA, 12}, { 0x02DD, 13}, { 0x1F55, 13}, { 0x05B9, 14}, -{ 0x3EAE, 14}, { 0x0000, 4}, { 0x0010, 5}, { 0x0008, 7}, { 0x0020, 8}, { 0x0029, 9}, -{ 0x01F4, 9}, { 0x0233, 10}, { 0x01E0, 11}, { 0x012A, 12}, { 0x03DD, 12}, { 0x050A, 13}, -{ 0x1F29, 13}, { 0x0A42, 14}, { 0x1272, 15}, { 0x1737, 15}, { 0x0003, 5}, { 0x0011, 7}, -{ 0x00C4, 8}, { 0x004B, 10}, { 0x00B4, 11}, { 0x07D4, 11}, { 0x0345, 12}, { 0x02D7, 13}, -{ 0x07BF, 13}, { 0x0938, 14}, { 0x0BBB, 14}, { 0x095E, 15}, { 0x0013, 5}, { 0x0078, 7}, -{ 0x0069, 9}, { 0x0232, 10}, { 0x0461, 11}, { 0x03EC, 12}, { 0x0520, 13}, { 0x1F2A, 13}, -{ 0x3E50, 14}, { 0x3E51, 14}, { 0x1486, 15}, { 0x000C, 6}, { 0x0024, 9}, { 0x0094, 11}, -{ 0x08C0, 12}, { 0x0F09, 14}, { 0x1EF0, 15}, { 0x003D, 6}, { 0x0053, 9}, { 0x01A0, 11}, -{ 0x02D6, 13}, { 0x0F08, 14}, { 0x0013, 7}, { 0x007C, 9}, { 0x07C1, 11}, { 0x04AC, 14}, -{ 0x001B, 7}, { 0x00A0, 10}, { 0x0344, 12}, { 0x0F79, 14}, { 0x0079, 7}, { 0x03E1, 10}, -{ 0x02D4, 13}, { 0x2306, 14}, { 0x0021, 8}, { 0x023C, 10}, { 0x0FAE, 12}, { 0x23DE, 14}, -{ 0x0035, 8}, { 0x0175, 11}, { 0x07B3, 13}, { 0x00C5, 8}, { 0x0174, 11}, { 0x0785, 13}, -{ 0x0048, 9}, { 0x01A3, 11}, { 0x049E, 13}, { 0x002C, 9}, { 0x00FA, 10}, { 0x07D6, 11}, -{ 0x0092, 10}, { 0x05CC, 13}, { 0x1EF1, 15}, { 0x00A3, 10}, { 0x03ED, 12}, { 0x093E, 14}, -{ 0x01E2, 11}, { 0x1273, 15}, { 0x07C4, 11}, { 0x1487, 15}, { 0x0291, 12}, { 0x0293, 12}, -{ 0x0F8A, 12}, { 0x0509, 13}, { 0x0508, 13}, { 0x078D, 13}, { 0x07BE, 13}, { 0x078C, 13}, -{ 0x04AE, 14}, { 0x0BBA, 14}, { 0x2307, 14}, { 0x0B9A, 14}, { 0x1736, 15}, { 0x000E, 4}, -{ 0x0045, 
7}, { 0x01F3, 9}, { 0x047A, 11}, { 0x05DC, 13}, { 0x23DF, 14}, { 0x0019, 5}, -{ 0x0028, 9}, { 0x0176, 11}, { 0x049D, 13}, { 0x23DD, 14}, { 0x0030, 6}, { 0x00A2, 10}, -{ 0x02EF, 12}, { 0x05B8, 14}, { 0x003F, 6}, { 0x00A5, 10}, { 0x03DB, 12}, { 0x093F, 14}, -{ 0x0044, 7}, { 0x07CB, 11}, { 0x095F, 15}, { 0x0063, 7}, { 0x03C3, 12}, { 0x0015, 8}, -{ 0x08F6, 12}, { 0x0017, 8}, { 0x0498, 13}, { 0x002C, 8}, { 0x07B2, 13}, { 0x002F, 8}, -{ 0x1F54, 13}, { 0x008D, 8}, { 0x07BD, 13}, { 0x008E, 8}, { 0x1182, 13}, { 0x00FB, 8}, -{ 0x050B, 13}, { 0x002D, 8}, { 0x07C0, 11}, { 0x0079, 9}, { 0x1F5F, 13}, { 0x007A, 9}, -{ 0x1F56, 13}, { 0x0231, 10}, { 0x03E4, 10}, { 0x01A1, 11}, { 0x0143, 11}, { 0x01F7, 11}, -{ 0x016F, 12}, { 0x0292, 12}, { 0x02E7, 12}, { 0x016C, 12}, { 0x016D, 12}, { 0x03DC, 12}, -{ 0x0F8B, 12}, { 0x0499, 13}, { 0x03D8, 12}, { 0x078E, 13}, { 0x02D5, 13}, { 0x1F5E, 13}, -{ 0x1F2B, 13}, { 0x078F, 13}, { 0x04AD, 14}, { 0x3EAF, 14}, { 0x23DC, 14}, { 0x004A, 9} -}, -{ -{ 0x0000, 3}, { 0x0003, 4}, { 0x000B, 5}, { 0x0014, 6}, { 0x003F, 6}, { 0x005D, 7}, -{ 0x00A2, 8}, { 0x00AC, 9}, { 0x016E, 9}, { 0x020A, 10}, { 0x02E2, 10}, { 0x0432, 11}, -{ 0x05C9, 11}, { 0x0827, 12}, { 0x0B54, 12}, { 0x04E6, 13}, { 0x105F, 13}, { 0x172A, 13}, -{ 0x20B2, 14}, { 0x2D4E, 14}, { 0x39F0, 14}, { 0x4175, 15}, { 0x5A9E, 15}, { 0x0004, 4}, -{ 0x001E, 5}, { 0x0042, 7}, { 0x00B6, 8}, { 0x0173, 9}, { 0x0395, 10}, { 0x072E, 11}, -{ 0x0B94, 12}, { 0x16A4, 13}, { 0x20B3, 14}, { 0x2E45, 14}, { 0x0005, 5}, { 0x0040, 7}, -{ 0x0049, 9}, { 0x028F, 10}, { 0x05CB, 11}, { 0x048A, 13}, { 0x09DD, 14}, { 0x73E2, 15}, -{ 0x0018, 5}, { 0x0025, 8}, { 0x008A, 10}, { 0x051B, 11}, { 0x0E5F, 12}, { 0x09C9, 14}, -{ 0x139C, 15}, { 0x0029, 6}, { 0x004F, 9}, { 0x0412, 11}, { 0x048D, 13}, { 0x2E41, 14}, -{ 0x0038, 6}, { 0x010E, 9}, { 0x05A8, 11}, { 0x105C, 13}, { 0x39F2, 14}, { 0x0058, 7}, -{ 0x021F, 10}, { 0x0E7E, 12}, { 0x39FF, 14}, { 0x0023, 8}, { 0x02E3, 10}, { 0x04E5, 13}, -{ 0x2E40, 14}, { 0x00A1, 8}, { 0x05BE, 11}, { 
0x09C8, 14}, { 0x0083, 8}, { 0x013A, 11}, -{ 0x1721, 13}, { 0x0044, 9}, { 0x0276, 12}, { 0x39F6, 14}, { 0x008B, 10}, { 0x04EF, 13}, -{ 0x5A9B, 15}, { 0x0208, 10}, { 0x1CFE, 13}, { 0x0399, 10}, { 0x1CB4, 13}, { 0x039E, 10}, -{ 0x39F3, 14}, { 0x05AB, 11}, { 0x73E3, 15}, { 0x0737, 11}, { 0x5A9F, 15}, { 0x082D, 12}, -{ 0x0E69, 12}, { 0x0E68, 12}, { 0x0433, 11}, { 0x0B7B, 12}, { 0x2DF8, 14}, { 0x2E56, 14}, -{ 0x2E57, 14}, { 0x39F7, 14}, { 0x51A5, 15}, { 0x0003, 3}, { 0x002A, 6}, { 0x00E4, 8}, -{ 0x028E, 10}, { 0x0735, 11}, { 0x1058, 13}, { 0x1CFA, 13}, { 0x2DF9, 14}, { 0x4174, 15}, -{ 0x0009, 4}, { 0x0054, 8}, { 0x0398, 10}, { 0x048B, 13}, { 0x139D, 15}, { 0x000D, 4}, -{ 0x00AD, 9}, { 0x0826, 12}, { 0x2D4C, 14}, { 0x0011, 5}, { 0x016B, 9}, { 0x0B7F, 12}, -{ 0x51A4, 15}, { 0x0019, 5}, { 0x021B, 10}, { 0x16FD, 13}, { 0x001D, 5}, { 0x0394, 10}, -{ 0x28D3, 14}, { 0x002B, 6}, { 0x05BC, 11}, { 0x5A9A, 15}, { 0x002F, 6}, { 0x0247, 12}, -{ 0x0010, 7}, { 0x0A35, 12}, { 0x003E, 6}, { 0x0B7A, 12}, { 0x0059, 7}, { 0x105E, 13}, -{ 0x0026, 8}, { 0x09CF, 14}, { 0x0055, 8}, { 0x1CB5, 13}, { 0x0057, 8}, { 0x0E5B, 12}, -{ 0x00A0, 8}, { 0x1468, 13}, { 0x0170, 9}, { 0x0090, 10}, { 0x01CE, 9}, { 0x021A, 10}, -{ 0x0218, 10}, { 0x0168, 9}, { 0x021E, 10}, { 0x0244, 12}, { 0x0736, 11}, { 0x0138, 11}, -{ 0x0519, 11}, { 0x0E5E, 12}, { 0x072C, 11}, { 0x0B55, 12}, { 0x09DC, 14}, { 0x20BB, 14}, -{ 0x048C, 13}, { 0x1723, 13}, { 0x2E44, 14}, { 0x16A5, 13}, { 0x0518, 11}, { 0x39FE, 14}, -{ 0x0169, 9} -}, -{ -{ 0x0001, 2}, { 0x0006, 3}, { 0x000F, 4}, { 0x0016, 5}, { 0x0020, 6}, { 0x0018, 7}, -{ 0x0008, 8}, { 0x009A, 8}, { 0x0056, 9}, { 0x013E, 9}, { 0x00F0, 10}, { 0x03A5, 10}, -{ 0x0077, 11}, { 0x01EF, 11}, { 0x009A, 12}, { 0x005D, 13}, { 0x0001, 4}, { 0x0011, 5}, -{ 0x0002, 7}, { 0x000B, 8}, { 0x0012, 9}, { 0x01D6, 9}, { 0x027E, 10}, { 0x0191, 11}, -{ 0x00EA, 12}, { 0x03DC, 12}, { 0x013B, 13}, { 0x0004, 5}, { 0x0014, 7}, { 0x009E, 8}, -{ 0x0009, 10}, { 0x01AC, 11}, { 0x01E2, 11}, { 0x03CA, 12}, { 
0x005F, 13}, { 0x0017, 5}, -{ 0x004E, 7}, { 0x005E, 9}, { 0x00F3, 10}, { 0x01AD, 11}, { 0x00EC, 12}, { 0x05F0, 13}, -{ 0x000E, 6}, { 0x00E1, 8}, { 0x03A4, 10}, { 0x009C, 12}, { 0x013D, 13}, { 0x003B, 6}, -{ 0x001C, 9}, { 0x0014, 11}, { 0x09BE, 12}, { 0x0006, 7}, { 0x007A, 9}, { 0x0190, 11}, -{ 0x0137, 13}, { 0x001B, 7}, { 0x0008, 10}, { 0x075C, 11}, { 0x0071, 7}, { 0x00D7, 10}, -{ 0x09BF, 12}, { 0x0007, 8}, { 0x00AF, 10}, { 0x04CC, 11}, { 0x0034, 8}, { 0x0265, 10}, -{ 0x009F, 12}, { 0x00E0, 8}, { 0x0016, 11}, { 0x0327, 12}, { 0x0015, 9}, { 0x017D, 11}, -{ 0x0EBB, 12}, { 0x0014, 9}, { 0x00F6, 10}, { 0x01E4, 11}, { 0x00CB, 10}, { 0x099D, 12}, -{ 0x00CA, 10}, { 0x02FC, 12}, { 0x017F, 11}, { 0x04CD, 11}, { 0x02FD, 12}, { 0x04FE, 11}, -{ 0x013A, 13}, { 0x000A, 4}, { 0x0042, 7}, { 0x01D3, 9}, { 0x04DD, 11}, { 0x0012, 5}, -{ 0x00E8, 8}, { 0x004C, 11}, { 0x0136, 13}, { 0x0039, 6}, { 0x0264, 10}, { 0x0EBA, 12}, -{ 0x0000, 7}, { 0x00AE, 10}, { 0x099C, 12}, { 0x001F, 7}, { 0x04DE, 11}, { 0x0043, 7}, -{ 0x04DC, 11}, { 0x0003, 8}, { 0x03CB, 12}, { 0x0006, 8}, { 0x099E, 12}, { 0x002A, 8}, -{ 0x05F1, 13}, { 0x000F, 8}, { 0x09FE, 12}, { 0x0033, 8}, { 0x09FF, 12}, { 0x0098, 8}, -{ 0x099F, 12}, { 0x00EA, 8}, { 0x013C, 13}, { 0x002E, 8}, { 0x0192, 11}, { 0x0136, 9}, -{ 0x006A, 9}, { 0x0015, 11}, { 0x03AF, 10}, { 0x01E3, 11}, { 0x0074, 11}, { 0x00EB, 12}, -{ 0x02F9, 12}, { 0x005C, 13}, { 0x00ED, 12}, { 0x03DD, 12}, { 0x0326, 12}, { 0x005E, 13}, -{ 0x0016, 7} -}, -{ -{ 0x0004, 3}, { 0x0014, 5}, { 0x0017, 7}, { 0x007F, 8}, { 0x0154, 9}, { 0x01F2, 10}, -{ 0x00BF, 11}, { 0x0065, 12}, { 0x0AAA, 12}, { 0x0630, 13}, { 0x1597, 13}, { 0x03B7, 14}, -{ 0x2B22, 14}, { 0x0BE6, 15}, { 0x000B, 4}, { 0x0037, 7}, { 0x0062, 9}, { 0x0007, 11}, -{ 0x0166, 12}, { 0x00CE, 13}, { 0x1590, 13}, { 0x05F6, 14}, { 0x0BE7, 15}, { 0x0007, 5}, -{ 0x006D, 8}, { 0x0003, 11}, { 0x031F, 12}, { 0x05F2, 14}, { 0x0002, 6}, { 0x0061, 9}, -{ 0x0055, 12}, { 0x01DF, 14}, { 0x001A, 6}, { 0x001E, 10}, { 0x0AC9, 12}, { 0x2B23, 
14}, -{ 0x001E, 6}, { 0x001F, 10}, { 0x0AC3, 12}, { 0x2B2B, 14}, { 0x0006, 7}, { 0x0004, 11}, -{ 0x02F8, 13}, { 0x0019, 7}, { 0x0006, 11}, { 0x063D, 13}, { 0x0057, 7}, { 0x0182, 11}, -{ 0x2AA2, 14}, { 0x0004, 8}, { 0x0180, 11}, { 0x059C, 14}, { 0x007D, 8}, { 0x0164, 12}, -{ 0x076D, 15}, { 0x0002, 9}, { 0x018D, 11}, { 0x1581, 13}, { 0x00AD, 8}, { 0x0060, 12}, -{ 0x0C67, 14}, { 0x001C, 9}, { 0x00EE, 13}, { 0x0003, 9}, { 0x02CF, 13}, { 0x00D9, 9}, -{ 0x1580, 13}, { 0x0002, 11}, { 0x0183, 11}, { 0x0057, 12}, { 0x0061, 12}, { 0x0031, 11}, -{ 0x0066, 12}, { 0x0631, 13}, { 0x0632, 13}, { 0x00AC, 13}, { 0x031D, 12}, { 0x0076, 12}, -{ 0x003A, 11}, { 0x0165, 12}, { 0x0C66, 14}, { 0x0003, 2}, { 0x0054, 7}, { 0x02AB, 10}, -{ 0x0016, 13}, { 0x05F7, 14}, { 0x0005, 4}, { 0x00F8, 9}, { 0x0AA9, 12}, { 0x005F, 15}, -{ 0x0004, 4}, { 0x001C, 10}, { 0x1550, 13}, { 0x0004, 5}, { 0x0077, 11}, { 0x076C, 15}, -{ 0x000E, 5}, { 0x000A, 12}, { 0x000C, 5}, { 0x0562, 11}, { 0x0004, 6}, { 0x031C, 12}, -{ 0x0006, 6}, { 0x00C8, 13}, { 0x000D, 6}, { 0x01DA, 13}, { 0x0007, 6}, { 0x00C9, 13}, -{ 0x0001, 7}, { 0x002E, 14}, { 0x0014, 7}, { 0x1596, 13}, { 0x000A, 7}, { 0x0AC2, 12}, -{ 0x0016, 7}, { 0x015B, 14}, { 0x0015, 7}, { 0x015A, 14}, { 0x000F, 8}, { 0x005E, 15}, -{ 0x007E, 8}, { 0x00AB, 8}, { 0x002D, 9}, { 0x00D8, 9}, { 0x000B, 9}, { 0x0014, 10}, -{ 0x02B3, 10}, { 0x01F3, 10}, { 0x003A, 10}, { 0x0000, 10}, { 0x0058, 10}, { 0x002E, 9}, -{ 0x005E, 10}, { 0x0563, 11}, { 0x00EC, 12}, { 0x0054, 12}, { 0x0AC1, 12}, { 0x1556, 13}, -{ 0x02FA, 13}, { 0x0181, 11}, { 0x1557, 13}, { 0x059D, 14}, { 0x2AA3, 14}, { 0x2B2A, 14}, -{ 0x01DE, 14}, { 0x063C, 13}, { 0x00CF, 13}, { 0x1594, 13}, { 0x000D, 9} -}, -{ -{ 0x0002, 2}, { 0x0006, 3}, { 0x000F, 4}, { 0x000D, 5}, { 0x000C, 5}, { 0x0015, 6}, -{ 0x0013, 6}, { 0x0012, 6}, { 0x0017, 7}, { 0x001F, 8}, { 0x001E, 8}, { 0x001D, 8}, -{ 0x0025, 9}, { 0x0024, 9}, { 0x0023, 9}, { 0x0021, 9}, { 0x0021, 10}, { 0x0020, 10}, -{ 0x000F, 10}, { 0x000E, 10}, { 0x0007, 11}, { 
0x0006, 11}, { 0x0020, 11}, { 0x0021, 11}, -{ 0x0050, 12}, { 0x0051, 12}, { 0x0052, 12}, { 0x000E, 4}, { 0x0014, 6}, { 0x0016, 7}, -{ 0x001C, 8}, { 0x0020, 9}, { 0x001F, 9}, { 0x000D, 10}, { 0x0022, 11}, { 0x0053, 12}, -{ 0x0055, 12}, { 0x000B, 5}, { 0x0015, 7}, { 0x001E, 9}, { 0x000C, 10}, { 0x0056, 12}, -{ 0x0011, 6}, { 0x001B, 8}, { 0x001D, 9}, { 0x000B, 10}, { 0x0010, 6}, { 0x0022, 9}, -{ 0x000A, 10}, { 0x000D, 6}, { 0x001C, 9}, { 0x0008, 10}, { 0x0012, 7}, { 0x001B, 9}, -{ 0x0054, 12}, { 0x0014, 7}, { 0x001A, 9}, { 0x0057, 12}, { 0x0019, 8}, { 0x0009, 10}, -{ 0x0018, 8}, { 0x0023, 11}, { 0x0017, 8}, { 0x0019, 9}, { 0x0018, 9}, { 0x0007, 10}, -{ 0x0058, 12}, { 0x0007, 4}, { 0x000C, 6}, { 0x0016, 8}, { 0x0017, 9}, { 0x0006, 10}, -{ 0x0005, 11}, { 0x0004, 11}, { 0x0059, 12}, { 0x000F, 6}, { 0x0016, 9}, { 0x0005, 10}, -{ 0x000E, 6}, { 0x0004, 10}, { 0x0011, 7}, { 0x0024, 11}, { 0x0010, 7}, { 0x0025, 11}, -{ 0x0013, 7}, { 0x005A, 12}, { 0x0015, 8}, { 0x005B, 12}, { 0x0014, 8}, { 0x0013, 8}, -{ 0x001A, 8}, { 0x0015, 9}, { 0x0014, 9}, { 0x0013, 9}, { 0x0012, 9}, { 0x0011, 9}, -{ 0x0026, 11}, { 0x0027, 11}, { 0x005C, 12}, { 0x005D, 12}, { 0x005E, 12}, { 0x005F, 12}, -{ 0x0003, 7} -}, -{ -{ 0x0002, 2}, { 0x000F, 4}, { 0x0015, 6}, { 0x0017, 7}, { 0x001F, 8}, { 0x0025, 9}, -{ 0x0024, 9}, { 0x0021, 10}, { 0x0020, 10}, { 0x0007, 11}, { 0x0006, 11}, { 0x0020, 11}, -{ 0x0006, 3}, { 0x0014, 6}, { 0x001E, 8}, { 0x000F, 10}, { 0x0021, 11}, { 0x0050, 12}, -{ 0x000E, 4}, { 0x001D, 8}, { 0x000E, 10}, { 0x0051, 12}, { 0x000D, 5}, { 0x0023, 9}, -{ 0x000D, 10}, { 0x000C, 5}, { 0x0022, 9}, { 0x0052, 12}, { 0x000B, 5}, { 0x000C, 10}, -{ 0x0053, 12}, { 0x0013, 6}, { 0x000B, 10}, { 0x0054, 12}, { 0x0012, 6}, { 0x000A, 10}, -{ 0x0011, 6}, { 0x0009, 10}, { 0x0010, 6}, { 0x0008, 10}, { 0x0016, 7}, { 0x0055, 12}, -{ 0x0015, 7}, { 0x0014, 7}, { 0x001C, 8}, { 0x001B, 8}, { 0x0021, 9}, { 0x0020, 9}, -{ 0x001F, 9}, { 0x001E, 9}, { 0x001D, 9}, { 0x001C, 9}, { 0x001B, 9}, { 0x001A, 9}, -{ 0x0022, 
11}, { 0x0023, 11}, { 0x0056, 12}, { 0x0057, 12}, { 0x0007, 4}, { 0x0019, 9}, -{ 0x0005, 11}, { 0x000F, 6}, { 0x0004, 11}, { 0x000E, 6}, { 0x000D, 6}, { 0x000C, 6}, -{ 0x0013, 7}, { 0x0012, 7}, { 0x0011, 7}, { 0x0010, 7}, { 0x001A, 8}, { 0x0019, 8}, -{ 0x0018, 8}, { 0x0017, 8}, { 0x0016, 8}, { 0x0015, 8}, { 0x0014, 8}, { 0x0013, 8}, -{ 0x0018, 9}, { 0x0017, 9}, { 0x0016, 9}, { 0x0015, 9}, { 0x0014, 9}, { 0x0013, 9}, -{ 0x0012, 9}, { 0x0011, 9}, { 0x0007, 10}, { 0x0006, 10}, { 0x0005, 10}, { 0x0004, 10}, -{ 0x0024, 11}, { 0x0025, 11}, { 0x0026, 11}, { 0x0027, 11}, { 0x0058, 12}, { 0x0059, 12}, -{ 0x005A, 12}, { 0x005B, 12}, { 0x005C, 12}, { 0x005D, 12}, { 0x005E, 12}, { 0x005F, 12}, -{ 0x0003, 7} -}, -{ -{ 0x0000, 2}, { 0x0003, 3}, { 0x000D, 4}, { 0x0005, 4}, { 0x001C, 5}, { 0x0016, 5}, -{ 0x003F, 6}, { 0x003A, 6}, { 0x002E, 6}, { 0x0022, 6}, { 0x007B, 7}, { 0x0067, 7}, -{ 0x005F, 7}, { 0x0047, 7}, { 0x0026, 7}, { 0x00EF, 8}, { 0x00CD, 8}, { 0x00C1, 8}, -{ 0x00A9, 8}, { 0x004F, 8}, { 0x01F2, 9}, { 0x01DD, 9}, { 0x0199, 9}, { 0x0185, 9}, -{ 0x015D, 9}, { 0x011B, 9}, { 0x03EF, 10}, { 0x03E1, 10}, { 0x03C8, 10}, { 0x0331, 10}, -{ 0x0303, 10}, { 0x02F1, 10}, { 0x02A0, 10}, { 0x0233, 10}, { 0x0126, 10}, { 0x07C0, 11}, -{ 0x076F, 11}, { 0x076C, 11}, { 0x0661, 11}, { 0x0604, 11}, { 0x0572, 11}, { 0x0551, 11}, -{ 0x046A, 11}, { 0x0274, 11}, { 0x0F27, 12}, { 0x0F24, 12}, { 0x0EDB, 12}, { 0x0C8E, 12}, -{ 0x0C0B, 12}, { 0x0C0A, 12}, { 0x0AE3, 12}, { 0x08D6, 12}, { 0x0490, 12}, { 0x0495, 12}, -{ 0x1F19, 13}, { 0x1DB5, 13}, { 0x0009, 4}, { 0x0010, 5}, { 0x0029, 6}, { 0x0062, 7}, -{ 0x00F3, 8}, { 0x00AD, 8}, { 0x01E5, 9}, { 0x0179, 9}, { 0x009C, 9}, { 0x03B1, 10}, -{ 0x02AE, 10}, { 0x0127, 10}, { 0x076E, 11}, { 0x0570, 11}, { 0x0275, 11}, { 0x0F25, 12}, -{ 0x0EC0, 12}, { 0x0AA0, 12}, { 0x08D7, 12}, { 0x1E4C, 13}, { 0x0008, 5}, { 0x0063, 7}, -{ 0x00AF, 8}, { 0x017B, 9}, { 0x03B3, 10}, { 0x07DD, 11}, { 0x0640, 11}, { 0x0F8D, 12}, -{ 0x0BC1, 12}, { 0x0491, 12}, { 0x0028, 6}, { 
0x00C3, 8}, { 0x0151, 9}, { 0x02A1, 10}, -{ 0x0573, 11}, { 0x0EC3, 12}, { 0x1F35, 13}, { 0x0065, 7}, { 0x01DA, 9}, { 0x02AF, 10}, -{ 0x0277, 11}, { 0x08C9, 12}, { 0x1781, 13}, { 0x0025, 7}, { 0x0118, 9}, { 0x0646, 11}, -{ 0x0AA6, 12}, { 0x1780, 13}, { 0x00C9, 8}, { 0x0321, 10}, { 0x0F9B, 12}, { 0x191E, 13}, -{ 0x0048, 8}, { 0x07CC, 11}, { 0x0AA1, 12}, { 0x0180, 9}, { 0x0465, 11}, { 0x1905, 13}, -{ 0x03E2, 10}, { 0x0EC1, 12}, { 0x3C9B, 14}, { 0x02F4, 10}, { 0x08C8, 12}, { 0x07C1, 11}, -{ 0x0928, 13}, { 0x05E1, 11}, { 0x320D, 14}, { 0x0EC2, 12}, { 0x6418, 15}, { 0x1F34, 13}, -{ 0x0078, 7}, { 0x0155, 9}, { 0x0552, 11}, { 0x191F, 13}, { 0x00FA, 8}, { 0x07DC, 11}, -{ 0x1907, 13}, { 0x00AC, 8}, { 0x0249, 11}, { 0x13B1, 14}, { 0x01F6, 9}, { 0x0AE2, 12}, -{ 0x01DC, 9}, { 0x04ED, 12}, { 0x0184, 9}, { 0x1904, 13}, { 0x0156, 9}, { 0x09D9, 13}, -{ 0x03E7, 10}, { 0x0929, 13}, { 0x03B2, 10}, { 0x3B68, 14}, { 0x02F5, 10}, { 0x13B0, 14}, -{ 0x0322, 10}, { 0x3B69, 14}, { 0x0234, 10}, { 0x7935, 15}, { 0x07C7, 11}, { 0xC833, 16}, -{ 0x0660, 11}, { 0x7934, 15}, { 0x024B, 11}, { 0xC832, 16}, { 0x0AA7, 12}, { 0x1F18, 13}, -{ 0x007A, 7} -}, -{ -{ 0x0002, 2}, { 0x0000, 3}, { 0x001E, 5}, { 0x0004, 5}, { 0x0012, 6}, { 0x0070, 7}, -{ 0x001A, 7}, { 0x005F, 8}, { 0x0047, 8}, { 0x01D3, 9}, { 0x00B5, 9}, { 0x0057, 9}, -{ 0x03B5, 10}, { 0x016D, 10}, { 0x0162, 10}, { 0x07CE, 11}, { 0x0719, 11}, { 0x0691, 11}, -{ 0x02C6, 11}, { 0x0156, 11}, { 0x0F92, 12}, { 0x0D2E, 12}, { 0x0D20, 12}, { 0x059E, 12}, -{ 0x0468, 12}, { 0x02A6, 12}, { 0x1DA2, 13}, { 0x1C60, 13}, { 0x1A43, 13}, { 0x0B1D, 13}, -{ 0x08C0, 13}, { 0x055D, 13}, { 0x0003, 3}, { 0x000A, 5}, { 0x0077, 7}, { 0x00E5, 8}, -{ 0x01D9, 9}, { 0x03E5, 10}, { 0x0166, 10}, { 0x0694, 11}, { 0x0152, 11}, { 0x059F, 12}, -{ 0x1F3C, 13}, { 0x1A4B, 13}, { 0x055E, 13}, { 0x000C, 4}, { 0x007D, 7}, { 0x0044, 8}, -{ 0x03E0, 10}, { 0x0769, 11}, { 0x0E31, 12}, { 0x1F26, 13}, { 0x055C, 13}, { 0x001B, 5}, -{ 0x00E2, 8}, { 0x03A5, 10}, { 0x02C9, 11}, { 0x1F23, 13}, { 
0x3B47, 14}, { 0x0007, 5}, -{ 0x01D8, 9}, { 0x02D8, 11}, { 0x1F27, 13}, { 0x3494, 14}, { 0x0035, 6}, { 0x03E1, 10}, -{ 0x059C, 12}, { 0x38C3, 14}, { 0x000C, 6}, { 0x0165, 10}, { 0x1D23, 13}, { 0x1638, 14}, -{ 0x0068, 7}, { 0x0693, 11}, { 0x3A45, 14}, { 0x0020, 7}, { 0x0F90, 12}, { 0x7CF6, 15}, -{ 0x00E8, 8}, { 0x058F, 12}, { 0x2CEF, 15}, { 0x0045, 8}, { 0x0B3A, 13}, { 0x01F1, 9}, -{ 0x3B46, 14}, { 0x01A7, 9}, { 0x1676, 14}, { 0x0056, 9}, { 0x692A, 15}, { 0x038D, 10}, -{ 0xE309, 16}, { 0x00AA, 10}, { 0x1C611, 17}, { 0x02DF, 11}, { 0xB3B9, 17}, { 0x02C8, 11}, -{ 0x38C20, 18}, { 0x01B0, 11}, { 0x16390, 18}, { 0x0F9F, 12}, { 0x16771, 18}, { 0x0ED0, 12}, -{ 0x71843, 19}, { 0x0D2A, 12}, { 0xF9E8C, 20}, { 0x0461, 12}, { 0xF9E8E, 20}, { 0x0B67, 13}, -{ 0x055F, 13}, { 0x003F, 6}, { 0x006D, 9}, { 0x0E90, 12}, { 0x054E, 13}, { 0x0013, 6}, -{ 0x0119, 10}, { 0x0B66, 13}, { 0x000B, 6}, { 0x0235, 11}, { 0x7CF5, 15}, { 0x0075, 7}, -{ 0x0D24, 12}, { 0xF9E9, 16}, { 0x002E, 7}, { 0x1F22, 13}, { 0x0021, 7}, { 0x054F, 13}, -{ 0x0014, 7}, { 0x3A44, 14}, { 0x00E4, 8}, { 0x7CF7, 15}, { 0x005E, 8}, { 0x7185, 15}, -{ 0x0037, 8}, { 0x2C73, 15}, { 0x01DB, 9}, { 0x59DD, 16}, { 0x01C7, 9}, { 0x692B, 15}, -{ 0x01A6, 9}, { 0x58E5, 16}, { 0x00B4, 9}, { 0x1F3D0, 17}, { 0x00B0, 9}, { 0xB1C9, 17}, -{ 0x03E6, 10}, { 0x16770, 18}, { 0x016E, 10}, { 0x3E7A2, 18}, { 0x011B, 10}, { 0xF9E8D, 20}, -{ 0x00D9, 10}, { 0xF9E8F, 20}, { 0x00A8, 10}, { 0x2C723, 19}, { 0x0749, 11}, { 0xE3084, 20}, -{ 0x0696, 11}, { 0x58E45, 20}, { 0x02DE, 11}, { 0xB1C88, 21}, { 0x0231, 11}, { 0x1C610A, 21}, -{ 0x01B1, 11}, { 0x71842D, 23}, { 0x0D2B, 12}, { 0x38C217, 22}, { 0x0D2F, 12}, { 0x163913, 22}, -{ 0x05B2, 12}, { 0x163912, 22}, { 0x0469, 12}, { 0x71842C, 23}, { 0x1A42, 13}, { 0x08C1, 13}, -{ 0x0073, 7} -} -}; +#include "vc1data.h" /* which indexes point to last=1 entries in tables */ static const int vc1_last_decode_table[AC_MODES] = { 
diff --git a/libavcodec/vc1data.c b/libavcodec/vc1data.c index e1e2cbf6f5..e0baf947fe 100644 --- a/libavcodec/vc1data.c +++ b/libavcodec/vc1data.c @@ -1129,3 +1129,7 @@ const uint16_t vc1_b_field_mvpred_scales[7][4] = { { 26, 17, 12, 10 }, // ZONE1OFFSET_X { 7, 4, 3, 3 } // ZONE1OFFSET_Y }; + +const int ff_vc1_ac_sizes[AC_MODES] = { + 186, 169, 133, 149, 103, 103, 163, 175 +}; diff --git a/libavcodec/vc1data.h b/libavcodec/vc1data.h index 9e4074c511..8345bf5f1e 100644 --- a/libavcodec/vc1data.h +++ b/libavcodec/vc1data.h @@ -200,4 +200,9 @@ extern const int32_t ff_vc1_dqscale[63]; extern const uint16_t vc1_field_mvpred_scales[2][7][4]; /* B Interlaced field picture backward MV predictor scaling values for first field (Table 115) */ extern const uint16_t vc1_b_field_mvpred_scales[7][4]; + +#define AC_MODES 8 + +extern const int ff_vc1_ac_sizes[AC_MODES]; + #endif /* AVCODEC_VC1DATA_H */ diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 38b08a565b..9bc340b0e0 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
@@ -45,154 +45,12 @@ #define MB_INTRA_VLC_BITS 9 #define DC_VLC_BITS 9 -#define AC_VLC_BITS 9 -static const uint16_t vlc_offs[] = { - 0, 520, 552, 616, 1128, 1160, 1224, 1740, 1772, 1836, 1900, 2436, - 2986, 3050, 3610, 4154, 4218, 4746, 5326, 5390, 5902, 6554, 7658, 8342, - 9304, 9988, 10630, 11234, 12174, 13006, 13560, 14232, 14786, 15432, 16350, 17522, - 20372, 21818, 22330, 22394, 23166, 23678, 23742, 24820, 25332, 25396, 26460, 26980, - 27048, 27592, 27600, 27608, 27616, 27624, 28224, 28258, 28290, 28802, 28834, 28866, - 29378, 29412, 29444, 29960, 29994, 30026, 30538, 30572, 30604, 31120, 31154, 31186, - 31714, 31746, 31778, 32306, 32340, 32372 -}; - // offset tables for interlaced picture MVDATA decoding static const int offset_table1[9] = { 0, 1, 2, 4, 8, 16, 32, 64, 128 }; static const int offset_table2[9] = { 0, 1, 3, 7, 15, 31, 63, 127, 255 }; -/** - * Init VC-1 specific tables and VC1Context members - * @param v The VC1Context to initialize - * @return Status - */ -int ff_vc1_init_common(VC1Context *v) -{ - static int done = 0; - int i = 0; - static VLC_TYPE vlc_table[32372][2]; - - v->hrd_rate = v->hrd_buffer = NULL; - - /* VLC tables */ - if (!done) { - INIT_VLC_STATIC(&ff_vc1_bfraction_vlc, VC1_BFRACTION_VLC_BITS, 23, - ff_vc1_bfraction_bits, 1, 1, - ff_vc1_bfraction_codes, 1, 1, 1 << VC1_BFRACTION_VLC_BITS); - INIT_VLC_STATIC(&ff_vc1_norm2_vlc, VC1_NORM2_VLC_BITS, 4, - ff_vc1_norm2_bits, 1, 1, - ff_vc1_norm2_codes, 1, 1, 1 << VC1_NORM2_VLC_BITS); - INIT_VLC_STATIC(&ff_vc1_norm6_vlc, VC1_NORM6_VLC_BITS, 64, - ff_vc1_norm6_bits, 1, 1, - ff_vc1_norm6_codes, 2, 2, 556); - INIT_VLC_STATIC(&ff_vc1_imode_vlc, VC1_IMODE_VLC_BITS, 7, - ff_vc1_imode_bits, 1, 1, - ff_vc1_imode_codes, 1, 1, 1 << VC1_IMODE_VLC_BITS); - for (i = 0; i < 3; i++) { - ff_vc1_ttmb_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 0]]; - ff_vc1_ttmb_vlc[i].table_allocated = vlc_offs[i * 3 + 1] - vlc_offs[i * 3 + 0]; - init_vlc(&ff_vc1_ttmb_vlc[i], VC1_TTMB_VLC_BITS, 16, - ff_vc1_ttmb_bits[i], 
1, 1, - ff_vc1_ttmb_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); - ff_vc1_ttblk_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 1]]; - ff_vc1_ttblk_vlc[i].table_allocated = vlc_offs[i * 3 + 2] - vlc_offs[i * 3 + 1]; - init_vlc(&ff_vc1_ttblk_vlc[i], VC1_TTBLK_VLC_BITS, 8, - ff_vc1_ttblk_bits[i], 1, 1, - ff_vc1_ttblk_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - ff_vc1_subblkpat_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 2]]; - ff_vc1_subblkpat_vlc[i].table_allocated = vlc_offs[i * 3 + 3] - vlc_offs[i * 3 + 2]; - init_vlc(&ff_vc1_subblkpat_vlc[i], VC1_SUBBLKPAT_VLC_BITS, 15, - ff_vc1_subblkpat_bits[i], 1, 1, - ff_vc1_subblkpat_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - } - for (i = 0; i < 4; i++) { - ff_vc1_4mv_block_pattern_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 9]]; - ff_vc1_4mv_block_pattern_vlc[i].table_allocated = vlc_offs[i * 3 + 10] - vlc_offs[i * 3 + 9]; - init_vlc(&ff_vc1_4mv_block_pattern_vlc[i], VC1_4MV_BLOCK_PATTERN_VLC_BITS, 16, - ff_vc1_4mv_block_pattern_bits[i], 1, 1, - ff_vc1_4mv_block_pattern_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - ff_vc1_cbpcy_p_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 10]]; - ff_vc1_cbpcy_p_vlc[i].table_allocated = vlc_offs[i * 3 + 11] - vlc_offs[i * 3 + 10]; - init_vlc(&ff_vc1_cbpcy_p_vlc[i], VC1_CBPCY_P_VLC_BITS, 64, - ff_vc1_cbpcy_p_bits[i], 1, 1, - ff_vc1_cbpcy_p_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); - ff_vc1_mv_diff_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 11]]; - ff_vc1_mv_diff_vlc[i].table_allocated = vlc_offs[i * 3 + 12] - vlc_offs[i * 3 + 11]; - init_vlc(&ff_vc1_mv_diff_vlc[i], VC1_MV_DIFF_VLC_BITS, 73, - ff_vc1_mv_diff_bits[i], 1, 1, - ff_vc1_mv_diff_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); - } - for (i = 0; i < 8; i++) { - ff_vc1_ac_coeff_table[i].table = &vlc_table[vlc_offs[i * 2 + 21]]; - ff_vc1_ac_coeff_table[i].table_allocated = vlc_offs[i * 2 + 22] - vlc_offs[i * 2 + 21]; - init_vlc(&ff_vc1_ac_coeff_table[i], AC_VLC_BITS, vc1_ac_sizes[i], - &vc1_ac_tables[i][0][1], 8, 4, - &vc1_ac_tables[i][0][0], 8, 4, 
INIT_VLC_USE_NEW_STATIC); - /* initialize interlaced MVDATA tables (2-Ref) */ - ff_vc1_2ref_mvdata_vlc[i].table = &vlc_table[vlc_offs[i * 2 + 22]]; - ff_vc1_2ref_mvdata_vlc[i].table_allocated = vlc_offs[i * 2 + 23] - vlc_offs[i * 2 + 22]; - init_vlc(&ff_vc1_2ref_mvdata_vlc[i], VC1_2REF_MVDATA_VLC_BITS, 126, - ff_vc1_2ref_mvdata_bits[i], 1, 1, - ff_vc1_2ref_mvdata_codes[i], 4, 4, INIT_VLC_USE_NEW_STATIC); - } - for (i = 0; i < 4; i++) { - /* initialize 4MV MBMODE VLC tables for interlaced frame P picture */ - ff_vc1_intfr_4mv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 37]]; - ff_vc1_intfr_4mv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 38] - vlc_offs[i * 3 + 37]; - init_vlc(&ff_vc1_intfr_4mv_mbmode_vlc[i], VC1_INTFR_4MV_MBMODE_VLC_BITS, 15, - ff_vc1_intfr_4mv_mbmode_bits[i], 1, 1, - ff_vc1_intfr_4mv_mbmode_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); - /* initialize NON-4MV MBMODE VLC tables for the same */ - ff_vc1_intfr_non4mv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 38]]; - ff_vc1_intfr_non4mv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 39] - vlc_offs[i * 3 + 38]; - init_vlc(&ff_vc1_intfr_non4mv_mbmode_vlc[i], VC1_INTFR_NON4MV_MBMODE_VLC_BITS, 9, - ff_vc1_intfr_non4mv_mbmode_bits[i], 1, 1, - ff_vc1_intfr_non4mv_mbmode_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - /* initialize interlaced MVDATA tables (1-Ref) */ - ff_vc1_1ref_mvdata_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 39]]; - ff_vc1_1ref_mvdata_vlc[i].table_allocated = vlc_offs[i * 3 + 40] - vlc_offs[i * 3 + 39]; - init_vlc(&ff_vc1_1ref_mvdata_vlc[i], VC1_1REF_MVDATA_VLC_BITS, 72, - ff_vc1_1ref_mvdata_bits[i], 1, 1, - ff_vc1_1ref_mvdata_codes[i], 4, 4, INIT_VLC_USE_NEW_STATIC); - } - for (i = 0; i < 4; i++) { - /* Initialize 2MV Block pattern VLC tables */ - ff_vc1_2mv_block_pattern_vlc[i].table = &vlc_table[vlc_offs[i + 49]]; - ff_vc1_2mv_block_pattern_vlc[i].table_allocated = vlc_offs[i + 50] - vlc_offs[i + 49]; - init_vlc(&ff_vc1_2mv_block_pattern_vlc[i], 
VC1_2MV_BLOCK_PATTERN_VLC_BITS, 4, - ff_vc1_2mv_block_pattern_bits[i], 1, 1, - ff_vc1_2mv_block_pattern_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - } - for (i = 0; i < 8; i++) { - /* Initialize interlaced CBPCY VLC tables (Table 124 - Table 131) */ - ff_vc1_icbpcy_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 53]]; - ff_vc1_icbpcy_vlc[i].table_allocated = vlc_offs[i * 3 + 54] - vlc_offs[i * 3 + 53]; - init_vlc(&ff_vc1_icbpcy_vlc[i], VC1_ICBPCY_VLC_BITS, 63, - ff_vc1_icbpcy_p_bits[i], 1, 1, - ff_vc1_icbpcy_p_codes[i], 2, 2, INIT_VLC_USE_NEW_STATIC); - /* Initialize interlaced field picture MBMODE VLC tables */ - ff_vc1_if_mmv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 54]]; - ff_vc1_if_mmv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 55] - vlc_offs[i * 3 + 54]; - init_vlc(&ff_vc1_if_mmv_mbmode_vlc[i], VC1_IF_MMV_MBMODE_VLC_BITS, 8, - ff_vc1_if_mmv_mbmode_bits[i], 1, 1, - ff_vc1_if_mmv_mbmode_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - ff_vc1_if_1mv_mbmode_vlc[i].table = &vlc_table[vlc_offs[i * 3 + 55]]; - ff_vc1_if_1mv_mbmode_vlc[i].table_allocated = vlc_offs[i * 3 + 56] - vlc_offs[i * 3 + 55]; - init_vlc(&ff_vc1_if_1mv_mbmode_vlc[i], VC1_IF_1MV_MBMODE_VLC_BITS, 6, - ff_vc1_if_1mv_mbmode_bits[i], 1, 1, - ff_vc1_if_1mv_mbmode_codes[i], 1, 1, INIT_VLC_USE_NEW_STATIC); - } - done = 1; - } - - /* Other defaults */ - v->pq = -1; - v->mvrange = 0; /* 7.1.1.18, p80 */ - - return 0; -} - /***********************************************************************/ /** * @name VC-1 Bitplane decoding 
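Review bot: this hunk deletes `#define AC_VLC_BITS 9` from vc1dec.c, but vc1_decode_ac_coeff() in the next hunk still passes AC_VLC_BITS to get_vlc2(), and the vc1data.h hunk shown adds only AC_MODES and ff_vc1_ac_sizes. Check that the macro is now defined in a header that vc1dec.c includes, alongside the init_vlc() call that builds ff_vc1_ac_coeff_table, so the table construction and the lookup here cannot end up using different bit widths.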
@@ -2624,7 +2482,7 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int index, escape, run = 0, level = 0, lst = 0; index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); - if (index != vc1_ac_sizes[codingset] - 1) { + if (index != ff_vc1_ac_sizes[codingset] - 1) { run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; lst = index >= vc1_last_decode_table[codingset] || get_bits_left(gb) < 0; From 9e48d77158dcb104fb35b90593ace0b248bda7e1 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 10 Mar 2013 02:50:52 +0100 Subject: [PATCH 465/991] h264: check for luma and chroma bit depth being equal The decoder assumes a single bit depth for all the planes while the specification allows different bit depths for luma and chroma. Avoid the possible problems described in CVE-2013-2277 --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f3a47fe8c0..da865c6387 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4055,6 +4055,12 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; + if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) { + av_log_missing_feature(s->avctx, + "Different bit depth between chroma and luma", 1); + return AVERROR_PATCHWELCOME; + } + if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc) { if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) { From 9314af3b2e8518e1a7ad91bdc2429224aacc2df5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 12 Mar 2013 18:56:28 +0100 Subject: [PATCH 466/991] matroskadec: request a read buffer for the wav header Solve an infiniloop. CC: libav-stable@libav.org (cherry picked from commit 37cb3b180a1dc3d6f123f68e0806585ebc2578b6) 
Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 59e0e1f49d..891eb8380f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1415,7 +1415,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap) && track->codec_priv.data != NULL) { int ret; ffio_init_context(&b, track->codec_priv.data, track->codec_priv.size, - AVIO_FLAG_READ, NULL, NULL, NULL, NULL); + 0, NULL, NULL, NULL, NULL); ret = ff_get_wav_header(&b, st->codec, track->codec_priv.size); if (ret < 0) return ret; From a4a97e5f3c80256871c97d84e9298f26fd66811f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2013 15:13:04 +0100 Subject: [PATCH 467/991] shorten: set invalid channels count to 0 Prevent the loop shorten_decode_close from writing and freeing out of the array boundary. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5) (cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 83777fb934..a8b5713f56 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -341,6 +341,7 @@ static int read_header(ShortenContext *s) s->channels = get_uint(s, CHANSIZE); if (s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); + s->channels = 0; return -1; } s->avctx->channels = s->channels; From ff5a06f7f0d6e64de7c5fd02043e0482b9eae493 Mon Sep 17 00:00:00 2001 
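Review bot: in read_header() of libavcodec/shorten.c, the out-of-range value is still written to s->channels before it is validated, and the added `s->channels = 0;` repairs it only on this one error path. Reading the count into a local, comparing it with MAX_CHANNELS, and assigning s->channels only after the check passes would keep the context from ever holding a count that the loop in shorten_decode_close (named in the commit message) could run past the arrays with. The hunk also still accepts a count of 0; if that is not a valid stream it should be rejected at the same place.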
From: Luca Barbato Date: Tue, 5 Mar 2013 16:11:28 +0100 Subject: [PATCH 468/991] shorten: K&R formatting cosmetics (cherry picked from commit a2ad554def214d2d03b7c16f68dc081a8622f9ca) (cherry picked from commit 97cc2f286f9e3eed1a00034367ebca58cc05ee39) Signed-off-by: Luca Barbato Conflicts: libavcodec/shorten.c --- libavcodec/shorten.c | 217 ++++++++++++++++++++++--------------------- 1 file changed, 112 insertions(+), 105 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index a8b5713f56..04a4912088 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -108,10 +108,10 @@ typedef struct ShortenContext { int got_quit_command; } ShortenContext; -static av_cold int shorten_decode_init(AVCodecContext * avctx) +static av_cold int shorten_decode_init(AVCodecContext *avctx) { ShortenContext *s = avctx->priv_data; - s->avctx = avctx; + s->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_S16; avcodec_get_frame_defaults(&s->frame); @@ -126,17 +126,20 @@ static int allocate_buffers(ShortenContext *s) int *coeffs; void *tmp_ptr; - for (chan=0; chanchannels; chan++) { - if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ + for (chan = 0; chan < s->channels; chan++) { + if (FFMAX(1, s->nmean) >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); return -1; } - if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){ - av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); + if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || + s->blocksize + s->nwrap <= (unsigned)s->nwrap) { + av_log(s->avctx, AV_LOG_ERROR, + "s->blocksize + s->nwrap too large\n"); return -1; } - tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + tmp_ptr = + av_realloc(s->offset[chan], sizeof(int32_t) * FFMAX(1, s->nmean)); if (!tmp_ptr) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; 
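Review bot: in allocate_buffers(), both size checks sit inside the `for (chan = 0; chan < s->channels; chan++)` loop although neither of them depends on chan. Hoisting them above the loop makes it plain that s->nmean and s->blocksize + s->nwrap are validated once, before the first av_realloc, and drops the repeated work per channel.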
@@ -146,7 +149,7 @@ static int allocate_buffers(ShortenContext *s) if (!tmp_ptr) return AVERROR(ENOMEM); s->decoded_base[chan] = tmp_ptr; - for (i=0; inwrap; i++) + for (i = 0; i < s->nwrap; i++) s->decoded_base[chan][i] = 0; s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } @@ -159,7 +162,6 @@ static int allocate_buffers(ShortenContext *s) return 0; } - static inline unsigned int get_uint(ShortenContext *s, int k) { if (s->version != 0) @@ -167,7 +169,6 @@ static inline unsigned int get_uint(ShortenContext *s, int k) return get_ur_golomb_shorten(&s->gb, k); } - static void fix_bitshift(ShortenContext *s, int32_t *buffer) { int i; @@ -177,22 +178,20 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] <<= s->bitshift; } - static int init_offset(ShortenContext *s) { int32_t mean = 0; - int chan, i; + int chan, i; int nblock = FFMAX(1, s->nmean); /* initialise offset */ - switch (s->internal_ftype) - { - case TYPE_S16HL: - case TYPE_S16LH: - mean = 0; - break; - default: - av_log(s->avctx, AV_LOG_ERROR, "unknown audio type"); - return AVERROR_INVALIDDATA; + switch (s->internal_ftype) { + case TYPE_S16HL: + case TYPE_S16LH: + mean = 0; + break; + default: + av_log(s->avctx, AV_LOG_ERROR, "unknown audio type"); + return AVERROR_INVALIDDATA; } for (chan = 0; chan < s->channels; chan++) 
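Review bot: the re-indented default branch of the switch in init_offset() logs "unknown audio type" without a trailing newline, unlike the other av_log error strings in this file (for example "nmean too large\n"). Since the patch already rewrites this line, add the \n so the next log message does not run onto the same line.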
@@ -207,21 +206,20 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, int len; short wave_format; - - if (bytestream_get_le32(&header) != MKTAG('R','I','F','F')) { + if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); return -1; } - header += 4; /* chunk size */; + header += 4; /* chunk size */ - if (bytestream_get_le32(&header) != MKTAG('W','A','V','E')) { + if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); return -1; } - while (bytestream_get_le32(&header) != MKTAG('f','m','t',' ')) { - len = bytestream_get_le32(&header); + while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { + len = bytestream_get_le32(&header); header += len; } len = bytestream_get_le32(&header); @@ -234,11 +232,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, wave_format = bytestream_get_le16(&header); switch (wave_format) { - case WAVE_FORMAT_PCM: - break; - default: - av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); - return -1; + case WAVE_FORMAT_PCM: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); + return -1; } header += 2; // skip channels (already got from shorten header) @@ -284,11 +282,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* read/validate prediction order */ pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); if (pred_order > s->nwrap) { - av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); + av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", + pred_order); return AVERROR(EINVAL); } /* read LPC coefficients */ - for (i=0; icoeffs[i] = get_sr_golomb_shorten(&s->gb, LPCQUANT); coeffs = s->coeffs; 
@@ -296,7 +295,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, } else { /* fixed LPC coeffs */ pred_order = command; - coeffs = fixed_coeffs[pred_order-1]; + coeffs = fixed_coeffs[pred_order - 1]; qshift = 0; } @@ -307,11 +306,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; - for (i=0; i < s->blocksize; i++) { + for (i = 0; i < s->blocksize; i++) { sum = init_sum; - for (j=0; jdecoded[channel][i-j-1]; - s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift); + for (j = 0; j < pred_order; j++) + sum += coeffs[j] * s->decoded[channel][i - j - 1]; + s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + + (sum >> qshift); } /* add offset to current samples */ @@ -332,10 +332,10 @@ static int read_header(ShortenContext *s) return -1; } - s->lpcqoffset = 0; - s->blocksize = DEFAULT_BLOCK_SIZE; - s->nmean = -1; - s->version = get_bits(&s->gb, 8); + s->lpcqoffset = 0; + s->blocksize = DEFAULT_BLOCK_SIZE; + s->nmean = -1; + s->version = get_bits(&s->gb, 8); s->internal_ftype = get_uint(s, TYPESIZE); s->channels = get_uint(s, CHANSIZE); @@ -352,19 +352,19 @@ static int read_header(ShortenContext *s) blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE)); if (!blocksize || blocksize > MAX_BLOCKSIZE) { - av_log(s->avctx, AV_LOG_ERROR, "invalid or unsupported block size: %d\n", + av_log(s->avctx, AV_LOG_ERROR, + "invalid or unsupported block size: %d\n", blocksize); return AVERROR(EINVAL); } s->blocksize = blocksize; - maxnlpc = get_uint(s, LPCQSIZE); + maxnlpc = get_uint(s, LPCQSIZE); s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); - for (i=0; igb, 8); - } } s->nwrap = FFMAX(NWRAP, maxnlpc); 
@@ -378,17 +378,20 @@ static int read_header(ShortenContext *s) s->lpcqoffset = V2LPCQOFFSET; if (get_ur_golomb_shorten(&s->gb, FNSIZE) != FN_VERBATIM) { - av_log(s->avctx, AV_LOG_ERROR, "missing verbatim section at beginning of stream\n"); + av_log(s->avctx, AV_LOG_ERROR, + "missing verbatim section at beginning of stream\n"); return -1; } s->header_size = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); - if (s->header_size >= OUT_BUFFER_SIZE || s->header_size < CANONICAL_HEADER_SIZE) { - av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", s->header_size); + if (s->header_size >= OUT_BUFFER_SIZE || + s->header_size < CANONICAL_HEADER_SIZE) { + av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", + s->header_size); return -1; } - for (i=0; iheader_size; i++) + for (i = 0; i < s->header_size; i++) s->header[i] = (char)get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); if (decode_wave_header(s->avctx, s->header, s->header_size) < 0) @@ -406,15 +409,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; - ShortenContext *s = avctx->priv_data; + int buf_size = avpkt->size; + ShortenContext *s = avctx->priv_data; int i, input_buf_size = 0; int ret; /* allocate internal bitstream buffer */ - if(s->max_framesize == 0){ + if (s->max_framesize == 0) { void *tmp_ptr; - s->max_framesize= 1024; // should hopefully be enough for the first header + s->max_framesize = 1024; // should hopefully be enough for the first header tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); if (!tmp_ptr) { 
@@ -425,29 +428,32 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, } /* append current packet data to bitstream buffer */ - if(1 && s->max_framesize){//FIXME truncated - buf_size= FFMIN(buf_size, s->max_framesize - s->bitstream_size); - input_buf_size= buf_size; + if (1 && s->max_framesize) { //FIXME truncated + buf_size = FFMIN(buf_size, s->max_framesize - s->bitstream_size); + input_buf_size = buf_size; - if(s->bitstream_index + s->bitstream_size + buf_size > s->allocated_bitstream_size){ - memmove(s->bitstream, &s->bitstream[s->bitstream_index], s->bitstream_size); - s->bitstream_index=0; + if (s->bitstream_index + s->bitstream_size + buf_size > + s->allocated_bitstream_size) { + memmove(s->bitstream, &s->bitstream[s->bitstream_index], + s->bitstream_size); + s->bitstream_index = 0; } if (buf) - memcpy(&s->bitstream[s->bitstream_index + s->bitstream_size], buf, buf_size); - buf= &s->bitstream[s->bitstream_index]; - buf_size += s->bitstream_size; - s->bitstream_size= buf_size; + memcpy(&s->bitstream[s->bitstream_index + s->bitstream_size], buf, + buf_size); + buf = &s->bitstream[s->bitstream_index]; + buf_size += s->bitstream_size; + s->bitstream_size = buf_size; /* do not decode until buffer has at least max_framesize bytes or - the end of the file has been reached */ + * the end of the file has been reached */ if (buf_size < s->max_framesize && avpkt->data) { *got_frame_ptr = 0; return input_buf_size; } } /* init and position bitstream reader */ - init_get_bits(&s->gb, buf, buf_size*8); + init_get_bits(&s->gb, buf, buf_size * 8); skip_bits(&s->gb, s->bitindex); /* process header or next subblock */ @@ -469,7 +475,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, int cmd; int len; - if (get_bits_left(&s->gb) < 3+FNSIZE) { + if (get_bits_left(&s->gb) < 3 + FNSIZE) { *got_frame_ptr = 0; break; } 
@@ -485,32 +491,32 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (!is_audio_command[cmd]) { /* process non-audio command */ switch (cmd) { - case FN_VERBATIM: - len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); - while (len--) { - get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); - } - break; - case FN_BITSHIFT: - s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); - break; - case FN_BLOCKSIZE: { - int blocksize = get_uint(s, av_log2(s->blocksize)); - if (blocksize > s->blocksize) { - av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); - return AVERROR_PATCHWELCOME; - } - if (!blocksize || blocksize > MAX_BLOCKSIZE) { - av_log(avctx, AV_LOG_ERROR, "invalid or unsupported " - "block size: %d\n", blocksize); - return AVERROR(EINVAL); - } - s->blocksize = blocksize; - break; + case FN_VERBATIM: + len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); + while (len--) + get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); + break; + case FN_BITSHIFT: + s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); + break; + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, + "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; } - case FN_QUIT: - s->got_quit_command = 1; - break; + if (!blocksize || blocksize > MAX_BLOCKSIZE) { + av_log(avctx, AV_LOG_ERROR, "invalid or unsupported " + "block size: %d\n", blocksize); + return AVERROR(EINVAL); + } + s->blocksize = blocksize; + break; + } + case FN_QUIT: + s->got_quit_command = 1; + break; } if (cmd == FN_BLOCKSIZE || cmd == FN_QUIT) { *got_frame_ptr = 0; 
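Review bot: in the FN_BLOCKSIZE case, blocksize is declared int but is filled from get_uint(), which this file declares as returning unsigned int. If get_uint() returns a value above INT_MAX it is stored as a negative number, which is not zero and passes both `blocksize > s->blocksize` and `blocksize > MAX_BLOCKSIZE`, so it ends up in s->blocksize. Declaring it unsigned makes the two range checks effective; that is out of scope for a formatting-only commit but should follow as its own change.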
@@ -535,7 +541,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, coffset = s->offset[channel][0]; else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; - for (i=0; inmean; i++) + for (i = 0; i < s->nmean; i++) sum += s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) @@ -544,21 +550,22 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* decode samples for this channel */ if (cmd == FN_ZERO) { - for (i=0; iblocksize; i++) + for (i = 0; i < s->blocksize; i++) s->decoded[channel][i] = 0; } else { - if ((ret = decode_subframe_lpc(s, cmd, channel, residual_size, coffset)) < 0) + if ((ret = decode_subframe_lpc(s, cmd, channel, + residual_size, coffset)) < 0) return ret; } /* update means with info from the current block */ if (s->nmean > 0) { int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; - for (i=0; iblocksize; i++) + for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; - for (i=1; inmean; i++) - s->offset[channel][i-1] = s->offset[channel][i]; + for (i = 1; i < s->nmean; i++) + s->offset[channel][i - 1] = s->offset[channel][i]; if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; @@ -567,11 +574,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, } /* copy wrap samples for use with next block */ - for (i=-s->nwrap; i<0; i++) + for (i = -s->nwrap; i < 0; i++) s->decoded[channel][i] = s->decoded[channel][i + s->blocksize]; /* shift samples to add in unused zero bits which were removed - during encoding */ + * during encoding */ fix_bitshift(s, s->decoded[channel]); /* if this is the last channel in the block, output the samples */ 
@@ -596,12 +603,12 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 0; finish_frame: - s->bitindex = get_bits_count(&s->gb) - 8*((get_bits_count(&s->gb))/8); - i= (get_bits_count(&s->gb))/8; + s->bitindex = get_bits_count(&s->gb) - 8 * (get_bits_count(&s->gb) / 8); + i = get_bits_count(&s->gb) / 8; if (i > buf_size) { av_log(s->avctx, AV_LOG_ERROR, "overread: %d\n", i - buf_size); - s->bitstream_size=0; - s->bitstream_index=0; + s->bitstream_size = 0; + s->bitstream_index = 0; return -1; } if (s->bitstream_size) { From 5df064df62373c6854ac5b9bd372c74ebdc6fe0f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 5 Mar 2013 16:34:16 +0100 Subject: [PATCH 469/991] shorten: report meaningful errors (cherry picked from commit 4c364eb2b856fc33cf7b42f7c7b979e69fde5f3a) (cherry picked from commit 0daf1428e82926dc5a8c72a0ff4c93aaa8a84ed9) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 04a4912088..c2dffd533a 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -129,13 +129,13 @@ static int allocate_buffers(ShortenContext *s) for (chan = 0; chan < s->channels; chan++) { if (FFMAX(1, s->nmean) >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); - return -1; + return AVERROR_INVALIDDATA; } if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap) { av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); - return -1; + return AVERROR_INVALIDDATA; } tmp_ptr = 
@@ -208,14 +208,14 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); - return -1; + return AVERROR_INVALIDDATA; } header += 4; /* chunk size */ if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); - return -1; + return AVERROR_INVALIDDATA; } while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { @@ -226,7 +226,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, if (len < 16) { av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n"); - return -1; + return AVERROR_INVALIDDATA; } wave_format = bytestream_get_le16(&header); @@ -236,7 +236,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, break; default: av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); - return -1; + return AVERROR(ENOSYS); } header += 2; // skip channels (already got from shorten header) @@ -247,7 +247,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, if (avctx->bits_per_coded_sample != 16) { av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n"); - return -1; + return AVERROR(ENOSYS); } len -= 16; @@ -329,7 +329,7 @@ static int read_header(ShortenContext *s) /* shorten signature */ if (get_bits_long(&s->gb, 32) != AV_RB32("ajkg")) { av_log(s->avctx, AV_LOG_ERROR, "missing shorten magic 'ajkg'\n"); - return -1; + return AVERROR_INVALIDDATA; } s->lpcqoffset = 0; @@ -342,7 +342,7 @@ static int read_header(ShortenContext *s) if (s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); s->channels = 0; - return -1; + return AVERROR_INVALIDDATA; } s->avctx->channels = s->channels; 
@@ -380,7 +380,7 @@ static int read_header(ShortenContext *s) if (get_ur_golomb_shorten(&s->gb, FNSIZE) != FN_VERBATIM) { av_log(s->avctx, AV_LOG_ERROR, "missing verbatim section at beginning of stream\n"); - return -1; + return AVERROR_INVALIDDATA; } s->header_size = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); @@ -388,14 +388,14 @@ static int read_header(ShortenContext *s) s->header_size < CANONICAL_HEADER_SIZE) { av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", s->header_size); - return -1; + return AVERROR_INVALIDDATA; } for (i = 0; i < s->header_size; i++) s->header[i] = (char)get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); - if (decode_wave_header(s->avctx, s->header, s->header_size) < 0) - return -1; + if ((ret = decode_wave_header(s->avctx, s->header, s->header_size)) < 0) + return ret; s->cur_chan = 0; s->bitshift = 0; @@ -609,7 +609,7 @@ finish_frame: av_log(s->avctx, AV_LOG_ERROR, "overread: %d\n", i - buf_size); s->bitstream_size = 0; s->bitstream_index = 0; - return -1; + return AVERROR_INVALIDDATA; } if (s->bitstream_size) { s->bitstream_index += i; From f42d03746afe491dd02bb6372961e85e78299864 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 5 Mar 2013 17:12:35 +0100 Subject: [PATCH 470/991] shorten: use the unsigned type where needed get_uint returns an unsigned value, use an unsigned to store blocksize to make sure the comparison logic is correct and report correctly the error for the channel count not supported. CC: libav-stable@libav.org (cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c) (cherry picked from commit 88089eecfd7e604d40d078b4f4206c647cb2e2b4) Signed-off-by: Luca Barbato Conflicts: libavcodec/shorten.c --- libavcodec/shorten.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index c2dffd533a..256beafd06 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -83,7 +83,7 @@ typedef struct ShortenContext { GetBitContext gb; int min_framesize, max_framesize; - int channels; + unsigned channels; int32_t *decoded[MAX_CHANNELS]; int32_t *decoded_base[MAX_CHANNELS]; @@ -339,6 +339,10 @@ static int read_header(ShortenContext *s) s->internal_ftype = get_uint(s, TYPESIZE); s->channels = get_uint(s, CHANSIZE); + if (!s->channels) { + av_log(s->avctx, AV_LOG_ERROR, "No channels reported\n"); + return AVERROR_INVALIDDATA; + } if (s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); s->channels = 0; @@ -348,7 +352,8 @@ static int read_header(ShortenContext *s) /* get blocksize if version > 0 */ if (s->version > 0) { - int skip_bytes, blocksize; + int skip_bytes; + unsigned blocksize; blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE)); if (!blocksize || blocksize > MAX_BLOCKSIZE) { @@ -500,7 +505,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; case FN_BLOCKSIZE: { - int blocksize = get_uint(s, av_log2(s->blocksize)); + unsigned blocksize = get_uint(s, av_log2(s->blocksize)); if (blocksize > s->blocksize) { av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); From 871c8f0abb0ef8da7428582c992027610bfab5ca Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Thu, 26 Apr 2012 14:00:43 +0100 Subject: [PATCH 471/991] dsputil: fix invalid array indexing Indexing outside an array is invalid and causes errors with gcc 4.8. Signed-off-by: Mans Rullgard (cherry picked from commit 0a07f2b346433a9a2677c69c6b29a1a827e39109) Signed-off-by: Diego Biurrun --- libavcodec/dsputil.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 66f1f933d0..050081ad79 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c 
@@ -2788,7 +2788,7 @@ int ff_check_alignment(void){ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx) { - int i; + int i, j; ff_check_alignment(); @@ -3154,11 +3154,15 @@ av_cold void dsputil_init(DSPContext* c, AVCodecContext *avctx) if (ARCH_SH4) dsputil_init_sh4 (c, avctx); if (ARCH_BFIN) dsputil_init_bfin (c, avctx); - for(i=0; i<64; i++){ - if(!c->put_2tap_qpel_pixels_tab[0][i]) - c->put_2tap_qpel_pixels_tab[0][i]= c->put_h264_qpel_pixels_tab[0][i]; - if(!c->avg_2tap_qpel_pixels_tab[0][i]) - c->avg_2tap_qpel_pixels_tab[0][i]= c->avg_h264_qpel_pixels_tab[0][i]; + for (i = 0; i < 4; i++) { + for (j = 0; j < 16; j++) { + if(!c->put_2tap_qpel_pixels_tab[i][j]) + c->put_2tap_qpel_pixels_tab[i][j] = + c->put_h264_qpel_pixels_tab[i][j]; + if(!c->avg_2tap_qpel_pixels_tab[i][j]) + c->avg_2tap_qpel_pixels_tab[i][j] = + c->avg_h264_qpel_pixels_tab[i][j]; + } } ff_init_scantable_permutation(c->idct_permutation, From f82e127dd9c7c0d54bf6400f83c7825e571f9a9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Oct 2012 16:06:23 +0200 Subject: [PATCH 472/991] parser: fix large overreads Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 096abfa15052977eed93f0b5e01afd2d47c53c1f) Signed-off-by: Luca Barbato --- libavcodec/parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 9fd7af6ce6..1bb5f8ced6 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -261,7 +261,9 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s if(!new_buffer) return AVERROR(ENOMEM); pc->buffer = new_buffer; - memcpy(&pc->buffer[pc->index], *buf, next + FF_INPUT_BUFFER_PADDING_SIZE ); + if (next > -FF_INPUT_BUFFER_PADDING_SIZE) + memcpy(&pc->buffer[pc->index], *buf, + next + FF_INPUT_BUFFER_PADDING_SIZE); pc->index = 0; *buf= pc->buffer; } From d8fbae3c3c63505774288abe7a98404a507b60e3 Mon Sep 17 00:00:00 2001 
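Review bot: the new guard in ff_combine_frame() (parser.c hunk at -261) needs a comment saying when next can be that negative and what the check prevents: next + FF_INPUT_BUFFER_PADDING_SIZE is the memcpy length, so a negative sum would be converted to a very large size. When the copy is skipped the code still runs pc->index = 0 and *buf = pc->buffer, so the caller receives the combined buffer without the bytes from *buf appended; if that is intended, the comment should say so.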
From: Mans Rullgard Date: Fri, 7 Dec 2012 13:53:56 +0000 Subject: [PATCH 473/991] lavf: fix arithmetic overflows in avformat_seek_file() The values compared here can be more than INT64_MAX apart. Since the difference is always positive, converting to uint64_t before subtracting gives the correct result without overflows. Signed-off-by: Mans Rullgard (cherry picked from commit 91ac403b1316d59b4f43c4ea0f237e24cec2819a) Signed-off-by: Luca Barbato --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 9dc1dcb2c6..a92acde062 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1854,7 +1854,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, int //Fallback to old API if new is not implemented but old is //Note the old has somewat different sematics if(s->iformat->read_seek || 1) - return av_seek_frame(s, stream_index, ts, flags | (ts - min_ts > (uint64_t)(max_ts - ts) ? AVSEEK_FLAG_BACKWARD : 0)); + return av_seek_frame(s, stream_index, ts, flags | ((uint64_t)ts - min_ts > (uint64_t)max_ts - ts ? AVSEEK_FLAG_BACKWARD : 0)); // try some generic seek like seek_frame_generic() but with new ts semantics } From 0076639965a0970512296342d1f6c38ce990661e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Mar 2013 08:54:27 +0100 Subject: [PATCH 474/991] avconv: skip attached files when selecting streams to read from. Fixes Bug 473 / invalid reads when using -attach. --- avconv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/avconv.c b/avconv.c index df86b2b227..90b72fda11 100644 --- a/avconv.c +++ b/avconv.c @@ -2704,6 +2704,8 @@ static int transcode(OutputFile *output_files, double opts; ost = &output_streams[i]; of = &output_files[ost->file_index]; + if (ost->source_index < 0) + continue; os = output_files[ost->file_index].ctx; ist = &input_streams[ost->source_index]; if (ost->is_past_recording_time || no_packet[ist->file_index] || 
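Review bot: the new ost->source_index < 0 test in transcode() (avconv.c hunk at -2704) carries no comment saying which streams have a negative source_index; the commit message says attached files, and a one-line comment above the continue would keep a later cleanup from removing it. The test sits before ist = &input_streams[ost->source_index], which is the negative index being avoided, so the placement is right. Other loops that index input_streams by ost->source_index deserve the same check.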
From 12d8ae297911c3020f4d3c1c34967a47b30fb8aa Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 06:31:21 -0400 Subject: [PATCH 475/991] atrac3: avoid oversized shifting in decode_bytes() When `off' is 0, `0x537F6103 << 32' in the following expression invokes undefined behavior, the result of which is not necessarily 0. (0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8))) Avoid oversized shifting. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b) Conflicts: libavcodec/atrac3.c --- libavcodec/atrac3.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 107c6ffeb0..40a44c706a 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -184,8 +184,11 @@ static int decode_bytes(const uint8_t* inbuffer, uint8_t* out, int bytes){ uint32_t* obuf = (uint32_t*) out; off = (intptr_t)inbuffer & 3; - buf = (const uint32_t*) (inbuffer - off); - c = av_be2ne32((0x537F6103 >> (off*8)) | (0x537F6103 << (32-(off*8)))); + buf = (const uint32_t *)(inbuffer - off); + if (off) + c = av_be2ne32((0x537F6103U >> (off * 8)) | (0x537F6103U << (32 - (off * 8)))); + else + c = av_be2ne32(0x537F6103U); bytes += 3 + off; for (i = 0; i < bytes/4; i++) obuf[i] = c ^ buf[i]; From d8010bda7a233fbfa05c3d7690d717a86102926c Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 07:11:47 -0400 Subject: [PATCH 476/991] flacdec: simplify bounds checking in flac_probe() Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'. Avoid a possible out-of-bounds pointer, which is undefined behavior in C. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit 8425d693eefbedbb41f91735614d41067695aa37) --- libavformat/flacdec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 9e083d116c..92957b67dd 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -143,11 +143,9 @@ static int flac_read_header(AVFormatContext *s, static int flac_probe(AVProbeData *p) { - uint8_t *bufptr = p->buf; - uint8_t *end = p->buf + p->buf_size; - - if(bufptr > end-4 || memcmp(bufptr, "fLaC", 4)) return 0; - else return AVPROBE_SCORE_MAX/2; + if (p->buf_size < 4 || memcmp(p->buf, "fLaC", 4)) + return 0; + return AVPROBE_SCORE_MAX/2; } AVInputFormat ff_flac_demuxer = { From cab96248927a171821dcee1434d73489d1ef9723 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 06:59:22 -0400 Subject: [PATCH 477/991] lzo: fix overflow checking in copy_backptr() The check `src > dst' in the form `&c->out[-back] > c->out' invokes pointer overflow, which is undefined behavior in C. Remove the check. Also replace `&c->out[-back] < c->out_start' with a safe form `c->out - c->out_start < back' to avoid overflow. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6) Conflicts: libavutil/lzo.c --- libavutil/lzo.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 26cda12112..e49b83e0a2 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -119,9 +119,8 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt); * thus creating a repeating pattern with a period length of back. */ static inline void copy_backptr(LZOContext *c, int back, int cnt) { - register const uint8_t *src = &c->out[-back]; register uint8_t *dst = c->out; - if (src < c->out_start || src > dst) { + if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; } From ca335f50002ff443e12cb7bb26b9fd06183f79a1 Mon Sep 17 00:00:00 2001 
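Review bot: in copy_backptr() (lzo.c hunk at -119), dropping the src > dst test also drops the only rejection of a negative back. With back < 0 the old src = &c->out[-back] lay above dst and was refused, while the new dst - c->out_start < back is false for every negative back, assuming c->out never sits below c->out_start. If no caller can pass a negative back, state that in a comment or assert it; otherwise add back < 0 to the condition so AV_LZO_INVALID_BACKPTR is still raised.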
From: Reinhard Tartler Date: Thu, 14 Mar 2013 17:55:01 +0100 Subject: [PATCH 478/991] Revert "libmp3lame: use the correct remaining buffer size when flushing" This reverts commit 5dbb3298b9c1d7beb41c7d3ab19f86d6e027e43d, which was mistakenly backported. --- libavcodec/libmp3lame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 3e8d92a3a5..f3c4528c07 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -169,7 +169,7 @@ static int MP3lame_encode_frame(AVCodecContext *avctx, unsigned char *frame, } } else { lame_result = lame_encode_flush(s->gfp, s->buffer + s->buffer_index, - s->buffer_size - s->buffer_index); + BUFFER_SIZE - s->buffer_index); } if (lame_result < 0) { From 87e4f4c79a88212c4bc1a3e37a581ff88b9d9638 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:15:19 +0100 Subject: [PATCH 479/991] roqvideodec: fix a potential infinite loop in roqvideo_decode_frame(). When there is just 1 byte remaining in the buffer, nothing will be read and the loop will continue forever. Check that there are at least 8 bytes, which are always read at the beginning. CC:libav-stable@libav.org (cherry picked from commit 3e2f200237af977b9253b0aff121eee27bcedb44) Signed-off-by: Reinhard Tartler (cherry picked from commit 747fbe0c212b81952bb27ec7b99fa709081e2d63) Conflicts: libavcodec/roqvideodec.c --- libavcodec/roqvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index 0bf00cf380..fe7863ff76 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -43,7 +43,7 @@ static void roqvideo_decode_frame(RoqContext *ri) roq_qcell *qcell; int64_t chunk_start; - while (bytestream2_get_bytes_left(&ri->gb) > 0) { + while (bytestream2_get_bytes_left(&ri->gb) >= 8) { chunk_id = bytestream2_get_le16(&ri->gb); chunk_size = bytestream2_get_le32(&ri->gb); chunk_arg = bytestream2_get_le16(&ri->gb); 
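Review bot: the loop condition in roqvideo_decode_frame() now covers the 8 header bytes (le16 + le32 + le16), but chunk_size comes straight from the stream and nothing in this hunk compares it with bytestream2_get_bytes_left(&ri->gb) before the chunk body is handled. If that comparison is not already made further down, add it next to the header reads. A trailing fragment of 1 to 7 bytes now ends the loop silently; a debug-level log there would help when triaging truncated files.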
From 6dbe9313445c79be3ee9a96a7ab5ffb76fa2f66b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:41:44 +0100 Subject: [PATCH 480/991] ivi_common: do not call MC for intra frames when dc_transform is unset CC:libav-stable@libav.org (cherry picked from commit 3ba40ebb6cc58753dc3746c718203bb31760deba) Signed-off-by: Reinhard Tartler (cherry picked from commit 74880e78d83031d612c941a383b810ff0c9d50c6) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 84705c4c62..00205ae8da 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -478,9 +478,10 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) /* block not coded */ /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ - if (is_intra && band->dc_transform) { - band->dc_transform(&prev_dc, band->buf + buf_offs, - band->pitch, blk_size); + if (is_intra) { + if (band->dc_transform) + band->dc_transform(&prev_dc, band->buf + buf_offs, + band->pitch, blk_size); } else mc_no_delta_func(band->buf + buf_offs, band->ref_buf + buf_offs + mv_y * band->pitch + mv_x, From b57ab9d7a9259e99fc70f0c93f17c6a667686da0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:58:00 +0100 Subject: [PATCH 481/991] wmaprodec: require block_align to be set. Avoids an infinite loop in the calling programs with decoder not consuming any input and not returning output. CC:libav-stable@libav.org (cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4) Signed-off-by: Reinhard Tartler (cherry picked from commit 20373a66ec68d958c266f643a7d0e5ec254c0fcc) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 54b0f57983..1b7797c9f2 100644 
--- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -280,6 +280,11 @@ static av_cold int decode_init(AVCodecContext *avctx) int log2_max_num_subframes; int num_possible_block_sizes; + if (!avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + return AVERROR(EINVAL); + } + s->avctx = avctx; dsputil_init(&s->dsp, avctx); ff_fmt_convert_init(&s->fmt_conv, avctx); From e91a6249b69599b153afcb170236e5c86fa8b87d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 14 Mar 2013 18:06:41 +0100 Subject: [PATCH 482/991] Update Changelog for the 0.8.6 Release --- Changelog | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/Changelog b/Changelog index c85120345a..ca6cbe9936 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,37 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 0.8.6: + +- Build system fixes: Fix Altivec detection (Debian Bug#701710) and fix + CAF demuxer dependencies +- Various minor documentation fixes +- dsputil: fix invalid array indexing +- h264: check for luma and chroma bit depth being equal (CVE-2013-2277) +- indeo3: initialise pixel planes on allocation +- lavf: fix arithmetic overflows in avformat_seek_file() +- matroskadec: request a read buffer for the wav header +- mp3: exit on parsing error in mp_decode_frame +- oggdec: make sure the private parse data is cleaned up +- parser: fix large overreads +- pthread: set the frame properties from the thread context, not user +- various potentially security relevant fixes to the shorten decoder +- update year to 2013 +- vmdaudio: fix invalid reads when packet size is not a multiple of chunk size +- vorbisdec: Error on bark_map_size equal to 0 (CVE-2013-0894) +- wmadec: require block_align to be set +- wmaprodec: return an error, not 0, when the input is too small +- xxan: fix invalid memory access in xan_decode_frame_type0() +- lzo: fix overflow checking in copy_backptr() +- flacdec: simplify bounds checking in flac_probe() to avoid undefined behavior. +- atrac3: avoid oversized shifting in decode_bytes(). +- png: use av_mallocz_array() for the zlib zalloc function, avoids accessing uninitialized memory. +- wmaprodec: require block_align to be set, avoids infinite loop. +- ivi_common: do not call MC for intra frames when dc_transform is unset +- roqvideodec: fix a potential infinite loop in roqvideo_decode_frame(). + + version 0.8.5: - Several bugs and crashes have been fixed in the following codecs: From 327ff82bac3081d918dceb4931c77e25d0a1480d Mon Sep 17 00:00:00 2001 From: Ronald Bultje Date: Sat, 31 Mar 2012 17:10:54 +0000 Subject: [PATCH 483/991] msrle: convert MS RLE decoding function to bytestream2. 
Signed-off-by: Justin Ruggles (cherry picked from commit 992f71e95dcf57c917531f126ba7499ef9ed87d3) Signed-off-by: Reinhard Tartler --- libavcodec/aasc.c | 12 +--- libavcodec/bmp.c | 4 +- libavcodec/msrle.c | 4 +- libavcodec/msrledec.c | 129 +++++++++++++++++++++--------------------- libavcodec/msrledec.h | 8 +-- libavcodec/tscc.c | 8 ++- 6 files changed, 85 insertions(+), 80 deletions(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 11ea5779b1..f9c60f9f67 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -34,17 +34,10 @@ typedef struct AascContext { AVCodecContext *avctx; + GetByteContext gb; AVFrame frame; } AascContext; -#define FETCH_NEXT_STREAM_BYTE() \ - if (stream_ptr >= buf_size) \ - { \ - av_log(s->avctx, AV_LOG_ERROR, " AASC: stream ptr just went out of bounds (fetch)\n"); \ - break; \ - } \ - stream_byte = buf[stream_ptr++]; - static av_cold int aasc_decode_init(AVCodecContext *avctx) { AascContext *s = avctx->priv_data; @@ -84,7 +77,8 @@ static int aasc_decode_frame(AVCodecContext *avctx, } break; case 1: - ff_msrle_decode(avctx, (AVPicture*)&s->frame, 8, buf - 4, buf_size + 4); + bytestream2_init(&s->gb, buf - 4, buf_size + 4); + ff_msrle_decode(avctx, (AVPicture*)&s->frame, 8, &s->gb); break; default: av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index 974db4953c..01c6fb0c7a 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -52,6 +52,7 @@ static int bmp_decode_frame(AVCodecContext *avctx, uint8_t *ptr; int dsize; const uint8_t *buf0 = buf; + GetByteContext gb; if(buf_size < 14){ av_log(avctx, AV_LOG_ERROR, "buf size too small (%d)\n", buf_size); 
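Review bot: at the aasc_decode_frame() call site (aasc.c hunk at -84), the result of ff_msrle_decode() is discarded, although this same patch makes the decoder report truncated or overrunning input; the bmp.c, msrle.c and tscc.c call sites do the same. Check the return value and fail the frame on error. Separately, bytestream2_init(&s->gb, buf - 4, buf_size + 4) depends on buf having been advanced by 4 before this switch, which the hunk does not show; a short comment would make that dependency explicit.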
@@ -265,7 +266,8 @@ static int bmp_decode_frame(AVCodecContext *avctx, p->data[0] += p->linesize[0] * (avctx->height - 1); p->linesize[0] = -p->linesize[0]; } - ff_msrle_decode(avctx, (AVPicture*)p, depth, buf, dsize); + bytestream2_init(&gb, buf, dsize); + ff_msrle_decode(avctx, (AVPicture*)p, depth, &gb); if(height < 0){ p->data[0] += p->linesize[0] * (avctx->height - 1); p->linesize[0] = -p->linesize[0]; diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 41f1fd8ebd..f964392ade 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -40,6 +40,7 @@ typedef struct MsrleContext { AVCodecContext *avctx; AVFrame frame; + GetByteContext gb; const unsigned char *buf; int size; @@ -123,7 +124,8 @@ static int msrle_decode_frame(AVCodecContext *avctx, ptr += s->frame.linesize[0]; } } else { - ff_msrle_decode(avctx, (AVPicture*)&s->frame, avctx->bits_per_coded_sample, buf, buf_size); + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, (AVPicture*)&s->frame, avctx->bits_per_coded_sample, &s->gb); } *data_size = sizeof(AVFrame); diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 5e33a59280..003122e4f0 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -30,18 +30,9 @@ #include "avcodec.h" #include "msrledec.h" -#define FETCH_NEXT_STREAM_BYTE() \ - if (stream_ptr >= data_size) \ - { \ - av_log(avctx, AV_LOG_ERROR, " MS RLE: stream ptr just went out of bounds (1)\n"); \ - return -1; \ - } \ - stream_byte = data[stream_ptr++]; - static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, - const uint8_t *data, int data_size) + GetByteContext *gb) { - int stream_ptr = 0; unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte; 
@@ -52,11 +43,16 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, int i; while (row_ptr >= 0) { - FETCH_NEXT_STREAM_BYTE(); - rle_code = stream_byte; + if (bytestream2_get_bytes_left(gb) <= 0) { + av_log(avctx, AV_LOG_ERROR, + "MS RLE: bytestream overrun, %d rows left\n", + row_ptr); + return AVERROR_INVALIDDATA; + } + rle_code = stream_byte = bytestream2_get_byteu(gb); if (rle_code == 0) { /* fetch the next byte to see how to handle escape code */ - FETCH_NEXT_STREAM_BYTE(); + stream_byte = bytestream2_get_byte(gb); if (stream_byte == 0) { /* line is done, goto the next one */ row_ptr -= row_dec; @@ -66,24 +62,26 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, return 0; } else if (stream_byte == 2) { /* reposition frame decode coordinates */ - FETCH_NEXT_STREAM_BYTE(); + stream_byte = bytestream2_get_byte(gb); pixel_ptr += stream_byte; - FETCH_NEXT_STREAM_BYTE(); + stream_byte = bytestream2_get_byte(gb); row_ptr -= stream_byte * row_dec; } else { // copy pixels from encoded stream odd_pixel = stream_byte & 1; rle_code = (stream_byte + 1) / 2; extra_byte = rle_code & 0x01; - if (row_ptr + pixel_ptr + stream_byte > frame_size) { - av_log(avctx, AV_LOG_ERROR, " MS RLE: frame ptr just went out of bounds (1)\n"); - return -1; + if (row_ptr + pixel_ptr + stream_byte > frame_size || + bytestream2_get_bytes_left(gb) < rle_code) { + av_log(avctx, AV_LOG_ERROR, + "MS RLE: frame/stream ptr just went out of bounds (copy)\n"); + return AVERROR_INVALIDDATA; } for (i = 0; i < rle_code; i++) { if (pixel_ptr >= avctx->width) break; - FETCH_NEXT_STREAM_BYTE(); + stream_byte = bytestream2_get_byteu(gb); pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; pixel_ptr++; if (i + 1 == rle_code && odd_pixel) 
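Review bot: in the copy loop of msrle_decode_pal4() (hunk at -66), the break on pixel_ptr >= avctx->width leaves the rest of the run's rle_code bytes unread, so the next escape code is parsed from the middle of pixel data. The macro-based code behaved the same way, but since this patch is tightening the parser, either skip the remaining rle_code - i bytes before leaving the loop or treat the overrun as AVERROR_INVALIDDATA. The added bytestream2_get_bytes_left(gb) < rle_code test before the unchecked bytestream2_get_byteu() reads is correct as written.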
@@ -96,15 +94,16 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, // if the RLE code is odd, skip a byte in the stream if (extra_byte) - stream_ptr++; + bytestream2_skip(gb, 1); } } else { // decode a run of data if (row_ptr + pixel_ptr + stream_byte > frame_size) { - av_log(avctx, AV_LOG_ERROR, " MS RLE: frame ptr just went out of bounds (1)\n"); - return -1; + av_log(avctx, AV_LOG_ERROR, + "MS RLE: frame ptr just went out of bounds (run)\n"); + return AVERROR_INVALIDDATA; } - FETCH_NEXT_STREAM_BYTE(); + stream_byte = bytestream2_get_byte(gb); for (i = 0; i < rle_code; i++) { if (pixel_ptr >= avctx->width) break; @@ -118,21 +117,21 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, } /* one last sanity check on the way out */ - if (stream_ptr < data_size) { - av_log(avctx, AV_LOG_ERROR, " MS RLE: ended frame decode with bytes left over (%d < %d)\n", - stream_ptr, data_size); - return -1; + if (bytestream2_get_bytes_left(gb)) { + av_log(avctx, AV_LOG_ERROR, + "MS RLE: ended frame decode with %d bytes left over\n", + bytestream2_get_bytes_left(gb)); + return AVERROR_INVALIDDATA; } return 0; } -static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int depth, - const uint8_t *data, int srcsize) +static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, + int depth, GetByteContext *gb) { uint8_t *output, *output_end; - const uint8_t* src = data; int p1, p2, line=avctx->height - 1, pos=0, i; uint16_t av_uninit(pix16); uint32_t av_uninit(pix32); 
@@ -140,23 +139,29 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de output = pic->data[0] + (avctx->height - 1) * pic->linesize[0]; output_end = pic->data[0] + avctx->height * pic->linesize[0]; - while(src < data + srcsize) { - p1 = *src++; + while (bytestream2_get_bytes_left(gb) > 0) { + p1 = bytestream2_get_byteu(gb); if(p1 == 0) { //Escape code - p2 = *src++; + p2 = bytestream2_get_byte(gb); if(p2 == 0) { //End-of-line output = pic->data[0] + (--line) * pic->linesize[0]; - if (line < 0 && !(src+1 < data + srcsize && AV_RB16(src) == 1)) { - av_log(avctx, AV_LOG_ERROR, "Next line is beyond picture bounds\n"); - return -1; + if (line < 0) { + if (bytestream2_get_be16(gb) == 1) { // end-of-picture + return 0; + } else { + av_log(avctx, AV_LOG_ERROR, + "Next line is beyond picture bounds (%d bytes left)\n", + bytestream2_get_bytes_left(gb)); + return AVERROR_INVALIDDATA; + } } pos = 0; continue; } else if(p2 == 1) { //End-of-picture return 0; } else if(p2 == 2) { //Skip - p1 = *src++; - p2 = *src++; + p1 = bytestream2_get_byte(gb); + p2 = bytestream2_get_byte(gb); line -= p2; pos += p1; if (line < 0 || pos >= width){ 
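Review bot: in the end-of-line branch of msrle_decode_8_16_24_32() (hunk at -140), the unchanged line output = pic->data[0] + (--line) * pic->linesize[0] still runs before the new line < 0 test, so on the last row a pointer outside the picture buffer is formed before the error path is taken. Decrement and test line first, then compute output. Also note that bytestream2_get_be16(gb) == 1 consumes two bytes where the old AV_RB16(src) only peeked; both branches return, so it is harmless here, but a comment would stop someone reusing the pattern where it is not.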
@@ -167,31 +172,31 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de continue; } // Copy data - if ((pic->linesize[0] > 0 && output + p2 * (depth >> 3) > output_end) - ||(pic->linesize[0] < 0 && output + p2 * (depth >> 3) < output_end)) { - src += p2 * (depth >> 3); + if ((pic->linesize[0] > 0 && output + p2 * (depth >> 3) > output_end) || + (pic->linesize[0] < 0 && output + p2 * (depth >> 3) < output_end)) { + bytestream2_skip(gb, 2 * (depth >> 3)); continue; + } else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) { + av_log(avctx, AV_LOG_ERROR, "bytestream overrun\n"); + return AVERROR_INVALIDDATA; } + if ((depth == 8) || (depth == 24)) { for(i = 0; i < p2 * (depth >> 3); i++) { - *output++ = *src++; + *output++ = bytestream2_get_byteu(gb); } // RLE8 copy is actually padded - and runs are not! if(depth == 8 && (p2 & 1)) { - src++; + bytestream2_skip(gb, 1); } } else if (depth == 16) { for(i = 0; i < p2; i++) { - pix16 = AV_RL16(src); - src += 2; - *(uint16_t*)output = pix16; + *(uint16_t*)output = bytestream2_get_le16u(gb); output += 2; } } else if (depth == 32) { for(i = 0; i < p2; i++) { - pix32 = AV_RL32(src); - src += 4; - *(uint32_t*)output = pix32; + *(uint32_t*)output = bytestream2_get_le32u(gb); output += 4; } } 
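Review bot: the skip in the out-of-bounds copy path (hunk at -167) reads bytestream2_skip(gb, 2 * (depth >> 3)), but the line it replaces advanced by p2 * (depth >> 3); the literal 2 looks like a typo for p2 and leaves the reader misaligned for every following code whenever p2 != 2. Use p2 there. The new bytestream2_get_bytes_left(gb) < p2 * (depth >> 3) test ahead of the unchecked get_byteu/get_le16u/get_le32u reads is the right shape.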
@@ -199,21 +204,19 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de } else { //run of pixels uint8_t pix[3]; //original pixel switch(depth){ - case 8: pix[0] = *src++; + case 8: pix[0] = bytestream2_get_byte(gb); break; - case 16: pix16 = AV_RL16(src); - src += 2; + case 16: pix16 = bytestream2_get_le16(gb); break; - case 24: pix[0] = *src++; - pix[1] = *src++; - pix[2] = *src++; + case 24: pix[0] = bytestream2_get_byte(gb); + pix[1] = bytestream2_get_byte(gb); + pix[2] = bytestream2_get_byte(gb); break; - case 32: pix32 = AV_RL32(src); - src += 4; + case 32: pix32 = bytestream2_get_le32(gb); break; } - if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) - ||(pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) + if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || + (pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) continue; for(i = 0; i < p1; i++) { switch(depth){ @@ -240,17 +243,17 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de } -int ff_msrle_decode(AVCodecContext *avctx, AVPicture *pic, int depth, - const uint8_t* data, int data_size) +int ff_msrle_decode(AVCodecContext *avctx, AVPicture *pic, + int depth, GetByteContext *gb) { switch(depth){ case 4: - return msrle_decode_pal4(avctx, pic, data, data_size); + return msrle_decode_pal4(avctx, pic, gb); case 8: case 16: case 24: case 32: - return msrle_decode_8_16_24_32(avctx, pic, depth, data, data_size); + return msrle_decode_8_16_24_32(avctx, pic, depth, gb); default: av_log(avctx, AV_LOG_ERROR, "Unknown depth %d\n", depth); return -1; diff --git a/libavcodec/msrledec.h b/libavcodec/msrledec.h index 5bde35a1a2..c16784316a 100644 --- a/libavcodec/msrledec.h +++ b/libavcodec/msrledec.h @@ -23,6 +23,7 @@ #define AVCODEC_MSRLEDEC_H #include "avcodec.h" +#include "bytestream.h" /** * Decode stream in MS RLE format into frame. 
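Review bot: ff_msrle_decode() still ends its default case with return -1 for an unknown depth (context at the end of the hunk at -240), while the other error paths touched by this patch now return AVERROR_INVALIDDATA. Convert this one as well so callers see a single error convention.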
@@ -30,11 +31,10 @@ * @param avctx codec context * @param pic destination frame * @param depth bit depth - * @param data input stream - * @param data_size input size + * @param gb input bytestream context */ -int ff_msrle_decode(AVCodecContext *avctx, AVPicture *pic, int depth, - const uint8_t* data, int data_size); +int ff_msrle_decode(AVCodecContext *avctx, AVPicture *pic, + int depth, GetByteContext *gb); #endif /* AVCODEC_MSRLEDEC_H */ diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c index ccf1048c9b..748072f954 100644 --- a/libavcodec/tscc.c +++ b/libavcodec/tscc.c @@ -58,6 +58,7 @@ typedef struct TsccContext { unsigned int decomp_size; // Decompression buffer unsigned char* decomp_buf; + GetByteContext gb; int height; z_stream zstream; @@ -105,8 +106,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac } - if(zret != Z_DATA_ERROR) - ff_msrle_decode(avctx, (AVPicture*)&c->pic, c->bpp, c->decomp_buf, c->decomp_size - c->zstream.avail_out); + if (zret != Z_DATA_ERROR) { + bytestream2_init(&c->gb, c->decomp_buf, + c->decomp_size - c->zstream.avail_out); + ff_msrle_decode(avctx, (AVPicture*)&c->pic, c->bpp, &c->gb); + } /* make the palette available on the way out */ if (c->avctx->pix_fmt == PIX_FMT_PAL8) { From 4160398e2a3e229e29dff03300aaf630e726a768 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 29 Jan 2013 12:24:09 +0100 Subject: [PATCH 484/991] msrledec: check bounds before constructing a possibly invalid pointer, CC:libav-stable@libav.org (cherry picked from commit 9bd6375d5f16842306dcecde637ffe605acda26b) Signed-off-by: Reinhard Tartler (cherry picked from commit b7765d00f911fe0f8fcda21b93a540f27d2ba2f5) Signed-off-by: Reinhard Tartler --- libavcodec/msrledec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 003122e4f0..821311b6c8 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c 
@@ -144,8 +144,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, if(p1 == 0) { //Escape code p2 = bytestream2_get_byte(gb); if(p2 == 0) { //End-of-line - output = pic->data[0] + (--line) * pic->linesize[0]; - if (line < 0) { + if (--line < 0) { if (bytestream2_get_be16(gb) == 1) { // end-of-picture return 0; } else { @@ -155,6 +154,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, return AVERROR_INVALIDDATA; } } + output = pic->data[0] + line * pic->linesize[0]; pos = 0; continue; } else if(p2 == 1) { //End-of-picture From f0337b0f247aeff85a68ae4e218c3532c433e8da Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 17 Mar 2013 08:23:42 +0100 Subject: [PATCH 485/991] Changelog: cosmetics, remove trailing periods and sort --- Changelog | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/Changelog b/Changelog index ca6cbe9936..576eeb8b5f 100644 --- a/Changelog +++ b/Changelog 
@@ -7,30 +7,29 @@ version 0.8.6: - Build system fixes: Fix Altivec detection (Debian Bug#701710) and fix CAF demuxer dependencies - Various minor documentation fixes +- atrac3: avoid oversized shifting in decode_bytes() - dsputil: fix invalid array indexing +- flacdec: simplify bounds checking in flac_probe() to avoid undefined behavior. - h264: check for luma and chroma bit depth being equal (CVE-2013-2277) - indeo3: initialise pixel planes on allocation +- ivi_common: do not call MC for intra frames when dc_transform is unset - lavf: fix arithmetic overflows in avformat_seek_file() +- lzo: fix overflow checking in copy_backptr() - matroskadec: request a read buffer for the wav header - mp3: exit on parsing error in mp_decode_frame - oggdec: make sure the private parse data is cleaned up - parser: fix large overreads +- png: use av_mallocz_array() for the zlib zalloc function, avoids accessing uninitialized memory - pthread: set the frame properties from the thread context, not user -- various potentially security relevant fixes to the shorten decoder +- roqvideodec: fix a potential infinite loop in roqvideo_decode_frame() - update year to 2013 +- various potentially security relevant fixes to the shorten decoder - vmdaudio: fix invalid reads when packet size is not a multiple of chunk size - vorbisdec: Error on bark_map_size equal to 0 (CVE-2013-0894) - wmadec: require block_align to be set +- wmaprodec: require block_align to be set, avoids infinite loop - wmaprodec: return an error, not 0, when the input is too small - xxan: fix invalid memory access in xan_decode_frame_type0() -- lzo: fix overflow checking in copy_backptr() -- flacdec: simplify bounds checking in flac_probe() to avoid undefined behavior. -- atrac3: avoid oversized shifting in decode_bytes(). -- png: use av_mallocz_array() for the zlib zalloc function, avoids accessing uninitialized memory. -- wmaprodec: require block_align to be set, avoids infinite loop. 
-- ivi_common: do not call MC for intra frames when dc_transform is unset -- roqvideodec: fix a potential infinite loop in roqvideo_decode_frame(). - version 0.8.5: From fabdeed6fcefa113c41c03315a6b440a02305e73 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 17 Mar 2013 08:25:46 +0100 Subject: [PATCH 486/991] Changelog: document msrle bugfix --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 576eeb8b5f..edf3213c30 100644 --- a/Changelog +++ b/Changelog @@ -17,6 +17,7 @@ version 0.8.6: - lzo: fix overflow checking in copy_backptr() - matroskadec: request a read buffer for the wav header - mp3: exit on parsing error in mp_decode_frame +- msrledec: convert to bytestream2 API and add proper bounds checking (CVE-2013-2496) - oggdec: make sure the private parse data is cleaned up - parser: fix large overreads - png: use av_mallocz_array() for the zlib zalloc function, avoids accessing uninitialized memory @@ -31,6 +32,7 @@ version 0.8.6: - wmaprodec: return an error, not 0, when the input is too small - xxan: fix invalid memory access in xan_decode_frame_type0() + version 0.8.5: - Several bugs and crashes have been fixed in the following codecs: From 12e4aefb80f42f8f5da7cdf558314854b6fdef02 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 16 Mar 2013 20:13:44 +0100 Subject: [PATCH 487/991] Do not (re-)set libx264 parameter b_tff if interlaced encoding was not requested. Reconfiguring can break x264 lossless encoding. Fixes ticket #2165. (cherry picked from commit 75c7e4583f4fd727d236a12763a265502fe00988) --- libavcodec/libx264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index f6cd9fa3a5..a82cb2480f 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c 
@@ -174,7 +174,7 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, frame->pict_type == AV_PICTURE_TYPE_P ? X264_TYPE_P : frame->pict_type == AV_PICTURE_TYPE_B ? X264_TYPE_B : X264_TYPE_AUTO; - if (x4->params.b_tff != frame->top_field_first) { + if (x4->params.b_interlaced && x4->params.b_tff != frame->top_field_first) { x4->params.b_tff = frame->top_field_first; x264_encoder_reconfig(x4->enc, &x4->params); } From 36aad4f1cc707feb15f071260a99f239b6623a59 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sun, 17 Mar 2013 20:22:19 +0100 Subject: [PATCH 488/991] iff: validate CMAP palette size Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385) Signed-off-by: Reinhard Tartler (cherry picked from commit 31a77177ff323ef83944c60a8654891213ab6691) Signed-off-by: Reinhard Tartler --- libavformat/iff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index b895cf2e67..4552985d77 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -159,6 +159,11 @@ static int iff_read_header(AVFormatContext *s, break; case ID_CMAP: + if (data_size < 3 || data_size > 768 || data_size % 3) { + av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n", + data_size); + return AVERROR_INVALIDDATA; + } st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata) From cd534fdf86e12ccd9a702ce0aee093b95150df8e Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 24 Jun 2012 11:17:13 +0100 Subject: [PATCH 489/991] dxva2: include dxva.h if found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apparently, some build environments require dxva.h even for dxva2, while others lack this header entirely. Including it conditionally allows building in both cases. 
Signed-off-by: Martin Storsjö (cherry picked from commit fa84506177f0246b30d4ea6a99ee5d419f3e4550) Signed-off-by: Reinhard Tartler --- configure | 2 ++ libavcodec/dxva2_internal.h | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/configure b/configure index 081854feb9..844069bcc9 100755 --- a/configure +++ b/configure @@ -1073,6 +1073,7 @@ HAVE_LIST=" dlfcn_h dlopen dos_paths + dxva_h ebp_available ebx_available exp2 @@ -2866,6 +2867,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h VirtualAlloc check_header dlfcn.h +check_header dxva.h check_header dxva2api.h check_header malloc.h check_header poll.h diff --git a/libavcodec/dxva2_internal.h b/libavcodec/dxva2_internal.h index 57fc7bd6f9..e2305b1a24 100644 --- a/libavcodec/dxva2_internal.h +++ b/libavcodec/dxva2_internal.h @@ -25,7 +25,14 @@ #define _WIN32_WINNT 0x0600 #define COBJMACROS + +#include "config.h" + #include "dxva2.h" +#if HAVE_DXVA_H +#include +#endif + #include "avcodec.h" #include "mpegvideo.h" From dab40d5bd4da0f15dfe8dd6f1d7655fa107020ef Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 23 Mar 2013 09:43:26 +0100 Subject: [PATCH 490/991] fate: fetch samples that match the release series The idea is to ensure that 'make fate' always fetches the fate samples that work with this release. (cherry picked from commit a89f68776b2771935a348ce07d0a094ae965acfc) Signed-off-by: Reinhard Tartler --- tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index dba9e83688..b6b33e5082 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -102,7 +102,7 @@ fate-seek: $(FATE_SEEK) ifdef SAMPLES FATE += $(FATE_TESTS) $(FATE_TESTS-yes) fate-rsync: - rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES) + rsync -vaLW rsync://fate-suite.libav.org/fate-suite-0.8/ $(SAMPLES) else fate-rsync: @echo "use 'make fate-rsync SAMPLES=/path/to/samples' to sync the fate suite" 
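Review bot: the fate-rsync recipe in tests/Makefile now hard-codes the release series inside the URL (`fate-suite-0.8/`), so every later release branch has to remember to edit this string by hand. Consider taking the suffix from a make variable that is set once per branch, so the sample set and the release version cannot drift apart silently.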
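Review bot: in the ID_CMAP case of iff_read_header() (libavformat/iff.c) the new bounds `data_size < 3 || data_size > 768 || data_size % 3` are bare literals; a short comment or named constants stating that 768 is 256 palette entries of 3 bytes each would let a reader check the limit against the code that consumes this extradata. The context line `av_malloc(data_size)` right after the check also allocates the extradata with no FF_INPUT_BUFFER_PADDING_SIZE bytes behind it, and `data_size` is logged with `%d`, which is only correct if that variable is a signed int.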
From b385a772180963813a23baf9a80713a12c86cb7c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 23 Mar 2013 14:48:40 +0100 Subject: [PATCH 491/991] update Changelog --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index edf3213c30..b183d30033 100644 --- a/Changelog +++ b/Changelog @@ -11,6 +11,7 @@ version 0.8.6: - dsputil: fix invalid array indexing - flacdec: simplify bounds checking in flac_probe() to avoid undefined behavior. - h264: check for luma and chroma bit depth being equal (CVE-2013-2277) +- iff: validate CMAP palette size (CVE-2013-2495) - indeo3: initialise pixel planes on allocation - ivi_common: do not call MC for intra frames when dc_transform is unset - lavf: fix arithmetic overflows in avformat_seek_file() From 5dd5cfd0b8d3b658d3b517a617aeb57a233c68c4 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 26 Mar 2013 15:16:07 +0100 Subject: [PATCH 492/991] Only test the first frame for missing aac_adtstoasc bistream filter. Many players ignore broken aac frames, so don't abort mov or flv muxing when encountering one, just print a warning instead. Fixes ticket #2380. (cherry picked from commit 1741fece7073f51efdd837a4f307ea2cdf3d1cfb) Conflicts: libavformat/flvenc.c --- libavformat/flvenc.c | 9 +++++++-- libavformat/movenc.c | 3 +++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 3f034bc31a..417a1c1986 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c 
@@ -446,8 +446,13 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) } } else if (enc->codec_id == CODEC_ID_AAC && pkt->size > 2 && (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { - av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); - return -1; + if (!s->streams[pkt->stream_index]->nb_frames) { + av_log(s, AV_LOG_ERROR, "Malformed AAC bitstream detected: " + "use audio bitstream filter 'aac_adtstoasc' to fix it " + "('-bsf:a aac_adtstoasc' option with ffmpeg)\n"); + return AVERROR_INVALIDDATA; + } + av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); } if (flv->delay == AV_NOPTS_VALUE) flv->delay = -pkt->dts; diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 0d0d3e0c94..fdde5176a0 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2595,8 +2595,11 @@ static int mov_write_packet_internal(AVFormatContext *s, AVPacket *pkt) } } else if (enc->codec_id == CODEC_ID_AAC && pkt->size > 2 && (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { + if (!s->streams[pkt->stream_index]->nb_frames) { av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); return -1; + } + av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); } else { avio_write(pb, pkt->data, size); } From 8b72bcba713ae2dd48c260265010c9831dffdc30 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 30 Mar 2013 08:41:46 +0100 Subject: [PATCH 493/991] Write broken aac frames to mov files instead of skipping them. Fixes decoding with picky media players. Signed-off-by: Michael Niedermayer (cherry picked from commit b448c0a68d0cc7dfef736267dfdaed0e213c020b) Conflicts: libavformat/movenc.c --- libavformat/movenc.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index fdde5176a0..94e718263a 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
@@ -2583,6 +2583,14 @@ static int mov_write_packet_internal(AVFormatContext *s, AVPacket *pkt) memcpy(trk->vosData, enc->extradata, trk->vosLen); } + if (enc->codec_id == CODEC_ID_AAC && pkt->size > 2 && + (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { + if (!s->streams[pkt->stream_index]->nb_frames) { + av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); + return -1; + } + av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); + } if (enc->codec_id == CODEC_ID_H264 && trk->vosLen > 0 && *(uint8_t *)trk->vosData != 1) { /* from x264 or from bytestream h264 */ /* nal reformating needed */ @@ -2593,13 +2601,6 @@ static int mov_write_packet_internal(AVFormatContext *s, AVPacket *pkt) } else { size = ff_avc_parse_nal_units(pb, pkt->data, pkt->size); } - } else if (enc->codec_id == CODEC_ID_AAC && pkt->size > 2 && - (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { - if (!s->streams[pkt->stream_index]->nb_frames) { - av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); - return -1; - } - av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); } else { avio_write(pb, pkt->data, size); } From 1aa50348d8bc74fad59bca4f2c52b05ac0f92a60 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 3 Apr 2013 12:57:58 +0000 Subject: [PATCH 494/991] smacker: fix off by one error Regression since a93b572ae4f517ce0c35cf085167c318e9215908. Fixes #2426. Signed-off-by: Paul B Mahol (cherry picked from commit e3cc92a623a6ece42816c7a692c8815688a99ab0) --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index b2fd0b6d20..2385088200 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c 
@@ -269,7 +269,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } else if(t & 0x40){ /* copy with offset */ off = avio_r8(s->pb); j = (t & 0x3F) + 1; - if (off + j > 0xff) { + if (off + j - 1 > 0xff) { av_log(s, AV_LOG_ERROR, "Invalid palette update, offset=%d length=%d extends beyond palette size\n", off, j); From 5e2fadeadf80768955bc54948d384e67b0cd096b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 20:32:24 +0100 Subject: [PATCH 495/991] apichanges: fix date Signed-off-by: Michael Niedermayer (cherry picked from commit ad6802f975a91bf6757fe3729ef8c6f10e6796b7) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index d387b5020b..f554859d09 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -64,7 +64,7 @@ API changes, most recent first: 2011-10-20 - b35e9e1 - lavu 51.22.0 Add av_strtok() to avstring.h. -2011-01-03 - b73ec05 - lavu 51.21.0 +2012-01-03 - b73ec05 - lavu 51.21.0 Add av_popcount64 2011-12-18 - 8400b12 - lavc 53.28.1 From 25d7a33251c6c98bb0dee1c15e3aa8f1aab86b84 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 21:13:32 +0100 Subject: [PATCH 496/991] apichanges: fix 2 wrong hashes Signed-off-by: Michael Niedermayer (cherry picked from commit 2f3bc5122822687dc388f7352c92cf6db456cf7c) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index f554859d09..277b2c1adc 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -513,11 +513,11 @@ API changes, most recent first: 2011-02-10 - 12c14cd - lavf 52.99.0 - AVStream.disposition Add AV_DISPOSITION_HEARING_IMPAIRED and AV_DISPOSITION_VISUAL_IMPAIRED. -2011-02-09 - 5592734 - lavc 52.112.0 - avcodec_thread_init() +2011-02-09 - c0b102c - lavc 52.112.0 - avcodec_thread_init() Deprecate avcodec_thread_init()/avcodec_thread_free() use; instead set thread_count before calling avcodec_open. -2011-02-09 - 778b08a - lavc 52.111.0 - threading API +2011-02-09 - 37b00b4 - lavc 52.111.0 - threading API Add CODEC_CAP_FRAME_THREADS with new restrictions on get_buffer()/ release_buffer()/draw_horiz_band() callbacks for appropriate codecs. Add thread_type and active_thread_type fields to AVCodecContext. From 4b6b0a164c8c21a7363baaa2590c9f1e52b46a00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Oct 2012 05:36:41 +0200 Subject: [PATCH 497/991] ffserver: fix return value of add_codec() Signed-off-by: Michael Niedermayer (cherry picked from commit ff814c75a3f52d264e6c6092736f6db2fb72a61c) Signed-off-by: Michael Niedermayer --- ffserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffserver.c b/ffserver.c index aebe651617..e7fdfbece0 100644 --- a/ffserver.c +++ b/ffserver.c @@ -3806,7 +3806,7 @@ static void add_codec(FFStream *stream, AVCodecContext *av) AVStream *st; if(stream->nb_streams >= FF_ARRAY_ELEMS(stream->streams)) - return NULL; + return; /* compute default parameters */ switch(av->codec_type) { From 119b7a6c7cd8e895446f0b9a982558ac76433718 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Jan 2013 14:14:41 +0100 Subject: [PATCH 498/991] oggparsevorbis: fix vorbis_cleanup return type Signed-off-by: Michael Niedermayer (cherry picked from commit 7a6beedd3fcd1ff0fc3f314cb5ec58db116d19ee) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
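Review bot: in mov_write_packet_internal() (libavformat/movenc.c, PATCH 493) the relocated AAC check still fails with a bare `return -1` and the old text "malformated aac bitstream, use -absf aac_adtstoasc", while the same check in flv_write_packet() was changed one patch earlier to return AVERROR_INVALIDDATA and to name `-bsf:a aac_adtstoasc`. Both muxers should report this condition with the same error code and wording. Since a packet that matches the `0xfff0` test is now written to the file after only a warning, a comment saying that this is intended for every frame after the first would help the next reader.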
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 0c26684dd2..7ec7a9eaeb 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -188,7 +188,7 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } -static int vorbis_cleanup(AVFormatContext *s, int idx) +static void vorbis_cleanup(AVFormatContext *s, int idx) { struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; From 691017b5c3b2f8369bd08afbc1c03f98b4aefbb8 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 14 Jan 2013 20:38:33 +0100 Subject: [PATCH 499/991] configure: Make warnings from -Wreturn-type fatal errors These warnings have no false positives and point to serious bugs. (cherry picked from commit 99853cb8d4237b810b2fffb4a34f66fd0064ef72) Conflicts: configure Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index d8489e705d..f34b622e03 100755 --- a/configure +++ b/configure @@ -3360,11 +3360,13 @@ elif enabled gcc; then check_cflags -fno-tree-vectorize check_cflags -Werror=implicit-function-declaration check_cflags -Werror=missing-prototypes + check_cflags -Werror=return-type elif enabled llvm_gcc; then check_cflags -mllvm -stack-alignment=16 elif enabled clang; then check_cflags -mllvm -stack-alignment=16 check_cflags -Qunused-arguments + check_cflags -Werror=return-type elif enabled armcc; then # 2523: use of inline assembler is deprecated add_cflags -W${armcc_opt},--diag_suppress=2523 From fdee09a19e4016092e447ea193d59328c0b7daf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2013 03:32:23 +0100 Subject: [PATCH 500/991] doc/APIchanges: List merge commit hashes and version numbers Signed-off-by: Michael Niedermayer --- doc/APIchanges | 206 ++++++++++++++++++++++++------------------------- 1 file changed, 103 insertions(+), 103 deletions(-) 
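Review bot: `check_cflags -Werror=return-type` is added to the gcc and clang branches of configure (PATCH 499) but not to the `elif enabled llvm_gcc` branch that sits between them, so llvm-gcc builds keep treating a missing return value as a plain warning. If the omission is deliberate, say so in the commit message; otherwise add the same line to that branch.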
diff --git a/doc/APIchanges b/doc/APIchanges index 277b2c1adc..f69941c39f 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -16,8 +16,8 @@ API changes, most recent first: 2012-01-24 - xxxxxxx - lavfi 2.60.100 Add avfilter_graph_dump. -2012-01-25 - lavf 53.22.0 - f1caf01 Allow doing av_write_frame(ctx, NULL) for flushing possible +2012-01-25 - lavf 53.31.100 / 53.22.0 + 3c5fe5b / f1caf01 Allow doing av_write_frame(ctx, NULL) for flushing possible buffered data within a muxer. Added AVFMT_ALLOW_FLUSH for muxers supporting it (av_write_frame makes sure it is called only for muxers with this flag). @@ -35,15 +35,15 @@ API changes, most recent first: 2012-02-17 - 350d06d - lavc 53.35.0 Add avcodec_is_open() function. -2012-01-15 - lavc 53.34.0 +2012-01-15 - lavc 53.56.105 / 53.34.0 New audio encoding API: - b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio + 67f5650 / b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio encoders. - 5ee5fa0 Add avcodec_fill_audio_frame() as a convenience function. - b2c75b6 Add avcodec_encode_audio2() and deprecate avcodec_encode_audio(). + 67f5650 / 5ee5fa0 Add avcodec_fill_audio_frame() as a convenience function. + 67f5650 / b2c75b6 Add avcodec_encode_audio2() and deprecate avcodec_encode_audio(). Add AVCodec.encode2(). -2012-01-12 - 3167dc9 - lavfi 2.15.0 +2012-01-12 - b18e17e / 3167dc9 - lavfi 2.59.100 / 2.15.0 Add a new installed header -- libavfilter/version.h -- with version macros. 2011-12-08 - a502939 - lavfi 2.52.0 
@@ -64,37 +64,37 @@ API changes, most recent first: 2011-10-20 - b35e9e1 - lavu 51.22.0 Add av_strtok() to avstring.h. -2012-01-03 - b73ec05 - lavu 51.21.0 +2012-01-03 - ad1c8dd / b73ec05 - lavu 51.34.100 / 51.21.0 Add av_popcount64 -2011-12-18 - 8400b12 - lavc 53.28.1 +2011-12-18 - 7c29313 / 8400b12 - lavc 53.46.1 / 53.28.1 Deprecate AVFrame.age. The field is unused. -2011-12-12 - 5266045 - lavf 53.17.0 +2011-12-12 - 8bc7fe4 / 5266045 - lavf 53.25.0 / 53.17.0 Add avformat_close_input(). Deprecate av_close_input_file() and av_close_input_stream(). -2011-12-02 - 0eea212 - lavc 53.25.0 +2011-12-02 - e4de716 / 0eea212 - lavc 53.40.0 / 53.25.0 Add nb_samples and extended_data fields to AVFrame. Deprecate AVCODEC_MAX_AUDIO_FRAME_SIZE. Deprecate avcodec_decode_audio3() in favor of avcodec_decode_audio4(). avcodec_decode_audio4() writes output samples to an AVFrame, which allows audio decoders to use get_buffer(). -2011-12-04 - 560f773 - lavc 53.24.0 +2011-12-04 - e4de716 / 560f773 - lavc 53.40.0 / 53.24.0 Change AVFrame.data[4]/base[4]/linesize[4]/error[4] to [8] at next major bump. Change AVPicture.data[4]/linesize[4] to [8] at next major bump. Change AVCodecContext.error[4] to [8] at next major bump. Add AV_NUM_DATA_POINTERS to simplify the bump transition. -2011-11-23 - bbb46f3 - lavu 51.18.0 +2011-11-23 - 8e576d5 / bbb46f3 - lavu 51.27.0 / 51.18.0 Add av_samples_get_buffer_size(), av_samples_fill_arrays(), and av_samples_alloc(), to samplefmt.h. -2011-11-23 - 8889cc4 - lavu 51.17.0 +2011-11-23 - 8e576d5 / 8889cc4 - lavu 51.27.0 / 51.17.0 Add planar sample formats and av_sample_fmt_is_planar() to samplefmt.h. -2011-11-19 - f3a29b7 - lavc 53.21.0 +2011-11-19 - dbb38bc / f3a29b7 - lavc 53.36.0 / 53.21.0 Move some AVCodecContext fields to a new private struct, AVCodecInternal, which is accessed from a new field, AVCodecContext.internal. - fields moved: 
@@ -102,55 +102,55 @@ API changes, most recent first: AVCodecContext.internal_buffer_count --> AVCodecInternal.buffer_count AVCodecContext.is_copy --> AVCodecInternal.is_copy -2011-11-16 - 6270671 - lavu 51.16.0 +2011-11-16 - 8709ba9 / 6270671 - lavu 51.26.0 / 51.16.0 Add av_timegm() -2011-11-13 - lavf 53.15.0 +2011-11-13 - lavf 53.21.0 / 53.15.0 New interrupt callback API, allowing per-AVFormatContext/AVIOContext interrupt callbacks. - 6aa0b98 Add AVIOInterruptCB struct and the interrupt_callback field to + 5f268ca / 6aa0b98 Add AVIOInterruptCB struct and the interrupt_callback field to AVFormatContext. - 1dee0ac Add avio_open2() with additional parameters. Those are + 5f268ca / 1dee0ac Add avio_open2() with additional parameters. Those are an interrupt callback and an options AVDictionary. This will allow passing AVOptions to protocols after lavf 54.0. -2011-11-06 - ba04ecf - lavu 51.14.0 +2011-11-06 - 13b7781 / ba04ecf - lavu 51.24.0 / 51.14.0 Add av_strcasecmp() and av_strncasecmp() to avstring.h. -2011-11-06 - 07b172f - lavu 51.13.0 +2011-11-06 - 13b7781 / 07b172f - lavu 51.24.0 / 51.13.0 Add av_toupper()/av_tolower() -2011-11-05 - b6d08f4 - lavf 53.13.0 +2011-11-05 - d8cab5c / b6d08f4 - lavf 53.19.0 / 53.13.0 Add avformat_network_init()/avformat_network_uninit() -2011-10-27 - 512557b - lavc 53.15.0 +2011-10-27 - 6faf0a2 / 512557b - lavc 53.24.0 / 53.15.0 Remove avcodec_parse_frame. Deprecate AVCodecContext.parse_only and CODEC_CAP_PARSE_ONLY. -2011-10-19 - 569129a - lavf 53.10.0 +2011-10-19 - d049257 / 569129a - lavf 53.17.0 / 53.10.0 Add avformat_new_stream(). Deprecate av_new_stream(). -2011-10-13 - b631fba - lavf 53.9.0 +2011-10-13 - 91eb1b1 / b631fba - lavf 53.16.0 / 53.9.0 Add AVFMT_NO_BYTE_SEEK AVInputFormat flag. -2011-10-12 - lavu 51.12.0 +2011-10-12 - lavu 51.21.0 / 51.12.0 AVOptions API rewrite. 
- - 145f741 FF_OPT_TYPE* renamed to AV_OPT_TYPE_* + - f884ef0 / 145f741 FF_OPT_TYPE* renamed to AV_OPT_TYPE_* - new setting/getting functions with slightly different semantics: - dac66da av_set_string3 -> av_opt_set + f884ef0 / dac66da av_set_string3 -> av_opt_set av_set_double -> av_opt_set_double av_set_q -> av_opt_set_q av_set_int -> av_opt_set_int - 41d9d51 av_get_string -> av_opt_get + f884ef0 / 41d9d51 av_get_string -> av_opt_get av_get_double -> av_opt_get_double av_get_q -> av_opt_get_q av_get_int -> av_opt_get_int - - 8c5dcaa trivial rename av_next_option -> av_opt_next - - 641c7af new functions - av_opt_child_next, av_opt_child_class_next + - f884ef0 / 8c5dcaa trivial rename av_next_option -> av_opt_next + - f884ef0 / 641c7af new functions - av_opt_child_next, av_opt_child_class_next and av_opt_find2() 2011-09-22 - a70e787 - lavu 51.17.0 
@@ -196,31 +196,31 @@ API changes, most recent first: 2011-08-20 - 69e2c1a - lavu 51.13.0 Add av_get_media_type_string(). -2011-09-03 - fb4ca26 - lavc 53.13.0 +2011-09-03 - 1889c67 / fb4ca26 - lavc 53.13.0 lavf 53.11.0 lsws 2.1.0 Add {avcodec,avformat,sws}_get_class(). -2011-08-03 - c11fb82 - lavu 51.15.0 +2011-08-03 - 1889c67 / c11fb82 - lavu 51.15.0 Add AV_OPT_SEARCH_FAKE_OBJ flag for av_opt_find() function. 2011-08-14 - 323b930 - lavu 51.12.0 Add av_fifo_peek2(), deprecate av_fifo_peek(). -2011-08-26 - lavu 51.9.0 - - add41de..abc78a5 Do not include intfloat_readwrite.h, +2011-08-26 - lavu 51.14.0 / 51.9.0 + - 976a8b2 / add41de..976a8b2 / abc78a5 Do not include intfloat_readwrite.h, mathematics.h, rational.h, pixfmt.h, or log.h from avutil.h. -2011-08-16 - 48f9e45 - lavf 53.8.0 +2011-08-16 - 27fbe31 / 48f9e45 - lavf 53.11.0 / 53.8.0 Add avformat_query_codec(). -2011-08-16 - bca06e7 - lavc 53.11.0 +2011-08-16 - 27fbe31 / bca06e7 - lavc 53.11.0 Add avcodec_get_type(). -2011-08-06 - 2f63440 - lavf 53.7.0 +2011-08-06 - 0cb233c / 2f63440 - lavf 53.7.0 Add error_recognition to AVFormatContext. -2011-08-02 - 9d39cbf - lavc 53.9.1 +2011-08-02 - 1d186e9 / 9d39cbf - lavc 53.9.1 Add AV_PKT_FLAG_CORRUPT AVPacket flag. 2011-07-16 - b57df29 - lavfi 2.27.0 @@ -231,10 +231,10 @@ API changes, most recent first: avfilter_set_common_packing_formats() avfilter_all_packing_formats() -2011-07-10 - a67c061 - lavf 53.6.0 +2011-07-10 - 3602ad7 / a67c061 - lavf 53.6.0 Add avformat_find_stream_info(), deprecate av_find_stream_info(). -2011-07-10 - 0b950fe - lavc 53.8.0 +2011-07-10 - 3602ad7 / 0b950fe - lavc 53.8.0 Add avcodec_open2(), deprecate avcodec_open(). 2011-07-01 - b442ca6 - lavf 53.5.0 - avformat.h 
@@ -273,35 +273,35 @@ API changes, most recent first: 2011-06-12 - 6119b23 - lavfi 2.16.0 - avfilter_graph_parse() Change avfilter_graph_parse() signature. -2011-06-23 - 67e9ae1 - lavu 51.8.0 - attributes.h +2011-06-23 - 686959e / 67e9ae1 - lavu 51.10.0 / 51.8.0 - attributes.h Add av_printf_format(). -2011-06-16 - 05e84c9, 25de595 - lavf 53.2.0 - avformat.h +2011-06-16 - 2905e3f / 05e84c9, 2905e3f / 25de595 - lavf 53.4.0 / 53.2.0 - avformat.h Add avformat_open_input and avformat_write_header(). Deprecate av_open_input_stream, av_open_input_file, AVFormatParameters and av_write_header. -2011-06-16 - 7e83e1c, dc59ec5 - lavu 51.7.0 - opt.h +2011-06-16 - 2905e3f / 7e83e1c, 2905e3f / dc59ec5 - lavu 51.9.0 / 51.7.0 - opt.h Add av_opt_set_dict() and av_opt_find(). Deprecate av_find_opt(). Add AV_DICT_APPEND flag. -2011-06-10 - cb7c11c - lavu 51.6.0 - opt.h +2011-06-10 - 45fb647 / cb7c11c - lavu 51.6.0 - opt.h Add av_opt_flag_is_set(). 2011-06-10 - c381960 - lavfi 2.15.0 - avfilter_get_audio_buffer_ref_from_arrays Add avfilter_get_audio_buffer_ref_from_arrays() to avfilter.h. -2011-06-09 - d9f80ea - lavu 51.8.0 - AVMetadata +2011-06-09 - f9ecb84 / d9f80ea - lavu 51.8.0 - AVMetadata Move AVMetadata from lavf to lavu and rename it to AVDictionary -- new installed header dict.h. All av_metadata_* functions renamed to av_dict_*. -2011-06-07 - a6703fa - lavu 51.8.0 - av_get_bytes_per_sample() +2011-06-07 - d552f61 / a6703fa - lavu 51.8.0 - av_get_bytes_per_sample() Add av_get_bytes_per_sample() in libavutil/samplefmt.h. Deprecate av_get_bits_per_sample_fmt(). -2011-06-05 - b39b062 - lavu 51.8.0 - opt.h +2011-06-05 - f956924 / b39b062 - lavu 51.8.0 - opt.h Add av_opt_free convenience function. 2011-06-06 - 95a0242 - lavfi 2.14.0 - AVFilterBufferRefAudioProps 
@@ -331,7 +331,7 @@ API changes, most recent first: Add av_get_pix_fmt_name() in libavutil/pixdesc.h, and deprecate avcodec_get_pix_fmt_name() in libavcodec/avcodec.h in its favor. -2011-05-25 - 30315a8 - lavf 53.3.0 - avformat.h +2011-05-25 - 39e4206 / 30315a8 - lavf 53.3.0 - avformat.h Add fps_probe_size to AVFormatContext. 2011-05-22 - 5ecdfd0 - lavf 53.2.0 - avformat.h @@ -347,10 +347,10 @@ API changes, most recent first: 2011-05-14 - 9fdf772 - lavfi 2.6.0 - avcodec.h Add avfilter_get_video_buffer_ref_from_frame() to libavfilter/avcodec.h. -2011-05-18 - 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt +2011-05-18 - 75a37b5 / 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt Add request_sample_fmt field to AVCodecContext. -2011-05-10 - 188dea1 - lavc 53.6.0 - avcodec.h +2011-05-10 - 59eb12f / 188dea1 - lavc 53.6.0 - avcodec.h Deprecate AVLPCType and the following fields in AVCodecContext: lpc_coeff_precision, prediction_order_method, min_partition_order, max_partition_order, lpc_type, lpc_passes. 
@@ -380,81 +380,81 @@ API changes, most recent first: Add av_dynarray_add function for adding an element to a dynamic array. -2011-04-26 - bebe72f - lavu 51.1.0 - avutil.h +2011-04-26 - d7e5aeb / bebe72f - lavu 51.1.0 - avutil.h Add AVPictureType enum and av_get_picture_type_char(), deprecate FF_*_TYPE defines and av_get_pict_type_char() defined in libavcodec/avcodec.h. -2011-04-26 - 10d3940 - lavfi 2.3.0 - avfilter.h +2011-04-26 - d7e5aeb / 10d3940 - lavfi 2.3.0 - avfilter.h Add pict_type and key_frame fields to AVFilterBufferRefVideo. -2011-04-26 - 7a11c82 - lavfi 2.2.0 - vsrc_buffer +2011-04-26 - d7e5aeb / 7a11c82 - lavfi 2.2.0 - vsrc_buffer Add sample_aspect_ratio fields to vsrc_buffer arguments -2011-04-21 - 94f7451 - lavc 53.1.0 - avcodec.h +2011-04-21 - 8772156 / 94f7451 - lavc 53.1.0 - avcodec.h Add CODEC_CAP_SLICE_THREADS for codecs supporting sliced threading. 2011-04-15 - lavc 52.120.0 - avcodec.h AVPacket structure got additional members for passing side information: - 4de339e introduce side information for AVPacket - 2d8591c make containers pass palette change in AVPacket + c407984 / 4de339e introduce side information for AVPacket + c407984 / 2d8591c make containers pass palette change in AVPacket 2011-04-12 - lavf 52.107.0 - avio.h Avio cleanup, part II - deprecate the entire URLContext API: - 175389c add avio_check as a replacement for url_exist - ff1ec0c add avio_pause and avio_seek_time as replacements + c55780d / 175389c add avio_check as a replacement for url_exist + 9891004 / ff1ec0c add avio_pause and avio_seek_time as replacements for _av_url_read_fseek/fpause - cdc6a87 deprecate av_protocol_next(), avio_enum_protocols + d4d0932 / cdc6a87 deprecate av_protocol_next(), avio_enum_protocols should be used instead. - 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb. - f87b1b3 rename open flags: URL_* -> AVIO_* - f8270bb add avio_enum_protocols. - 5593f03 deprecate URLProtocol. - c486dad deprecate URLContext. 
- 026e175 deprecate the typedef for URLInterruptCB - 8e76a19 deprecate av_register_protocol2. - b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME - 1305d93 deprecate av_url_read_seek - fa104e1 deprecate av_url_read_pause - 727c7aa deprecate url_get_filename(). - 5958df3 deprecate url_max_packet_size(). - 1869ea0 deprecate url_get_file_handle(). - 32a97d4 deprecate url_filesize(). - e52a914 deprecate url_close(). - 58a48c6 deprecate url_seek(). - 925e908 deprecate url_write(). - dce3756 deprecate url_read_complete(). - bc371ac deprecate url_read(). - 0589da0 deprecate url_open(). - 62eaaea deprecate url_connect. - 5652bb9 deprecate url_alloc. - 333e894 deprecate url_open_protocol - e230705 deprecate url_poll and URLPollEntry + c88caa5 / 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb. + c88caa5 / f87b1b3 rename open flags: URL_* -> AVIO_* + d4d0932 / f8270bb add avio_enum_protocols. + d4d0932 / 5593f03 deprecate URLProtocol. + d4d0932 / c486dad deprecate URLContext. + d4d0932 / 026e175 deprecate the typedef for URLInterruptCB + c88caa5 / 8e76a19 deprecate av_register_protocol2. + 11d7841 / b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME + 11d7841 / 1305d93 deprecate av_url_read_seek + 11d7841 / fa104e1 deprecate av_url_read_pause + 434f248 / 727c7aa deprecate url_get_filename(). + 434f248 / 5958df3 deprecate url_max_packet_size(). + 434f248 / 1869ea0 deprecate url_get_file_handle(). + 434f248 / 32a97d4 deprecate url_filesize(). + 434f248 / e52a914 deprecate url_close(). + 434f248 / 58a48c6 deprecate url_seek(). + 434f248 / 925e908 deprecate url_write(). + 434f248 / dce3756 deprecate url_read_complete(). + 434f248 / bc371ac deprecate url_read(). + 434f248 / 0589da0 deprecate url_open(). + 434f248 / 62eaaea deprecate url_connect. + 434f248 / 5652bb9 deprecate url_alloc. 
+ 434f248 / 333e894 deprecate url_open_protocol + 434f248 / e230705 deprecate url_poll and URLPollEntry 2011-04-08 - lavf 52.106.0 - avformat.h Minor avformat.h cleanup: - a9bf9d8 deprecate av_guess_image2_codec - c3675df rename avf_sdp_create->av_sdp_create + d4d0932 / a9bf9d8 deprecate av_guess_image2_codec + d4d0932 / c3675df rename avf_sdp_create->av_sdp_create 2011-04-03 - lavf 52.105.0 - avio.h Large-scale renaming/deprecating of AVIOContext-related functions: - 724f6a0 deprecate url_fdopen - 403ee83 deprecate url_open_dyn_packet_buf - 6dc7d80 rename url_close_dyn_buf -> avio_close_dyn_buf - b92c545 rename url_open_dyn_buf -> avio_open_dyn_buf - 8978fed introduce an AVIOContext.seekable field as a replacement for + 2cae980 / 724f6a0 deprecate url_fdopen + 2cae980 / 403ee83 deprecate url_open_dyn_packet_buf + 2cae980 / 6dc7d80 rename url_close_dyn_buf -> avio_close_dyn_buf + 2cae980 / b92c545 rename url_open_dyn_buf -> avio_open_dyn_buf + 2cae980 / 8978fed introduce an AVIOContext.seekable field as a replacement for AVIOContext.is_streamed and url_is_streamed() - b64030f deprecate get_checksum() - 4c4427a deprecate init_checksum() - 4ec153b deprecate udp_set_remote_url/get_local_port - 933e90a deprecate av_url_read_fseek/fpause - 8d9769a deprecate url_fileno - b7f2fdd rename put_flush_packet -> avio_flush - 35f1023 deprecate url_close_buf - 83fddae deprecate url_open_buf - d9d86e0 rename url_fprintf -> avio_printf - 59f65d9 deprecate url_setbufsize - 3e68b3b deprecate url_ferror + 1caa412 / b64030f deprecate get_checksum() + 1caa412 / 4c4427a deprecate init_checksum() + 2fd41c9 / 4ec153b deprecate udp_set_remote_url/get_local_port + 4fa0e24 / 933e90a deprecate av_url_read_fseek/fpause + 4fa0e24 / 8d9769a deprecate url_fileno + 0fecf26 / b7f2fdd rename put_flush_packet -> avio_flush + 0fecf26 / 35f1023 deprecate url_close_buf + 0fecf26 / 83fddae deprecate url_open_buf + 0fecf26 / d9d86e0 rename url_fprintf -> avio_printf + 0fecf26 / 59f65d9 deprecate 
url_setbufsize + 6947b0c / 3e68b3b deprecate url_ferror e8bb2e2 deprecate url_fget_max_packet_size 76aa876 rename url_fsize -> avio_size e519753 deprecate url_fgetc @@ -475,7 +475,7 @@ API changes, most recent first: b3db9ce deprecate get_partial_buffer 8d9ac96 rename av_alloc_put_byte -> avio_alloc_context -2011-03-25 - 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type +2011-03-25 - 27ef7b1 / 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type Add audio_service_type field to AVCodecContext. 2011-03-17 - e309fdc - lavu 50.40.0 - pixfmt.h From 7ab4358cda5d2e6517bd61b9bfce7ffde593def7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Mar 2013 00:00:02 +0100 Subject: [PATCH 501/991] rmdec: flush audio packet on seeking Fixes Ticket1605 Signed-off-by: Michael Niedermayer (cherry picked from commit 519ebb5ee5b89b8ecc80b4a4540fcbeb65cda172) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index cae19c59c1..3032c8f43a 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -974,6 +974,18 @@ static int64_t rm_read_dts(AVFormatContext *s, int stream_index, return dts; } +static int rm_read_seek(AVFormatContext *s, int stream_index, + int64_t pts, int flags) +{ + RMDemuxContext *rm = s->priv_data; + + if (ff_seek_frame_binary(s, stream_index, pts, flags) < 0) + return -1; + rm->audio_pkt_cnt = 0; + return 0; +} + + AVInputFormat ff_rm_demuxer = { .name = "rm", .long_name = NULL_IF_CONFIG_SMALL("RealMedia format"), @@ -983,6 +995,7 @@ AVInputFormat ff_rm_demuxer = { .read_packet = rm_read_packet, .read_close = rm_read_close, .read_timestamp = rm_read_dts, + .read_seek = rm_read_seek, }; AVInputFormat ff_rdt_demuxer = { From 6f5e1d581132092fdb2678edfd14dcae0ce2f461 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Apr 2013 16:29:00 +0200 Subject: [PATCH 502/991] Update for 0.10.7 
Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index d77acba722..60309cf29c 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.6 +PROJECT_NUMBER = 0.10.7 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 69da6ebcd0..2d993c425b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.6 +0.10.7 diff --git a/VERSION b/VERSION index 69da6ebcd0..2d993c425b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.6 +0.10.7 From 0b8198346150192579a6b9c2b3c8a7822f4bf5cb Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 5 Feb 2013 22:34:29 -0300 Subject: [PATCH 503/991] lavc/bink: Chech for malloc failure Based on commit 8ab2173ed141aa2c3336be7f9880340dfb8dcf5e --- libavcodec/bink.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 39c94a088c..16e3fd67a9 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -167,7 +167,7 @@ static void init_lengths(BinkContext *c, int width, int bw) * * @param c decoder context */ -static av_cold void init_bundles(BinkContext *c) +static av_cold int init_bundles(BinkContext *c) { int bw, bh, blocks; int i; @@ -178,8 +178,12 @@ static av_cold void init_bundles(BinkContext *c) for (i = 0; i < BINKB_NB_SRC; i++) { c->bundle[i].data = av_malloc(blocks * 64); + if (!c->bundle[i].data) + return AVERROR(ENOMEM); c->bundle[i].data_end = c->bundle[i].data + blocks * 64; } + + return 0; } /** 
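Review bot: In libavcodec/bink.c, init_bundles() now returns int, but the Doxygen block directly above it still lists only `@param c decoder context`. Add an `@return` line (0 on success, a negative AVERROR code on allocation failure) and state there that the caller must release partially allocated bundles, because the function returns from inside the loop after earlier `av_malloc()` calls may have succeeded and leaves that cleanup to `free_bundles(c)` in decode_init().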
@@ -1266,7 +1270,7 @@ static av_cold int decode_init(AVCodecContext *avctx) BinkContext * const c = avctx->priv_data; static VLC_TYPE table[16 * 128][2]; static int binkb_initialised = 0; - int i; + int i, ret; int flags; c->version = avctx->codec_tag >> 24; @@ -1301,7 +1305,10 @@ static av_cold int decode_init(AVCodecContext *avctx) dsputil_init(&c->dsp, avctx); ff_binkdsp_init(&c->bdsp); - init_bundles(c); + if ((ret = init_bundles(c)) < 0) { + free_bundles(c); + return ret; + } if (c->version == 'b') { if (!binkb_initialised) { From 73746237a188ecfff15221c7b09eacfe4598c227 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 24 Apr 2013 21:01:00 +0200 Subject: [PATCH 504/991] Prepare for 0.8.7 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7fc2521fd7..1e9b46b229 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.6 +0.8.7 From a563e4af9f56061ccd00c3fc52f238bb4b677e13 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 30 Mar 2013 09:46:06 +0100 Subject: [PATCH 505/991] oma: Validate sample rates The sample rate index is 3 bits even if currently index 5, 6 and 7 are not supported. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0933fd1533560fbc718026e12f19a4824b041237) Signed-off-by: Reinhard Tartler --- libavformat/oma.c | 2 +- libavformat/oma.h | 2 +- libavformat/omadec.c | 17 +++++++++++++---- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/libavformat/oma.c b/libavformat/oma.c index 930991cf00..be87647dd7 100644 --- a/libavformat/oma.c +++ b/libavformat/oma.c @@ -22,7 +22,7 @@ #include "oma.h" #include "libavcodec/avcodec.h" -const uint16_t ff_oma_srate_tab[6] = { 320, 441, 480, 882, 960, 0 }; +const uint16_t ff_oma_srate_tab[8] = { 320, 441, 480, 882, 960, 0 }; const AVCodecTag ff_oma_codec_tags[] = { { CODEC_ID_ATRAC3, OMA_CODECID_ATRAC3 }, 
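Review bot: In libavformat/oma.c, `ff_oma_srate_tab[8]` is widened to cover the full 3-bit index, but the initializer still lists six values, so entries 6 and 7 are zero only through implicit initialization. Writing the two trailing zeros out, or adding a comment that indexes 5 to 7 are unsupported and read as 0, would make it visible at the definition that the `if (!samplerate)` rejection added in omadec.c depends on those zeros.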
diff --git a/libavformat/oma.h b/libavformat/oma.h index bac8bcb736..1f0ddf9a88 100644 --- a/libavformat/oma.h +++ b/libavformat/oma.h @@ -37,7 +37,7 @@ enum { OMA_CODECID_WMA = 5, }; -extern const uint16_t ff_oma_srate_tab[6]; +extern const uint16_t ff_oma_srate_tab[8]; extern const AVCodecTag ff_oma_codec_tags[]; diff --git a/libavformat/omadec.c b/libavformat/omadec.c index cc37397010..48cc4327b9 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -302,7 +302,11 @@ static int oma_read_header(AVFormatContext *s, switch (buf[32]) { case OMA_CODECID_ATRAC3: - samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7]*100; + samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; + if (!samplerate) { + av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); + return AVERROR_INVALIDDATA; + } if (samplerate != 44100) av_log_ask_for_sample(s, "Unsupported sample rate: %d\n", samplerate); @@ -332,9 +336,14 @@ static int oma_read_header(AVFormatContext *s, case OMA_CODECID_ATRAC3P: st->codec->channels = (codec_params >> 10) & 7; framesize = ((codec_params & 0x3FF) * 8) + 8; - st->codec->sample_rate = ff_oma_srate_tab[(codec_params >> 13) & 7]*100; - st->codec->bit_rate = st->codec->sample_rate * framesize * 8 / 1024; - avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); + samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; + if (!samplerate) { + av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); + return AVERROR_INVALIDDATA; + } + st->codec->sample_rate = samplerate; + st->codec->bit_rate = samplerate * framesize * 8 / 1024; + avpriv_set_pts_info(st, 64, 1, samplerate); av_log(s, AV_LOG_ERROR, "Unsupported codec ATRAC3+!\n"); break; case OMA_CODECID_MP3: From 2eaf8698a3bb3ef01af8da8fada6437dae4a2ba5 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Sun, 17 Mar 2013 16:14:58 +0100 Subject: [PATCH 506/991] avfiltergraph: check for sws opts being non-NULL before using them. Avoid snprintfing a NULL pointer. CC: libav-stable@libav.org (cherry picked from commit 6e3c13a559e9ff300b5ca60e1d503e594d7f055c) Signed-off-by: Reinhard Tartler --- libavfilter/avfiltergraph.c | 7 ++++++- libavfilter/graphparser.c | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 8c43251c4c..8ed38f0fbb 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -23,6 +23,7 @@ #include #include +#include "libavutil/avstring.h" #include "avfilter.h" #include "avfiltergraph.h" #include "internal.h" @@ -163,7 +164,11 @@ static int query_formats(AVFilterGraph *graph, AVClass *log_ctx) /* couldn't merge format lists. auto-insert scale filter */ snprintf(inst_name, sizeof(inst_name), "auto-inserted scaler %d", scaler_count++); - snprintf(scale_args, sizeof(scale_args), "0:0:%s", graph->scale_sws_opts); + av_strlcpy(scale_args, "0:0", sizeof(scale_args)); + if (graph->scale_sws_opts) { + av_strlcat(scale_args, ":", sizeof(scale_args)); + av_strlcat(scale_args, graph->scale_sws_opts, sizeof(scale_args)); + } if ((ret = avfilter_graph_create_filter(&scale, avfilter_get_by_name("scale"), inst_name, scale_args, NULL, graph)) < 0) return ret; diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index 90f2936590..94f291d659 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c @@ -121,7 +121,8 @@ static int create_filter(AVFilterContext **filt_ctx, AVFilterGraph *ctx, int ind return ret; } - if (!strcmp(filt_name, "scale") && args && !strstr(args, "flags")) { + if (!strcmp(filt_name, "scale") && args && !strstr(args, "flags") && + ctx->scale_sws_opts) { snprintf(tmp_args, sizeof(tmp_args), "%s:%s", args, ctx->scale_sws_opts); args = tmp_args; 
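Review bot: In libavfilter/graphparser.c, create_filter() now tests `ctx->scale_sws_opts` for NULL only, so an empty string still reaches `snprintf(tmp_args, sizeof(tmp_args), "%s:%s", args, ctx->scale_sws_opts)` and produces arguments with a trailing ':'. Consider testing `*ctx->scale_sws_opts` as well, and in avfiltergraph.c compare the `av_strlcat()` return values against `sizeof(scale_args)` so that a truncated option string is reported instead of being passed on to the scale filter.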
From c65fb5b41b8e7a11a8ef472eba88c9ff08ce097e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Mar 2013 10:34:47 +0100 Subject: [PATCH 507/991] xmv: do not leak memory in the error paths in xmv_read_header() CC: libav-stable@libav.org (cherry picked from commit f8080bd13b5f7fc48204b17fa59a5ce9feb15f07) Signed-off-by: Reinhard Tartler --- libavformat/xmv.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index bc4b23917a..ee4aec3c96 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -178,8 +178,10 @@ static int xmv_read_header(AVFormatContext *s, return AVERROR(ENOMEM); xmv->audio = av_malloc(xmv->audio_track_count * sizeof(XMVAudioPacket)); - if (!xmv->audio) - return AVERROR(ENOMEM); + if (!xmv->audio) { + ret = AVERROR(ENOMEM); + goto fail; + } for (audio_track = 0; audio_track < xmv->audio_track_count; audio_track++) { XMVAudioTrack *track = &xmv->audio_tracks[audio_track]; @@ -213,8 +215,10 @@ static int xmv_read_header(AVFormatContext *s, "(0x%04X)\n", track->flags); ast = avformat_new_stream(s, NULL); - if (!ast) - return AVERROR(ENOMEM); + if (!ast) { + ret = AVERROR(ENOMEM); + goto fail; + } ast->codec->codec_type = AVMEDIA_TYPE_AUDIO; ast->codec->codec_id = track->codec_id; From 0f6364b62bb5f10b25d8cef88acbb9df84fd7f48 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Mar 2013 10:09:36 +0100 Subject: [PATCH 508/991] bmv: check for len being valid in bmv_decode_frame(). It can be 0 or -1 for invalid files, which may result in invalid memory access. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b88f902125ee808c8366e9dcb3f21e4c227483fc) Conflicts: libavcodec/bmv.c --- libavcodec/bmv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 49346a41a8..920e75255f 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c 
@@ -134,7 +134,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, mode += 1 + advance_mode; if (mode >= 4) mode -= 3; - if (FFABS(dst_end - dst) < len) + if (len <= 0 || FFABS(dst_end - dst) < len) return -1; switch (mode) { case 1: From 9aa2eee31389696ddd4042b2f967ee02d38caeff Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Mar 2013 10:33:02 +0100 Subject: [PATCH 509/991] xmv: check audio track parameters validity. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d1016dccdcb10486245e5d7c186cc31af54b2a9c) Signed-off-by: Reinhard Tartler --- libavformat/xmv.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index ee4aec3c96..8249ce11e3 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -126,6 +126,16 @@ static int xmv_probe(AVProbeData *p) return 0; } +static int xmv_read_close(AVFormatContext *s) +{ + XMVDemuxContext *xmv = s->priv_data; + + av_free(xmv->audio); + av_free(xmv->audio_tracks); + + return 0; +} + static int xmv_read_header(AVFormatContext *s, AVFormatParameters *ap) { @@ -136,6 +146,7 @@ static int xmv_read_header(AVFormatContext *s, uint32_t file_version; uint32_t this_packet_size; uint16_t audio_track; + int ret; avio_skip(pb, 4); /* Next packet size */ @@ -214,6 +225,13 @@ static int xmv_read_header(AVFormatContext *s, av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", track->flags); + if (!track->channels || !track->sample_rate) { + av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", + audio_track); + ret = AVERROR_INVALIDDATA; + goto fail; + } + ast = avformat_new_stream(s, NULL); if (!ast) { ret = AVERROR(ENOMEM); 
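Review bot: In libavformat/xmv.c, the `int ret;` declaration and the `fail:` label that this check jumps to are introduced only in this patch (509/991), while PATCH 507/991 already adds `ret = AVERROR(ENOMEM); goto fail;` to xmv_read_header() without adding either, so 507 does not build by itself and breaks bisection. Move the declaration, the label and the relocated xmv_read_close() into 507, or squash the two patches.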
@@ -244,6 +262,10 @@ static int xmv_read_header(AVFormatContext *s, xmv->stream_count = xmv->audio_track_count + 1; return 0; + +fail: + xmv_read_close(s); + return ret; } static void xmv_read_extradata(uint8_t *extradata, AVIOContext *pb) @@ -551,16 +573,6 @@ static int xmv_read_packet(AVFormatContext *s, return 0; } -static int xmv_read_close(AVFormatContext *s) -{ - XMVDemuxContext *xmv = s->priv_data; - - av_free(xmv->audio); - av_free(xmv->audio_tracks); - - return 0; -} - AVInputFormat ff_xmv_demuxer = { .name = "xmv", .long_name = NULL_IF_CONFIG_SMALL("Microsoft XMV"), From 4c7f40c6df8306dd99f117f8b6f10be8d14690a6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2013 18:18:38 +0100 Subject: [PATCH 510/991] dfa: check for invalid access in decode_wdlt(). This can happen when the number of skipped lines is not consistent with the number of coded lines. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3623589edc7b1257bb45aa9e52c9631e133f22b6) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index c2f8002c69..0ae89a8985 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -258,6 +258,8 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); } line_ptr = frame; + if (frame_end - frame < width) + return AVERROR_INVALIDDATA; frame += width; y++; while (segments--) { From 881526744eeac45a740157243503f046d9fa6473 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2013 17:56:59 +0100 Subject: [PATCH 511/991] lavf: make sure stream probe data gets freed. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dbb1425811a672eddf4acf0513237cdf20f83756) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libavformat/utils.c b/libavformat/utils.c index a92acde062..98c3af4e83 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2712,6 +2712,7 @@ void avformat_free_context(AVFormatContext *s) av_free_packet(&st->cur_pkt); } av_dict_free(&st->metadata); + av_freep(&st->probe_data.buf); av_free(st->index_entries); av_free(st->codec->extradata); av_free(st->codec->subtitle_header); From 74753cf1a99b9ded5525a351ec536a3d5cb4c068 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 10 Apr 2013 09:59:36 +0200 Subject: [PATCH 512/991] indeo3: fix data size check The data offsets are relative to the bistream header, which is 16 bytes after the start of the data. Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 34e6af9e204ca6bb18d8cf8ec68fe19b0e083e95) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 2aa8d955ac..83aadf6d54 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -887,8 +887,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, if (ctx->data_size == 16) return 4; - if (ctx->data_size > buf_size) - ctx->data_size = buf_size; + ctx->data_size = FFMIN(ctx->data_size, buf_size - 16); buf_ptr += 3; // skip reserved byte and checksum From c5084a17654963565975337ec1c2e90c4df288f4 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 9 Apr 2013 20:33:25 +0200 Subject: [PATCH 513/991] rv10: check that extradata is large enough Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 01d376f598fe95478036f5d1e3e5e14ffe32d4bf) Conflicts: libavcodec/rv10.c --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 58604d1947..4f64ec29b3 100644 --- a/libavcodec/rv10.c 
+++ b/libavcodec/rv10.c @@ -341,6 +341,11 @@ static int rv20_decode_picture_header(MpegEncContext *s) f = get_bits(&s->gb, rpr_bits); if(f){ + if (s->avctx->extradata_size < 8 + 2 * f) { + av_log(s->avctx, AV_LOG_ERROR, "Extradata too small.\n"); + return AVERROR_INVALIDDATA; + } + new_w= 4*((uint8_t*)s->avctx->extradata)[6+2*f]; new_h= 4*((uint8_t*)s->avctx->extradata)[7+2*f]; }else{ From 9b2af4d080c7baccd2b175d8f2b95ed653df2361 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 16 Apr 2013 09:41:28 +0200 Subject: [PATCH 514/991] indeo3: check motion vectors. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit a0a872d0733f60876b0c93f236bc4606f36fbf89) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 83aadf6d54..5d44f97bb9 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -222,7 +222,7 @@ static av_cold void free_frame_buffers(Indeo3DecodeContext *ctx) * @param plane pointer to the plane descriptor * @param cell pointer to the cell descriptor */ -static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) +static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) { int h, w, mv_x, mv_y, offset, offset_dst; uint8_t *src, *dst; 
@@ -232,6 +232,16 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) dst = plane->pixels[ctx->buf_sel] + offset_dst; mv_y = cell->mv_ptr[0]; mv_x = cell->mv_ptr[1]; + + /* -1 because there is an extra line on top for prediction */ + if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || + ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || + ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + av_log(ctx->avctx, AV_LOG_ERROR, + "Motion vectors point out of the frame.\n"); + return AVERROR_INVALIDDATA; + } + offset = offset_dst + mv_y * plane->pitch + mv_x; src = plane->pixels[ctx->buf_sel ^ 1] + offset; @@ -259,6 +269,8 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) dst += 4; } } + + return 0; } @@ -584,11 +596,23 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, } else if (mode >= 10) { /* for mode 10 and 11 INTER first copy the predicted cell into the current one */ /* so we don't need to do data copying for each RLE code later */ - copy_cell(ctx, plane, cell); + int ret = copy_cell(ctx, plane, cell); + if (ret < 0) + return ret; } else { /* set the pointer to the reference pixels for modes 0-4 INTER */ mv_y = cell->mv_ptr[0]; mv_x = cell->mv_ptr[1]; + + /* -1 because there is an extra line on top for prediction */ + if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || + ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || + ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + av_log(ctx->avctx, AV_LOG_ERROR, + "Motion vectors point out of the frame.\n"); + return AVERROR_INVALIDDATA; + } + offset += mv_y * plane->pitch + mv_x; ref_block = plane->pixels[ctx->buf_sel ^ 1] + offset; } 
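Review bot: The four-line motion vector range test added to decode_cell() is a verbatim copy of the one added to copy_cell() earlier in this patch (libavcodec/indeo3.c); move it into one helper that takes `plane` and `cell` and returns AVERROR_INVALIDDATA. PATCH 521/991 later has to change `>=` to `>` in both copies to fix the same off-by-one, which is the maintenance cost of keeping the check duplicated.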
@@ -720,7 +744,7 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, const int depth, const int strip_width) { Cell curr_cell; - int bytes_used; + int bytes_used, ret; if (depth <= 0) { av_log(avctx, AV_LOG_ERROR, "Stack overflow (corrupted binary tree)!\n"); @@ -771,8 +795,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, CHECK_CELL if (!curr_cell.mv_ptr) return AVERROR_INVALIDDATA; - copy_cell(ctx, plane, &curr_cell); - return 0; + ret = copy_cell(ctx, plane, &curr_cell); + return ret; } break; case INTER_DATA: From c579d4283edb87933632d9cf818b4244d1474d23 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 10 Apr 2013 09:40:20 +0200 Subject: [PATCH 515/991] indeo3: switch parsing the header to bytestream2 Also add an additional sanity check to the alt_quant table. Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 66531d634e75b834e89e4a6a0f7470ca018712a1) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 5d44f97bb9..b3e05298df 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c 
@@ -879,17 +879,20 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx, static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, const uint8_t *buf, int buf_size) { - const uint8_t *buf_ptr = buf, *bs_hdr; + GetByteContext gb; + const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; uint16_t height, width; int i, j; + bytestream2_init(&gb, buf, buf_size); + /* parse and check the OS header */ - frame_num = bytestream_get_le32(&buf_ptr); - word2 = bytestream_get_le32(&buf_ptr); - check_sum = bytestream_get_le32(&buf_ptr); - data_size = bytestream_get_le32(&buf_ptr); + frame_num = bytestream2_get_le32(&gb); + word2 = bytestream2_get_le32(&gb); + check_sum = bytestream2_get_le32(&gb); + data_size = bytestream2_get_le32(&gb); if ((frame_num ^ word2 ^ data_size ^ OS_HDR_ID) != check_sum) { av_log(avctx, AV_LOG_ERROR, "OS header checksum mismatch!\n"); 
@@ -897,27 +900,27 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, } /* parse the bitstream header */ - bs_hdr = buf_ptr; + bs_hdr = gb.buffer; - if (bytestream_get_le16(&buf_ptr) != 32) { + if (bytestream2_get_le16(&gb) != 32) { av_log(avctx, AV_LOG_ERROR, "Unsupported codec version!\n"); return AVERROR_INVALIDDATA; } ctx->frame_num = frame_num; - ctx->frame_flags = bytestream_get_le16(&buf_ptr); - ctx->data_size = (bytestream_get_le32(&buf_ptr) + 7) >> 3; - ctx->cb_offset = *buf_ptr++; + ctx->frame_flags = bytestream2_get_le16(&gb); + ctx->data_size = (bytestream2_get_le32(&gb) + 7) >> 3; + ctx->cb_offset = bytestream2_get_byte(&gb); if (ctx->data_size == 16) return 4; ctx->data_size = FFMIN(ctx->data_size, buf_size - 16); - buf_ptr += 3; // skip reserved byte and checksum + bytestream2_skip(&gb, 3); // skip reserved byte and checksum /* check frame dimensions */ - height = bytestream_get_le16(&buf_ptr); - width = bytestream_get_le16(&buf_ptr); + height = bytestream2_get_le16(&gb); + width = bytestream2_get_le16(&gb); if (av_image_check_size(width, height, 0, avctx)) return AVERROR_INVALIDDATA; @@ -943,9 +946,10 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, avcodec_set_dimensions(avctx, width, height); } - y_offset = bytestream_get_le32(&buf_ptr); - v_offset = bytestream_get_le32(&buf_ptr); - u_offset = bytestream_get_le32(&buf_ptr); + y_offset = bytestream2_get_le32(&gb); + v_offset = bytestream2_get_le32(&gb); + u_offset = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, 4); /* unfortunately there is no common order of planes in the buffer */ /* so we use that sorting algo for determining planes data sizes */ 
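Review bot: In decode_frame_headers() (libavcodec/indeo3.c), the new `bytestream2_skip(&gb, 4);` after the three plane offsets has no comment saying which field is skipped, and both `ctx->alt_quant = gb.buffer` and the new `gb.buffer - bs_hdr + 16` lower bound in the following hunks depend on it. Add a comment naming the skipped bytes and a named constant for the 16, so the relationship to the old `buf_ptr + sizeof(uint32_t)` expression stays visible.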
@@ -964,6 +968,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); return AVERROR_INVALIDDATA; @@ -972,7 +977,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_ptr = bs_hdr + y_offset; ctx->v_data_ptr = bs_hdr + v_offset; ctx->u_data_ptr = bs_hdr + u_offset; - ctx->alt_quant = buf_ptr + sizeof(uint32_t); + ctx->alt_quant = gb.buffer; if (ctx->data_size == 16) { av_log(avctx, AV_LOG_DEBUG, "Sync frame encountered!\n"); From d2d2ddf9a34ed0324e6c88019c6d37b5c5dfbc51 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 9 Jan 2013 20:49:34 +0100 Subject: [PATCH 516/991] oggdec: fix faulty cleanup prototype (cherry picked from commit fba8e5b608577fc660989d0057a55818254a3744) Signed-off-by: Reinhard Tartler --- libavformat/oggparsevorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 0c26684dd2..7ec7a9eaeb 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -188,7 +188,7 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } -static int vorbis_cleanup(AVFormatContext *s, int idx) +static void vorbis_cleanup(AVFormatContext *s, int idx) { struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; From 43c0a87279e717c1384314c6da7155c306ee7c60 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Tue, 9 Apr 2013 15:25:20 +0200 Subject: [PATCH 517/991] qdm2: check that the FFT size is a power of 2 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 34f87a58532ed652a6e0283c1d044ee5df0aef0b) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 739971eb83..59bce40c2d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1881,6 +1881,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Unknown FFT order (%d), contact the developers!\n", s->fft_order); return -1; } + if (s->fft_size != (1 << (s->fft_order - 1))) { + av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size); + return AVERROR_INVALIDDATA; + } ff_rdft_init(&s->rdft_ctx, s->fft_order, IDFT_C2R); ff_mpadsp_init(&s->mpadsp); From 7bf6a86f2e49165c60408acde601f6801dc93cb9 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 24 Apr 2013 21:02:29 +0200 Subject: [PATCH 518/991] update Changelog --- Changelog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Changelog b/Changelog index b183d30033..7323782c5b 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,22 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.7: + +- avfiltergraph: check for sws opts being non-NULL before using them +- bmv: check for len being valid in bmv_decode_frame() +- dfa: check for invalid access in decode_wdlt() +- indeo3: check motion vectors +- indeo3: fix data size check +- indeo3: switch parsing the header to bytestream2 +- lavf: make sure stream probe data gets freed. +- oggdec: fix faulty cleanup prototype +- oma: Validate sample rates +- qdm2: check that the FFT size is a power of 2 +- rv10: check that extradata is large enough +- xmv: check audio track parameters validity +- xmv: do not leak memory in the error paths in xmv_read_header() + version 0.8.6: From 48f0a2c2394c73b85c4944cd7c8451f6f5c7c5bb Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 5 May 2013 19:29:00 +0200 Subject: [PATCH 519/991] Fix type of shared flac table ff_flac_blocksize_table[]. Fixes ticket #2533. (cherry picked from commit a07ac1f7888fd08e42da2bed0421e74f1cfac177) --- libavcodec/flacdata.c | 2 +- libavcodec/flacdata.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdata.c b/libavcodec/flacdata.c index 6fcbe3955a..1954f32d32 100644 --- a/libavcodec/flacdata.c +++ b/libavcodec/flacdata.c @@ -27,7 +27,7 @@ const int ff_flac_sample_rate_table[16] = 8000, 16000, 22050, 24000, 32000, 44100, 48000, 96000, 0, 0, 0, 0 }; -const int16_t ff_flac_blocksize_table[16] = { +const int32_t ff_flac_blocksize_table[16] = { 0, 192, 576<<0, 576<<1, 576<<2, 576<<3, 0, 0, 256<<0, 256<<1, 256<<2, 256<<3, 256<<4, 256<<5, 256<<6, 256<<7 }; diff --git a/libavcodec/flacdata.h b/libavcodec/flacdata.h index 96a50b9183..e2c1e5d7f2 100644 --- a/libavcodec/flacdata.h +++ b/libavcodec/flacdata.h 
@@ -26,6 +26,6 @@ extern const int ff_flac_sample_rate_table[16]; -extern const int16_t ff_flac_blocksize_table[16]; +extern const int32_t ff_flac_blocksize_table[16]; #endif /* AVCODEC_FLACDATA_H */ From a590979988b135db7c7260f6db2082e19a46609b Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Tue, 7 May 2013 07:13:50 +0200 Subject: [PATCH 520/991] aac: check the maximum number of channels Broken bitstreams could report a larger than specified number of channels and cause outbound writes. CC:libav-stable@libav.org (cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7) Signed-off-by: Luca Barbato Conflicts: libavcodec/aacdec.c --- libavcodec/aacdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 6478c7765b..24e6ca6a87 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -192,6 +192,8 @@ static av_cold int che_configure(AACContext *ac, enum ChannelPosition che_pos[4][MAX_ELEM_ID], int type, int id, int *channels) { + if (*channels >= MAX_CHANNELS) + return AVERROR_INVALIDDATA; if (che_pos[type][id]) { if (!ac->che[type][id]) { if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) From 6742f0408dba780e6a4fb266625f4542f6bd78d0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 27 Apr 2013 18:01:51 +0200 Subject: [PATCH 521/991] indeo3: fix off by one in MV validity check CC:libav-stable@libav.org (cherry picked from commit 95220be1faac628d849a004644c0d102df0aa98b) Signed-off-by: Luca Barbato --- libavcodec/indeo3.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index b3e05298df..9e90fb1c5a 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c 
@@ -235,8 +235,8 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; @@ -606,8 +606,8 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; From f4bb72d33db2f12a3b4666c6843479d718ceecaf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 1 May 2013 19:01:11 +0200 Subject: [PATCH 522/991] id3v2: check for end of file while unescaping tags Prevent an out of buffer bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit af4cc2605c7a56ecfd84c264aa2b325020418472) Signed-off-by: Luca Barbato --- libavformat/id3v2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index a7d3549e17..f69ac034ff 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c 
@@ -510,9 +510,10 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t goto seek; } b = buffer; - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !s->pb->eof_reached) { *b++ = avio_r8(s->pb); - if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) { + if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 && + !s->pb->eof_reached ) { uint8_t val = avio_r8(s->pb); *b++ = val ? val : avio_r8(s->pb); } From 31ed79af7f47e64ed723321ba264cd1778d225a5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 4 May 2013 12:18:57 +0200 Subject: [PATCH 523/991] wav: Always seek to an even offset RIFF chunks are aligned to 16bit according to the specification. Bug-Id:500 CC:libav-stable@libav.org (cherry picked from commit ac87eaf856e0fb51917266b899bb15d19b907baf) Signed-off-by: Reinhard Tartler --- libavformat/wav.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/wav.c b/libavformat/wav.c index b873166b10..7539ce0506 100644 --- a/libavformat/wav.c +++ b/libavformat/wav.c @@ -230,6 +230,12 @@ static int64_t next_tag(AVIOContext *pb, uint32_t *tag) return avio_rl32(pb); } +/* RIFF chunks are always on a even offset. */ +static int64_t wav_seek_tag(AVIOContext *s, int64_t offset, int whence) +{ + return avio_seek(s, offset + (offset & 1), whence); +} + /* return the size of the found tag */ static int64_t find_tag(AVIOContext *pb, uint32_t tag1) { @@ -242,7 +248,7 @@ static int64_t find_tag(AVIOContext *pb, uint32_t tag1) size = next_tag(pb, &tag); if (tag == tag1) break; - avio_skip(pb, size); + wav_seek_tag(pb, size, SEEK_CUR); } return size; } @@ -483,7 +489,7 @@ static int wav_read_header(AVFormatContext *s, /* seek to next tag unless we know that we'll run into EOF */ if ((avio_size(pb) > 0 && next_tag_ofs >= avio_size(pb)) || - avio_seek(pb, next_tag_ofs, SEEK_SET) < 0) { + wav_seek_tag(pb, next_tag_ofs, SEEK_SET) < 0) { break; } } 
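Review bot: In the libavformat/id3v2.c hunk (ff_id3v2_parse, unescaping loop), the write pointer b is still advanced with "*b++ = avio_r8(s->pb)" and nothing in the visible lines compares it against the size of buffer; the loop is bounded only by "avio_tell(s->pb) < end" and, after this change, by eof_reached. Since the commit message describes an out-of-bounds write, add an explicit limit on b - buffer to the loop condition so the bound does not depend on how the I/O layer reports position and EOF. The second read in "val ? val : avio_r8(s->pb)" has no EOF test of its own either. Style: drop the space before the closing parenthesis in "!s->pb->eof_reached ) {".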
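Review bot: In the libavformat/wav.c patch, find_tag() discards the result of the new "wav_seek_tag(pb, size, SEEK_CUR)" while wav_read_header() tests the same helper with "< 0", so after a failed seek the find_tag() loop carries on with next_tag() regardless. Check the return value in find_tag() too and propagate the error. In wav_read_header() the end-of-file guard compares the unrounded next_tag_ofs with avio_size(pb), but the seek goes to next_tag_ofs + (next_tag_ofs & 1); the guard should use the rounded offset. The helper's comment should read "an even offset".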
From 2f61e4090820f0a88c6651cfc25a746445f22096 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 11 May 2013 11:57:08 +0200 Subject: [PATCH 524/991] update Changelog --- Changelog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 7323782c5b..d9765b83fa 100644 --- a/Changelog +++ b/Changelog @@ -16,7 +16,10 @@ version 0.8.7: - rv10: check that extradata is large enough - xmv: check audio track parameters validity - xmv: do not leak memory in the error paths in xmv_read_header() - +- aac: check the maximum number of channels +- indeo3: fix off by one in MV validity check, Bug #503 +- id3v2: check for end of file while unescaping tags +- wav: Always seek to an even offset, Bug #500, LP: #1174737 version 0.8.6: From 4941dfb4f6de5f4a9fbb31b6fc07829bd58a5269 Mon Sep 17 00:00:00 2001 From: Michael Smith Date: Mon, 21 Jan 2013 19:40:35 +0100 Subject: [PATCH 525/991] proresdec: support mixed interlaced/non-interlaced content Set interlaced to false if we don't have an interlaced frame Signed-off-by: Luca Barbato (cherry picked from commit 0881cbf314982cce8448bd12644ce2a6e0b8c576) Signed-off-by: Reinhard Tartler (cherry picked from commit 1fa37f2bfa0f5c50ce61dedf2bbb772d96d71101) Signed-off-by: Reinhard Tartler --- libavcodec/proresdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index 031760c3bb..bc99665a83 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c @@ -186,6 +186,8 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf, if (ctx->frame_type) { /* if interlaced */ ctx->picture.interlaced_frame = 1; ctx->picture.top_field_first = ctx->frame_type & 1; + } else { + ctx->picture.interlaced_frame = 0; } ctx->alpha_info = buf[17] & 0xf; From e6617580e3f2abb9171e2103b452da7a3971d74a Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Sun, 12 May 2013 08:40:56 +0200 Subject: [PATCH 526/991] update Changelog --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index d9765b83fa..9295452c81 100644 --- a/Changelog +++ b/Changelog @@ -20,6 +20,7 @@ version 0.8.7: - indeo3: fix off by one in MV validity check, Bug #503 - id3v2: check for end of file while unescaping tags - wav: Always seek to an even offset, Bug #500, LP: #1174737 +- proresdec: support mixed interlaced/non-interlaced content version 0.8.6: From d95bb2ac2d54ce3e0cd8fe86708b0059ec948c5a Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 13 May 2013 12:39:44 +0200 Subject: [PATCH 527/991] Do not read strd chunk in avi files as H264 extradata. Fixes ticket #2561. (cherry picked from commit 231b3317184790b6be4b4619d96fd328f13aeabb) --- libavformat/avidec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 41e2e3c027..c0b6308b6f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -694,7 +694,9 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) } break; case MKTAG('s', 't', 'r', 'd'): - if (stream_index >= (unsigned)s->nb_streams || s->streams[stream_index]->codec->extradata_size) { + if (stream_index >= (unsigned)s->nb_streams + || s->streams[stream_index]->codec->extradata_size + || s->streams[stream_index]->codec->codec_tag == MKTAG('H','2','6','4')) { avio_skip(pb, size); } else { uint64_t cur_pos = avio_tell(pb); From 1c655c1419afc2fdaf28093bd11d2297165838da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2013 22:03:14 +0200 Subject: [PATCH 528/991] avidec: dont randomly skip packets for offseting the index Fixes Ticket2490 Signed-off-by: Michael Niedermayer (cherry picked from commit 6c593f1b671b7725b8c36f92f7c0a23ccf8e7628) --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index c0b6308b6f..9c13f43d78 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -985,9 +985,9 @@ start_sync: || st->discard >= AVDISCARD_ALL){ if (!exit_early) { ast->frame_offset += get_duration(ast, size); + avio_skip(pb, size); + goto start_sync; } - avio_skip(pb, size); - goto start_sync; } if (d[2] == 'p' && d[3] == 'c' && size<=4*256+4) { From c8857308f60cf46e6290cfd5e6ed201628e29f6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2013 21:42:06 +0200 Subject: [PATCH 529/991] smacker: remove av_clip_int16() Fixes Ticket2425 Signed-off-by: Michael Niedermayer (cherry picked from commit 2211c76287e073a9e176fde7dbb9a63ceb2af8d1) --- libavcodec/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index fcd375f227..8e8da392fd 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -686,7 +686,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, res = 0; val |= h[3].values[res] << 8; pred[1] += sign_extend(val, 16); - *samples++ = av_clip_int16(pred[1]); + *samples++ = pred[1]; } else { if(vlc[0].table) res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); @@ -699,7 +699,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, res = 0; val |= h[1].values[res] << 8; pred[0] += sign_extend(val, 16); - *samples++ = av_clip_int16(pred[0]); + *samples++ = pred[0]; } } } else { //8-bit data From 02923b8c781c4f52b3f6b4f3e541d7cec187035c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 May 2013 18:30:42 +0200 Subject: [PATCH 530/991] h264_cavlc: fix reading skip run Fixes Ticket2606 Signed-off-by: Michael Niedermayer (cherry picked from commit 826b3a75cd295c03720e00d3de83e1abcbedd4b9) Conflicts: libavcodec/h264_cavlc.c --- libavcodec/h264_cavlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 7cf1b4d0f5..96c421bd14 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -708,7 +708,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){ down the code */ if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(s->mb_skip_run==-1) - s->mb_skip_run= get_ue_golomb(&s->gb); + s->mb_skip_run= get_ue_golomb_long(&s->gb); if (s->mb_skip_run--) { if(FRAME_MBAFF && (s->mb_y&1) == 0){ From dfcf910569e7a44ff26cdcf5a9913de51847c7d2 Mon Sep 17 00:00:00 2001 From: Claudio Freire Date: Sat, 4 May 2013 18:36:37 -0300 Subject: [PATCH 531/991] AAC encoder: Fix rate control on twoloop. Fixes a case where multichannel bitrate isn't accurately targetted by psy model alone, never achieving the target bitrate. Now fixed. Fixes ticket #2625. Signed-off-by: Michael Niedermayer Conflicts: libavcodec/aaccoder.c Signed-off-by: Carl Eugen Hoyos --- libavcodec/aaccoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 8738460b81..4d642aea95 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -713,7 +713,7 @@ static void search_for_quantizers_twoloop(AVCodecContext *avctx, const float lambda) { int start = 0, i, w, w2, g; - int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels; + int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels * (lambda / 120.f); float dists[128], uplims[128]; float maxvals[128]; int fflag, minscaler; From 4abc8e76cbbbceff30b871597f65056ef0091a2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2013 00:01:13 +0200 Subject: [PATCH 532/991] alacenc: Fix missing sign_extend() Fixes ticket #2497 Signed-off-by: Michael Niedermayer (cherry picked from commit 8aea2f05dc56f7e7d60767dd27ba8e846a05e8ae) --- libavcodec/alacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index e8d1bc03f2..5b57837b7e 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -259,7 +259,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) // generate warm-up samples residual[0] = samples[0]; for (i = 1; i <= lpc.lpc_order; i++) - residual[i] = samples[i] - samples[i-1]; + residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size); // perform lpc on remaining samples for (i = lpc.lpc_order + 1; i < s->avctx->frame_size; i++) { From 9ea0f4522fb747a8fa9e80b983f5104db70ca111 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 19 Jun 2013 16:31:10 +0200 Subject: [PATCH 533/991] Autodetect idcin only if audio properties allow decoding. Fixes ticket #2688. (cherry picked from commit 06bede95fcea47d2e51e8ff248c15311f335b898) --- libavformat/idcin.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index 57f81c813d..c5e8f376b0 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -91,7 +91,7 @@ typedef struct IdcinDemuxContext { static int idcin_probe(AVProbeData *p) { - unsigned int number; + unsigned int number, sample_rate; /* * This is what you could call a "probabilistic" file check: id CIN @@ -120,18 +120,18 @@ static int idcin_probe(AVProbeData *p) return 0; /* check the audio sample rate */ - number = AV_RL32(&p->buf[8]); - if ((number != 0) && ((number < 8000) | (number > 48000))) + sample_rate = AV_RL32(&p->buf[8]); + if (sample_rate && (sample_rate < 8000 || sample_rate > 48000)) return 0; /* check the audio bytes/sample */ number = AV_RL32(&p->buf[12]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* check the audio channels */ number = AV_RL32(&p->buf[16]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* return half certainly since this check is a bit sketchy */ 
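Review bot: In the libavformat/idcin.c hunk (idcin_probe), the two new conditions "number > 2 || sample_rate && !number" mix || and && without parentheses. The intended grouping is "number > 2 || (sample_rate && !number)"; writing it that way avoids compiler parentheses warnings and misreading. The variable number is also still reused for both bytes/sample and channels while the sample rate got its own variable; a named variable per header field would make this cross-field check easier to audit.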
From 8ddc9790edc1793e8b731234e4c288b1d576612a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2013 01:11:45 +0200 Subject: [PATCH 534/991] avformat/libmodplug: Reduce the probe score for small input This ensures that theres enough data for mpeg_probe() to recognize mpeg-ps Fixes Ticket2583 Based on code by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c605adbf562fbf535e83ae427bb681bc45e440c8) --- libavformat/libmodplug.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libavformat/libmodplug.c b/libavformat/libmodplug.c index dfbf67c2d2..f3f0e5ee10 100644 --- a/libavformat/libmodplug.c +++ b/libavformat/libmodplug.c @@ -347,6 +347,19 @@ static int modplug_read_seek(AVFormatContext *s, int stream_idx, int64_t ts, int return 0; } +static const char modplug_extensions[] = "669,abc,amf,ams,dbm,dmf,dsm,far,it,mdl,med,mid,mod,mt2,mtm,okt,psm,ptm,s3m,stm,ult,umx,xm,itgz,itr,itz,mdgz,mdr,mdz,s3gz,s3r,s3z,xmgz,xmr,xmz"; + +static int modplug_probe(AVProbeData *p) +{ + if (av_match_ext(p->filename, modplug_extensions)) { + if (p->buf_size < 16384) + return AVPROBE_SCORE_MAX/4-1; + else + return AVPROBE_SCORE_MAX/2; + } + return 0; +} + static const AVClass modplug_class = { .class_name = "ModPlug demuxer", .item_name = av_default_item_name, @@ -358,11 +371,11 @@ AVInputFormat ff_libmodplug_demuxer = { .name = "libmodplug", .long_name = NULL_IF_CONFIG_SMALL("ModPlug demuxer"), .priv_data_size = sizeof(ModPlugContext), + .read_probe = modplug_probe, .read_header = modplug_read_header, .read_packet = modplug_read_packet, .read_close = modplug_read_close, .read_seek = modplug_read_seek, - .extensions = "669,abc,amf,ams,dbm,dmf,dsm,far,it,mdl,med,mid,mod,mt2,mtm,okt,psm,ptm,s3m,stm,ult,umx,xm" - ",itgz,itr,itz,mdgz,mdr,mdz,s3gz,s3r,s3z,xmgz,xmr,xmz", // compressed mods + .extensions = modplug_extensions, .priv_class = &modplug_class, }; 
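Review bot: modplug_probe() in libavformat/libmodplug.c scores purely on the file name extension and never looks at p->buf; only p->buf_size is used, and the 16384 threshold is an unexplained literal. Add a comment or a named constant that ties the threshold to the reason given in the commit message (leaving enough data for mpeg_probe() to recognize mpeg-ps), so the value is not changed blindly later. The else after the first return is redundant.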
From a03dcec364747aea0c7e8c9fa2b5d00f5e799812 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 14 May 2013 15:27:26 +0200 Subject: [PATCH 535/991] mjpegdec: properly report unsupported disabled features When JPEG-LS support is disabled the decoder would feed the data to the JPEG Lossless decode_*_scan function resulting in faulty decoding. CC: libav-stable@libav.org (cherry picked from commit b25e49b187617c486ae3f50a5cbb356fc0e868bb) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 542de98c59..18c52b9cc0 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1489,6 +1489,12 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size, else if (start_code == COM) mjpeg_decode_com(s); + if (!CONFIG_JPEGLS_DECODER && + (start_code == SOF48 || start_code == LSE)) { + av_log(avctx, AV_LOG_ERROR, "JPEG-LS support not enabled.\n"); + return AVERROR(ENOSYS); + } + switch (start_code) { case SOI: s->restart_interval = 0; From 2ebabfff4804c75b5212ae264a5f6005e417484c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 17 May 2013 12:36:06 +0200 Subject: [PATCH 536/991] jpegls: return meaningful errors (cherry picked from commit a5a0ef5e13a59ff53318a45d77c5624b23229c6f) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/jpeglsdec.c --- libavcodec/jpeglsdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a4cfe4f9d6..ca0224c906 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
@@ -71,13 +71,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) case 2: case 3: av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n"); - return -1; + return AVERROR(ENOSYS); case 4: av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n"); - return -1; + return AVERROR(ENOSYS); default: av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id); - return -1; + return AVERROR_INVALIDDATA; } // av_log(s->avctx, AV_LOG_DEBUG, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3); @@ -324,11 +324,11 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor last = cur; cur += s->picture_ptr->linesize[0]; } - } else if(ilv == 2) { /* sample interleaving */ + } else if (ilv == 2) { /* sample interleaving */ av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n"); av_free(state); av_free(zero); - return -1; + return AVERROR_PATCHWELCOME; } if(shift){ /* we need to do point transform or normalize samples */ From ca4a25acf89b715f8f587c947be7145d637a67d1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 31 May 2013 22:36:47 +0200 Subject: [PATCH 537/991] jpegls: factorize return paths Conflicts: libavcodec/jpeglsdec.c (cherry picked from commit 4a4107b48944397c914aa39ee16a82fe44db8c4c) --- libavcodec/jpeglsdec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index ca0224c906..63bf5cff87 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -260,7 +260,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor int i, t = 0; uint8_t *zero, *last, *cur; JLSState *state; - int off = 0, stride = 1, width, shift; + int off = 0, stride = 1, width, shift, ret = 0; zero = av_mallocz(s->picture_ptr->linesize[0]); last = zero; 
@@ -326,9 +326,8 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor } } else if (ilv == 2) { /* sample interleaving */ av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n"); - av_free(state); - av_free(zero); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto end; } if(shift){ /* we need to do point transform or normalize samples */ @@ -356,10 +355,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor } } } + +end: av_free(state); av_free(zero); - return 0; + return ret; } From d26bc6c6b69f8f87e51430234bbf4b22962e2b3f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 17 May 2013 13:08:55 +0200 Subject: [PATCH 538/991] jpegls: check the scan offset Prevent an out of array bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit abad374909e6416e941351094f4f1446a71f8d23) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/jpeglsdec.c --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 63bf5cff87..d234d73c33 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -286,6 +286,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor // av_log(s->avctx, AV_LOG_DEBUG, "JPEG-LS params: %ix%i NEAR=%i MV=%i T(%i,%i,%i) RESET=%i, LIMIT=%i, qbpp=%i, RANGE=%i\n",s->width,s->height,state->near,state->maxval,state->T1,state->T2,state->T3,state->reset,state->limit,state->qbpp, state->range); // av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); if(ilv == 0) { /* separate planes */ + if (s->cur_scan > s->nb_components) { + ret = AVERROR_INVALIDDATA; + goto end; + } off = s->cur_scan - 1; stride = (s->nb_components > 1) ? 3 : 1; width = s->width * stride; 
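Review bot: In ff_jpegls_decode_picture() (libavcodec/jpeglsdec.c, the "ilv == 0" branch), the new check only rejects "s->cur_scan > s->nb_components", yet the next line computes "off = s->cur_scan - 1", so a cur_scan of 0 would pass and give off = -1. Unless a caller guarantees cur_scan >= 1, test the lower bound as well, for example "s->cur_scan < 1 || s->cur_scan > s->nb_components". This error path is also silent, while the sample-interleaving failure a few lines below calls av_log() before jumping to end.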
From 6711d410dc130b889f1a85a8408dd5ff99b769bf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 17 May 2013 18:29:15 +0200 Subject: [PATCH 539/991] wavpack: validate samples size parsed in wavpack_decode_block Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ed50673066956d6f2201a57c3254569f2ab08d9d) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wavpack.c --- libavcodec/wavpack.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1098873d7c..7ceb947adb 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -790,6 +790,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (!wc->mkv_mode) { s->samples = AV_RL32(buf); buf += 4; + if (s->samples != wc->samples) + return AVERROR_INVALIDDATA; + if (!s->samples) { *got_frame_ptr = 0; return 0; From da5cf7e45263d7e8c67d0705a403c6c88686c5bb Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 14 May 2013 16:20:14 +0200 Subject: [PATCH 540/991] ljpeg: use the correct number of components in yuv Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a030279a67ef883df8cf3707774656fa1be81078) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 18c52b9cc0..7f1fa62ad1 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -711,10 +711,9 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int predictor, } static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, - int point_transform) + int point_transform, int nb_components) { int i, mb_x, mb_y; - const int nb_components = 3; for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { 
@@ -1108,7 +1107,8 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, if (ljpeg_decode_rgb_scan(s, predictor, point_transform) < 0) return -1; } else { - if (ljpeg_decode_yuv_scan(s, predictor, point_transform) < 0) + if (ljpeg_decode_yuv_scan(s, predictor, point_transform, + nb_components)) return -1; } } From 33492ad81000b326ba98fe20d6007d4b67cbbd3d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 13 May 2013 19:32:04 +0200 Subject: [PATCH 541/991] mjpeg: Validate sampling factors They must be non-zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8aa3500905fec6c4e657bb291b861d43c34d3de9) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 7f1fa62ad1..47c98994fd 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -266,6 +266,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return -1; + if (!s->h_count[i] || !s->v_count[i]) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid sampling factor in component %d %d:%d\n", + i, s->h_count[i], s->v_count[i]); + return AVERROR_INVALIDDATA; + } + av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", i, s->h_count[i], s->v_count[i], s->component_id[i], s->quant_index[i]); From 7ca8d8223db270deb86d78b6361bec846feaaa9d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 15 May 2013 18:41:41 +0200 Subject: [PATCH 542/991] mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac Prevent out of buffer write when decoding broken samples. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cfbd98abe82cfcb9984a18d08697251b72b110c8) 
Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 47c98994fd..5256a8e04c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -963,6 +963,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]]; GetBitContext mb_bitmask_gb; + if (ss < 0 || ss >= 64 || + se < ss || se >= 64 || + Ah < 0 || Al < 0) + return AVERROR_INVALIDDATA; + if (mb_bitmask) init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * s->mb_height); From 5a6af4fd74a4fcadf76cbe28634274d67a07cfad Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 17 May 2013 18:28:33 +0200 Subject: [PATCH 543/991] wavpack: return meaningful errors And forward those that were already meaningful. (cherry picked from commit 8c34558131d846d2b10389564caadaa206372fd4) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wavpack.c --- libavcodec/wavpack.c | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 59d735fab5..31377e75c6 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -773,13 +773,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (block_no >= wc->fdec_num && wv_alloc_frame_context(wc) < 0) { av_log(avctx, AV_LOG_ERROR, "Error creating frame decode context\n"); - return -1; + return AVERROR_INVALIDDATA; } s = wc->fdec[block_no]; if (!s) { av_log(avctx, AV_LOG_ERROR, "Context for block %d is not present\n", block_no); - return -1; + return AVERROR_INVALIDDATA; } memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr)); 
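Review bot: The first wavpack_decode_block() hunk maps the "wv_alloc_frame_context(wc) < 0" failure ("Error creating frame decode context") to AVERROR_INVALIDDATA, although that failure does not describe the input data. Forward the callee's return value, or return AVERROR(ENOMEM) if it can only fail on allocation, which matches the commit message's stated aim of meaningful errors.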
@@ -1021,7 +1021,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, case WP_ID_CHANINFO: if (size <= 1) { av_log(avctx, AV_LOG_ERROR, "Insufficient channel information\n"); - return -1; + return AVERROR_INVALIDDATA; } chan = *buf++; switch (size - 2) { @@ -1040,10 +1040,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, chmask = avctx->channel_layout; } if (chan != avctx->channels) { - av_log(avctx, AV_LOG_ERROR, "Block reports total %d channels, " - "decoder believes it's %d channels\n", chan, - avctx->channels); - return -1; + av_log(avctx, AV_LOG_ERROR, + "Block reports total %d channels, " + "decoder believes it's %d channels\n", + chan, avctx->channels); + return AVERROR_INVALIDDATA; } if (!avctx->channel_layout) avctx->channel_layout = chmask; @@ -1058,31 +1059,31 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (!got_terms) { av_log(avctx, AV_LOG_ERROR, "No block with decorrelation terms\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_weights) { av_log(avctx, AV_LOG_ERROR, "No block with decorrelation weights\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_samples) { av_log(avctx, AV_LOG_ERROR, "No block with decorrelation samples\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_entropy) { av_log(avctx, AV_LOG_ERROR, "No block with entropy info\n"); - return -1; + return AVERROR_INVALIDDATA; } if (s->hybrid && !got_hybrid) { av_log(avctx, AV_LOG_ERROR, "Hybrid config not found\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_bs) { av_log(avctx, AV_LOG_ERROR, "Packed samples not found\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_float && avctx->sample_fmt == AV_SAMPLE_FMT_FLT) { av_log(avctx, AV_LOG_ERROR, "Float information not found\n"); - return -1; + return AVERROR_INVALIDDATA; } if (s->got_extra_bits && avctx->sample_fmt != AV_SAMPLE_FMT_FLT) { const int size = get_bits_left(&s->gb_extra_bits); 
@@ -1102,7 +1103,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); if (samplecount < 0) - return -1; + return samplecount; samplecount >>= 1; } else { @@ -1116,7 +1117,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); if (samplecount < 0) - return -1; + return samplecount; if (s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16) { int16_t *dst = (int16_t*)samples + 1; @@ -1193,7 +1194,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, if (s->samples <= 0) { av_log(avctx, AV_LOG_ERROR, "Invalid number of samples: %d\n", s->samples); - return AVERROR(EINVAL); + return AVERROR_INVALIDDATA; } if (frame_flags & 0x80) { @@ -1227,13 +1228,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d " "vs. %d bytes left)\n", s->block, frame_size, buf_size); wavpack_decode_flush(avctx); - return -1; + return AVERROR_INVALIDDATA; } if ((samplecount = wavpack_decode_block(avctx, s->block, s->frame.data[0], got_frame_ptr, buf, frame_size)) < 0) { wavpack_decode_flush(avctx); - return -1; + return samplecount; } s->block++; buf += frame_size; buf_size -= frame_size; From ea7ba1d8717dacca70771d0fbe553acbdbd47739 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 29 May 2013 16:18:40 +0200 Subject: [PATCH 544/991] apetag: use int64_t for filesize CC: libav-stable@libav.org (cherry picked from commit e816aaacd68201b67182f9c70dc680e89a0123e9) Signed-off-by: Reinhard Tartler --- libavformat/apetag.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 257ed48970..2390bfaad3 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c 
@@ -65,7 +65,7 @@ static int ape_tag_read_field(AVFormatContext *s) void ff_ape_parse_tag(AVFormatContext *s) { AVIOContext *pb = s->pb; - int file_size = avio_size(pb); + int64_t file_size = avio_size(pb); uint32_t val, fields, tag_bytes; uint8_t buf[8]; int i; From 96de1c5ed90b4defb4126d946061d4a23101b28c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Jun 2013 04:53:02 +0200 Subject: [PATCH 545/991] tiff: do not overread the source buffer At least 2 bytes from the source are read every loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index a0db1f1d28..8a1db12aae 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -186,10 +186,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin break; case TIFF_PACKBITS: for(pixels = 0; pixels < width;){ + if (ssrc + size - src < 2) + return AVERROR_INVALIDDATA; code = (int8_t)*src++; if(code >= 0){ code++; - if(pixels + code > width){ + if (pixels + code > width || + ssrc + size - src < code) { av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); return -1; } From 42fed7f433e6d2167ffd4aae31905b583a53b988 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 May 2013 12:51:42 +0200 Subject: [PATCH 546/991] wavpack: check packet size early Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd06291239c1bb616bf303b5696cc432710b2530) Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 7ceb947adb..59d735fab5 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
@@ -1171,6 +1171,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int frame_size, ret, frame_flags; int samplecount = 0; + if (avpkt->size < 12 + s->multichannel * 4) + return AVERROR_INVALIDDATA; + s->block = 0; s->ch_offset = 0; From e98f95670bf107a4307258b33e37be0abe811279 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 29 May 2013 16:18:40 +0200 Subject: [PATCH 547/991] Prepare for 0.8.8 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 1e9b46b229..6201b5f77f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.7 +0.8.8 From 5e6135f68d77b0560373a655789c04fdb3be6df1 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 15 Jun 2013 22:46:01 +0200 Subject: [PATCH 548/991] mathops/x86: work around inline asm miscompilation with GCC 4.8.1 The volatile is not required here, and prevents a miscompilation with GCC 4.8.1 when building on x86 with --cpu=i686 Signed-off-by: Michael Niedermayer (cherry picked from commit 659df32a9d8984081ccd54adc3aee7daeb33388d) --- libavcodec/x86/mathops.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 33d9a6c8ff..6fb7c32020 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -72,7 +72,7 @@ static av_always_inline av_const int64_t MUL64(int a, int b) static inline av_const int mid_pred(int a, int b, int c) { int i=b; - __asm__ volatile( + __asm__ ( "cmp %2, %1 \n\t" "cmovg %1, %0 \n\t" "cmovg %2, %1 \n\t" From e96aaa5622ed2efeb3729f46331990d952208a17 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:22:24 +0200 Subject: [PATCH 549/991] smacker: fix an off by one in huff.length computation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit ee205588b250fe5cae0681be8eba51a5403c3272) 
Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 3928d8f569..f74f0dbc54 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -252,7 +252,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int ctx.recode2 = tmp2.values; ctx.last = last; - huff.length = ((size + 3) >> 2) + 3; + huff.length = ((size + 3) >> 2) + 4; huff.maxlength = 0; huff.current = 0; huff.values = av_mallocz(huff.length * sizeof(int)); From d7b7b10518ccd638131ef41062e1bc0c608628f7 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:27:00 +0200 Subject: [PATCH 550/991] smacker: check the return value of smacker_decode_tree Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit a2f9937bb04b23a341b0ec0eb1d923bbeb420277) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index f74f0dbc54..e9192ffd0c 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -648,7 +648,16 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, h[i].lengths = av_mallocz(256 * sizeof(int)); h[i].values = av_mallocz(256 * sizeof(int)); skip_bits1(&gb); - smacker_decode_tree(&gb, &h[i], 0, 0); + if (smacker_decode_tree(&gb, &h[i], 0, 0) < 0) { + for (; i >= 0; i--) { + if (vlc[i].table) + ff_free_vlc(&vlc[i]); + av_free(h[i].bits); + av_free(h[i].lengths); + av_free(h[i].values); + } + return AVERROR_INVALIDDATA; + } skip_bits1(&gb); if(h[i].current > 1) { res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, From db0c8061fe540bbd72146cc0c9105e30d54d7f61 Mon Sep 17 00:00:00 2001 
From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:28:07 +0200 Subject: [PATCH 551/991] smacker: pad the extradata allocation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 4c22baf65363433f8c20efd1022b4ba2d8cf2288) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 6df8b8b619..e7c89e09f9 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -203,7 +203,8 @@ static int smacker_read_header(AVFormatContext *s, AVFormatParameters *ap) /* load trees to extradata, they will be unpacked by decoder */ - st->codec->extradata = av_malloc(smk->treesize + 16); + st->codec->extradata = av_mallocz(smk->treesize + 16 + + FF_INPUT_BUFFER_PADDING_SIZE); st->codec->extradata_size = smk->treesize + 16; if(!st->codec->extradata){ av_log(s, AV_LOG_ERROR, "Cannot allocate %i bytes of extradata\n", smk->treesize + 16); From b40870e636401ddbc97f966a60a21780e1eb17ca Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:30:51 +0200 Subject: [PATCH 552/991] smacker: check frame size validity Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 07423ad7836325e03894f2f87ba46a531a1cc0b3) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index e7c89e09f9..d6bb21373e 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c 
@@ -297,10 +297,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) /* if audio chunks are present, put them to stack and retrieve later */ for(i = 0; i < 7; i++) { if(flags & 1) { - int size; + uint32_t size; uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; + if (!size || size > frame_size) { + av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); + return AVERROR_INVALIDDATA; + } frame_size -= size; frame_size -= 4; smk->curstream++; From 9248f789d1fa8e12ea2fd3073d7bb5cd13d654a6 Mon Sep 17 00:00:00 2001 From: Alexandra Khirnova Date: Wed, 13 Mar 2013 13:54:27 +0100 Subject: [PATCH 553/991] vmdav: convert to bytestream2 Signed-off-by: Anton Khirnov (cherry picked from commit 0afcf97e1ece51d29bb791698b00cd1b7ba97dcf) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/vmdav.c --- libavcodec/vmdav.c | 152 ++++++++++++++++++--------------------------- 1 file changed, 59 insertions(+), 93 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 570c362a57..4659971335 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -45,6 +45,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "bytestream.h" #define VMD_HEADER_SIZE 0x330 #define PALETTE_COUNT 256 @@ -75,8 +76,6 @@ typedef struct VmdVideoContext { static void lz_unpack(const unsigned char *src, int src_len, unsigned char *dest, int dest_len) { - const unsigned char *s; - unsigned int s_len; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; 
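Review bot: in smacker_read_packet (libavformat/smacker.c, hunk @@ -297,10 +297,14 @@) the new test `size > frame_size` does not cover the four bytes that are subtracted right after it. `frame_size -= size; frame_size -= 4;` removes size + 4 in total, so a size within the last four bytes of frame_size passes the check and takes frame_size below zero. With `size` now a uint32_t, a negative frame_size (if it is a signed int; its declaration is outside the hunk) is converted to a large unsigned value in the next iteration's comparison, and the check then rejects nothing. Suggest rejecting when `frame_size < 4 || size > frame_size - 4`.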
@@ -87,18 +86,17 @@ static void lz_unpack(const unsigned char *src, int src_len, unsigned int speclen; unsigned char tag; unsigned int i, j; + GetByteContext gb; - s = src; - s_len = src_len; + bytestream2_init(&gb, src, src_len); d = dest; d_end = d + dest_len; - dataleft = AV_RL32(s); - s += 4; s_len -= 4; + dataleft = bytestream2_get_le32(&gb); memset(queue, 0x20, QUEUE_SIZE); - if (s_len < 4) + if (bytestream2_get_bytes_left(&gb) < 4) return; - if (AV_RL32(s) == 0x56781234) { - s += 4; s_len -= 4; + if (bytestream2_peek_le32(&gb) == 0x56781234) { + bytestream2_get_le32(&gb); qpos = 0x111; speclen = 0xF + 3; } else { @@ -106,40 +104,32 @@ static void lz_unpack(const unsigned char *src, int src_len, speclen = 100; /* no speclen */ } - while (dataleft > 0 && s_len > 0) { - tag = *s++; s_len--; + while (dataleft > 0 && bytestream2_get_bytes_left(&gb) > 0) { + tag = bytestream2_get_byteu(&gb); if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end || s_len < 8) + if (d + 8 > d_end || bytestream2_get_bytes_left(&gb) < 8) return; for (i = 0; i < 8; i++) { - queue[qpos++] = *d++ = *s++; + queue[qpos++] = *d++ = bytestream2_get_byteu(&gb); qpos &= QUEUE_MASK; } - s_len -= 8; dataleft -= 8; } else { for (i = 0; i < 8; i++) { if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end || s_len < 1) + if (d + 1 > d_end || bytestream2_get_bytes_left(&gb) < 1) return; - queue[qpos++] = *d++ = *s++; + queue[qpos++] = *d++ = bytestream2_get_byte(&gb); qpos &= QUEUE_MASK; dataleft--; - s_len--; } else { - if (s_len < 2) - return; - chainofs = *s++; - chainofs |= ((*s & 0xF0) << 4); - chainlen = (*s++ & 0x0F) + 3; - s_len -= 2; + chainofs = bytestream2_get_byte(&gb); + chainofs |= ((bytestream2_peek_byte(&gb) & 0xF0) << 4); + chainlen = (bytestream2_get_byte(&gb) & 0x0F) + 3; if (chainlen == speclen) { - if (s_len < 1) - return; - chainlen = *s++ + 0xF + 3; - s_len--; + chainlen = bytestream2_get_byte(&gb) + 0xF + 3; } if (d + chainlen > d_end) return; 
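Review bot: the chain branch of lz_unpack (hunk @@ -106,40 +104,32 @@) no longer stops on truncated input. The removed `if (s_len < 2) return;` and `if (s_len < 1) return;` are replaced by checked bytestream2_get_byte() and bytestream2_peek_byte() calls, which hand back 0 once the reader is exhausted, so a short packet is now handled as a chain with chainofs 0 and chainlen 3 instead of ending the unpack. Because lz_unpack returns void, the caller cannot tell the two cases apart. Either keep an explicit bytestream2_get_bytes_left() test ahead of the chain read or state in the commit message that decoding zeros is intended. The literal paths also mix bytestream2_get_byteu() and bytestream2_get_byte() behind the same bytes-left test; use the unchecked form in both.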
@@ -159,49 +149,44 @@ static void lz_unpack(const unsigned char *src, int src_len, static int rle_unpack(const unsigned char *src, unsigned char *dest, int src_count, int src_size, int dest_len) { - const unsigned char *ps; unsigned char *pd; int i, l; unsigned char *dest_end = dest + dest_len; + GetByteContext gb; - ps = src; + bytestream2_init(&gb, src, src_size); pd = dest; if (src_count & 1) { - if (src_size < 1) + if (bytestream2_get_bytes_left(&gb) < 1) return 0; - *pd++ = *ps++; - src_size--; + *pd++ = bytestream2_get_byteu(&gb); } src_count >>= 1; i = 0; do { - if (src_size < 1) + if (bytestream2_get_bytes_left(&gb) < 1) break; - l = *ps++; - src_size--; + l = bytestream2_get_byteu(&gb); if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end || src_size < l) - return ps - src; - memcpy(pd, ps, l); - ps += l; - src_size -= l; + if (pd + l > dest_end || bytestream2_get_bytes_left(&gb) < l) + return bytestream2_tell(&gb); + bytestream2_get_buffer(&gb, pd, l); pd += l; } else { - if (pd + i > dest_end || src_size < 2) - return ps - src; + if (pd + i > dest_end || bytestream2_get_bytes_left(&gb) < 2) + return bytestream2_tell(&gb); for (i = 0; i < l; i++) { - *pd++ = ps[0]; - *pd++ = ps[1]; + *pd++ = bytestream2_get_byteu(&gb); + *pd++ = bytestream2_get_byteu(&gb); } - ps += 2; - src_size -= 2; + bytestream2_skip(&gb, 2); } i += l; } while (i < src_count); - return ps - src; + return bytestream2_tell(&gb); } static void vmd_decode(VmdVideoContext *s) @@ -210,11 +195,8 @@ static void vmd_decode(VmdVideoContext *s) unsigned int *palette32; unsigned char r, g, b; - /* point to the start of the encoded data */ - const unsigned char *p = s->buf + 16; + GetByteContext gb; - const unsigned char *pb; - unsigned int pb_size; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ 
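Review bot: the pair-repeat arm of rle_unpack (the `else` branch in hunk @@ -159,49 +149,44 @@) changes behaviour and reads more than was checked. The old loop stored the same two bytes `ps[0]`, `ps[1]` l times and then advanced by 2; the new loop calls bytestream2_get_byteu() twice per iteration, so it consumes 2 * l source bytes through the unchecked reader while the guard above only ensures that 2 bytes are left, and the trailing `bytestream2_skip(&gb, 2);` then skips two more. Read the pair once before the loop into two locals, store those l times, and drop the skip. The destination guard in the same arm still tests `pd + i` although the loop writes 2 * l bytes at pd; that should be corrected while these lines are being touched.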
@@ -259,30 +241,31 @@ static void vmd_decode(VmdVideoContext *s) } /* check if there is a new palette */ + bytestream2_init(&gb, s->buf + 16, s->size - 16); if (s->buf[15] & 0x02) { - p += 2; + bytestream2_skip(&gb, 2); palette32 = (unsigned int *)s->palette; - for (i = 0; i < PALETTE_COUNT; i++) { - r = *p++ * 4; - g = *p++ * 4; - b = *p++ * 4; - palette32[i] = (r << 16) | (g << 8) | (b); + if (bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3) { + for (i = 0; i < PALETTE_COUNT; i++) { + r = bytestream2_get_byteu(&gb) * 4; + g = bytestream2_get_byteu(&gb) * 4; + b = bytestream2_get_byteu(&gb) * 4; + palette32[i] = (r << 16) | (g << 8) | (b); + } } s->size -= (256 * 3 + 2); } if (s->size > 0) { /* originally UnpackFrame in VAG's code */ - pb = p; - pb_size = s->buf + s->size - pb; - if (pb_size < 1) + bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer); + if (bytestream2_get_bytes_left(&gb) < 1) return; - meth = *pb++; pb_size--; + meth = bytestream2_get_byteu(&gb); if (meth & 0x80) { - lz_unpack(pb, pb_size, + lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; - pb = s->unpack_buffer; - pb_size = s->unpack_buffer_size; + bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size); } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -292,17 +275,12 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { - if (pb_size < 1) - return; - len = *pb++; - pb_size--; + len = bytestream2_get_byte(&gb); if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width || pb_size < len) + if (ofs + len > frame_width || bytestream2_get_bytes_left(&gb) < len) return; - memcpy(&dp[ofs], pb, len); - pb += len; - pb_size -= len; + bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } else { /* interframe pixel copy */ 
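Review bot: in the palette block of vmd_decode (hunk @@ -259,30 +241,31 @@) `s->size -= (256 * 3 + 2);` is left outside the new `bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3` test, so when the palette is truncated the reader has advanced by at most 2 bytes while s->size has dropped by 770. The re-init that follows, `bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer);`, is then passed a negative length whenever s->size is still positive, and only the next bytes-left test stops the decoder from continuing. Return from the function when the palette does not fit instead of skipping the loop silently.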
@@ -324,11 +302,7 @@ static void vmd_decode(VmdVideoContext *s) case 2: for (i = 0; i < frame_height; i++) { - if (pb_size < frame_width) - return; - memcpy(dp, pb, frame_width); - pb += frame_width; - pb_size -= frame_width; + bytestream2_get_buffer(&gb, dp, frame_width); dp += s->frame.linesize[0]; pp += s->prev_frame.linesize[0]; } @@ -338,24 +312,16 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { - if (pb_size < 1) - return; - len = *pb++; - pb_size--; + len = bytestream2_get_byte(&gb); if (len & 0x80) { len = (len & 0x7F) + 1; - if (pb_size < 1) - return; - if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, pb_size, frame_width - ofs); - else { - if (pb_size < len) - return; - memcpy(&dp[ofs], pb, len); - } - pb += len; - pb_size -= 1 + len; - ofs += len; + if (bytestream2_get_byte(&gb) == 0xFF) + len = rle_unpack(gb.buffer, &dp[ofs], + len, bytestream2_get_bytes_left(&gb), + frame_width - ofs); + else + bytestream2_get_buffer(&gb, &dp[ofs], len); + bytestream2_skip(&gb, len); } else { /* interframe pixel copy */ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) From 078e68d2617fcb339896ca68503a06f07cfdb41f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 13 Nov 2012 22:10:54 +0100 Subject: [PATCH 554/991] 4xm: don't rely on get_buffer() initializing the frame. (cherry picked from commit b047c68783aa4042b322af7af043b643d5daf09c) Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 0d4f036b3a..c210e46e13 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -807,6 +807,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } + memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0])); } p->pict_type= AV_PICTURE_TYPE_P; From e797b7787b258be7561939904442165510f381a6 Mon Sep 17 00:00:00 2001 
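Review bot: the method 3 branch of vmd_decode (libavcodec/vmdav.c, hunk @@ -338,24 +312,16 @@) drops `ofs += len;` without a replacement, so after a run with the 0x80 flag the write offset into `dp` no longer advances and the next run lands on the same pixels. In the same arm the non-RLE path now moves the reader twice, once in `bytestream2_get_buffer(&gb, &dp[ofs], len);` and again in the unconditional `bytestream2_skip(&gb, len);`, where the old code advanced `pb` by len once. Restore `ofs += len;` and apply the skip only on the rle_unpack() path, whose return value is the number of source bytes it consumed.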
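Review bot: the memset added to decode_frame (libavcodec/4xm.c, hunk @@ -807,6 +807,7 @@) takes FFABS() of the linesize for the length but always starts at `f->last_picture.data[0]`. If a negative linesize is possible here, which the FFABS implies, data[0] is the highest-addressed row and clearing height * |linesize| bytes forward from it runs past the buffer; clear row by row with the signed linesize instead. If the linesize cannot be negative, drop the FFABS so the line does not suggest otherwise.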
From: Anton Khirnov Date: Wed, 13 Feb 2013 20:46:08 +0100 Subject: [PATCH 555/991] 4xm: check the return value of read_huffman_tables(). CC:libav-stable@libav.org (cherry picked from commit 8097fc9a2dd49d8e467b16c8bafaa96242b7fe46) Signed-off-by: Reinhard Tartler (cherry picked from commit bb3f1cad171b31537b64a9d19cabdbff50aca260) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index c210e46e13..efaf939062 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -679,7 +679,11 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ return -1; } - prestream= read_huffman_tables(f, prestream); + prestream = read_huffman_tables(f, prestream); + if (!prestream) { + av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); + return AVERROR_INVALIDDATA; + } init_get_bits(&f->gb, buf + 4, 8*bitstream_size); From 284ac9191b755ffce1475687b597a8a738d511c6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 17:12:16 +0200 Subject: [PATCH 556/991] 4xm: use the correct logging context (cherry picked from commit 08859d19b429c522d6494c186656f4a2d3ff8e21) Signed-off-by: Luca Barbato Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index efaf939062..735cfcf73a 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c 
@@ -633,8 +633,8 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ color[0]= bytestream2_get_le16u(&g3); color[1]= bytestream2_get_le16u(&g3); - if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); - if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); + if(color[0]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n"); + if(color[1]&0x8000) av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n"); color[2]= mix(color[0], color[1]); color[3]= mix(color[1], color[0]); From e5679444fd60d0b5a32ad4233e65d3a85300a952 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 6 Jun 2013 16:58:57 +0200 Subject: [PATCH 557/991] 4xm: reject frames not compatible with the declared version Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 145023f57262d21474e35b4a6069cf95136339d4) Signed-off-by: Luca Barbato Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 735cfcf73a..842e787baa 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -769,6 +769,9 @@ static int decode_frame(AVCodecContext *avctx, av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number); } + if (f->version <= 1) + return AVERROR_INVALIDDATA; + cfrm->size= cfrm->id= 0; frame_4cc= AV_RL32("pfrm"); }else From 6a4f1e784e39c82194a485995906d9917d4619b2 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 10 Jun 2013 16:37:43 +0200 Subject: [PATCH 558/991] 4xm: check bitstream_size boundary before using it Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 59d7bb99b6a963b7e11c637228b2203adf535eee) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 842e787baa..e9f08c3729 100644 
--- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -663,6 +663,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ unsigned int prestream_size; const uint8_t *prestream; + if (bitstream_size > (1 << 26)) + return AVERROR_INVALIDDATA; + if (length < bitstream_size + 12) { av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); return AVERROR_INVALIDDATA; @@ -673,7 +676,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ prestream = buf + bitstream_size + 12; if(prestream_size + bitstream_size + 12 != length - || bitstream_size > (1<<26) || prestream_size > (1<<26)){ av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); return -1; From 0c943d1cdd18d0aea4ebc15f18a1152f7a77e5c9 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 9 Jun 2013 18:27:05 +0200 Subject: [PATCH 559/991] 4xm: do not overread the source buffer in decode_p_block Check for out of picture macroblocks before calling mcdc. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index e9f08c3729..77d15d5803 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -343,6 +343,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo decode_p_block(f, dst , src , log2w, log2h, stride); decode_p_block(f, dst + (1<version<2){ + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return; + } mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ src += f->mv[bytestream2_get_byte(&f->g)]; 
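Review bot: the new `start > src || src > end` test in decode_p_block (hunk @@ -343,6 +343,10 @@) can only log and `return;` because the function is `static void`, so a motion vector outside the picture drops one block and the caller has no way to reject the frame. Give decode_p_block an int return and propagate AVERROR_INVALIDDATA upwards. The same four lines are added again before the `code == 5` mcdc() call in the next hunk; a small helper or a single check ahead of the branches would keep the copies from drifting apart.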
@@ -352,6 +356,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo } mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); }else if(code == 5){ + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return; + } mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); }else if(code == 6){ if(log2w){ From 4e1999ebcb67436e7a2937248c0bd43ba548e7f4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Jun 2013 05:23:21 +0200 Subject: [PATCH 560/991] wmapro: check num_vec_coeffs against the actual available buffer Prevent yet another buffer overwrite. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 38229362529ed1619d8ebcc81ecde85b23b45895) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index cc8df9b900..78984d905b 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1122,11 +1122,12 @@ static int decode_subframe(WMAProDecodeCtx *s) cur_subwoofer_cutoff = s->subwoofer_cutoffs[s->table_idx]; /** configure the decoder for the current subframe */ + offset += s->samples_per_frame >> 1; + for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; - s->channel[c].coeffs = &s->channel[c].out[(s->samples_per_frame >> 1) - + offset]; + s->channel[c].coeffs = &s->channel[c].out[offset]; } s->subframe_len = subframe_len; 
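Review bot: `offset += s->samples_per_frame >> 1;` in decode_subframe (libavcodec/wmaprodec.c, hunk @@ -1122,11 +1122,12 @@) changes the meaning of `offset` for the rest of the function rather than only for the coeffs pointer, and nothing in the hunk documents that. Any later use of `offset` that still expects the subframe position now sees it shifted by half a frame, and the bound added in the following hunk, `num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)`, depends on the shifted value. A separate local for the index into `out`, or a comment at the `+=`, would make that dependency explicit. The error message in that later hunk should also print `offset`, since num_vec_coeffs alone no longer explains the rejection.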
@@ -1177,7 +1178,7 @@ static int decode_subframe(WMAProDecodeCtx *s) for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; - if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { + if (num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)) { av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); return AVERROR_INVALIDDATA; } From b20004b2e6165a6d5ef6bc6ae98d3d33c6460808 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 6 Jul 2013 09:46:07 +0200 Subject: [PATCH 561/991] lavc: move put_bits_left in put_bits.h (cherry picked from commit afe03092dd693d025d43e1620283d8d285c92772) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/dv.c --- libavcodec/dv.c | 5 ----- libavcodec/put_bits.h | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/dv.c b/libavcodec/dv.c index 03a05b3748..6f74e7b5bd 100644 --- a/libavcodec/dv.c +++ b/libavcodec/dv.c @@ -372,11 +372,6 @@ typedef struct BlockInfo { static const int vs_total_ac_bits = (100 * 4 + 68*2) * 5; static const int mb_area_start[5] = { 1, 6, 21, 43, 64 }; -static inline int put_bits_left(PutBitContext* s) -{ - return (s->buf_end - s->buf) * 8 - put_bits_count(s); -} - /* decode AC coefficients */ static void dv_decode_ac(GetBitContext *gb, BlockInfo *mb, DCTELEM *block) { diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 6e812670b8..905461a725 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -72,6 +72,14 @@ static inline int put_bits_count(PutBitContext *s) return (s->buf_ptr - s->buf) * 8 + 32 - s->bit_left; } +/** + * @return the number of bits available in the bitstream. + */ +static inline int put_bits_left(PutBitContext* s) +{ + return (s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left; +} + /** * Pad the end of the output stream with zeros. */ From 46e09894acb229fe80691900e3f17edceedfd52b Mon Sep 17 00:00:00 2001 
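Review bot: put_bits_left() is not moved verbatim (libavcodec/put_bits.h, hunk @@ -72,6 +72,14 @@): the dv.c body `(s->buf_end - s->buf) * 8 - put_bits_count(s)` becomes `(s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left`. The two are equal once put_bits_count() from the context line above is substituted, but a commit titled as a move should either keep the original expression or mention the rewrite in the message. The parameter is also written `PutBitContext* s` while put_bits_count() directly above uses `PutBitContext *s`.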
From: Luca Barbato Date: Fri, 28 Jun 2013 05:21:33 +0200 Subject: [PATCH 562/991] wmapro: return early on unsupported condition Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6652338f43ef623045912d7f28b61adea05d27ae) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wmaprodec.c --- libavcodec/wmaprodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 78984d905b..49a02a83c8 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -720,6 +720,7 @@ static int decode_channel_transform(WMAProDecodeCtx* s) if (get_bits1(&s->gb)) { av_log_ask_for_sample(s->avctx, "unsupported channel transform type\n"); + return AVERROR_PATCHWELCOME; } } else { chgroup->transform = 1; From 4ff5167ee7fdee6d35c1bb2558172329ae6ec770 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Jun 2013 04:03:47 +0200 Subject: [PATCH 563/991] wmapro: make sure there is room to store the current packet Prevent horrid and hard to trace struct overwrite. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e30b068ef79f604ff439418da07f7e2efd01d4ea) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 1b7797c9f2..cc8df9b900 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1466,6 +1466,14 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, return; } + if (len > put_bits_left(&s->pb)) { + av_log(s->avctx, AV_LOG_ERROR, + "Cannot append %d bits, only %d bits available.\n", + len, put_bits_left(&s->pb)); + s->packet_loss = 1; + return; + } + s->num_saved_bits += len; if (!append) { avpriv_copy_bits(&s->pb, gb->buffer + (get_bits_count(gb) >> 3), From bd5ff335ec55daffffc05a3e12ee7824ee84b1b2 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 29 Jun 2013 01:56:09 +0200 Subject: [PATCH 564/991] wmapro: check the min_samples_per_subframe Must be at least WMAPRO_BLOCK_MIN_SIZE. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d4a217a408da4bd63acc02cd8f9ebe378a2ad65a) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wmaprodec.c --- libavcodec/wmaprodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 49a02a83c8..1e3d99a941 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -106,6 +106,7 @@ #define WMAPRO_BLOCK_MIN_BITS 6 ///< log2 of min block size #define WMAPRO_BLOCK_MAX_BITS 12 ///< log2 of max block size +#define WMAPRO_BLOCK_MIN_SIZE (1 << WMAPRO_BLOCK_MIN_BITS) ///< minimum block size #define WMAPRO_BLOCK_MAX_SIZE (1 << WMAPRO_BLOCK_MAX_BITS) ///< maximum block size #define WMAPRO_BLOCK_SIZES (WMAPRO_BLOCK_MAX_BITS - WMAPRO_BLOCK_MIN_BITS + 1) ///< possible block sizes @@ -335,6 +336,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (s->min_samples_per_subframe < WMAPRO_BLOCK_MIN_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Invalid minimum block size %i\n", + s->max_num_subframes); + return AVERROR_INVALIDDATA; + } + if (s->avctx->sample_rate <= 0) { av_log(avctx, AV_LOG_ERROR, "invalid sample rate\n"); return AVERROR_INVALIDDATA; From f16aa5843ff9ac7de26fc22e85684ff4ea1cad4f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 02:16:50 +0200 Subject: [PATCH 565/991] wmapro: error out on impossible scale factor offsets Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 02ec656af72030eea4f3d63e30b25625cce6a3df) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
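Review bot: the av_log() added to decode_init (libavcodec/wmaprodec.c, hunk @@ -335,6 +336,12 @@) reports the wrong field. The test is on `s->min_samples_per_subframe`, but the "Invalid minimum block size %i" message is given `s->max_num_subframes`. Pass `s->min_samples_per_subframe` so the log shows the value that was rejected.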
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 1e3d99a941..902c4e32bd 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -435,7 +435,8 @@ static av_cold int decode_init(AVCodecContext *avctx) for (x = 0; x < num_possible_block_sizes; x++) { int v = 0; while (s->sfb_offsets[x][v + 1] << x < offset) - ++v; + if (++v >= MAX_BANDS) + return AVERROR_INVALIDDATA; s->sf_offsets[i][x][b] = v; } } From 7658333c175562edb89136191fd577ad4a7f5795 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 30 Jun 2013 09:57:56 +0200 Subject: [PATCH 566/991] indeo: Properly forward the error codes If the tile data size does not match the buffer size it did not return an AVERROR_INVALIDDATA causing further corruption later. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7388c0c58601477db076e2e74e8b11f8a644384a) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/ivi_common.c --- libavcodec/ivi_common.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 00205ae8da..ed9c28314b 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -737,8 +737,16 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, break; result = ff_ivi_decode_blocks(&ctx->gb, band, tile); - if (result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { - av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n"); + if (result < 0) { + av_log(avctx, AV_LOG_ERROR, + "Corrupted tile data encountered!\n"); + break; + } + + if (((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { + av_log(avctx, AV_LOG_ERROR, + "Tile data_size mismatch!\n"); + result = AVERROR_INVALIDDATA; break; } From 7eff48029f997c82023e20eb90272bb901ff9204 Mon Sep 17 00:00:00 2001 
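Review bot: the bound added to the sf_offsets loop in decode_init (libavcodec/wmaprodec.c, hunk @@ -435,7 +435,8 @@) is checked against `v`, but the loop condition reads `s->sfb_offsets[x][v + 1]`. With `if (++v >= MAX_BANDS) return AVERROR_INVALIDDATA;` the last value of v that reaches the condition is MAX_BANDS - 1, which reads element MAX_BANDS; if the second dimension of sfb_offsets is MAX_BANDS (the declaration is outside the hunk), that is still one element past the end. Test `v + 1` against the array dimension, and put braces around the while body now that it holds a nested if.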
From: Luca Barbato Date: Sun, 30 Jun 2013 10:11:05 +0200 Subject: [PATCH 567/991] indeo: use proper error code (cherry picked from commit dd3754a48854cd570d38db72394491aab0f36570) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/ivi_common.c --- libavcodec/ivi_common.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index ed9c28314b..c0d8f36a7a 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -74,7 +74,7 @@ int ff_ivi_create_huff_from_desc(const IVIHuffDesc *cb, VLC *vlc, int flag) bits[pos] = i + cb->xbits[i] + not_last_row; if (bits[pos] > IVI_VLC_BITS) - return -1; /* invalid descriptor */ + return AVERROR_INVALIDDATA; /* invalid descriptor */ codewords[pos] = inv_bits((prefix | j), bits[pos]); if (!bits[pos]) @@ -433,7 +433,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) } else { if (sym >= 256U) { av_log(NULL, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym); - return -1; + return AVERROR_INVALIDDATA; } run = rvmap->runtab[sym]; val = rvmap->valtab[sym]; @@ -456,7 +456,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) }// while if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) - return -1; /* corrupt block data */ + return AVERROR_INVALIDDATA; /* corrupt block data */ /* undoing DC coeff prediction for intra-blocks */ if (is_intra && band->is_2d_trans) { @@ -794,14 +794,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (result) { av_log(avctx, AV_LOG_ERROR, "Error while decoding picture header: %d\n", result); - return -1; + return result; } if (ctx->gop_invalid) return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); - return -1; + return AVERROR_PATCHWELCOME; } ctx->switch_buffers(ctx); 
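Review bot: in ff_ivi_decode_frame (hunk @@ -794,14 +794,14 @@) the picture-header path now does `return result;` but is still guarded by `if (result)`, so any positive value from the header decoder would be handed back to the caller as a success value. The band loop in the next hunk was changed to `if (result < 0)`; use the same test here, or keep a fixed negative code for this path.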
@@ -812,10 +812,10 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, for (p = 0; p < 3; p++) { for (b = 0; b < ctx->planes[p].num_bands; b++) { result = decode_band(ctx, p, &ctx->planes[p].bands[b], avctx); - if (result) { + if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Error while decoding band: %d, plane: %d\n", b, p); - return -1; + return result; } } } From 0a1d02ca77c9fa9fa089828b2981a659c84c9337 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 30 Jun 2013 10:40:37 +0200 Subject: [PATCH 568/991] indeo: check for reference when inheriting mvs The same is done already for qdelta. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b36e1893ef3430f039c1eaddeedcbb378f9c4444) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index c0d8f36a7a..36e355a87f 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -550,7 +550,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, if (band->inherit_qdelta && ref_mb) mb->q_delta = ref_mb->q_delta; - if (band->inherit_mv) { + if (band->inherit_mv && ref_mb) { /* motion vector inheritance */ if (mv_scale) { mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); From 8514e3e08e234fbae7e994c8310730d1a6be1724 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2013 23:38:08 +0200 Subject: [PATCH 569/991] rmdec: Pass AVIOContext to rm_read_metadata() Fix null pointer dereference Fixes Ticket2588 Signed-off-by: Michael Niedermayer (cherry picked from commit bf87908cd8da31e8f8fe75c06577170928ea70a8) Conflicts: libavformat/rmdec.c --- libavformat/rmdec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 3032c8f43a..5d1791f79f 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -107,13 +107,14 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si return 0; } -static void rm_read_metadata(AVFormatContext *s, int wide) +static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide) { char buf[1024]; int i; + for (i=0; ipb) : avio_r8(s->pb); - get_strl(s->pb, buf, sizeof(buf), len); + int len = wide ? avio_rb16(pb) : avio_r8(pb); + get_strl(pb, buf, sizeof(buf), len); av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0); } } @@ -143,7 +144,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, int header_size = avio_rb16(pb); int64_t startpos = avio_tell(pb); avio_skip(pb, 14); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); if ((startpos + header_size) >= avio_tell(pb) + 2) { // fourcc (should always be "lpcJ") avio_r8(pb); @@ -289,7 +290,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_r8(pb); avio_r8(pb); avio_r8(pb); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); } } return 0; @@ -475,7 +476,7 @@ static int rm_read_header(AVFormatContext *s, AVFormatParameters *ap) flags = avio_rb16(pb); /* flags */ break; case MKTAG('C', 'O', 'N', 'T'): - rm_read_metadata(s, 1); + rm_read_metadata(s, pb, 1); break; case MKTAG('M', 'D', 'P', 'R'): st = avformat_new_stream(s, NULL); From c25c89a530957fd63ef9ed7fc597bf19b76279cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2013 03:27:07 +0200 Subject: [PATCH 570/991] mpegts: only reopen pmt_cb filter if it's different from the previous. Fixes Ticket2632 Signed-off-by: Michael Niedermayer (cherry picked from commit b009267910df10c004b5f340a090d45da29089a0) --- libavformat/mpegts.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 99982486d1..b808c40162 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -1571,12 +1571,18 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (sid == 0x0000) { /* NIT info */ } else { + MpegTSFilter *fil = ts->pids[pmt_pid]; program = av_new_program(ts->stream, sid); program->program_num = sid; program->pmt_pid = pmt_pid; - if (ts->pids[pmt_pid]) - mpegts_close_filter(ts, ts->pids[pmt_pid]); - mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); + if (fil) + if ( fil->type != MPEGTS_SECTION + || fil->pid != pmt_pid + || fil->u.section_filter.section_cb != pmt_cb) + mpegts_close_filter(ts, ts->pids[pmt_pid]); + + if (!ts->pids[pmt_pid]) + mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); add_pat_entry(ts, sid); add_pid_to_pmt(ts, sid, 0); //add pat pid to program add_pid_to_pmt(ts, sid, pmt_pid); From e445dc9237ae3c87565480936b4feba31f7de998 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2013 02:42:40 +0200 Subject: [PATCH 571/991] avformat/mov: Fix duration of fragmented mov Fixes Ticket2757 Signed-off-by: Michael Niedermayer (cherry picked from commit dc2a13aa802fc691c25d5e0194818831058316ee) Conflicts: libavformat/mov.c --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0cc94e5944..65d8798276 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -801,7 +801,8 @@ static int mov_read_mvhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->duration = (version == 1) ? avio_rb64(pb) : avio_rb32(pb); /* duration */ // set the AVCodecContext duration because the duration of individual tracks // may be inaccurate - c->fc->duration = av_rescale(c->duration, AV_TIME_BASE, c->time_scale); + if (c->time_scale > 0 && !c->trex_data) + c->fc->duration = av_rescale(c->duration, AV_TIME_BASE, c->time_scale); avio_rb32(pb); /* preferred scale */ avio_rb16(pb); /* preferred volume */ From e6a365b5d2fc8010558ae9a0c3e9749819ad9d45 Mon Sep 17 00:00:00 2001 
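Review bot: In pat_cb() (libavformat/mpegts.c), the new `if (fil)` wraps a second, multi-line `if` with no braces, and the close call still passes `ts->pids[pmt_pid]` although `fil` already holds that pointer. Folding both tests into one braced condition, `if (fil && (fil->type != MPEGTS_SECTION || fil->pid != pmt_pid || fil->u.section_filter.section_cb != pmt_cb))`, and calling `mpegts_close_filter(ts, fil)` would make the intent harder to misread. The context lines also dereference the result of `av_new_program()` without a NULL check, which is worth fixing while this block is being touched.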
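Review bot: In mov_read_mvhd() (libavformat/mov.c), when `c->time_scale > 0 && !c->trex_data` is false the function now skips setting `c->fc->duration` without any trace. A `time_scale` that is not positive makes the rescale meaningless, so a warning via av_log() in that case would help whoever debugs a missing duration later, and a short comment saying why files with `trex_data` are excluded would document the second half of the condition.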
From: Luca Barbato Date: Sun, 13 Jan 2013 19:52:45 +0100 Subject: [PATCH 572/991] lavc: check for overflow in init_get_bits Fix an undefined behaviour and make the function return a proper error in case of overflow. CC: libav-stable@libav.org (cherry picked from commit d9cf5f516974c64e01846ca685301014b38cf224) Signed-off-by: Luca Barbato (cherry picked from commit 7a2ee770f520ae4fd5f009cfc361a18e993dec91) Signed-off-by: Reinhard Tartler --- libavcodec/get_bits.h | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 64393bc9d9..dc348c7713 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -344,20 +344,27 @@ static inline int check_marker(GetBitContext *s, const char *msg) } /** - * Inititalize GetBitContext. - * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes larger than the actual read bits - * because some optimized bitstream readers read 32 or 64 bit at once and could read over the end + * Initialize GetBitContext. + * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes + * larger than the actual read bits because some optimized bitstream + * readers read 32 or 64 bit at once and could read over the end * @param bit_size the size of the buffer in bits + * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow. */ -static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, - int bit_size) +static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, + int bit_size) { - int buffer_size = (bit_size+7)>>3; - if (buffer_size < 0 || bit_size < 0) { + int buffer_size; + int ret = 0; + + if (bit_size > INT_MAX - 7 || bit_size <= 0) { buffer_size = bit_size = 0; buffer = NULL; + ret = AVERROR_INVALIDDATA; } + buffer_size = (bit_size + 7) >> 3; + s->buffer = buffer; s->size_in_bits = bit_size; #if !UNCHECKED_BITSTREAM_READER 
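Review bot: The new test `bit_size <= 0` in init_get_bits() turns a zero-length buffer into AVERROR_INVALIDDATA, while the code it replaces only rejected negative sizes, so any caller that initializes a reader over an empty buffer starts failing once it checks the result. If only the overflow is meant to be caught, `bit_size > INT_MAX - 7 || bit_size < 0` keeps the old behaviour for zero. The `buffer_size = bit_size = 0;` assignment is also dead for `buffer_size`, since `buffer_size = (bit_size + 7) >> 3;` overwrites it right after, and the switch from `void` to `int` only helps once callers are updated to check the return value.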
@@ -365,6 +372,7 @@ static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, #endif s->buffer_end = buffer + buffer_size; s->index = 0; + return ret; } static inline void align_get_bits(GetBitContext *s) From c9d8424395fc9e277f8d70ad55a8f2f74c57a49b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 11:18:30 +0200 Subject: [PATCH 573/991] indeo: use a typedef for the mc function pointer (cherry picked from commit e6d8acf6a8fba4743eb56eabe72a741d1bbee3cb) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 36e355a87f..c907e2a4d1 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -39,6 +39,9 @@ extern const IVIHuffDesc ff_ivi_blk_huff_desc[8]; ///< static block huffman tabl VLC ff_ivi_mb_vlc_tabs [8]; VLC ff_ivi_blk_vlc_tabs[8]; +typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, + uint32_t pitch, int mc_type); + /** * Reverse "nbits" bits of the value "val" and return the result * in the least significant bits. @@ -343,8 +346,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) uint32_t cbp, sym, lo, hi, quant, buf_offs, q; IVIMbInfo *mb; RVMapDesc *rvmap = band->rv_map; - void (*mc_with_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); - void (*mc_no_delta_func) (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); + ivi_mc_func mc_with_delta_func, mc_no_delta_func; const uint16_t *base_tab; const uint8_t *scale_tab; 
@@ -514,8 +516,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVIMbInfo *mb, *ref_mb; const int16_t *src; int16_t *dst; - void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, - int mc_type); + ivi_mc_func mc_no_delta_func; if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " From e22a5d490de1afefdaaead39b02cb51c79daddc1 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 1 Jul 2013 03:04:15 +0200 Subject: [PATCH 574/991] kmvc: use fixed sized arrays in the context Avoid some boilerplate code to dynamically allocate and then free the buffers. (cherry picked from commit 8f689770548c86151071ef976cf9b6998ba21c2a) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/kmvc.c --- libavcodec/kmvc.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index a6bb13b95a..fca0c728e8 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -46,7 +46,7 @@ typedef struct KmvcContext { int palsize; uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; - uint8_t *frm0, *frm1; + uint8_t frm0[320 * 200], frm1[320 * 200]; GetByteContext g; } KmvcContext; @@ -367,8 +367,6 @@ static av_cold int decode_init(AVCodecContext * avctx) return -1; } - c->frm0 = av_mallocz(320 * 200); - c->frm1 = av_mallocz(320 * 200); c->cur = c->frm0; c->prev = c->frm1; 
@@ -401,30 +399,12 @@ static av_cold int decode_init(AVCodecContext * avctx) return 0; } - - -/* - * Uninit kmvc decoder - */ -static av_cold int decode_end(AVCodecContext * avctx) -{ - KmvcContext *const c = avctx->priv_data; - - av_freep(&c->frm0); - av_freep(&c->frm1); - if (c->pic.data[0]) - avctx->release_buffer(avctx, &c->pic); - - return 0; -} - AVCodec ff_kmvc_decoder = { .name = "kmvc", .type = AVMEDIA_TYPE_VIDEO, .id = CODEC_ID_KMVC, .priv_data_size = sizeof(KmvcContext), .init = decode_init, - .close = decode_end, .decode = decode_frame, .capabilities = CODEC_CAP_DR1, .long_name = NULL_IF_CONFIG_SMALL("Karl Morton's video codec"), From 79edb9adf619d944f800f1e0eda03b0b7edef67f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 1 Jul 2013 03:05:41 +0200 Subject: [PATCH 575/991] kmvc: Clip pixel position to valid range Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4e7f0b082d8c4b360312216b9241bec65ff63b35) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/kmvc.c --- libavcodec/kmvc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index fca0c728e8..4ed78113dd 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -29,6 +29,8 @@ #include "avcodec.h" #include "bytestream.h" +#include "internal.h" +#include "libavutil/common.h" #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 @@ -55,7 +57,7 @@ typedef struct BitBuf { int bitbuf; } BitBuf; -#define BLK(data, x, y) data[(x) + (y) * 320] +#define BLK(data, x, y) data[av_clip((x) + (y) * 320, 0, 320 * 200 -1)] #define kmvc_init_getbits(bb, g) bb.bits = 7; bb.bitbuf = bytestream2_get_byte(g); From 8c62082b5127011db0c251f6a48b2872af8c3bc6 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 30 Jun 2013 16:50:05 +0200 Subject: [PATCH 576/991] Changelog for 0.8.8 --- Changelog | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) 
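Review bot: In libavcodec/kmvc.c, the hunk that deletes decode_end() and `.close = decode_end` removes more than the two av_freep() calls: the deleted function also ran `avctx->release_buffer(avctx, &c->pic)` when `c->pic.data[0]` was set, and nothing in the patch takes over that release. Keeping decode_end() with only the release_buffer part, together with the `.close` entry, would drop the allocation boilerplate without leaking the last frame buffer.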
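Review bot: The new BLK() macro in libavcodec/kmvc.c clamps the computed index with `av_clip((x) + (y) * 320, 0, 320 * 200 -1)`, so an out-of-range position from a damaged stream is silently redirected to the first or last pixel instead of being reported. That stops the out-of-bounds access, but the callers get no signal that the frame is corrupt; a bounds check at the call sites that logs and returns an error would be easier to diagnose. The bound also repeats the literal `320 * 200` used for the `frm0` and `frm1` arrays, so a shared constant would keep the two in sync, and `-1` wants a space.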
diff --git a/Changelog b/Changelog index 9295452c81..2cbf41d5e8 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,39 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 0.8.8: + +- kmvc: Clip pixel position to valid range +- kmvc: use fixed sized arrays in the context +- indeo: use a typedef for the mc function pointer +- lavc: check for overflow in init_get_bits +- mjpegdec: properly report unsupported disabled features +- jpegls: return meaningful errors +- jpegls: factorize return paths +- jpegls: check the scan offset +- wavpack: validate samples size parsed in wavpack_decode_block +- ljpeg: use the correct number of components in yuv +- mjpeg: Validate sampling factors +- mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac +- wavpack: check packet size early +- wavpack: return meaningful errors +- apetag: use int64_t for filesize +- tiff: do not overread the source buffer +- Prepare for 0.8.8 Release +- smacker: fix an off by one in huff.length computation +- smacker: check the return value of smacker_decode_tree +- smacker: pad the extradata allocation +- smacker: check frame size validity +- vmdav: convert to bytestream2 +- 4xm: don't rely on get_buffer() initializing the frame. +- 4xm: check the return value of read_huffman_tables(). +- 4xm: use the correct logging context +- 4xm: reject frames not compatible with the declared version +- 4xm: check bitstream_size boundary before using it +- 4xm: do not overread the source buffer in decode_p_block + + version 0.8.7: - avfiltergraph: check for sws opts being non-NULL before using them From f75964ad1fe7142fe402cbcb75db7d31d73a00e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 21:46:20 +0200 Subject: [PATCH 577/991] mpeg12dec: avoid reinitialization on PS changes when possible. Fixes Ticket2574 
Signed-off-by: Michael Niedermayer (cherry picked from commit 970c8df73528659925819dec31c4c8c0887f0321) Conflicts: libavcodec/mpeg12dec.c --- libavcodec/mpeg12.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 70daf68789..328d6a079b 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1250,7 +1250,7 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) s1->save_width != s->width || s1->save_height != s->height || s1->save_aspect_info != s->aspect_ratio_info || - s1->save_progressive_seq != s->progressive_sequence || + (s1->save_progressive_seq != s->progressive_sequence && (s->height&31)) || 0) { From e786cc33312083382f4ca394e67e1cb58c786289 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 10 Dec 2012 12:44:09 -0500 Subject: [PATCH 578/991] swfdec: do better validation of tag length Avoids trying to read a packet with 0 or negative size. Avoids a potential infinite loop due to seeking backwards. Partially based on a patch by Michael Niedermayer. (cherry picked from commit e70c5b034c4787377e82cab2d5565486baec0c2a) Signed-off-by: Luca Barbato --- libavformat/swfdec.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 6966176a34..faf74c525c 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -91,6 +91,10 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) tag = get_swf_tag(pb, &len); if (tag < 0) return AVERROR(EIO); + if (len < 0) { + av_log(s, AV_LOG_ERROR, "invalid tag length: %d\n", len); + return AVERROR_INVALIDDATA; + } if (tag == TAG_VIDEOSTREAM) { int ch_id = avio_rl16(pb); len -= 2; 
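Review bot: The added `len < 0` check in swf_read_packet() still lets a tag length of 0 or 1 through, and the context right below it does `int ch_id = avio_rl16(pb); len -= 2;` for TAG_VIDEOSTREAM, so `len` goes negative after two bytes beyond the declared tag have already been read. Checking `len` against the fixed header size of each tag type before consuming it (for example `len < 2` here) would reject the short tag up front rather than relying on the clamping at the `skip:` label.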
@@ -150,7 +154,10 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) st = s->streams[i]; if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) { frame = avio_rl16(pb); - if ((res = av_get_packet(pb, pkt, len-2)) < 0) + len -= 2; + if (len <= 0) + goto skip; + if ((res = av_get_packet(pb, pkt, len)) < 0) return res; pkt->pos = pos; pkt->pts = frame; @@ -164,9 +171,14 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) { if (st->codec->codec_id == CODEC_ID_MP3) { avio_skip(pb, 4); - if ((res = av_get_packet(pb, pkt, len-4)) < 0) + len -= 4; + if (len <= 0) + goto skip; + if ((res = av_get_packet(pb, pkt, len)) < 0) return res; } else { // ADPCM, PCM + if (len <= 0) + goto skip; if ((res = av_get_packet(pb, pkt, len)) < 0) return res; } @@ -193,7 +205,10 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) st = vst; } avio_rl16(pb); /* BITMAP_ID */ - if ((res = av_new_packet(pkt, len-2)) < 0) + len -= 2; + if (len < 4) + goto skip; + if ((res = av_new_packet(pkt, len)) < 0) return res; avio_read(pb, pkt->data, 4); if (AV_RB32(pkt->data) == 0xffd8ffd9 || @@ -210,6 +225,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) return pkt->size; } skip: + len = FFMAX(0, len); avio_skip(pb, len); } } From f3c300d0a4d326c19013d6ecc8ce7d1d25729aa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2013 19:48:05 +0200 Subject: [PATCH 579/991] update all trac links to use the trac subdomain Signed-off-by: Michael Niedermayer --- doc/issue_tracker.txt | 2 +- libavcodec/qtrle.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/issue_tracker.txt b/doc/issue_tracker.txt index d487f66830..27b0009b58 100644 --- a/doc/issue_tracker.txt +++ b/doc/issue_tracker.txt 
@@ -24,7 +24,7 @@ a mail for every change to every issue. The subscription URL for the ffmpeg-trac list is: http(s)://ffmpeg.org/mailman/listinfo/ffmpeg-trac The URL of the webinterface of the tracker is: -http(s)://ffmpeg.org/trac/ffmpeg +http(s)://trac.ffmpeg.org Type: ----- diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index a5c58a0757..a5ae4f6004 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -77,7 +77,7 @@ static void qtrle_decode_1bpp(QtrleContext *s, int stream_ptr, int row_ptr, int * line' at the beginning. Since we always interpret it as 'go to next line' * in the decoding loop (which makes code simpler/faster), the first line * would not be counted, so we count one more. - * See: https://ffmpeg.org/trac/ffmpeg/ticket/226 + * See: https://trac.ffmpeg.org/ticket/226 * In the following decoding loop, row_ptr will be the position of the * _next_ row. */ lines_to_change++; From 4e17e9f8afc41de33f45bf8ae4f60a30f932a2c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jul 2013 04:41:57 +0200 Subject: [PATCH 580/991] update for 0.10.8 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 60309cf29c..bf2f69ecd7 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.7 +PROJECT_NUMBER = 0.10.8 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 2d993c425b..1a46c7f13e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.7 +0.10.8 diff --git a/VERSION b/VERSION index 2d993c425b..1a46c7f13e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.7 +0.10.8 From 5bb347a3b4a88ce4c4de6d0a1dbb0e351cc326f6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 8 Sep 2012 23:57:37 +0200 Subject: [PATCH 581/991] dct-test: fix order of evaluation bug Signed-off-by: Michael Niedermayer (cherry picked from commit dd081f98dded8e268a70468a43b25b077c8c3571) Signed-off-by: Michael Niedermayer --- libavcodec/dct-test.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/dct-test.c b/libavcodec/dct-test.c index 9fdf7d179d..7dd7f616c5 100644 --- a/libavcodec/dct-test.c +++ b/libavcodec/dct-test.c @@ -234,8 +234,10 @@ static void init_block(DCTELEM block[64], int test, int is_idct, AVLFG *prng, in break; case 1: j = av_lfg_get(prng) % 10 + 1; - for (i = 0; i < j; i++) - block[av_lfg_get(prng) % 64] = av_lfg_get(prng) % (2*vals) -vals; + for (i = 0; i < j; i++) { + int idx = av_lfg_get(prng) % 64; + block[idx] = av_lfg_get(prng) % (2*vals) -vals; + } break; case 2: block[ 0] = av_lfg_get(prng) % (16*vals) - (8*vals); From e3e25777944eaa32847d71e68fd939f22d084f08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Sep 2012 23:56:26 +0200 Subject: [PATCH 582/991] ffserver: fix order of evaluation bugs Signed-off-by: Michael Niedermayer (cherry picked from commit d40c0e4a6733ade9aaafc687bcaccc0cba1183b4) Signed-off-by: Michael Niedermayer --- ffserver.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ffserver.c b/ffserver.c index e7fdfbece0..ab18d56397 100644 --- a/ffserver.c +++ b/ffserver.c @@ -562,9 +562,11 @@ static void start_multicast(void) default_port = 6000; for(stream = first_stream; stream != NULL; stream = stream->next) { if (stream->is_multicast) { + unsigned random0 = av_lfg_get(&random_state); + unsigned random1 = av_lfg_get(&random_state); /* open the RTP connection */ snprintf(session_id, sizeof(session_id), "%08x%08x", - av_lfg_get(&random_state), av_lfg_get(&random_state)); + random0, random1); /* choose a port if none given */ if (stream->multicast_port == 0) { 
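Review bot: In start_multicast(), reading `random0` and `random1` into locals fixes the unspecified argument evaluation order, but the session id is still built only from av_lfg_get(), and AVLFG is a lagged Fibonacci generator, not a cryptographic one, so the id is only as unpredictable as the seed of `random_state`. The same two-line sequence is repeated in rtsp_cmd_setup() later in this patch; a small helper that fills the session id in one place would remove the duplication and give a single spot to swap in a stronger source.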
@@ -3086,9 +3088,12 @@ static void rtsp_cmd_setup(HTTPContext *c, const char *url, found: /* generate session id if needed */ - if (h->session_id[0] == '\0') + if (h->session_id[0] == '\0') { + unsigned random0 = av_lfg_get(&random_state); + unsigned random1 = av_lfg_get(&random_state); snprintf(h->session_id, sizeof(h->session_id), "%08x%08x", - av_lfg_get(&random_state), av_lfg_get(&random_state)); + random0, random1); + } /* find rtp session, and create it if none found */ rtp_c = find_rtp_session(h->session_id); From 466911f0004a494b46991c193c09c8452ed26dbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2012 03:47:53 +0200 Subject: [PATCH 583/991] wmaprodec: tighter check for num_vec_coeffs Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b21ba20cc83c80fe56192fee3626a8087f37d806) Conflicts: libavcodec/wmaprodec.c Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index e4309ad975..e04df49266 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -86,6 +86,7 @@ * subframe in order to reconstruct the output samples. */ +#include "libavutil/avassert.h" #include "libavutil/intfloat.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -1177,6 +1178,7 @@ static int decode_subframe(WMAProDecodeCtx *s) transmit_coeffs = 1; } + av_assert0(s->subframe_len <= WMAPRO_BLOCK_MAX_SIZE); if (transmit_coeffs) { int step; int quant_step = 90 * s->bits_per_sample >> 4; 
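Review bot: `av_assert0(s->subframe_len <= WMAPRO_BLOCK_MAX_SIZE)` in decode_subframe() aborts the whole process when it fires, which is a harsh failure mode for a decoder fed untrusted files. If `subframe_len` can be influenced by the bitstream, an av_log() plus `return AVERROR_INVALIDDATA` is the safer response; if an earlier check already guarantees the bound, a short comment naming that check would tell readers the assert is a pure invariant. The same applies to the `av_assert0(num_vec_coeffs + offset <= ...)` added in the next hunk, which replaces a check that used to return an error.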
@@ -1187,10 +1189,11 @@ static int decode_subframe(WMAProDecodeCtx *s) for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; - if (num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)) { + if (num_vec_coeffs > s->subframe_len) { av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); return AVERROR_INVALIDDATA; } + av_assert0(num_vec_coeffs + offset <= FF_ARRAY_ELEMS(s->channel[c].out)); s->channel[c].num_vec_coeffs = num_vec_coeffs; } } else { From 49f434ce2e5e57c57d3820330382e9c85f587086 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2013 03:08:25 +0200 Subject: [PATCH 584/991] avformat/avidec: match first index and first packet size=0 handling Fixes Ticket2861 Signed-off-by: Michael Niedermayer (cherry picked from commit 227a0eb5a92409572f2cecde6137529b83e7d495) Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 9c13f43d78..7f64e9a36e 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1280,7 +1280,7 @@ static int avi_read_idx1(AVFormatContext *s, int size) st = s->streams[index]; ast = st->priv_data; - if(first_packet && first_packet_pos && len) { + if (first_packet && first_packet_pos) { data_offset = first_packet_pos - pos; first_packet = 0; } From f4392277b02e9cb991ef8ffc618c0019661a4573 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 2 Sep 2013 08:32:24 +0200 Subject: [PATCH 585/991] Avoid a deadlock when decoding wma. Fixes ticket #2925. (cherry picked from commit ec8a4841f7e81040f9a2757f23e70dff5e6b33a4) --- libavcodec/wmadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 0232a95c06..02f83f604b 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c 
@@ -534,6 +534,10 @@ static int wma_decode_block(WMACodecContext *s) coef escape coding */ total_gain = 1; for(;;) { + if (get_bits_left(&s->gb) < 7) { + av_log(s->avctx, AV_LOG_ERROR, "total_gain overread\n"); + return AVERROR_INVALIDDATA; + } a = get_bits(&s->gb, 7); total_gain += a; if (a != 127) From c69b4bdf5895ecbf07e5412d1e4e3dd859a292af Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 27 Jul 2013 15:48:41 +0200 Subject: [PATCH 586/991] avidec: Let the inner dv demuxer take care of discarding (cherry picked from commit c8f0b20b4a6bb6691928789d83e4b) CC: libav-stable@libav.org --- libavformat/avidec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index af6ee8ed0f..ac6e85f78c 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -917,9 +917,12 @@ start_sync: } - if( (st->discard >= AVDISCARD_DEFAULT && size==0) - /*|| (st->discard >= AVDISCARD_NONKEY && !(pkt->flags & AV_PKT_FLAG_KEY))*/ //FIXME needs a little reordering - || st->discard >= AVDISCARD_ALL){ + if (!avi->dv_demux && + ((st->discard >= AVDISCARD_DEFAULT && size==0) /* || + //FIXME needs a little reordering + (st->discard >= AVDISCARD_NONKEY && + !(pkt->flags & AV_PKT_FLAG_KEY)) */ + || st->discard >= AVDISCARD_ALL)) { if (!exit_early) { ast->frame_offset += get_duration(ast, size); } From 139f352daf84e005824562e0e0f36e06ac60ee36 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 24 Jun 2013 18:12:24 +0200 Subject: [PATCH 587/991] wtv: Mark attachment with a negative stream id A sid 0 would be mismatched to the attachment. Prevent NULL pointer dereference. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f5e646a00ac21e500dae4bcceded790a0fbc5246) Signed-off-by: Luca Barbato --- libavformat/wtv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/wtv.c b/libavformat/wtv.c index c6198680c7..2d5d7c5cbd 100644 --- a/libavformat/wtv.c 
+++ b/libavformat/wtv.c @@ -489,6 +489,7 @@ static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length) st->codec->codec_id = CODEC_ID_MJPEG; st->codec->codec_type = AVMEDIA_TYPE_ATTACHMENT; st->codec->extradata = av_mallocz(filesize); + st->id = -1; if (!st->codec->extradata) goto done; st->codec->extradata_size = filesize; From 42ad4178fd2dfa38a9a713419641c2ff41a85e98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2013 14:23:44 +0200 Subject: [PATCH 588/991] avio: Handle AVERROR_EOF in the same way as the return value 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure the ffurl_read_complete function actually returns the number of bytes read, as the documentation of the function says, even if the underlying protocol uses AVERROR_EOF instead of 0. Signed-off-by: Martin Storsjö (cherry picked from commit 5d876be87a115b93dd2e644049e3ada2cfb5ccb7) Signed-off-by: Luca Barbato --- libavformat/avio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index ee4dfb6c8c..cfefa60162 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -328,7 +328,7 @@ static inline int retry_transfer_wrapper(URLContext *h, unsigned char *buf, int else usleep(1000); } else if (ret < 1) - return ret < 0 ? ret : len; + return (ret < 0 && ret != AVERROR_EOF) ? ret : len; if (ret) fast_retries = FFMAX(fast_retries, 2); len += ret; From fe8b5a37d5856769e91c159b83c19578ad316f61 Mon Sep 17 00:00:00 2001 
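Review bot: In get_attachment() (libavformat/wtv.c), the new `st->id = -1;` lands between `st->codec->extradata = av_mallocz(filesize);` and its `if (!st->codec->extradata) goto done;` check, separating the allocation from its failure test. Moving the assignment up beside the `codec_id` and `codec_type` setup keeps the allocation and its check adjacent, and a one-line comment on why the attachment stream needs a negative id would save the next reader a trip to the commit message.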
From: Michael Niedermayer Date: Mon, 1 Jul 2013 23:38:08 +0200 Subject: [PATCH 589/991] rmdec: Use the AVIOContext given as parameter in rm_read_metadata() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes crashes when playing back certain RealRTSP streams. When invoked from the RTP depacketizer, the full realmedia demuxer isn't invoked, but only certain functions from it, where a separate AVIOContext is passed in as parameter (for the buffer containing the data to parse). The functions called from within those entry points should only be using that parameter, not s->pb. In the depacketizer case, s is the RTSP context, where ->pb is null. Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d35b6cd3775456a23b63e73316e244b671caa02f) Signed-off-by: Luca Barbato --- libavformat/rmdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 405162e8ca..37e18f02ac 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -107,13 +107,13 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si return 0; } -static void rm_read_metadata(AVFormatContext *s, int wide) +static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide) { char buf[1024]; int i; for (i=0; ipb) : avio_r8(s->pb); - get_strl(s->pb, buf, sizeof(buf), len); + int len = wide ? avio_rb16(pb) : avio_r8(pb); + get_strl(pb, buf, sizeof(buf), len); av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0); } } @@ -143,7 +143,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, int header_size = avio_rb16(pb); int64_t startpos = avio_tell(pb); avio_skip(pb, 14); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); if ((startpos + header_size) >= avio_tell(pb) + 2) { // fourcc (should always be "lpcJ") avio_r8(pb); 
@@ -288,7 +288,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_r8(pb); avio_r8(pb); avio_r8(pb); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); } } return 0; @@ -474,7 +474,7 @@ static int rm_read_header(AVFormatContext *s, AVFormatParameters *ap) flags = avio_rb16(pb); /* flags */ break; case MKTAG('C', 'O', 'N', 'T'): - rm_read_metadata(s, 1); + rm_read_metadata(s, pb, 1); break; case MKTAG('M', 'D', 'P', 'R'): st = avformat_new_stream(s, NULL); From c6942a4b037476ca097036e99bb509b5e5d59128 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 27 Jun 2013 03:19:05 +0200 Subject: [PATCH 590/991] vqavideo: check the version Prevent out of buffer write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c4abc9098cacb227dba39bac6aea16b2bceba0d0) Signed-off-by: Luca Barbato --- libavcodec/vqavideo.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 4826650a6e..110d8b17d5 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -134,6 +134,17 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) /* load up the VQA parameters from the header */ s->vqa_version = s->avctx->extradata[0]; + switch (s->vqa_version) { + case 1: + case 2: + break; + case 3: + av_log_missing_feature(avctx, "VQA Version 3", 0); + return AVERROR_PATCHWELCOME; + default: + av_log_missing_feature(avctx, "VQA Version", 1); + return AVERROR_PATCHWELCOME; + } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); if(av_image_check_size(s->width, s->height, 0, avctx)){ From 26589aa81028f42c763c5581a1486a271799890b Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Thu, 27 Jun 2013 04:30:20 +0200 Subject: [PATCH 591/991] westwood_vqa: do not free extradata on error in read_header The extradata is already freed by avformat_open_input on failure. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 76f5dfbfd902178df4a38221a68dc8540189345a) Signed-off-by: Luca Barbato --- libavformat/westwood.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/westwood.c b/libavformat/westwood.c index 82b7e94840..47e835ad10 100644 --- a/libavformat/westwood.c +++ b/libavformat/westwood.c @@ -240,7 +240,6 @@ static int wsvqa_read_header(AVFormatContext *s, header = (unsigned char *)st->codec->extradata; if (avio_read(pb, st->codec->extradata, VQA_HEADER_SIZE) != VQA_HEADER_SIZE) { - av_free(st->codec->extradata); return AVERROR(EIO); } st->codec->width = AV_RL16(&header[6]); @@ -279,7 +278,6 @@ static int wsvqa_read_header(AVFormatContext *s, * FINF has been skipped and the file will be ready to be demuxed */ do { if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) { - av_free(st->codec->extradata); return AVERROR(EIO); } chunk_tag = AV_RB32(&scratch[0]); From 7296ee7af1424ad11afb9ea711f18f2b563c735b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 27 Jun 2013 02:50:52 +0200 Subject: [PATCH 592/991] qdm2: check and reset dithering index per channel Checking per subband would have the index exceed the dithering noise table size. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 744a11c996641888d477a3981d609e79eeb69ea9) Signed-off-by: Luca Barbato Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 59bce40c2d..856f9a4c92 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c 
@@ -784,8 +784,6 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } for (sb = sb_min; sb < sb_max; sb++) { - FIX_NOISE_IDX(q->noise_idx); - channels = q->nb_channels; if (q->nb_channels <= 1 || sb < 12) @@ -809,6 +807,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } for (ch = 0; ch < channels; ch++) { + FIX_NOISE_IDX(q->noise_idx); zero_encoding = (BITS_LEFT(length,gb) >= 1) ? get_bits1(gb) : 0; type34_predictor = 0.0; type34_first = 1; From 09a098fb8bc7d70a0258b3e8d658833c8d11debe Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 01:03:13 +0200 Subject: [PATCH 593/991] atrac3: fix error handling decode_tonal_components returns a proper AVERROR. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 874c8a17ac9b04fb7ac23d003e54e3662dd23b4e) Signed-off-by: Luca Barbato Conflicts: libavcodec/atrac3.c --- libavcodec/atrac3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 40a44c706a..e0702a9a66 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -690,7 +690,8 @@ static int decodeChannelSoundUnit (ATRAC3Context *q, GetBitContext *gb, channel_ if (result) return result; pSnd->numComponents = decodeTonalComponents (gb, pSnd->components, pSnd->bandsCoded); - if (pSnd->numComponents == -1) return -1; + if (pSnd->numComponents < 0) + return pSnd->numComponents; numSubbands = decodeSpectrum (gb, pSnd->spectrum); From e06623c48030530b50f00cee26f1a3a33c4b4d4b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 04:20:23 +0200 Subject: [PATCH 594/991] atrac3: set the getbits context the right buffer_end Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 22e76ec635bafdd1d1ec35581a7ac09e69e3c43e) 
Signed-off-by: Luca Barbato Conflicts: libavcodec/atrac3.c --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index e0702a9a66..cc0cc7c099 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -773,7 +773,7 @@ static int decodeFrame(ATRAC3Context *q, const uint8_t* databuf, /* set the bitstream reader at the start of the second Sound Unit*/ - init_get_bits(&q->gb,ptr1,q->bits_per_frame); + init_get_bits(&q->gb, ptr1, (q->bytes_per_frame - i) * 8); /* Fill the Weighting coeffs delay buffer */ memmove(q->weighting_delay,&(q->weighting_delay[2]),4*sizeof(int)); From 40ee4de6a6a9f7af3b5bb8a690aa1cae0a752430 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 04:44:26 +0200 Subject: [PATCH 595/991] atrac3: Error on impossible encoding/channel combinations Joint stereo encoded mono is impossible. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a) Signed-off-by: Luca Barbato Conflicts: libavcodec/atrac3.c --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index cc0cc7c099..e31dd1dcd5 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -976,6 +976,8 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) if (q->codingMode == STEREO) { av_log(avctx,AV_LOG_DEBUG,"Normal stereo detected.\n"); } else if (q->codingMode == JOINT_STEREO) { + if (avctx->channels != 2) + return AVERROR_INVALIDDATA; av_log(avctx,AV_LOG_DEBUG,"Joint stereo detected.\n"); } else { av_log(avctx,AV_LOG_ERROR,"Unknown channel coding mode %x!\n",q->codingMode); From 90acd3bfe7fa8d4c92712d40e284c15d95ce5005 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Tue, 9 Jul 2013 09:18:16 +0200 Subject: [PATCH 596/991] imc: Catch a division by zero Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bbf6a4aa20bfe3d7869b2218e66063602dfb8aa7) Signed-off-by: Luca Barbato Conflicts: libavcodec/imc.c --- libavcodec/imc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index ff8e31e9e6..bee38b07f8 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -365,6 +365,10 @@ static int bit_allocation (IMCContext* q, int stream_format_code, int freebits, iacc += q->bandWidthT[i]; summa += q->bandWidthT[i] * q->flcoeffs4[i]; } + + if (!iacc) + return AVERROR_INVALIDDATA; + q->bandWidthT[BANDS-1] = 0; summa = (summa * 0.5 - freebits) / iacc; From b9dea1a085c4705e480bd17dfa8c8ce227fdce76 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 7 Jul 2013 12:56:12 +0200 Subject: [PATCH 597/991] adpcm: Write the correct number of samples for ima-dk4 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 12576afe206d35231ccd61f9033c5fdab6a11e80) Signed-off-by: Luca Barbato Conflicts: libavcodec/adpcm.c --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index a2947329eb..476315c610 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -708,7 +708,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, src++; *samples++ = cs->predictor; } - for (n = nb_samples >> (1 - st); n > 0; n--, src++) { + for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--) { uint8_t v = *src; *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4 , 3); *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3); From b64bd2e18bac1bd3e3e0ae4aebcad1c33f031c66 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Tue, 9 Jul 2013 14:44:02 +0200 Subject: [PATCH 598/991] qdm2: refactor joined stereo support qdm2 does support only two channels. Loop over the run once. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit adadc3f2443d25b375e21e801516ccfd78e0b080) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 856f9a4c92..365f717bcc 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -769,7 +769,7 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) { int sb, j, k, n, ch, run, channels; - int joined_stereo, zero_encoding, chs; + int joined_stereo, zero_encoding; int type34_first; float type34_div = 0; float type34_predictor; @@ -923,16 +923,18 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } if (joined_stereo) { - float tmp[10][MPA_MAX_CHANNELS]; - - for (k = 0; k < run; k++) { - tmp[k][0] = samples[k]; - tmp[k][1] = (sign_bits[(j + k) / 8]) ? -samples[k] : samples[k]; + for (k = 0; k < run && j + k < 128; k++) { + q->sb_samples[0][j + k][sb] = + q->tone_level[0][sb][(j + k) / 2] * samples[k]; + if (q->nb_channels == 2) { + if (sign_bits[(j + k) / 8]) + q->sb_samples[1][j + k][sb] = + q->tone_level[1][sb][(j + k) / 2] * -samples[k]; + else + q->sb_samples[1][j + k][sb] = + q->tone_level[1][sb][(j + k) / 2] * samples[k]; + } } - for (chs = 0; chs < q->nb_channels; chs++) - for (k = 0; k < run; k++) - if ((j + k) < 128) - q->sb_samples[chs][j + k][sb] = q->tone_level[chs][sb][((j + k)/2)] * tmp[k][chs]; } else { for (k = 0; k < run; k++) if ((j + k) < 128) From 57efb6d94ceb42780577210616d30c98d89f6765 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Tue, 9 Jul 2013 14:59:33 +0200 Subject: [PATCH 599/991] qdm2: Conceal broken samples Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4ecdb5ed44591aba8a0ddb7d443cace836f761f6) Signed-off-by: Luca Barbato Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 365f717bcc..1a076236cf 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -498,7 +498,8 @@ static void build_sb_samples_from_noise (QDM2Context *q, int sb) * @param channels number of channels * @param coding_method q->coding_method[0][0][0] */ -static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_method) +static int fix_coding_method_array(int sb, int channels, + sb_int8_array coding_method) { int j,k; int ch; @@ -507,8 +508,10 @@ static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_ for (ch = 0; ch < channels; ch++) { for (j = 0; j < 64; ) { - if((coding_method[ch][sb][j] - 8) > 22) { - run = 1; + if (coding_method[ch][sb][j] < 8) + return -1; + if ((coding_method[ch][sb][j] - 8) > 22) { + run = 1; case_val = 8; } else { switch (switchtable[coding_method[ch][sb][j]-8]) { @@ -533,6 +536,7 @@ static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_ j += run; } } + return 0; } @@ -802,7 +806,11 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l if (q->coding_method[1][sb][j] > q->coding_method[0][sb][j]) q->coding_method[0][sb][j] = q->coding_method[1][sb][j]; - fix_coding_method_array(sb, q->nb_channels, q->coding_method); + if (fix_coding_method_array(sb, q->nb_channels, + q->coding_method)) { + build_sb_samples_from_noise(q, sb); + continue; + } channels = 1; } From 195b9f290cb61f2af1204970c8088c941647e90a Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 29 Jun 2013 07:26:48 +0200 Subject: [PATCH 600/991] iff: Do not read over the source buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7d65e960c72f36b73ae7fe84f8e427d758e61da9) Signed-off-by: Luca Barbato Conflicts: libavcodec/iff.c --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 41e7b5939f..b931e40213 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -271,7 +271,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx, if (avctx->codec_tag == MKTAG('I','L','B','M')) { // interleaved if (avctx->pix_fmt == PIX_FMT_PAL8 || avctx->pix_fmt == PIX_FMT_GRAY8) { - for(y = 0; y < avctx->height; y++ ) { + for (y = 0; y < avctx->height && buf < buf_end; y++ ) { uint8_t *row = &s->frame.data[0][ y*s->frame.linesize[0] ]; memset(row, 0, avctx->width); for (plane = 0; plane < avctx->bits_per_coded_sample && buf < buf_end; plane++) { From 9c05debdcd75fe3bcfbec3f200334f404ebcea56 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 05:29:54 +0200 Subject: [PATCH 601/991] wmavoice: conceal clearly corrupted blocks Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d14a26edb7c4487df581f11e5c6911dc0e623d08) Signed-off-by: Luca Barbato --- libavcodec/wmavoice.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 86e6996e1a..41a9ea3bb8 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c 
@@ -1046,9 +1046,10 @@ static void aw_parse_coords(WMAVoiceContext *s, GetBitContext *gb, * @param gb bit I/O context * @param block_idx block index in frame [0, 1] * @param fcb structure containing fixed codebook vector info + * @return -1 on error, 0 otherwise */ -static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, - int block_idx, AMRFixed *fcb) +static int aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, + int block_idx, AMRFixed *fcb) { uint16_t use_mask_mem[9]; // only 5 are used, rest is padding uint16_t *use_mask = use_mask_mem + 2; @@ -1110,7 +1111,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, else if (use_mask[2]) idx = 0x2F; else if (use_mask[3]) idx = 0x3F; else if (use_mask[4]) idx = 0x4F; - else return; + else return -1; idx -= av_log2_16bit(use_mask[idx >> 4]); } if (use_mask[idx >> 4] & (0x8000 >> (idx & 15))) { @@ -1127,6 +1128,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, /* set offset for next block, relative to start of that block */ n = (MAX_FRAMESIZE / 2 - start_off) % fcb->pitch_lag; s->aw_next_pulse_off_cache = n ? fcb->pitch_lag - n : 0; + return 0; } /** @@ -1289,7 +1291,18 @@ static void synth_block_fcb_acb(WMAVoiceContext *s, GetBitContext *gb, * (fixed) codebook pulses of the speech signal. */ if (frame_desc->fcb_type == FCB_TYPE_AW_PULSES) { aw_pulse_set1(s, gb, block_idx, &fcb); - aw_pulse_set2(s, gb, block_idx, &fcb); + if (aw_pulse_set2(s, gb, block_idx, &fcb)) { + /* Conceal the block with silence and return. + * Skip the correct amount of bits to read the next + * block from the correct offset. */ + int r_idx = pRNG(s->frame_cntr, block_idx, size); + + for (n = 0; n < size; n++) + excitation[n] = + wmavoice_std_codebook[r_idx + n] * s->silence_gain; + skip_bits(gb, 7 + 1); + return; + } } else /* FCB_TYPE_EXC_PULSES */ { int offset_nbits = 5 - frame_desc->log_n_blocks; From 9c3c08ba984ab0447a65a1e8417f01bea4dccf70 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 29 Jun 2013 06:37:32 +0200 Subject: [PATCH 602/991] pcx: Do not overread source buffer in pcx_rle_decode Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22) Signed-off-by: Luca Barbato --- libavcodec/pcx.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 7eb1daaa7a..0377b9298c 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -43,16 +43,19 @@ static av_cold int pcx_init(AVCodecContext *avctx) { /** * @return advanced src pointer */ -static const uint8_t *pcx_rle_decode(const uint8_t *src, uint8_t *dst, - unsigned int bytes_per_scanline, int compressed) { +static const uint8_t *pcx_rle_decode(const uint8_t *src, + const uint8_t *end, + uint8_t *dst, + unsigned int bytes_per_scanline, + int compressed) { unsigned int i = 0; unsigned char run, value; if (compressed) { - while (i= 0xc0) { + if (value >= 0xc0 && src < end) { run = value & 0x3f; value = *src++; } @@ -87,6 +90,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, unsigned int w, h, bits_per_pixel, bytes_per_line, nplanes, stride, y, x, bytes_per_scanline; uint8_t *ptr; + const uint8_t *buf_end = buf + buf_size; uint8_t const *bufstart = buf; uint8_t *scanline; int ret = -1; @@ -115,7 +119,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, nplanes = buf[65]; bytes_per_scanline = nplanes * bytes_per_line; - if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8) { + if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 || + (!compressed && bytes_per_scanline > buf_size / h)) { av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n"); return -1; } @@ -163,7 +168,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (nplanes == 3 && bits_per_pixel == 8) { for (y=0; y> (x&7), v = 0; 
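Review bot: in the `@@ -115,7` hunk of pcx_decode_frame, the new uncompressed-data guard `bytes_per_scanline > buf_size / h` measures against the whole packet, header included, even though the same function reads header fields from the start of that buffer (`nplanes = buf[65]`). If the scanline data starts after the header, h rows of bytes_per_scanline bytes can pass this check and still end beyond buf_end by up to the header length. Compare against the bytes remaining at the point where row decoding starts instead. The uncompressed branch of pcx_rle_decode is not visible in this patch; if it copies bytes_per_scanline bytes without consulting the new `end` argument, bound it there as well so the header check is not the only protection.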
From 47baf9ca87347a8f7516a45f446c7756ad6cb89d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 04:35:34 +0200 Subject: [PATCH 603/991] mlpdec: Do not set invalid context in read_restart_header The faulty values rippled further down the codepath causing a hard-to-track segfault in the assembly code. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e9d394f3fad7e8fd8fc80e3b33cb045bbaceb446) Signed-off-by: Luca Barbato Conflicts: libavcodec/mlpdec.c --- libavcodec/mlpdec.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 357e28728d..e74b20269a 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -346,9 +346,10 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); - const int max_matrix_channel = m->avctx->codec_id == CODEC_ID_MLP - ? MAX_MATRIX_CHANNEL_MLP - : MAX_MATRIX_CHANNEL_TRUEHD; + int min_channel, max_channel, max_matrix_channel; + const int std_max_matrix_channel = m->avctx->codec_id == CODEC_ID_MLP + ? MAX_MATRIX_CHANNEL_MLP + : MAX_MATRIX_CHANNEL_TRUEHD; sync_word = get_bits(gbp, 13); 
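Review bot: the error message "Max matrix channel cannot be greater than %d." in read_restart_header is still passed `max_matrix_channel`, which after the declarations in this hunk is the value parsed from the bitstream rather than the codec limit now held in `std_max_matrix_channel`. The log line in the following hunk therefore prints the rejected value as if it were the bound. Pass `std_max_matrix_channel` to that av_log call, or reword the message to report both the parsed value and the limit.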
@@ -367,18 +368,18 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, skip_bits(gbp, 16); /* Output timestamp */ - s->min_channel = get_bits(gbp, 4); - s->max_channel = get_bits(gbp, 4); - s->max_matrix_channel = get_bits(gbp, 4); + min_channel = get_bits(gbp, 4); + max_channel = get_bits(gbp, 4); + max_matrix_channel = get_bits(gbp, 4); - if (s->max_matrix_channel > max_matrix_channel) { + if (max_matrix_channel > std_max_matrix_channel) { av_log(m->avctx, AV_LOG_ERROR, "Max matrix channel cannot be greater than %d.\n", max_matrix_channel); return AVERROR_INVALIDDATA; } - if (s->max_channel != s->max_matrix_channel) { + if (max_channel != max_matrix_channel) { av_log(m->avctx, AV_LOG_ERROR, "Max channel must be equal max matrix channel.\n"); return AVERROR_INVALIDDATA; @@ -393,15 +394,20 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } - if (s->min_channel > s->max_channel) { + if (min_channel > max_channel) { av_log(m->avctx, AV_LOG_ERROR, "Substream min channel cannot be greater than max channel.\n"); return AVERROR_INVALIDDATA; } - if (m->avctx->request_channels > 0 - && s->max_channel + 1 >= m->avctx->request_channels - && substr < m->max_decoded_substream) { + + s->min_channel = min_channel; + s->max_channel = max_channel; + s->max_matrix_channel = max_matrix_channel; + + if (m->avctx->request_channels > 0 && + m->avctx->request_channels <= s->max_channel + 1 && + m->max_decoded_substream > substr) { av_log(m->avctx, AV_LOG_DEBUG, "Extracting %d channel downmix from substream %d. " "Further substreams will be skipped.\n", From 62c35475396dd0c3afb5d6c66a1245c1a3bbe9b6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 04:54:49 +0200 Subject: [PATCH 604/991] pcm: always use codec->id instead of codec_id Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c82da343e635663605bd81c59d872bee3182da73) 
Signed-off-by: Luca Barbato Conflicts: libavcodec/pcm.c --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 1adaf70318..cd44d77000 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -268,7 +268,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, /* av_get_bits_per_sample returns 0 for CODEC_ID_PCM_DVD */ samples_per_block = 1; - if (CODEC_ID_PCM_DVD == avctx->codec_id) { + if (avctx->codec->id == CODEC_ID_PCM_DVD) { if (avctx->bits_per_coded_sample != 20 && avctx->bits_per_coded_sample != 24) { av_log(avctx, AV_LOG_ERROR, "PCM DVD unsupported sample depth\n"); From ce3ce08850f1690dff01d9bb4ed6a4274d52771e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 18:07:45 +0200 Subject: [PATCH 605/991] dca: Error out on missing DSYNC Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f261e508459e28beca59868a878e1519a44bb678) Signed-off-by: Luca Barbato --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index a83d082118..61a056e13a 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -1254,6 +1254,7 @@ static int dca_subsubframe(DCAContext *s, int base_channel, int block_index) #endif } else { av_log(s->avctx, AV_LOG_ERROR, "Didn't get subframe DSYNC\n"); + return AVERROR_INVALIDDATA; } } From 521cbcb7d37fa12bf1038d1a73bbabcbf62589ed Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 19:00:15 +0200 Subject: [PATCH 606/991] dca: Respect the current limits in the downmixing capabilities Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3802833bc1f79775a1547c5e427fed6e92b77e53) Signed-off-by: Luca Barbato --- libavcodec/dca.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 61a056e13a..169c9b41b9 100644 
--- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -805,6 +805,13 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) "Invalid channel mode %d\n", am); return AVERROR_INVALIDDATA; } + + if (s->prim_channels > FF_ARRAY_ELEMS(dca_default_coeffs[0])) { + av_log_ask_for_sample(s->avctx, "Downmixing %d channels", + s->prim_channels); + return AVERROR_PATCHWELCOME; + } + for (j = base_channel; j < s->prim_channels; j++) { s->downmix_coef[j][0] = dca_default_coeffs[am][j][0]; s->downmix_coef[j][1] = dca_default_coeffs[am][j][1]; From 763519536b63636006c9a421a4b83a58d353b84e Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 20 Feb 2013 11:41:20 -0500 Subject: [PATCH 607/991] ac3dec: validate channel output mode against channel count Damaged frames can lead to a mismatch, which can cause a segfault due to using an incorrect channel mapping. CC:libav-stable@libav.org (cherry picked from commit d7c450436fcb9d3ecf59884a574e7684183e753d) Conflicts: libavcodec/ac3dec.c --- libavcodec/ac3dec.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 28a783a075..61097e99d9 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1373,8 +1373,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, if (!err) { avctx->sample_rate = s->sample_rate; avctx->bit_rate = s->bit_rate; + } - /* channel config */ + /* channel config */ + if (!err || (s->channels && s->out_channels != s->channels)) { s->out_channels = s->channels; s->output_mode = s->channel_mode; if (s->lfe_on) 
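Review bot: the widened condition `if (!err || (s->channels && s->out_channels != s->channels))` in ac3_decode_frame applies `s->channels` and `s->channel_mode` even when `err` is set, and nothing in the hunk says which header errors leave those fields trustworthy. The commit message attributes the mismatch to damaged frames, so the fields copied into `s->out_channels` and `s->output_mode` on this path may come from the same damaged header. Add a comment naming the error cases for which the parsed channel fields are still valid, or restrict the second clause to those cases.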
@@ -1393,18 +1395,18 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, s->fbw_channels == s->out_channels)) { set_downmix_coeffs(s); } - } else if (!s->out_channels) { - s->out_channels = avctx->channels; - if (s->out_channels < s->channels) - s->output_mode = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO; + } else if (!s->channels) { + av_log(avctx, AV_LOG_ERROR, "unable to determine channel mode\n"); + return AVERROR_INVALIDDATA; } + avctx->channels = s->out_channels; + /* set audio service type based on bitstream mode for AC-3 */ avctx->audio_service_type = s->bitstream_mode; if (s->bitstream_mode == 0x7 && s->channels > 1) avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ - avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); From 68b100871961c3e6450871367630e5bf830f6cfd Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 21 Sep 2013 15:33:11 +0200 Subject: [PATCH 608/991] adpcm: Unbreak ima-dk4 Was broken by commit b9dea1a085c4705e480bd17dfa8c8ce227fdce76 --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 476315c610..5f7f140a9d 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -708,7 +708,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, src++; *samples++ = cs->predictor; } - for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--) { + for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--, src++) { uint8_t v = *src; *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4 , 3); *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3); From 93c524c0f0faf90ed99fcc2ac183a1de2cfda5f6 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Tue, 9 Jul 2013 04:44:26 +0200 Subject: [PATCH 609/991] atrac3: Error on impossible encoding/channel combinations Joint stereo encoded mono is impossible. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a) Signed-off-by: Luca Barbato Conflicts: libavcodec/atrac3.c --- libavcodec/atrac3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 4ae2a27d05..7777b04da2 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -976,6 +976,8 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) if (q->codingMode == STEREO) { av_log(avctx,AV_LOG_DEBUG,"Normal stereo detected.\n"); } else if (q->codingMode == JOINT_STEREO) { + if (avctx->channels != 2) + return AVERROR_INVALIDDATA; av_log(avctx,AV_LOG_DEBUG,"Joint stereo detected.\n"); } else { av_log(avctx,AV_LOG_ERROR,"Unknown channel coding mode %x!\n",q->codingMode); From f33d5af1f35e1f1fd83648d321b489c9006525c9 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 09:18:16 +0200 Subject: [PATCH 610/991] imc: Catch a division by zero Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bbf6a4aa20bfe3d7869b2218e66063602dfb8aa7) Signed-off-by: Luca Barbato Conflicts: libavcodec/imc.c --- libavcodec/imc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index d3b8bf5a12..0c2b4b4a83 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -365,6 +365,10 @@ static int bit_allocation (IMCContext* q, int stream_format_code, int freebits, iacc += q->bandWidthT[i]; summa += q->bandWidthT[i] * q->flcoeffs4[i]; } + + if (!iacc) + return AVERROR_INVALIDDATA; + q->bandWidthT[BANDS-1] = 0; summa = (summa * 0.5 - freebits) / iacc; From ef475620b55a166b2131fd478391d4054f19ecd5 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 21 Sep 2013 15:33:11 +0200 Subject: [PATCH 611/991] adpcm: Unbreak ima-dk4 Was broken by commit b9dea1a085c4705e480bd17dfa8c8ce227fdce76 Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index f22c0db19b..149fee1381 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -717,7 +717,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, src++; *samples++ = cs->predictor; } - for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--) { + for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--, src++) { uint8_t v = *src; *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4 , 3); *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3); From ba5dfc25ee0afeb4b690de873ee17f0960160619 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 14:32:03 +0200 Subject: [PATCH 612/991] indeo4: Do not access missing reference MV Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8435bca087c0e79385763c51de009fd89390b6a5) Signed-off-by: Luca Barbato Conflicts: libavcodec/indeo4.c --- libavcodec/indeo4.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index c8ee0becbd..24f5ce6096 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -458,7 +458,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, } mb->mv_x = mb->mv_y = 0; /* no motion vector coded */ - if (band->inherit_mv) { + if (band->inherit_mv && ref_mb) { /* motion vector inheritance */ if (mv_scale) { mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); 
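Review bot: with `if (band->inherit_mv && ref_mb)` placed after `mb->mv_x = mb->mv_y = 0;` in decode_mb_info, a band that sets inherit_mv but has no reference macroblock silently keeps the zero vector, while the next hunk of the same patch returns AVERROR_INVALIDDATA for the same missing ref_mb when copying `mb->type`. Pick one policy for a missing reference: return AVERROR_INVALIDDATA here as well, or add a comment stating why a zero motion vector is acceptable on this path only.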
@@ -470,7 +470,10 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, } } else { if (band->inherit_mv) { - mb->type = ref_mb->type; /* copy mb_type from corresponding reference mb */ + /* copy mb_type from corresponding reference mb */ + if (!ref_mb) + return AVERROR_INVALIDDATA; + mb->type = ref_mb->type; } else if (ctx->frame_type == FRAMETYPE_INTRA) { mb->type = 0; /* mb_type is always INTRA for intra-frames */ } else { @@ -493,14 +496,15 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->mv_x = mb->mv_y = 0; /* there is no motion vector in intra-macroblocks */ } else { if (band->inherit_mv) { - /* motion vector inheritance */ - if (mv_scale) { - mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); - mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale); - } else { - mb->mv_x = ref_mb->mv_x; - mb->mv_y = ref_mb->mv_y; - } + if (ref_mb) + /* motion vector inheritance */ + if (mv_scale) { + mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); + mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale); + } else { + mb->mv_x = ref_mb->mv_x; + mb->mv_y = ref_mb->mv_y; + } } else { /* decode motion vector deltas */ mv_delta = get_vlc2(&ctx->gb, ctx->mb_vlc.tab->table, From 06c52faef27e5bded4ceda7e6d1541f9fb20e84c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 15:02:33 +0200 Subject: [PATCH 613/991] indeo4: Check the quantization matrix index Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6255ccf7d51c82ab79bf0cd47a921f572dda4489) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 24f5ce6096..c197bf3a79 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
@@ -361,6 +361,11 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, av_log(avctx, AV_LOG_ERROR, "Custom quant matrix encountered!\n"); return AVERROR_INVALIDDATA; } + if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) { + av_log_ask_for_sample(avctx, "Quantization matrix %d", + band->quant_mat); + return AVERROR_INVALIDDATA; + } } /* decode block huffman codebook */ From 609345cd5e2a1b6f01a85a2431fcc472971e600e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 18:10:05 +0200 Subject: [PATCH 614/991] indeo4: Validate scantable dimension Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cd78e934c246d1b2510f8fba0abfe40bb75795f6) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index c197bf3a79..a3b3c6b2f3 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -354,6 +354,12 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, av_log(avctx, AV_LOG_ERROR, "Custom scan pattern encountered!\n"); return AVERROR_INVALIDDATA; } + if (scan_indx > 4 && scan_indx < 10) { + if (band->blk_size != 4) + return AVERROR_INVALIDDATA; + } else if (band->blk_size != 8) + return AVERROR_INVALIDDATA; + band->scan = scan_index_to_tab[scan_indx]; band->quant_mat = get_bits(&ctx->gb, 5); From e2dcb8208e8f6cffef58a85127765047f5ef8868 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 14:41:56 +0200 Subject: [PATCH 615/991] indeo5: return proper error codes (cherry picked from commit b0eeb9d442e4b7e82f6797d74245434ea33110a5) Signed-off-by: Luca Barbato --- libavcodec/indeo5.c | 54 +++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 987b1a319f..0626454826 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c 
@@ -74,7 +74,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) tile_size = (ctx->gop_flags & 0x40) ? 64 << get_bits(&ctx->gb, 2) : 0; if (tile_size > 256) { av_log(avctx, AV_LOG_ERROR, "Invalid tile size: %d\n", tile_size); - return -1; + return AVERROR_INVALIDDATA; } /* decode number of wavelet bands */ @@ -85,7 +85,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) if (ctx->is_scalable && (pic_conf.luma_bands != 4 || pic_conf.chroma_bands != 1)) { av_log(avctx, AV_LOG_ERROR, "Scalability: unsupported subdivision! Luma bands: %d, chroma bands: %d\n", pic_conf.luma_bands, pic_conf.chroma_bands); - return -1; + return AVERROR_INVALIDDATA; } pic_size_indx = get_bits(&ctx->gb, 4); @@ -98,8 +98,8 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) } if (ctx->gop_flags & 2) { - av_log(avctx, AV_LOG_ERROR, "YV12 picture format not supported!\n"); - return -1; + av_log_missing_feature(avctx, "YV12 picture format", 0); + return AVERROR_PATCHWELCOME; } pic_conf.chroma_height = (pic_conf.pic_height + 3) >> 2; @@ -115,9 +115,9 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) /* check if picture layout was changed and reallocate buffers */ if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) { result = ff_ivi_init_planes(ctx->planes, &pic_conf); - if (result) { + if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n"); - return -1; + return result; } ctx->pic_conf = pic_conf; blk_size_changed = 1; /* force reallocation of the internal structures */ @@ -140,8 +140,8 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) } if (get_bits1(&ctx->gb)) { - av_log(avctx, AV_LOG_ERROR, "Extended transform info encountered!\n"); - return -1; + av_log_missing_feature(avctx, "Extended transform info", 0); + return AVERROR_PATCHWELCOME; } /* select transform function and scan pattern according to plane and band number */ 
@@ -201,7 +201,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) if (get_bits(&ctx->gb, 2)) { av_log(avctx, AV_LOG_ERROR, "End marker missing!\n"); - return -1; + return AVERROR_INVALIDDATA; } } } @@ -230,17 +230,17 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) if (blk_size_changed) { result = ff_ivi_init_tiles(ctx->planes, pic_conf.tile_width, pic_conf.tile_height); - if (result) { + if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate internal structures!\n"); - return -1; + return result; } } if (ctx->gop_flags & 8) { if (get_bits(&ctx->gb, 3)) { av_log(avctx, AV_LOG_ERROR, "Alignment bits are not zero!\n"); - return -1; + return AVERROR_INVALIDDATA; } if (get_bits1(&ctx->gb)) @@ -289,25 +289,27 @@ static inline void skip_hdr_extension(GetBitContext *gb) */ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) { + int ret; + if (get_bits(&ctx->gb, 5) != 0x1F) { av_log(avctx, AV_LOG_ERROR, "Invalid picture start code!\n"); - return -1; + return AVERROR_INVALIDDATA; } ctx->prev_frame_type = ctx->frame_type; ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); - return -1; + return AVERROR_INVALIDDATA; } ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { ctx->gop_invalid = 1; - if (decode_gop_header(ctx, avctx)) { + if ((ret = decode_gop_header(ctx, avctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); - return AVERROR_INVALIDDATA; + return ret; } ctx->gop_invalid = 0; } 
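Review bot: in decode_pic_hdr, `if ((ret = decode_gop_header(ctx, avctx)) < 0)` now propagates whatever decode_gop_header returns, which after the earlier hunks of this patch includes AVERROR_PATCHWELCOME and the result of ff_ivi_init_planes, yet the message logged on that path still reads "Invalid GOP header, skipping frames." An unsupported feature or a failed plane allocation is then reported as invalid input. Reword the message to a neutral GOP header decode failure, or drop it, since decode_gop_header already logs the specific cause before returning.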
@@ -324,8 +326,10 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) skip_hdr_extension(&ctx->gb); /* XXX: untested */ /* decode macroblock huffman codebook */ - if (ff_ivi_dec_huff_desc(&ctx->gb, ctx->frame_flags & 0x40, IVI_MB_HUFF, &ctx->mb_vlc, avctx)) - return -1; + ret = ff_ivi_dec_huff_desc(&ctx->gb, ctx->frame_flags & 0x40, + IVI_MB_HUFF, &ctx->mb_vlc, avctx); + if (ret < 0) + return ret; skip_bits(&ctx->gb, 3); /* FIXME: unknown meaning! */ } @@ -347,7 +351,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, AVCodecContext *avctx) { - int i; + int i, ret; uint8_t band_flags; band_flags = get_bits(&ctx->gb, 8); @@ -371,7 +375,7 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, if (band->num_corr > 61) { av_log(avctx, AV_LOG_ERROR, "Too many corrections: %d\n", band->num_corr); - return -1; + return AVERROR_INVALIDDATA; } /* read correction pairs */ @@ -383,8 +387,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->rvmap_sel = (band_flags & 0x40) ? get_bits(&ctx->gb, 3) : 8; /* decode block huffman codebook */ - if (ff_ivi_dec_huff_desc(&ctx->gb, band_flags & 0x80, IVI_BLK_HUFF, &band->blk_vlc, avctx)) - return -1; + ret = ff_ivi_dec_huff_desc(&ctx->gb, band_flags & 0x80, IVI_BLK_HUFF, + &band->blk_vlc, avctx); + if (ret < 0) + return ret; band->checksum_present = get_bits1(&ctx->gb); if (band->checksum_present) @@ -451,7 +457,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, if (get_bits1(&ctx->gb)) { if (ctx->frame_type == FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); - return -1; + return AVERROR_INVALIDDATA; } mb->type = 1; /* empty macroblocks are always INTER */ mb->cbp = 0; /* all blocks are empty */ 
@@ -615,7 +621,7 @@ static av_cold int decode_init(AVCodecContext *avctx) result = ff_ivi_init_planes(ctx->planes, &ctx->pic_conf); if (result) { av_log(avctx, AV_LOG_ERROR, "Couldn't allocate color planes!\n"); - return -1; + return AVERROR_INVALIDDATA; } ctx->buf_switch = 0; From 36921fcdd3613dedd4046b59e3f43024fbfbbe17 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 18:16:56 +0200 Subject: [PATCH 616/991] indeo: Reject impossible FRAMETYPE_NULL A frame marked FRAMETYPE_NULL cannot be scalable and requires a previous frame successfully decoded. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5b2a29552ca09edd4646b6aa1828b32912b7ab36) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index c907e2a4d1..0dc7fa29f0 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -820,6 +820,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } } + } else { + if (ctx->is_scalable) + return AVERROR_INVALIDDATA; + + for (p = 0; p < 3; p++) { + if (!ctx->planes[p].bands[0].buf) + return AVERROR_INVALIDDATA; + } } //STOP_TIMER("decode_planes"); } From 729143e2d27d5f06e6c4b959f4808a8a5fa7ca25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 11:28:46 +0300 Subject: [PATCH 617/991] ac3dec: Don't consume more data than the actual input packet size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was handled properly in the normal return case at the end of the function, but not in this special case. Returning a value larger than the input packet size can cause problems for certain library users. Returning the actual input buffer size unconditionally, since it is not guaranteed that frame_size is set to a sensible value at this point. Cc: libav-stable@libav.org 
Signed-off-by: Martin Storsjö (cherry picked from commit 8f24c12be7a3b3ea105e67bba9a867fe210a2333) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 61097e99d9..2eac0ed12a 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1345,7 +1345,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; - return s->frame_size; + return buf_size; } else { av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } From a593d2e92e1491ec04f315d9e38b001b74dcf0b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 17:13:54 +0300 Subject: [PATCH 618/991] mov: Do not allow updating the time scale after it has been set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The time scale is set in mdhd, and later validated in the enclosing trak atom once all of its children have been parsed. A loose mdhd atom outside of a trak atom could update the time scale of the last stream without any validation. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 31931520df35a6f9606fe8293c8a39e2d1fabedf) Signed-off-by: Luca Barbato --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1dbf63f91f..0e5d473a8b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -736,6 +736,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + if (sc->time_scale) { + av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n"); + return AVERROR_INVALIDDATA; + } + version = avio_r8(pb); if (version > 1) { av_log_ask_for_sample(c, "unsupported version %d\n", version); 
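Review bot: the new guard in mov_read_mdhd uses a non-zero sc->time_scale as the "mdhd already parsed" marker, so it only fires when the earlier mdhd stored a non-zero value; a stream whose first mdhd left time_scale at 0 can still be updated by a later atom. If the intent is one mdhd per stream, a dedicated flag in the stream context would state that directly instead of relying on the field value. The "Multiple mdhd?" message would also be easier to triage if it named the stream index.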
From 0d24adbe8d8e48428776586aa16df6629470d8ae Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:09:40 +0200 Subject: [PATCH 619/991] dsicinav: Bound-check the source buffer when needed Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dd0bfc3a6a310e3e3674ce7742672d689a9a0e93) Signed-off-by: Luca Barbato --- libavcodec/dsicinav.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index a379531613..108424c858 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -187,11 +187,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char while (src < src_end && dst < dst_end) { code = *src++; if (code & 0x80) { + if (src >= src_end) + break; len = code - 0x7F; memset(dst, *src++, FFMIN(len, dst_end - dst)); } else { len = code + 1; - memcpy(dst, src, FFMIN(len, dst_end - dst)); + memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src)); src += len; } dst += len; From 246e0e2c994f0fad30d89ff39bd1fabca30c53ce Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 23:02:25 +0200 Subject: [PATCH 620/991] alsdec: Fix the clipping range mcc_weightings is only 32 elements. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 70ecc175c7b513a153ac87d1c5d219556ca55070) Signed-off-by: Luca Barbato --- libavcodec/alsdec.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 459e2af928..b1fc1c05bd 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -1159,6 +1159,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, return 0; } +static inline int als_weighting(GetBitContext *gb, int k, int off) +{ + int idx = av_clip(decode_rice(gb, k) + off, + 0, FF_ARRAY_ELEMS(mcc_weightings) - 1); + return mcc_weightings[idx]; +} /** Read the channel data. */ @@ -1179,14 +1185,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel != c) { current->time_diff_flag = get_bits1(gb); - current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 32)]; - current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[0] = als_weighting(gb, 1, 16); + current->weighting[1] = als_weighting(gb, 2, 14); + current->weighting[2] = als_weighting(gb, 1, 16); if (current->time_diff_flag) { - current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[3] = als_weighting(gb, 1, 16); + current->weighting[4] = als_weighting(gb, 1, 16); + current->weighting[5] = als_weighting(gb, 1, 16); current->time_diff_sign = get_bits1(gb); current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; From 8006716f215582ed396d9392809a174c26209f97 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 28 Jul 2013 18:24:15 +0200 Subject: [PATCH 621/991] xl: Make sure the width is valid CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/xl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/xl.c b/libavcodec/xl.c index 0ebc9467e0..d45866df8b 100644 --- a/libavcodec/xl.c +++ b/libavcodec/xl.c 
@@ -69,6 +69,11 @@ static int decode_frame(AVCodecContext *avctx, stride = avctx->width - 4; + if (avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < avctx->width * avctx->height) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); return AVERROR_INVALIDDATA; From 9c779b5dd0e8ce296aa2125877c8276775b8423e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 4 Aug 2013 18:48:20 +0200 Subject: [PATCH 622/991] bink: Bound check the quantization matrix. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9991298f2c4d9022ad56057f15d037e18d454157) Signed-off-by: Luca Barbato --- libavcodec/bink.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index f38c030b7c..47fcc81172 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -675,6 +675,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t * quant_idx = q; } + if (quant_idx >= 16) + return AVERROR_INVALIDDATA; + quant = quant_matrices[quant_idx]; block[0] = (block[0] * quant[0]) >> 11; From 75b1b13aff73bbe78a4da756dd4c048dd3462cb0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 5 Aug 2013 06:30:24 +0200 Subject: [PATCH 623/991] vc1: check mb_height validity. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 43bacd5b7d3d265a77cd29d8abb131057796aecc) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 752f22fe0a..e1aa4e65d8 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
@@ -5581,6 +5581,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, v->mv_f[1] = tmp[1]; } mb_height = s->mb_height >> v->field_mode; + + if (!mb_height) { + av_log(v->s.avctx, AV_LOG_ERROR, "Invalid mb_height.\n"); + goto err; + } + for (i = 0; i <= n_slices; i++) { if (i > 0 && slices[i - 1].mby_start >= mb_height) { if (v->field_mode <= 0) { From 15620c153a35f76191c1e476fc9df24fbfd54e10 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Aug 2013 07:28:41 +0200 Subject: [PATCH 624/991] ogg: Always alloc the private context in vorbis_header It is possible to have an initial broken header and then valid packets. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3562684db716d11de0b0dcc52748e9cd90d68132) Signed-off-by: Luca Barbato --- libavformat/oggparsevorbis.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 7ec7a9eaeb..272e50c9bb 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -208,15 +208,15 @@ vorbis_header (AVFormatContext * s, int idx) struct oggvorbis_private *priv; int pkt_type = os->buf[os->pstart]; - if (!(pkt_type & 1)) - return 0; - if (!os->private) { os->private = av_mallocz(sizeof(struct oggvorbis_private)); if (!os->private) return 0; } + if (!(pkt_type & 1)) + return 0; + if (os->psize < 1 || pkt_type > 5) return -1; From 896baaaad85c402db187c1c81ececc3a9624dbc1 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Aug 2013 07:40:38 +0200 Subject: [PATCH 625/991] segafilm: Error out on impossible packet size Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5268bd2900effa59b51e0fede61aacde5e2f0b95) Signed-off-by: Luca Barbato --- libavformat/segafilm.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 5c346a75bb..5279121383 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -210,6 +210,8 @@ static int film_read_header(AVFormatContext *s, film->sample_table[i].sample_offset = data_offset + AV_RB32(&scratch[0]); film->sample_table[i].sample_size = AV_RB32(&scratch[4]); + if (film->sample_table[i].sample_size > INT_MAX / 4) + return AVERROR_INVALIDDATA; if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) { film->sample_table[i].stream = film->audio_stream_index; film->sample_table[i].pts = audio_frame_counter; From 54e03863691dcae73260f70108b3731b70773e7c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 5 Aug 2013 06:27:12 +0200 Subject: [PATCH 626/991] vc1: check the source buffer in vc1_mc functions Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 090cd0631140ac1a3a795d2adfac5dbf5e381aa2) Signed-off-by: Luca Barbato Conflicts: libavcodec/vc1dec.c --- libavcodec/vc1dec.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 9bc340b0e0..752f22fe0a 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -395,6 +395,11 @@ static void vc1_mc_1mv(VC1Context *v, int dir) } } + if (!srcY || !srcU) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + src_x = s->mb_x * 16 + (mx >> 2); src_y = s->mb_y * 16 + (my >> 2); uvsrc_x = s->mb_x * 8 + (uvmx >> 2); @@ -570,6 +575,11 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir) } else srcY = s->next_picture.f.data[0]; + if (!srcY) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + if (v->field_mode) { if (v->cur_field_type != v->ref_field_type[dir]) my = my - 2 + 4 * v->cur_field_type; 
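Review bot: in vc1_mc_4mv_luma the new !srcY check logs and returns from a void function, so the caller carries on as if the block had been predicted, and the "Referenced frame missing." message is emitted again for every block that reaches this path. Consider checking for the missing reference once, before motion compensation starts for the frame, where an error can be returned, and keeping this check as a last-resort guard.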
@@ -856,6 +866,11 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir) srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x; } + if (!srcU) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + if (v->field_mode) { if (chroma_ref_type) { srcU += s->current_picture_ptr->f.linesize[1]; From 91355bec88ceb3622ea26f4d50126e6d5ea17d91 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 14 Aug 2013 16:57:21 +0200 Subject: [PATCH 627/991] h261: check the mtype index Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c59967fa7cc5bc2fa06b36c17d2c207240c06b3e) Signed-off-by: Luca Barbato Conflicts: libavcodec/h261dec.c --- libavcodec/h261dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index 665cc0da2f..70347bb558 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -286,6 +286,11 @@ static int h261_decode_mb(H261Context *h){ // Read mtype h->mtype = get_vlc2(&s->gb, h261_mtype_vlc.table, H261_MTYPE_VLC_BITS, 2); + if (h->mtype < 0 || h->mtype >= FF_ARRAY_ELEMS(h261_mtype_map)) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid mtype index %d\n", + h->mtype); + return SLICE_ERROR; + } h->mtype = h261_mtype_map[h->mtype]; // Read mquant From 86c169c5b691ac8434056936a7690fc4c64b4b1a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 14 Aug 2013 16:51:53 +0200 Subject: [PATCH 628/991] dxa: Make sure the reference frame exists Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5ef7c84a9374681c64722a96d91741f3b990af2b) Signed-off-by: Luca Barbato Conflicts: libavcodec/dxa.c --- libavcodec/dxa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 97b912a61a..632b1a477c 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c 
@@ -255,6 +255,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac case 5: c->pic.key_frame = !(compr & 1); c->pic.pict_type = (compr & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + + if (!tmpptr && !c->pic.key_frame) { + av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); + return AVERROR_INVALIDDATA; + } + for(j = 0; j < avctx->height; j++){ if(compr & 1){ for(i = 0; i < avctx->width; i++) From 3dff283de11ad52ddae3246fe7594526ebb62d04 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 28 Jul 2013 13:26:12 +0200 Subject: [PATCH 629/991] ac3: Do not clash with normal AVERROR The parsing function return AVERROR and AAC_AC3_PARSE_ERROR values, make sure they are not misunderstood. (cherry picked from commit 6258d362b82934a2c27557e0984aed372d98091a) Signed-off-by: Luca Barbato --- libavcodec/aac_ac3_parser.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/aac_ac3_parser.h b/libavcodec/aac_ac3_parser.h index a14fce5190..7b21460acd 100644 --- a/libavcodec/aac_ac3_parser.h +++ b/libavcodec/aac_ac3_parser.h @@ -28,13 +28,13 @@ #include "parser.h" typedef enum { - AAC_AC3_PARSE_ERROR_SYNC = -1, - AAC_AC3_PARSE_ERROR_BSID = -2, - AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -3, - AAC_AC3_PARSE_ERROR_FRAME_SIZE = -4, - AAC_AC3_PARSE_ERROR_FRAME_TYPE = -5, - AAC_AC3_PARSE_ERROR_CRC = -6, - AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -7, + AAC_AC3_PARSE_ERROR_SYNC = -0x1030c0a, + AAC_AC3_PARSE_ERROR_BSID = -0x2030c0a, + AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -0x3030c0a, + AAC_AC3_PARSE_ERROR_FRAME_SIZE = -0x4030c0a, + AAC_AC3_PARSE_ERROR_FRAME_TYPE = -0x5030c0a, + AAC_AC3_PARSE_ERROR_CRC = -0x6030c0a, + AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -0x7030c0a, } AACAC3ParseError; typedef struct AACAC3ParseContext { From 37e69e2dee7c5167083bb42d669f73f038111a79 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sun, 28 Jul 2013 13:32:18 +0200 Subject: [PATCH 630/991] ac3: Clean up the error paths (cherry picked from commit 818d1f1a3e89d35213af0bd5dc4a772713951882) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 2eac0ed12a..86726c311f 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1342,7 +1342,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, /* skip frame if CRC is ok. otherwise use error concealment. */ /* TODO: add support for substreams and dependent frames */ if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT || s->substreamid) { - av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " + av_log(avctx, AV_LOG_WARNING, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; return buf_size; @@ -1350,9 +1350,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } break; - default: - av_log(avctx, AV_LOG_ERROR, "invalid header\n"); + case AAC_AC3_PARSE_ERROR_CRC: + case AAC_AC3_PARSE_ERROR_CHANNEL_CFG: break; + default: // Normal AVERROR do not try to recover. + *got_frame_ptr = 0; + return err; } } else { /* check that reported frame size fits in input buffer */ From c225c620c664c4b66a439485d226d03374cb3d33 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 27 Jul 2013 10:16:35 +0200 Subject: [PATCH 631/991] ac3: Return proper error codes (cherry picked from commit b1f9cdc37ff5d5b391d2cd9af737ab4e5a0fc1c0) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 86726c311f..039062b3d6 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -297,7 +297,7 @@ static int parse_frame_header(AC3DecodeContext *s) return ff_eac3_parse_header(s); } else { av_log(s->avctx, AV_LOG_ERROR, "E-AC-3 support not compiled in\n"); - return -1; + return AVERROR(ENOSYS); } } @@ -822,12 +822,12 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (start_subband >= end_subband) { av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension " "range (%d >= %d)\n", start_subband, end_subband); - return -1; + return AVERROR_INVALIDDATA; } if (dst_start_freq >= src_start_freq) { av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension " "copy start bin (%d >= %d)\n", dst_start_freq, src_start_freq); - return -1; + return AVERROR_INVALIDDATA; } s->spx_dst_start_freq = dst_start_freq; @@ -904,7 +904,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (channel_mode < AC3_CHMODE_STEREO) { av_log(s->avctx, AV_LOG_ERROR, "coupling not allowed in mono or dual-mono\n"); - return -1; + return AVERROR_INVALIDDATA; } /* check for enhanced coupling */ @@ -934,7 +934,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (cpl_start_subband >= cpl_end_subband) { av_log(s->avctx, AV_LOG_ERROR, "invalid coupling range (%d >= %d)\n", cpl_start_subband, cpl_end_subband); - return -1; + return AVERROR_INVALIDDATA; } s->start_freq[CPL_CH] = cpl_start_subband * 12 + 37; s->end_freq[CPL_CH] = cpl_end_subband * 12 + 37; @@ -956,7 +956,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling strategy must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } else { s->cpl_in_use[blk] = s->cpl_in_use[blk-1]; } @@ -986,7 +986,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling coordinates must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } else { /* channel not in coupling */ 
@@ -1041,7 +1041,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) int bandwidth_code = get_bits(gbc, 6); if (bandwidth_code > 60) { av_log(s->avctx, AV_LOG_ERROR, "bandwidth code = %d > 60\n", bandwidth_code); - return -1; + return AVERROR_INVALIDDATA; } s->end_freq[ch] = bandwidth_code * 3 + 73; } @@ -1064,7 +1064,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->num_exp_groups[ch], s->dexps[ch][0], &s->dexps[ch][s->start_freq[ch]+!!ch])) { av_log(s->avctx, AV_LOG_ERROR, "exponent out-of-range\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ch != CPL_CH && ch != s->lfe_ch) skip_bits(gbc, 2); /* skip gainrng */ @@ -1084,7 +1084,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new bit allocation info must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } @@ -1115,7 +1115,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } } else if (!s->eac3 && !blk) { av_log(s->avctx, AV_LOG_ERROR, "new snr offsets must be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } @@ -1154,7 +1154,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!s->eac3 && !blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling leak info must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } s->first_cpl_leak = 0; } @@ -1166,7 +1166,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->dba_mode[ch] = get_bits(gbc, 2); if (s->dba_mode[ch] == DBA_RESERVED) { av_log(s->avctx, AV_LOG_ERROR, "delta bit allocation strategy reserved\n"); - return -1; + return AVERROR_INVALIDDATA; } bit_alloc_stages[ch] = FFMAX(bit_alloc_stages[ch], 2); } 
@@ -1207,7 +1207,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->dba_offsets[ch], s->dba_lengths[ch], s->dba_values[ch], s->mask[ch])) { av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n"); - return -1; + return AVERROR_INVALIDDATA; } } if (bit_alloc_stages[ch] > 0) { @@ -1328,7 +1328,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, switch (err) { case AAC_AC3_PARSE_ERROR_SYNC: av_log(avctx, AV_LOG_ERROR, "frame sync error\n"); - return -1; + return AVERROR_INVALIDDATA; case AAC_AC3_PARSE_ERROR_BSID: av_log(avctx, AV_LOG_ERROR, "invalid bitstream id\n"); break; From 5773065a71055b5000717fab68e79647eea3dd6d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 632/991] pictordec: break out of both decoding loops when y drops below 0 Otherwise picmemset can get called with negative y, resulting in an invalid write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695) Signed-off-by: Luca Barbato --- libavcodec/pictordec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index e0bc899946..88add167cf 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx, if (bits_per_plane == 8) { picmemset_8bpp(s, val, run, &x, &y); if (y < 0) - break; + goto finish; } else { picmemset(s, val, run, &x, &y, &plane, bits_per_plane); } @@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx, av_log_ask_for_sample(s, "uncompressed image\n"); return avpkt->size; } +finish: *data_size = sizeof(AVFrame); *(AVFrame*)data = s->frame; From 8d2a86a29055d375eed9c1e93983f42c42fe856d Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 633/991] lavf: avoid integer overflow when estimating bitrate Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit df33a58e5311ee9a64a573889b883a80e981af7b) Signed-off-by: Luca Barbato --- libavformat/utils.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 98c3af4e83..e31c5799e7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1953,8 +1953,13 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) bit_rate = 0; for(i=0;inb_streams;i++) { st = ic->streams[i]; - if (st->codec->bit_rate > 0) - bit_rate += st->codec->bit_rate; + if (st->codec->bit_rate > 0) { + if (INT_MAX - st->codec->bit_rate > bit_rate) { + bit_rate = 0; + break; + } + bit_rate += st->codec->bit_rate; + } } ic->bit_rate = bit_rate; } From 23f73fc241da56ba00b76f975bff56d85c8caa58 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 634/991] ape demuxer: check for EOF in potentially long loops Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit 488b2984fece7ad0c2596826fee18e74aa904667) Signed-off-by: Luca Barbato --- libavformat/ape.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index a60626e133..7d4cd39568 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -276,7 +276,9 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) ape->seektable = av_malloc(ape->seektablelength); if (!ape->seektable) return AVERROR(ENOMEM); - for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) + for (i = 0; + i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; + i++) ape->seektable[i] = avio_rl32(pb); } From 068c8672866858d56ea8747fca5f1e0fcd2d920c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 12:10:50 +0300 Subject: [PATCH 635/991] matroskadec: Check that .lang was allocated and set before reading it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5bcd3ae5b167fb74215520b01d5d810e0c8986ab) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 891eb8380f..03839f89fb 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1079,7 +1079,8 @@ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, int i; for (i=0; i < list->nb_elem; i++) { - const char *lang = strcmp(tags[i].lang, "und") ? tags[i].lang : NULL; + const char *lang = tags[i].lang && strcmp(tags[i].lang, "und") ? + tags[i].lang : NULL; if (!tags[i].name) { av_log(s, AV_LOG_WARNING, "Skipping invalid tag with no TagName.\n"); From 7a9af1da39009167a3dd62204ad2bfd6bbe114b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Mar 2012 22:02:46 +0100 Subject: [PATCH 636/991] mjpegb: Detect changing number of planes in interlaced video MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit af11fa5409cc72fc45ca7f3527400beca10967b9) Signed-off-by: Luca Barbato --- libavcodec/mjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5256a8e04c..a1a67893b6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -245,6 +245,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (nb_components <= 0 || nb_components > MAX_COMPONENTS) return -1; + if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) { + if (nb_components != s->nb_components) { + av_log(s->avctx, AV_LOG_ERROR, + "nb_components changing in interlaced picture\n"); + return AVERROR_INVALIDDATA; + } + } if (s->ls && !(s->bits <= 8 || nb_components == 1)) { av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n"); From 5473d23ece9e42a8003fc880027fe242604ce367 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 4 Sep 2013 01:36:51 +0300 Subject: [PATCH 637/991] mpegvideo: Avoid 32-bit wrapping of linesize multiplications MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure that linesize * start_y doesn't overflow, so that emulated_edge_mc can get back the original value if needed. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a711a2cb473dc95708f371a82c85c97fe789b5c2) Signed-off-by: Luca Barbato --- libavcodec/mpegvideo_common.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index e8daf2ece3..763c3197ff 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -244,7 +244,8 @@ void mpeg_motion_internal(MpegEncContext *s, { uint8_t *ptr_y, *ptr_cb, *ptr_cr; int dxy, uvdxy, mx, my, src_x, src_y, - uvsrc_x, uvsrc_y, v_edge_pos, uvlinesize, linesize; + uvsrc_x, uvsrc_y, v_edge_pos; + ptrdiff_t uvlinesize, linesize; #if 0 if(s->quarter_sample) From b0ca5fef09d1b1268ea0c8f89bf53cd38aaa85e7 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Mon, 5 Aug 2013 22:15:24 +0200 Subject: [PATCH 638/991] dv: Add a guard to not overread the ppcm array Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7ee191cab0dc44700f26c5784e2adeb6a779651b) Signed-off-by: Luca Barbato Conflicts: libavformat/dv.c --- libavformat/dv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 65d0f873dc..ac662371e2 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -102,7 +102,7 @@ static const uint8_t* dv_extract_pack(uint8_t* frame, enum dv_pack_type t) * 3. Audio is always returned as 16bit linear samples: 12bit nonlinear samples * are converted into 16bit linear ones. */ -static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], +static int dv_extract_audio(uint8_t *frame, uint8_t **ppcm, const DVprofile *sys) { int size, chan, i, j, d, of, smpls, freq, quant, half_ch; @@ -335,7 +335,7 @@ int avpriv_dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, uint8_t* buf, int buf_size) { int size, i; - uint8_t *ppcm[4] = {0}; + uint8_t *ppcm[5] = { 0 }; if (buf_size < DV_PROFILE_BYTES || !(c->sys = avpriv_dv_frame_profile(c->sys, buf, buf_size)) || From 9978c24abfbbde6d5db80bf8e6ff9b525ef8c42d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 4 Sep 2013 08:55:08 +0200 Subject: [PATCH 639/991] lavf: fix the comparison in an overflow check CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 26f027fba1c5ab482fa2488fbe0fa36c8bb33b69) Signed-off-by: Luca Barbato --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e31c5799e7..7065b2f004 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -1954,7 +1954,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) for(i=0;inb_streams;i++) { st = ic->streams[i]; if (st->codec->bit_rate > 0) { - if (INT_MAX - st->codec->bit_rate > bit_rate) { + if (INT_MAX - st->codec->bit_rate < bit_rate) { bit_rate = 0; break; } From 20854f9bffd2130b6b987c439c2b4002aa177dd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2013 21:03:48 +0200 Subject: [PATCH 640/991] avcodec/parser: reset indexes on realloc failure Fixes Ticket2982 Signed-off-by: Michael Niedermayer (cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 2c6de6e8ef..66eca06428 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s if(next == END_NOT_FOUND){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - if(!new_buffer) + if(!new_buffer) { + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); pc->index += *buf_size; @@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s /* append to buffer */ if(pc->index){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - - if(!new_buffer) + if(!new_buffer) { + pc->overread_index = + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; if (next > -FF_INPUT_BUFFER_PADDING_SIZE) memcpy(&pc->buffer[pc->index], *buf, From e288124394840f9e37e110afe47c737044372f89 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 20 Aug 2013 23:18:48 +0200 Subject: [PATCH 641/991] avcodec/flashsv: check diff_start/height Fixes out of array accesses Fixes Ticket2844 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 880c73cd76109697447fbfbaa8e5ee5683309446) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index b7ace4f884..7ef4ade58e 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -388,6 +388,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); + if (s->diff_start + s->diff_height > cur_blk_height) { + av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n"); + return AVERROR_INVALIDDATA; + } av_log(avctx, AV_LOG_DEBUG, "%dx%d diff start %d height %d\n", i, j, s->diff_start, s->diff_height); From ef8145270f4a91216b24b1552c73e7eda140c8b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2013 01:07:32 +0200 Subject: [PATCH 642/991] avcodec/rpza: Perform pointer advance and checks before using the pointers Fixes out of array accesses Fixes Ticket2850 Signed-off-by: Michael Niedermayer (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 635b4069ef..f291a95ea5 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s) unsigned short *pixels = (unsigned short *)s->frame.data[0]; int row_ptr = 0; - int pixel_ptr = 0; + int pixel_ptr = -4; int block_ptr; int pixel_x, pixel_y; int total_blocks; 
@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s) colorA = AV_RB16 (&s->buf[stream_ptr]); stream_ptr += 2; while (n_blocks--) { + ADVANCE_BLOCK() block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -186,6 +186,7 @@ static void rpza_decode_stream(RpzaContext *s) if (s->size - stream_ptr < n_blocks * 4) return; while (n_blocks--) { + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { index = s->buf[stream_ptr++]; @@ -196,7 +197,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -204,6 +204,7 @@ static void rpza_decode_stream(RpzaContext *s) case 0x00: if (s->size - stream_ptr < 16) return; + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -217,7 +218,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); break; /* Unknown opcode */ From 1a311ad99a57ec3cd4f821f8a4c22973e2b4d740 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2013 03:19:40 +0200 Subject: [PATCH 643/991] jpeg2000: check log2_cblk dimensions Fixes out of array access Fixes Ticket2895 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 9a271a9368eaabf99e6c2046103acb33957e63b7) Conflicts: libavcodec/jpeg2000dec.c Signed-off-by: Michael Niedermayer Conflicts: libavcodec/j2kdec.c Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 78a24698a2..e4da2def00 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c 
@@ -28,6 +28,7 @@ #include "avcodec.h" #include "bytestream.h" #include "j2k.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #define JP2_SIG_TYPE 0x6A502020 @@ -289,6 +290,10 @@ static int get_cox(J2kDecoderContext *s, J2kCodingStyle *c) c->log2_cblk_width = bytestream_get_byte(&s->buf) + 2; // cblk width c->log2_cblk_height = bytestream_get_byte(&s->buf) + 2; // cblk height + if (c->log2_cblk_width > 6 || c->log2_cblk_height > 6) { + return AVERROR_PATCHWELCOME; + } + c->cblk_style = bytestream_get_byte(&s->buf); if (c->cblk_style != 0){ // cblk style av_log(s->avctx, AV_LOG_WARNING, "extra cblk styles %X\n", c->cblk_style); @@ -705,6 +710,9 @@ static int decode_cblk(J2kDecoderContext *s, J2kCodingStyle *codsty, J2kT1Contex int bpass_csty_symbol = J2K_CBLK_BYPASS & codsty->cblk_style; int vert_causal_ctx_csty_symbol = J2K_CBLK_VSC & codsty->cblk_style; + av_assert0(width <= J2K_MAX_CBLKW); + av_assert0(height <= J2K_MAX_CBLKH); + for (y = 0; y < height+2; y++) memset(t1->flags[y], 0, (width+2)*sizeof(int)); From 5230f1529ae6e5b4a0fa029930570b1961cf5e73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2013 04:00:30 +0200 Subject: [PATCH 644/991] matroska_read_seek: Fix used streams for subtitle index compensation Might fix Ticket1907 (I have no testcase so i cant test) Signed-off-by: Michael Niedermayer (cherry picked from commit 4758e32a6c48044f77102a49110c79b4f338f648) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 32c6af1d81..5e52f86e81 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2075,10 +2075,11 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && !tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp(tracks[i].stream, st->index_entries[index].timestamp, AVSEEK_FLAG_BACKWARD); - if (index_sub >= 0 - && st->index_entries[index_sub].pos < st->index_entries[index_min].pos - && st->index_entries[index].timestamp - st->index_entries[index_sub].timestamp < 30000000000/matroska->time_scale) - index_min = index_sub; + while(index_sub >= 0 + && index_min >= 0 + && tracks[i].stream->index_entries[index_sub].pos < st->index_entries[index_min].pos + && st->index_entries[index].timestamp - tracks[i].stream->index_entries[index_sub].timestamp < 30000000000/matroska->time_scale) + index_min--; } } From 9300b1f64e5b85164e50d95dfed4a66452cb667e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:14:32 +0200 Subject: [PATCH 645/991] avcodec/pngdsp: fix (un)signed type in end comparission Fixes out of array accesses Fixes Ticket2919 Found_by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 86736f59d6a527d8bc807d09b93f971c0fe0bb07) Conflicts: libavcodec/pngdsp.c --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index b768d38cae..5a76918e29 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -121,7 +121,7 @@ static void png_put_interlaced_row(uint8_t *dst, int width, static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w) { long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:40:47 +0200 Subject: [PATCH 646/991] avcodec/dsputil: fix signedness in sizeof() comparissions Signed-off-by: Michael Niedermayer (cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760) Signed-off-by: Michael Niedermayer --- libavcodec/dsputil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 53dc2eb30a..6264832e56 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c @@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src+i); long b = *(long*)(dst+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); @@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ } }else #endif - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); From 4a5bb426e26ed8d46e5ece4ab90ff936499d8536 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Sep 2013 00:36:44 +0200 Subject: [PATCH 647/991] avcodec/mjpegdec: Add some sanity checks to ljpeg_decode_rgb_scan() These prevent the rgb ljpeg code from being run on parameters that it doesnt support. No testcase available but it seems possible to trigger these. Signed-off-by: Michael Niedermayer (cherry picked from commit 61c68000eda643dfce96dc46b488d39fd5c4e309) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 662f0b4674..929235103d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -719,6 +719,12 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p int resync_mb_y = 0; int resync_mb_x = 0; + if (s->nb_components != 3 && s->nb_components != 4) + return AVERROR_INVALIDDATA; + if (s->v_max != 1 || s->h_max != 1 || !s->lossless) + return AVERROR_INVALIDDATA; + + s->restart_count = s->restart_interval; av_fast_malloc(&s->ljpeg_buffer, &s->ljpeg_buffer_size, From f3dc3bef4b40524b9cd61001f98d86d139363de2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2013 20:27:54 +0200 Subject: [PATCH 648/991] avcodec/truemotion2: Fix av_freep arguments Fixes null pointer dereference Fixes Ticket2944 Signed-off-by: Michael Niedermayer (cherry picked from commit c54aa2fb0f869ec025933944cbd1634fffe95d09) Conflicts: libavcodec/truemotion2.c Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 2f94f56824..bff8dce0ca 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -903,14 +903,14 @@ static av_cold int decode_init(AVCodecContext *avctx){ if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; From f6057c5a62ea88926020ba8b19399c10d3e87c3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2013 17:58:18 +0200 Subject: [PATCH 649/991] avcodec/ffv1enc: update buffer check for 16bps 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f) Conflicts: libavcodec/ffv1enc.c (cherry picked from commit c900c6e5c26cd86cf34f9c8d4347cedbd01f3935) --- libavcodec/ffv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 8875c6ebea..b363c9606b 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -451,7 +451,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w, int run_mode=0; if(s->ac){ - if(c->bytestream_end - c->bytestream < w*20){ + if(c->bytestream_end - c->bytestream < w*35){ av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); return -1; } From f66ecdb1b4de01e4afdc1e2c8640ce57ddec15ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Sep 2013 14:22:20 +0200 Subject: [PATCH 650/991] avcodec: add emuedge_linesize_type Currently all uses of the emu edge code as well as the code itself assume int linesize changing some but not changing all would introduce a security issue once all use this typedef a simple search and replace can be done to switch them all to ptrdiff_t Signed-off-by: Michael Niedermayer (cherry picked from commit 2ffead98ddd384f61cdf6b1cb3f36592f54cd34a) Conflicts: libavcodec/mpegvideo_common.h libavcodec/videodsp.h libavcodec/videodsp_template.c libavcodec/x86/videodsp_init.c --- libavcodec/dsputil.h | 1 + libavcodec/mpegvideo_common.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dsputil.h b/libavcodec/dsputil.h index a44c146af9..dd2737ea8b 100644 --- a/libavcodec/dsputil.h +++ b/libavcodec/dsputil.h @@ -33,6 +33,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +typedef int emuedge_linesize_type; //#define DEBUG /* dct code */ diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index debd6bae17..02b2bc1974 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h 
@@ -245,7 +245,7 @@ void mpeg_motion_internal(MpegEncContext *s, uint8_t *ptr_y, *ptr_cb, *ptr_cr; int dxy, uvdxy, mx, my, src_x, src_y, uvsrc_x, uvsrc_y, v_edge_pos; - ptrdiff_t uvlinesize, linesize; + emuedge_linesize_type uvlinesize, linesize; #if 0 if(s->quarter_sample) From 0d1ae06fe95e2dd010025acda2d799240d651d6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2013 01:57:02 +0200 Subject: [PATCH 651/991] update for 0.10.9 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index bf2f69ecd7..c19f09cd53 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.8 +PROJECT_NUMBER = 0.10.9 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 1a46c7f13e..f314d02022 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.8 +0.10.9 diff --git a/VERSION b/VERSION index 1a46c7f13e..f314d02022 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.8 +0.10.9 From 89d56f3be110ca894ab27b1f9e4e998bb116ee01 Mon Sep 17 00:00:00 2001 From: Mashiat Sarker Shakkhar Date: Sun, 15 Jul 2012 07:37:10 +0600 Subject: [PATCH 652/991] vc1dec: Do not use random pred_flag if motion vector data is skipped MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes SA10143.vc1 from test-suite. Also partially fixes MC-VC1.ts from videolan streams archive. Signed-off-by: Martin Storsjö (cherry picked from commit 082829520e2191625d3c41ed6ad0522e8d27ebe1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index ee792cdbf8..cc0632c667 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3964,7 +3964,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) s->current_picture.f.mb_type[mb_pos + v->mb_off] = MB_TYPE_16x16; for (i = 0; i < 6; i++) v->mb_type[0][s->block_index[i]] = 0; if (idx_mbmode <= 5) { // 1-MV - dmv_x = dmv_y = 0; + dmv_x = dmv_y = pred_flag = 0; if (idx_mbmode & 1) { get_mvdata_interlaced(v, &dmv_x, &dmv_y, &pred_flag); } From f21dce60442bb2e3d00a0f38341e7a0bdcfaf322 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 12:58:40 +0200 Subject: [PATCH 653/991] indeo: Refactor ff_ivi_dec_huff_desc Spare an indentation level. (cherry picked from commit f6f36ca8ca1b2526d3abff7d7c627322d3bce912) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 67 +++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 0dc7fa29f0..fcd28f7877 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -120,41 +120,42 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, if (!desc_coded) { /* select default table */ huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[7] - : &ff_ivi_mb_vlc_tabs [7]; - } else { - huff_tab->tab_sel = get_bits(gb, 3); - if (huff_tab->tab_sel == 7) { - /* custom huffman table (explicitly encoded) */ - new_huff.num_rows = get_bits(gb, 4); - if (!new_huff.num_rows) { - av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); - return AVERROR_INVALIDDATA; - } + : &ff_ivi_mb_vlc_tabs [7]; + return 0; + } - for (i = 0; i < new_huff.num_rows; i++) - new_huff.xbits[i] = get_bits(gb, 4); - - /* Have we got the same custom table? Rebuild if not. */ - if (ff_ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) { - ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff); - - if (huff_tab->cust_tab.table) - ff_free_vlc(&huff_tab->cust_tab); - result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc, - &huff_tab->cust_tab, 0); - if (result) { - huff_tab->cust_desc.num_rows = 0; // reset faulty description - av_log(avctx, AV_LOG_ERROR, - "Error while initializing custom vlc table!\n"); - return result; - } - } - huff_tab->tab = &huff_tab->cust_tab; - } else { - /* select one of predefined tables */ - huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[huff_tab->tab_sel] - : &ff_ivi_mb_vlc_tabs [huff_tab->tab_sel]; + huff_tab->tab_sel = get_bits(gb, 3); + if (huff_tab->tab_sel == 7) { + /* custom huffman table (explicitly encoded) */ + new_huff.num_rows = get_bits(gb, 4); + if (!new_huff.num_rows) { + av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); + return AVERROR_INVALIDDATA; } + + for (i = 0; i < new_huff.num_rows; i++) + new_huff.xbits[i] = get_bits(gb, 4); + + /* Have we got the same custom table? Rebuild if not. 
*/ + if (ff_ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) { + ff_ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff); + + if (huff_tab->cust_tab.table) + ff_free_vlc(&huff_tab->cust_tab); + result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc, + &huff_tab->cust_tab, 0); + if (result) { + huff_tab->cust_desc.num_rows = 0; // reset faulty description + av_log(avctx, AV_LOG_ERROR, + "Error while initializing custom vlc table!\n"); + return result; + } + } + huff_tab->tab = &huff_tab->cust_tab; + } else { + /* select one of predefined tables */ + huff_tab->tab = (which_tab) ? &ff_ivi_blk_vlc_tabs[huff_tab->tab_sel] + : &ff_ivi_mb_vlc_tabs [huff_tab->tab_sel]; } return 0; From c5da487a38f93b981c4933d4e0b09c49c319fbb7 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 13:59:16 +0200 Subject: [PATCH 654/991] indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks Spin large and mostly self contained blocks into stand alone functions. (cherry picked from commit 62256010e9bc8879e2bf7f3b94af8ff85e239082) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 259 ++++++++++++++++++++++------------------ 1 file changed, 142 insertions(+), 117 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index fcd28f7877..777438cb83 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -256,11 +256,45 @@ void av_cold ff_ivi_free_buffers(IVIPlaneDesc *planes) } } +static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile, + int p, int b, int t_height, int t_width) +{ + int x, y; + IVITile *tile = band->tiles; + + for (y = 0; y < band->height; y += t_height) { + for (x = 0; x < band->width; x += t_width) { + tile->xpos = x; + tile->ypos = y; + tile->mb_size = band->mb_size; + tile->width = FFMIN(band->width - x, t_width); + tile->height = FFMIN(band->height - y, t_height); + tile->is_empty = tile->data_size = 0; + /* calculate number of macroblocks */ + tile->num_MBs = IVI_MBs_PER_TILE(tile->width, tile->height, + band->mb_size); + + av_freep(&tile->mbs); + tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo)); + if (!tile->mbs) + return AVERROR(ENOMEM); + + tile->ref_mbs = 0; + if (p || b) { + tile->ref_mbs = ref_tile->mbs; + ref_tile++; + } + tile++; + } + } + + return 0; +} + int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_height) { - int p, b, x, y, x_tiles, y_tiles, t_width, t_height; + int p, b, x_tiles, y_tiles, t_width, t_height, ret; IVIBandDesc *band; - IVITile *tile, *ref_tile; for (p = 0; p < 3; p++) { t_width = !p ? tile_width : (tile_width + 3) >> 2; 
@@ -282,41 +316,14 @@ int av_cold ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_hei if (!band->tiles) return AVERROR(ENOMEM); - tile = band->tiles; - /* use the first luma band as reference for motion vectors * and quant */ - ref_tile = planes[0].bands[0].tiles; - - for (y = 0; y < band->height; y += t_height) { - for (x = 0; x < band->width; x += t_width) { - tile->xpos = x; - tile->ypos = y; - tile->mb_size = band->mb_size; - tile->width = FFMIN(band->width - x, t_width); - tile->height = FFMIN(band->height - y, t_height); - tile->is_empty = tile->data_size = 0; - /* calculate number of macroblocks */ - tile->num_MBs = IVI_MBs_PER_TILE(tile->width, tile->height, - band->mb_size); - - av_freep(&tile->mbs); - tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo)); - if (!tile->mbs) - return AVERROR(ENOMEM); - - tile->ref_mbs = 0; - if (p || b) { - tile->ref_mbs = ref_tile->mbs; - ref_tile++; - } - - tile++; - } - } - - }// for b - }// for p + ret = ivi_init_tiles(band, planes[0].bands[0].tiles, + p, b, t_height, t_width); + if (ret < 0) + return ret; + } + } return 0; } 
@@ -338,25 +345,102 @@ int ff_ivi_dec_tile_data_size(GetBitContext *gb) return len; } +static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, + ivi_mc_func mc, int mv_x, int mv_y, + int *prev_dc, int is_intra, int mc_type, + uint32_t quant, int offs) +{ + const uint16_t *base_tab = is_intra ? band->intra_base : band->inter_base; + RVMapDesc *rvmap = band->rv_map; + uint8_t col_flags[8]; + int32_t trvec[64]; + uint32_t sym = 0, lo, hi, q; + int pos, run, val; + int blk_size = band->blk_size; + int num_coeffs = blk_size * blk_size; + int col_mask = blk_size - 1; + int scan_pos = -1; + + if (!band->scan) + return AVERROR_INVALIDDATA; + + /* zero transform vector */ + memset(trvec, 0, num_coeffs * sizeof(trvec[0])); + /* zero column flags */ + memset(col_flags, 0, sizeof(col_flags)); + while (scan_pos <= num_coeffs) { + sym = get_vlc2(gb, band->blk_vlc.tab->table, + IVI_VLC_BITS, 1); + if (sym == rvmap->eob_sym) + break; /* End of block */ + + /* Escape - run/val explicitly coded using 3 vlc codes */ + if (sym == rvmap->esc_sym) { + run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1; + lo = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); + hi = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); + /* merge them and convert into signed val */ + val = IVI_TOSIGNED((hi << 6) | lo); + } else { + if (sym >= 256U) + return AVERROR_INVALIDDATA; + + run = rvmap->runtab[sym]; + val = rvmap->valtab[sym]; + } + + /* de-zigzag and dequantize */ + scan_pos += run; + if (scan_pos >= num_coeffs) + break; + pos = band->scan[scan_pos]; + + q = (base_tab[pos] * quant) >> 9; + if (q > 1) + val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1); + trvec[pos] = val; + /* track columns containing non-zero coeffs */ + col_flags[pos & col_mask] |= !!val; + } + + if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) + return AVERROR_INVALIDDATA; /* corrupt block data */ + + /* undoing DC coeff prediction for intra-blocks */ + if (is_intra && 
band->is_2d_trans) { + *prev_dc += trvec[0]; + trvec[0] = *prev_dc; + col_flags[0] |= !!*prev_dc; + } + + /* apply inverse transform */ + band->inv_transform(trvec, band->buf + offs, + band->pitch, col_flags); + + /* apply motion compensation */ + if (!is_intra) + mc(band->buf + offs, + band->ref_buf + offs + mv_y * band->pitch + mv_x, + band->pitch, mc_type); + + return 0; +} + int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) { - int mbn, blk, num_blocks, num_coeffs, blk_size, scan_pos, run, val, - pos, is_intra, mc_type, mv_x, mv_y, col_mask; - uint8_t col_flags[8]; - int32_t prev_dc, trvec[64]; - uint32_t cbp, sym, lo, hi, quant, buf_offs, q; - IVIMbInfo *mb; - RVMapDesc *rvmap = band->rv_map; + int mbn, blk, num_blocks, blk_size, ret, is_intra, mc_type = 0; + int mv_x = 0, mv_y = 0; + int32_t prev_dc; + uint32_t cbp, quant, buf_offs; + IVIMbInfo *mb; ivi_mc_func mc_with_delta_func, mc_no_delta_func; - const uint16_t *base_tab; - const uint8_t *scale_tab; - - prev_dc = 0; /* init intra prediction for the DC coefficient */ + const uint8_t *scale_tab; + /* init intra prediction for the DC coefficient */ + prev_dc = 0; blk_size = band->blk_size; - col_mask = blk_size - 1; /* column mask for tracking non-zero coeffs */ - num_blocks = (band->mb_size != blk_size) ? 4 : 1; /* number of blocks per mb */ - num_coeffs = blk_size * blk_size; + /* number of blocks per mb */ + num_blocks = (band->mb_size != blk_size) ? 4 : 1; if (blk_size == 8) { mc_with_delta_func = ff_ivi_mc_8x8_delta; mc_no_delta_func = ff_ivi_mc_8x8_no_delta; @@ -372,7 +456,6 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) quant = av_clip(band->glob_quant + mb->q_delta, 0, 23); - base_tab = is_intra ? band->intra_base : band->inter_base; scale_tab = is_intra ? band->intra_scale : band->inter_scale; if (scale_tab) quant = scale_tab[quant]; 
@@ -395,10 +478,10 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) cx = mb->mv_x & band->is_halfpel; cy = mb->mv_y & band->is_halfpel; - if ( mb->xpos + dmv_x < 0 - || mb->xpos + dmv_x + band->mb_size + cx > band->pitch - || mb->ypos + dmv_y < 0 - || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + if (mb->xpos + dmv_x < 0 || + mb->xpos + dmv_x + band->mb_size + cx > band->pitch || + mb->ypos + dmv_y < 0 || + mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { return AVERROR_INVALIDDATA; } } 
@@ -414,69 +497,11 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) } if (cbp & 1) { /* block coded ? */ - if (!band->scan) { - av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n"); - return AVERROR_INVALIDDATA; - } - - scan_pos = -1; - memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ - memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */ - - while (scan_pos <= num_coeffs) { - sym = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); - if (sym == rvmap->eob_sym) - break; /* End of block */ - - if (sym == rvmap->esc_sym) { /* Escape - run/val explicitly coded using 3 vlc codes */ - run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1; - lo = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); - hi = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); - val = IVI_TOSIGNED((hi << 6) | lo); /* merge them and convert into signed val */ - } else { - if (sym >= 256U) { - av_log(NULL, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym); - return AVERROR_INVALIDDATA; - } - run = rvmap->runtab[sym]; - val = rvmap->valtab[sym]; - } - - /* de-zigzag and dequantize */ - scan_pos += run; - if (scan_pos >= num_coeffs) - break; - pos = band->scan[scan_pos]; - - if (!val) - av_dlog(NULL, "Val = 0 encountered!\n"); - - q = (base_tab[pos] * quant) >> 9; - if (q > 1) - val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1); - trvec[pos] = val; - col_flags[pos & col_mask] |= !!val; /* track columns containing non-zero coeffs */ - }// while - - if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) - return AVERROR_INVALIDDATA; /* corrupt block data */ - - /* undoing DC coeff prediction for intra-blocks */ - if (is_intra && band->is_2d_trans) { - prev_dc += trvec[0]; - trvec[0] = prev_dc; - col_flags[0] |= !!prev_dc; - } - - /* apply inverse transform */ - band->inv_transform(trvec, band->buf + buf_offs, - band->pitch, col_flags); - - /* apply motion compensation */ - if (!is_intra) - 
mc_with_delta_func(band->buf + buf_offs, - band->ref_buf + buf_offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + ret = ivi_decode_coded_blocks(gb, band, mc_with_delta_func, + mv_x, mv_y, &prev_dc, is_intra, + mc_type, quant, buf_offs); + if (ret < 0) + return ret; } else { /* block not coded */ /* for intra blocks apply the dc slant transform */ From aedde1a48de4bebdd26d27ca997b2cecc0016a45 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 14:01:32 +0200 Subject: [PATCH 655/991] indeo: Cosmetic formatting Trim some overly long lines. (cherry picked from commit 6dfacd7ab126aea1392949d1aa10fdc3d3eeb911) Signed-off-by: Luca Barbato Conflicts: libavcodec/ivi_common.c --- libavcodec/ivi_common.c | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 777438cb83..a94285ab36 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -51,9 +51,10 @@ static uint16_t inv_bits(uint16_t val, int nbits) uint16_t res; if (nbits <= 8) { - res = av_reverse[val] >> (8-nbits); + res = av_reverse[val] >> (8 - nbits); } else - res = ((av_reverse[val & 0xFF] << 8) + (av_reverse[val >> 8])) >> (16-nbits); + res = ((av_reverse[val & 0xFF] << 8) + + (av_reverse[val >> 8])) >> (16 - nbits); return res; } 
@@ -103,10 +104,12 @@ void ff_ivi_init_static_vlc(void) for (i = 0; i < 8; i++) { ff_ivi_mb_vlc_tabs[i].table = table_data + i * 2 * 8192; ff_ivi_mb_vlc_tabs[i].table_allocated = 8192; - ff_ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i], &ff_ivi_mb_vlc_tabs[i], 1); + ff_ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i], + &ff_ivi_mb_vlc_tabs[i], 1); ff_ivi_blk_vlc_tabs[i].table = table_data + (i * 2 + 1) * 8192; ff_ivi_blk_vlc_tabs[i].table_allocated = 8192; - ff_ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i], &ff_ivi_blk_vlc_tabs[i], 1); + ff_ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i], + &ff_ivi_blk_vlc_tabs[i], 1); } initialized_vlcs = 1; } @@ -114,7 +117,7 @@ void ff_ivi_init_static_vlc(void) int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, IVIHuffTab *huff_tab, AVCodecContext *avctx) { - int i, result; + int i, result; IVIHuffDesc new_huff; if (!desc_coded) { @@ -175,8 +178,9 @@ void ff_ivi_huff_desc_copy(IVIHuffDesc *dst, const IVIHuffDesc *src) int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) { - int p, b; - uint32_t b_width, b_height, align_fac, width_aligned, height_aligned, buf_size; + int p, b; + uint32_t b_width, b_height, align_fac, width_aligned, + height_aligned, buf_size; IVIBandDesc *band; ff_ivi_free_buffers(planes); 
@@ -199,8 +203,10 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) /* select band dimensions: if there is only one band then it * has the full size, if there are several bands each of them * has only half size */ - b_width = planes[p].num_bands == 1 ? planes[p].width : (planes[p].width + 1) >> 1; - b_height = planes[p].num_bands == 1 ? planes[p].height : (planes[p].height + 1) >> 1; + b_width = planes[p].num_bands == 1 ? planes[p].width + : (planes[p].width + 1) >> 1; + b_height = planes[p].num_bands == 1 ? planes[p].height + : (planes[p].height + 1) >> 1; /* luma band buffers will be aligned on 16x16 (max macroblock size) */ /* chroma band buffers will be aligned on 8x8 (max macroblock size) */ @@ -228,8 +234,8 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) if (!band->bufs[2]) return AVERROR(ENOMEM); } - - planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0; /* reset custom vlc */ + /* reset custom vlc */ + planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0; } } @@ -781,7 +787,8 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, } } - /* restore the selected rvmap table by applying its corrections in reverse order */ + /* restore the selected rvmap table by applying its corrections in + * reverse order */ for (i = band->num_corr-1; i >= 0; i--) { idx1 = band->corr[i*2]; idx2 = band->corr[i*2+1]; @@ -794,7 +801,8 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, uint16_t chksum = ivi_calc_band_checksum(band); if (chksum != band->checksum) { av_log(avctx, AV_LOG_ERROR, - "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n", + "Band checksum mismatch! Plane %d, band %d, " + "received: %x, calculated: %x\n", band->plane, band->band_num, band->checksum, chksum); } } 
@@ -861,7 +869,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, /* If the bidirectional mode is enabled, next I and the following P frame will */ /* be sent together. Unfortunately the approach below seems to be the only way */ /* to handle the B-frames mode. That's exactly the same Intel decoders do. */ - if (avctx->codec_id == CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { + if (avctx->codec_id == CODEC_ID_INDEO4 && + ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { while (get_bits(&ctx->gb, 8)); // skip version string skip_bits_long(&ctx->gb, 64); // skip padding, TODO: implement correct 8-bytes alignment if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8) From efe710f8a009c99a5c4e4dff160c870cb7d95e76 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 14:55:50 +0200 Subject: [PATCH 656/991] indeo: reject negative array indexes Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6a10142faa1cca8ba2bfe51b970754f62d60f320) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 42 ++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index a94285ab36..4aab7abfd7 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -42,6 +42,20 @@ VLC ff_ivi_blk_vlc_tabs[8]; typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); +static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf, + int offs, int mv_x, int mv_y, uint32_t pitch, + int mc_type) +{ + int ref_offs = offs + mv_y * pitch + mv_x; + + if (offs < 0 || ref_offs < 0 || !ref_buf) + return AVERROR_INVALIDDATA; + + mc(buf + offs, ref_buf + ref_offs, pitch, mc_type); + + return 0; +} + /** * Reverse "nbits" bits of the value "val" and return the result * in the least significant bits. 
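Review bot: the new `ivi_mc()` helper (PATCH 656/991, hunk `@@ -42,6 +42,20 @@`) rejects only negative values with `if (offs < 0 || ref_offs < 0 || !ref_buf)`, so an `offs` or `ref_offs` that points past the end of the band buffer still reaches `mc(buf + offs, ref_buf + ref_offs, pitch, mc_type)`. The helper receives no buffer size to compare against; passing the band (or its size) in would allow an upper-bound check that leaves room for one block. Also, `pitch` is `uint32_t` here, so `mv_y * pitch` is evaluated as unsigned before the result is stored in the `int ref_offs`; a signed pitch or an explicit cast would make the negative-vector case easier to reason about.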
@@ -397,7 +411,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, /* de-zigzag and dequantize */ scan_pos += run; - if (scan_pos >= num_coeffs) + if (scan_pos >= num_coeffs || scan_pos < 0) break; pos = band->scan[scan_pos]; @@ -409,7 +423,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, col_flags[pos & col_mask] |= !!val; } - if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) + if (scan_pos < 0 || scan_pos >= num_coeffs && sym != rvmap->eob_sym) return AVERROR_INVALIDDATA; /* corrupt block data */ /* undoing DC coeff prediction for intra-blocks */ @@ -425,9 +439,8 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, /* apply motion compensation */ if (!is_intra) - mc(band->buf + offs, - band->ref_buf + offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y, + band->pitch, mc_type); return 0; } @@ -516,10 +529,12 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) if (band->dc_transform) band->dc_transform(&prev_dc, band->buf + buf_offs, band->pitch, blk_size); - } else - mc_no_delta_func(band->buf + buf_offs, - band->ref_buf + buf_offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + } else { + ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, + buf_offs, mv_x, mv_y, band->pitch, mc_type); + if (ret < 0) + return ret; + } } cbp >>= 1; @@ -544,7 +559,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; - int offs, mb_offset, row_offset; + int offs, mb_offset, row_offset, ret; IVIMbInfo *mb, *ref_mb; const int16_t *src; int16_t *dst; 
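Review bot: in the `@@ -409,7 +423,7 @@` hunk of `ivi_decode_coded_blocks()`, the new condition `scan_pos < 0 || scan_pos >= num_coeffs && sym != rvmap->eob_sym` mixes `||` and `&&` without parentheses. It parses as `scan_pos < 0 || (scan_pos >= num_coeffs && sym != rvmap->eob_sym)`, which looks like the intent, but writing the parentheses makes that explicit and avoids a `-Wparentheses` warning.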
@@ -622,9 +637,10 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, for (blk = 0; blk < num_blocks; blk++) { /* adjust block position in the buffer according with its number */ offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch); - mc_no_delta_func(band->buf + offs, - band->ref_buf + offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, + offs, mv_x, mv_y, band->pitch, mc_type); + if (ret < 0) + return ret; } } } else { From c02b9e6e633896617e5f95211665c5521800498b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 14:33:24 +0200 Subject: [PATCH 657/991] indeo: Bound-check before applying transform Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dc79685195a45c9b8b17d7b93d118e0aefa45462) Signed-off-by: Luca Barbato Conflicts: libavcodec/ivi_common.c --- libavcodec/indeo4.c | 7 +++++++ libavcodec/indeo5.c | 38 +++++++++++++++++++++++--------------- libavcodec/ivi_common.c | 31 ++++++++++++++++++++++++++++--- libavcodec/ivi_common.h | 1 + 4 files changed, 59 insertions(+), 18 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index a3b3c6b2f3..74b3ef001b 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -348,6 +348,13 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->inv_transform = transforms[transform_id].inv_trans; band->dc_transform = transforms[transform_id].dc_trans; band->is_2d_trans = transforms[transform_id].is_2d_trans; + if (transform_id < 10) + band->transform_size = 8; + else + band->transform_size = 4; + + if (band->blk_size != band->transform_size) + return AVERROR_INVALIDDATA; scan_indx = get_bits(&ctx->gb, 4); if (scan_indx == 15) { diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 0626454826..c06d46da3e 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c 
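Review bot: `transform_id < 10` in the indeo4.c `decode_band_hdr()` hunk (PATCH 657/991) hard-codes which entries of `transforms[]` are 8x8 and which are 4x4, with no comment tying the constant to the table. The same table entry already supplies `inv_trans`, `dc_trans` and `is_2d_trans`, so a size field there would keep `band->transform_size` in sync if the table changes. The `band->blk_size != band->transform_size` rejection also runs after the band's transform pointers have been overwritten; doing the check before those assignments avoids leaving a half-updated band behind on the error path.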
@@ -147,39 +147,47 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) /* select transform function and scan pattern according to plane and band number */ switch ((p << 2) + i) { case 0: - band->inv_transform = ff_ivi_inverse_slant_8x8; - band->dc_transform = ff_ivi_dc_slant_2d; - band->scan = ff_zigzag_direct; + band->inv_transform = ff_ivi_inverse_slant_8x8; + band->dc_transform = ff_ivi_dc_slant_2d; + band->scan = ff_zigzag_direct; + band->transform_size = 8; break; case 1: - band->inv_transform = ff_ivi_row_slant8; - band->dc_transform = ff_ivi_dc_row_slant; - band->scan = ff_ivi_vertical_scan_8x8; + band->inv_transform = ff_ivi_row_slant8; + band->dc_transform = ff_ivi_dc_row_slant; + band->scan = ff_ivi_vertical_scan_8x8; + band->transform_size = 8; break; case 2: - band->inv_transform = ff_ivi_col_slant8; - band->dc_transform = ff_ivi_dc_col_slant; - band->scan = ff_ivi_horizontal_scan_8x8; + band->inv_transform = ff_ivi_col_slant8; + band->dc_transform = ff_ivi_dc_col_slant; + band->scan = ff_ivi_horizontal_scan_8x8; + band->transform_size = 8; break; case 3: - band->inv_transform = ff_ivi_put_pixels_8x8; - band->dc_transform = ff_ivi_put_dc_pixel_8x8; - band->scan = ff_ivi_horizontal_scan_8x8; + band->inv_transform = ff_ivi_put_pixels_8x8; + band->dc_transform = ff_ivi_put_dc_pixel_8x8; + band->scan = ff_ivi_horizontal_scan_8x8; + band->transform_size = 8; break; case 4: - band->inv_transform = ff_ivi_inverse_slant_4x4; - band->dc_transform = ff_ivi_dc_slant_2d; - band->scan = ff_ivi_direct_scan_4x4; + band->inv_transform = ff_ivi_inverse_slant_4x4; + band->dc_transform = ff_ivi_dc_slant_2d; + band->scan = ff_ivi_direct_scan_4x4; + band->transform_size = 4; break; } band->is_2d_trans = band->inv_transform == ff_ivi_inverse_slant_8x8 || band->inv_transform == ff_ivi_inverse_slant_4x4; + if (band->transform_size != band->blk_size) + return AVERROR_INVALIDDATA; + /* select dequant matrix according to plane and band number */ if (!p) { 
quant_mat = (pic_conf.luma_bands > 1) ? i+1 : 0; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 4aab7abfd7..ea9082cadd 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -365,6 +365,25 @@ int ff_ivi_dec_tile_data_size(GetBitContext *gb) return len; } +static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs, + int blk_size) +{ + int buf_size = band->pitch * band->aheight - buf_offs; + int min_size = (blk_size - 1) * band->pitch + blk_size; + + if (!band->dc_transform) + return 0; + + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; + + band->dc_transform(prev_dc, band->buf + buf_offs, + band->pitch, blk_size); + + return 0; +} + static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, ivi_mc_func mc, int mv_x, int mv_y, int *prev_dc, int is_intra, int mc_type, @@ -380,6 +399,12 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, int num_coeffs = blk_size * blk_size; int col_mask = blk_size - 1; int scan_pos = -1; + int min_size = band->pitch * (band->transform_size - 1) + + band->transform_size; + int buf_size = band->pitch * band->aheight - offs; + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; if (!band->scan) return AVERROR_INVALIDDATA; @@ -526,9 +551,9 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ if (is_intra) { - if (band->dc_transform) - band->dc_transform(&prev_dc, band->buf + buf_offs, - band->pitch, blk_size); + ret = ivi_dc_transform(band, &prev_dc, buf_offs, blk_size); + if (ret < 0) + return ret; } else { ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, buf_offs, mv_x, mv_y, band->pitch, mc_type); diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 07736f25f3..b47d5d26c6 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h 
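Review bot: in `ivi_dc_transform()` (hunk `@@ -365,6 +365,25 @@`), `buf_size` is computed as `band->pitch * band->aheight - buf_offs` without first rejecting a negative `buf_offs`. A negative offset makes `buf_size` larger, `min_size > buf_size` stays false, and `band->buf + buf_offs` then points before the buffer. Adding `if (buf_offs < 0) return AVERROR_INVALIDDATA;` ahead of the size computation closes that, and the same applies to `offs` in the check added to `ivi_decode_coded_blocks()` in the next hunk. Style: there is a doubled blank line after the `return 0;` of the `!band->dc_transform` case.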
@@ -162,6 +162,7 @@ typedef struct { int num_tiles; ///< number of tiles in this band IVITile *tiles; ///< array of tile descriptors InvTransformPtr *inv_transform; + int transform_size; DCTransformPtr *dc_transform; int is_2d_trans; ///< 1 indicates that the two-dimensional inverse transform is used int32_t checksum; ///< for debug purposes From a0b8f85f29883f538a32593bc3c6f712c972ff70 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 14:06:16 +0200 Subject: [PATCH 658/991] indeo: Bound-check before applying motion compensation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 25a6666f6c07c6ac8449a63d7fbce0dfd29c54cd) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index ea9082cadd..5289d6c766 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -42,16 +42,22 @@ VLC ff_ivi_blk_vlc_tabs[8]; typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); -static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf, - int offs, int mv_x, int mv_y, uint32_t pitch, - int mc_type) +static int ivi_mc(IVIBandDesc *band, ivi_mc_func mc, + int offs, int mv_x, int mv_y, int mc_type) { - int ref_offs = offs + mv_y * pitch + mv_x; + int ref_offs = offs + mv_y * band->pitch + mv_x; + int buf_size = band->pitch * band->aheight; + int min_size = band->pitch * (band->blk_size - 1) + band->blk_size; + int ref_size = (mc_type > 1) * band->pitch + (mc_type & 1); - if (offs < 0 || ref_offs < 0 || !ref_buf) + if (offs < 0 || ref_offs < 0 || !band->ref_buf) + return AVERROR_INVALIDDATA; + if (buf_size - min_size < offs) + return AVERROR_INVALIDDATA; + if (buf_size - min_size - ref_size < ref_offs) return AVERROR_INVALIDDATA; - mc(buf + offs, ref_buf + ref_offs, pitch, mc_type); + mc(band->buf + offs, band->ref_buf + ref_offs, band->pitch, mc_type); return 0; } @@ -464,8 +470,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, /* apply motion compensation */ if (!is_intra) - return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y, - band->pitch, mc_type); + return ivi_mc(band, mc, offs, mv_x, mv_y, mc_type); return 0; } @@ -555,8 +560,8 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) if (ret < 0) return ret; } else { - ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, - buf_offs, mv_x, mv_y, band->pitch, mc_type); + ret = ivi_mc(band, mc_no_delta_func, buf_offs, + mv_x, mv_y, mc_type); if (ret < 0) return ret; } 
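Review bot: `ref_size` in the rewritten `ivi_mc()` (PATCH 658/991, hunk `@@ -42,16 +42,22 @@`) needs a comment. `(mc_type > 1) * band->pitch + (mc_type & 1)` reserves one extra row when `mc_type` is above 1 and one extra sample when its low bit is set, but nothing in the hunk says which `mc_type` values those are or why the reference read extends that far. A short comment or named constants for the `mc_type` values would let a reader verify the bound. The size products are also plain `int`; stating the assumed maximum of `band->pitch * band->aheight` would help confirm they cannot overflow.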
@@ -662,8 +667,8 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, for (blk = 0; blk < num_blocks; blk++) { /* adjust block position in the buffer according with its number */ offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch); - ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, - offs, mv_x, mv_y, band->pitch, mc_type); + ret = ivi_mc(band, mc_no_delta_func, offs, + mv_x, mv_y, mc_type); if (ret < 0) return ret; } From 7999ff8966e0d8cb2ad8229d7740b4b83741708f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 15:48:17 +0200 Subject: [PATCH 659/991] indeo: Sanitize ff_ivi_init_planes fail paths Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 28dda8a691f1c723a4a9365ab85f9625f1330096) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 1 + libavcodec/indeo5.c | 4 ++-- libavcodec/ivi_common.c | 5 +++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 74b3ef001b..565bd15232 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -211,6 +211,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) { if (ff_ivi_init_planes(ctx->planes, &pic_conf)) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n"); + ctx->pic_conf.luma_bands = 0; return AVERROR(ENOMEM); } diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index c06d46da3e..f637e70f98 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c 
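Review bot: the indeo4.c `decode_pic_hdr()` hunk (PATCH 659/991) still returns `AVERROR(ENOMEM)` for any failure of `ff_ivi_init_planes()`, while this same patch makes that function return `AVERROR_INVALIDDATA` for bad dimensions or band counts. Storing the return value and passing it on, the way the indeo5.c caller stores it in `result`, keeps the error code accurate. A comment explaining why `ctx->pic_conf.luma_bands` is cleared on this path would also help.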
@@ -113,7 +113,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) } /* check if picture layout was changed and reallocate buffers */ - if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) { + if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf) || ctx->gop_invalid) { result = ff_ivi_init_planes(ctx->planes, &pic_conf); if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n"); @@ -314,9 +314,9 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - ctx->gop_invalid = 1; if ((ret = decode_gop_header(ctx, avctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + ctx->gop_invalid = 1; return ret; } ctx->gop_invalid = 0; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 5289d6c766..3c5759b71f 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -205,6 +205,10 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) ff_ivi_free_buffers(planes); + if (cfg->pic_width < 1 || cfg->pic_height < 1 || + cfg->luma_bands < 1 || cfg->chroma_bands < 1) + return AVERROR_INVALIDDATA; + /* fill in the descriptor of the luminance plane */ planes[0].width = cfg->pic_width; planes[0].height = cfg->pic_height; @@ -279,6 +283,7 @@ void av_cold ff_ivi_free_buffers(IVIPlaneDesc *planes) av_freep(&planes[p].bands[b].tiles); } av_freep(&planes[p].bands); + planes[p].num_bands = 0; } } From 53c76b68036b4ca81b1342a4c51125c917c26e75 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 16:49:43 +0200 Subject: [PATCH 660/991] indeo: Do not reference mismatched tiles Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f9e5261cab067be7278f73d515bc9b601eb56202) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 3c5759b71f..91a42b152f 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -312,6 +312,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile, tile->ref_mbs = 0; if (p || b) { + if (tile->num_MBs != ref_tile->num_MBs) + return AVERROR_INVALIDDATA; tile->ref_mbs = ref_tile->mbs; ref_tile++; } From cd9b0bb07a66d3299bd62922e9dfa742219abe79 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 7 Jun 2013 16:16:46 +0200 Subject: [PATCH 661/991] 4xm: validate the buffer size before parsing it Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 77d15d5803..52c16cfd77 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -382,6 +382,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){ unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset; if(f->version>1){ + if (length < 20) + return AVERROR_INVALIDDATA; extra=20; bitstream_size= AV_RL32(buf+8); wordstream_size= AV_RL32(buf+12); 
@@ -734,18 +736,28 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, temp; int i, frame_4cc, frame_size; - frame_4cc= AV_RL32(buf); - if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){ - av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4)); + if (buf_size < 20) + return AVERROR_INVALIDDATA; + + if (buf_size < AV_RL32(buf + 4) + 8) { + av_log(f->avctx, AV_LOG_ERROR, + "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); } + frame_4cc = AV_RL32(buf); + if(frame_4cc == AV_RL32("cfrm")){ int free_index=-1; - const int data_size= buf_size - 20; - const int id= AV_RL32(buf+12); - const int whole_size= AV_RL32(buf+16); + int id, whole_size; + const int data_size = buf_size - 20; CFrameBuffer *cfrm; + if (data_size < 0) + return AVERROR_INVALIDDATA; + + id = AV_RL32(buf + 12); + whole_size = AV_RL32(buf + 16); + for(i=0; icfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id); From 12dc01bb1f07112cd7eb31e183d75cb3c0fb92ca Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 7 Jun 2013 16:18:22 +0200 Subject: [PATCH 662/991] 4xm: do not overread the prestream buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be373cb50d3c411366fec7eef2eb3681abe48f96) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 52c16cfd77..3d026febe3 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -535,7 +535,10 @@ static int decode_i_mb(FourXContext *f){ return 0; } -static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){ +static const uint8_t *read_huffman_tables(FourXContext *f, + const uint8_t * const buf, + int len) +{ int frequency[512]; uint8_t flag[512]; int up[512]; 
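Review bot: in the `decode_frame()` hunk of PATCH 661/991 (`@@ -734,18 +736,28 @@`), the `buf_size < AV_RL32(buf + 4) + 8` branch only logs "size mismatch" and then continues decoding, so a packet shorter than its declared size is still parsed; returning `AVERROR_INVALIDDATA` there would match the other new checks. The sum `AV_RL32(buf + 4) + 8` can also wrap for a declared size near the 32-bit maximum, which `buf_size - 8 < AV_RL32(buf + 4)` avoids. The later `if (data_size < 0)` is unreachable, because `buf_size < 20` has already returned.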
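Review bot: the `len` parameter added to `read_huffman_tables()` (PATCH 662/991) is not charged for every byte the loop consumes. In the loop hunk that follows, each pass reads `start= *ptr++` before any check and then `end= *ptr++`, but only the single `--len` accounts for those two bytes, so the count drifts by one byte per pass and the last reads can land past `prestream_size`. Checking against an end pointer, or decrementing and testing `len` before each of the two reads, would keep the accounting exact.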
@@ -553,12 +556,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const for(;;){ int i; + len -= end - start + 1; + + if (end < start || len < 0) + return NULL; + for(i=start; i<=end; i++){ frequency[i]= *ptr++; } start= *ptr++; if(start==0) break; + if (--len < 0) + return NULL; + end= *ptr++; } frequency[256]=1; @@ -691,7 +702,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ return -1; } - prestream = read_huffman_tables(f, prestream); + prestream = read_huffman_tables(f, prestream, prestream_size); if (!prestream) { av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); return AVERROR_INVALIDDATA; From c25bbb6fdbfb7332af302e0366fc2c2d60b44c72 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Jul 2013 12:44:19 +0200 Subject: [PATCH 663/991] 4xm: Reject not a multiple of 16 dimension Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2f034f255c49050e894ab9b88087c09ebe249f3f) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 3d026febe3..159ca9ce29 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -750,6 +750,12 @@ static int decode_frame(AVCodecContext *avctx, if (buf_size < 20) return AVERROR_INVALIDDATA; + if (avctx->width % 16 || avctx->height % 16) { + av_log(avctx, AV_LOG_ERROR, + "Dimensions non-multiple of 16 are invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); From 2da49df19e115becdddf60f8704889868ca2f56b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 14 Jan 2013 05:32:38 +0100 Subject: [PATCH 664/991] lavc: set the default rc_initial_buffer_occupancy rc_buffer_size is not set before. Solve the initial rate control underflow issue reported in bug 222. CC: libav-stable@libav.org 
Signed-off-by: Luca Barbato (cherry picked from commit bff3607547fdbb6e32b3830a351e6a33280c1e0d) Signed-off-by: Luca Barbato --- avconv.c | 2 -- libavcodec/utils.c | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/avconv.c b/avconv.c index 90b72fda11..212d948905 100644 --- a/avconv.c +++ b/avconv.c @@ -3664,8 +3664,6 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc) if (p) p++; } video_enc->rc_override_count = i; - if (!video_enc->rc_initial_buffer_occupancy) - video_enc->rc_initial_buffer_occupancy = video_enc->rc_buffer_size * 3 / 4; video_enc->intra_dc_precision = intra_dc_precision - 8; /* two pass mode */ diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f64bff8ff6..7902e987ca 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -810,6 +810,9 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD } else if (avctx->channel_layout) { avctx->channels = av_get_channel_layout_nb_channels(avctx->channel_layout); } + + if (!avctx->rc_initial_buffer_occupancy) + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; } if(avctx->codec->init && !(avctx->active_thread_type&FF_THREAD_FRAME)){ From a9ebc17b2dd5518730213c672dce714a7a50d8ca Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 8 Aug 2013 19:44:19 +0200 Subject: [PATCH 665/991] rtmp: Do not misuse memcmp CC: libav-stable@libav.org (cherry picked from commit 5718e3487ba3b26aba341070be0b6b0b4de45ea3) Signed-off-by: Luca Barbato Conflicts: libavformat/rtmppkt.h libavformat/rtmpproto.c --- libavformat/rtmppkt.c | 33 +++++++++++++++++++++++++++++++++ libavformat/rtmppkt.h | 7 +++++++ libavformat/rtmpproto.c | 9 +++++---- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 750dd78e5f..9ca4bf307b 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
@@ -448,3 +448,36 @@ void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p) av_log(ctx, AV_LOG_DEBUG, "\n"); } } + +int ff_amf_match_string(const uint8_t *data, int size, const char *str) +{ + int len = strlen(str); + int amf_len, type; + + if (size < 1) + return 0; + + type = *data++; + + if (type != AMF_DATA_TYPE_LONG_STRING && + type != AMF_DATA_TYPE_STRING) + return 0; + + if (type == AMF_DATA_TYPE_LONG_STRING) { + if ((size -= 4 + 1) < 0) + return 0; + amf_len = bytestream_get_be32(&data); + } else { + if ((size -= 2 + 1) < 0) + return 0; + amf_len = bytestream_get_be16(&data); + } + + if (amf_len > size) + return 0; + + if (amf_len != len) + return 0; + + return !memcmp(data, str, len); +} diff --git a/libavformat/rtmppkt.h b/libavformat/rtmppkt.h index 765ca2d9cf..04eacf8f78 100644 --- a/libavformat/rtmppkt.h +++ b/libavformat/rtmppkt.h @@ -218,6 +218,13 @@ void ff_amf_write_field_name(uint8_t **dst, const char *str); */ void ff_amf_write_object_end(uint8_t **dst); +/** + * Match AMF string with a NULL-terminated string. + * + * @return 0 if the strings do not match. + */ +int ff_amf_match_string(const uint8_t *data, int size, const char *str); + /** @} */ // AMF funcs #endif /* AVFORMAT_RTMPPKT_H */ diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 9e2a7ab73b..8dc8f0aa44 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c 
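Review bot: `ff_amf_match_string()` (PATCH 665/991) accepts both `AMF_DATA_TYPE_STRING` and `AMF_DATA_TYPE_LONG_STRING`, but the converted callers in rtmpproto.c keep the fixed offsets `pkt->data + 9` and `pkt->data + 11`, which equal the 1-byte type plus 2-byte length plus the name only for the short form. After a long-string match those offsets point 2 bytes short of the end of the name. Either restrict the helper to the short form or have it report how many bytes it consumed so the callers can skip that amount. In the header comment, "NULL-terminated" should read "NUL-terminated", and `size` deserves a line saying it is the number of bytes available at `data`.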
@@ -588,14 +588,14 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt) break; case RTMP_PT_INVOKE: //TODO: check for the messages sent for wrong state? - if (!memcmp(pkt->data, "\002\000\006_error", 9)) { + if (ff_amf_match_string(pkt->data, pkt->size, "_error")) { uint8_t tmpstr[256]; if (!ff_amf_get_field_value(pkt->data + 9, data_end, "description", tmpstr, sizeof(tmpstr))) av_log(s, AV_LOG_ERROR, "Server error: %s\n",tmpstr); return -1; - } else if (!memcmp(pkt->data, "\002\000\007_result", 10)) { + } else if (ff_amf_match_string(pkt->data, pkt->size, "_result")) { switch (rt->state) { case STATE_HANDSHAKED: if (!rt->is_input) { @@ -636,7 +636,7 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt) rt->state = STATE_READY; break; } - } else if (!memcmp(pkt->data, "\002\000\010onStatus", 11)) { + } else if (ff_amf_match_string(pkt->data, pkt->size, "onStatus")) { const uint8_t* ptr = pkt->data + 11; uint8_t tmpstr[256]; @@ -724,7 +724,8 @@ static int get_packet(URLContext *s, int for_header) continue; } if (rpkt.type == RTMP_PT_VIDEO || rpkt.type == RTMP_PT_AUDIO || - (rpkt.type == RTMP_PT_NOTIFY && !memcmp("\002\000\012onMetaData", rpkt.data, 13))) { + (rpkt.type == RTMP_PT_NOTIFY && + ff_amf_match_string(rpkt.data, rpkt.size, "onMetaData"))) { ts = rpkt.timestamp; // generate packet header and put data into buffer for FLV demuxer From 5312fb828751109798780f4e17d5f77dfd3d5398 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Jul 2013 23:26:05 +0200 Subject: [PATCH 666/991] 8bps: Bound-check the input buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd7b4da0f4627bb6c4a7c2575da83fe6b261a21c) Signed-off-by: Luca Barbato Conflicts: libavcodec/8bps.c --- libavcodec/8bps.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index de8dd8ee84..b54c804d1c 100644 
--- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -69,7 +69,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; - const unsigned char *lp, *dp; + const unsigned char *lp, *dp, *ep; unsigned char count; unsigned int px_inc; unsigned int planes = c->planes; @@ -85,6 +85,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac return -1; } + ep = encoded + buf_size; + /* Set data pointer after line lengths */ dp = encoded + planes * (height << 1); @@ -102,16 +104,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac for(row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; pixptr_end = pixptr + c->pic.linesize[0]; + if (ep - lp < row * 2 + 2) + return AVERROR_INVALIDDATA; dlen = av_be2ne16(*(const unsigned short *)(lp+row*2)); /* Decode a row of this plane */ while(dlen > 0) { - if(dp + 1 >= buf+buf_size) return -1; + if(ep - dp <= 1) return -1; if ((count = *dp++) <= 127) { count++; dlen -= count + 1; if (pixptr + count * px_inc > pixptr_end) break; - if(dp + count > buf+buf_size) return -1; + if(ep - dp < count) return -1; while(count--) { *pixptr = *dp++; pixptr += px_inc; From 067713f15989dd0b8c0888a3b43fd193819a1058 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 8 Oct 2013 22:30:14 -0400 Subject: [PATCH 667/991] rtmp: rename data_size to size (cherry picked from commit ba5393a609c723ec8ab7f9727c10fef734c09278) Signed-off-by: Luca Barbato Conflicts: libavformat/rtmppkt.c libavformat/rtmpproto.c --- libavformat/rtmppkt.c | 74 ++++++++++++++++++++--------------------- libavformat/rtmppkt.h | 2 +- libavformat/rtmpproto.c | 34 +++++++++---------- 3 files changed, 55 insertions(+), 55 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 8c455a09f0..750dd78e5f 100644 
--- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -75,26 +75,26 @@ int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p, int chunk_size, RTMPPacket *prev_pkt) { uint8_t hdr, t, buf[16]; - int channel_id, timestamp, data_size, offset = 0; + int channel_id, timestamp, size, offset = 0; uint32_t extra = 0; enum RTMPPacketType type; - int size = 0; + int written = 0; if (ffurl_read(h, &hdr, 1) != 1) return AVERROR(EIO); - size++; + written++; channel_id = hdr & 0x3F; if (channel_id < 2) { //special case for channel number >= 64 buf[1] = 0; if (ffurl_read_complete(h, buf, channel_id + 1) != channel_id + 1) return AVERROR(EIO); - size += channel_id + 1; + written += channel_id + 1; channel_id = AV_RL16(buf) + 64; } - data_size = prev_pkt[channel_id].data_size; - type = prev_pkt[channel_id].type; - extra = prev_pkt[channel_id].extra; + size = prev_pkt[channel_id].size; + type = prev_pkt[channel_id].type; + extra = prev_pkt[channel_id].extra; hdr >>= 6; if (hdr == RTMP_PS_ONEBYTE) { @@ -102,21 +102,21 @@ int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p, } else { if (ffurl_read_complete(h, buf, 3) != 3) return AVERROR(EIO); - size += 3; + written += 3; timestamp = AV_RB24(buf); if (hdr != RTMP_PS_FOURBYTES) { if (ffurl_read_complete(h, buf, 3) != 3) return AVERROR(EIO); - size += 3; - data_size = AV_RB24(buf); + written += 3; + size = AV_RB24(buf); if (ffurl_read_complete(h, buf, 1) != 1) return AVERROR(EIO); - size++; + written++; type = buf[0]; if (hdr == RTMP_PS_TWELVEBYTES) { if (ffurl_read_complete(h, buf, 4) != 4) return AVERROR(EIO); - size += 4; + written += 4; extra = AV_RL32(buf); } } 
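Review bot: in `ff_rtmp_packet_read()` the byte counter is renamed from `size` to `written`, but this function only reads from the connection, so `written` is misleading here and fits `ff_rtmp_packet_write()` only. A neutral name such as `consumed` or `nb_bytes` would work for both functions.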
@@ -129,33 +129,33 @@ int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p, if (hdr != RTMP_PS_TWELVEBYTES) timestamp += prev_pkt[channel_id].timestamp; - if (ff_rtmp_packet_create(p, channel_id, type, timestamp, data_size)) + if (ff_rtmp_packet_create(p, channel_id, type, timestamp, size)) return -1; p->extra = extra; // save history prev_pkt[channel_id].channel_id = channel_id; prev_pkt[channel_id].type = type; - prev_pkt[channel_id].data_size = data_size; + prev_pkt[channel_id].size = size; prev_pkt[channel_id].ts_delta = timestamp - prev_pkt[channel_id].timestamp; prev_pkt[channel_id].timestamp = timestamp; prev_pkt[channel_id].extra = extra; - while (data_size > 0) { - int toread = FFMIN(data_size, chunk_size); + while (size > 0) { + int toread = FFMIN(size, chunk_size); if (ffurl_read_complete(h, p->data + offset, toread) != toread) { ff_rtmp_packet_destroy(p); return AVERROR(EIO); } - data_size -= chunk_size; - offset += chunk_size; - size += chunk_size; - if (data_size > 0) { + size -= chunk_size; + offset += chunk_size; + written += chunk_size; + if (size > 0) { ffurl_read_complete(h, &t, 1); //marker - size++; + written++; if (t != (0xC0 + channel_id)) return -1; } } - return size; + return written; } int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, @@ -164,7 +164,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, uint8_t pkt_hdr[16], *p = pkt_hdr; int mode = RTMP_PS_TWELVEBYTES; int off = 0; - int size = 0; + int written = 0; pkt->ts_delta = pkt->timestamp - prev_pkt[pkt->channel_id].timestamp; @@ -172,7 +172,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, if (prev_pkt[pkt->channel_id].channel_id && pkt->extra == prev_pkt[pkt->channel_id].extra) { if (pkt->type == prev_pkt[pkt->channel_id].type && - pkt->data_size == prev_pkt[pkt->channel_id].data_size) { + pkt->size == prev_pkt[pkt->channel_id].size) { mode = RTMP_PS_FOURBYTES; if (pkt->ts_delta == prev_pkt[pkt->channel_id].ts_delta) mode = RTMP_PS_ONEBYTE; 
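Review bot: in the `@@ -129,33 +129,33 @@` hunk of `ff_rtmp_packet_read()`, the loop reads `toread = FFMIN(size, chunk_size)` bytes but then advances with `written += chunk_size`, so the returned count is too large whenever the last chunk is shorter than `chunk_size`; adding `toread` instead keeps it exact. Since these lines are being touched anyway, the marker read `ffurl_read_complete(h, &t, 1)` also has its return value ignored before `t` is compared, and the `return -1` on a marker mismatch skips the `ff_rtmp_packet_destroy(p)` that the read-failure path just above performs.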
@@ -196,7 +196,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, timestamp = pkt->ts_delta; bytestream_put_be24(&p, timestamp >= 0xFFFFFF ? 0xFFFFFF : timestamp); if (mode != RTMP_PS_FOURBYTES) { - bytestream_put_be24(&p, pkt->data_size); + bytestream_put_be24(&p, pkt->size); bytestream_put_byte(&p, pkt->type); if (mode == RTMP_PS_TWELVEBYTES) bytestream_put_le32(&p, pkt->extra); @@ -207,7 +207,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, // save history prev_pkt[pkt->channel_id].channel_id = pkt->channel_id; prev_pkt[pkt->channel_id].type = pkt->type; - prev_pkt[pkt->channel_id].data_size = pkt->data_size; + prev_pkt[pkt->channel_id].size = pkt->size; prev_pkt[pkt->channel_id].timestamp = pkt->timestamp; if (mode != RTMP_PS_TWELVEBYTES) { prev_pkt[pkt->channel_id].ts_delta = pkt->ts_delta; @@ -217,18 +217,18 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, prev_pkt[pkt->channel_id].extra = pkt->extra; ffurl_write(h, pkt_hdr, p-pkt_hdr); - size = p - pkt_hdr + pkt->data_size; - while (off < pkt->data_size) { - int towrite = FFMIN(chunk_size, pkt->data_size - off); + written = p - pkt_hdr + pkt->size; + while (off < pkt->size) { + int towrite = FFMIN(chunk_size, pkt->size - off); ffurl_write(h, pkt->data + off, towrite); off += towrite; - if (off < pkt->data_size) { + if (off < pkt->size) { uint8_t marker = 0xC0 | pkt->channel_id; ffurl_write(h, &marker, 1); - size++; + written++; } } - return size; + return written; } int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type, @@ -239,7 +239,7 @@ int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type, if (!pkt->data) return AVERROR(ENOMEM); } - pkt->data_size = size; + pkt->size = size; pkt->channel_id = channel_id; pkt->type = type; pkt->timestamp = timestamp; 
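Review bot: ff_rtmp_packet_write() ignores every ffurl_write() result in the @@ -217,18 hunk (the header, each chunk, and each `0xC0 | pkt->channel_id` marker) and then returns `written`, which is precomputed as `p - pkt_hdr + pkt->size` plus the markers, so a failed or partial write is reported to the caller as a complete one. Since the patch already touches this accounting, return the error from the first failing ffurl_write() instead of the precomputed total.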
@@ -254,7 +254,7 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) if (!pkt) return; av_freep(&pkt->data); - pkt->data_size = 0; + pkt->size = 0; } int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) @@ -426,9 +426,9 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p) { av_log(ctx, AV_LOG_DEBUG, "RTMP packet type '%s'(%d) for channel %d, timestamp %d, extra field %d size %d\n", - rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->data_size); + rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->size); if (p->type == RTMP_PT_INVOKE || p->type == RTMP_PT_NOTIFY) { - uint8_t *src = p->data, *src_end = p->data + p->data_size; + uint8_t *src = p->data, *src_end = p->data + p->size; while (src < src_end) { int sz; ff_amf_tag_contents(ctx, src, src_end); @@ -443,7 +443,7 @@ void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p) av_log(ctx, AV_LOG_DEBUG, "Client BW = %d\n", AV_RB32(p->data)); } else if (p->type != RTMP_PT_AUDIO && p->type != RTMP_PT_VIDEO && p->type != RTMP_PT_METADATA) { int i; - for (i = 0; i < p->data_size; i++) + for (i = 0; i < p->size; i++) av_log(ctx, AV_LOG_DEBUG, " %02X", p->data[i]); av_log(ctx, AV_LOG_DEBUG, "\n"); } diff --git a/libavformat/rtmppkt.h b/libavformat/rtmppkt.h index 8372484fbd..765ca2d9cf 100644 --- a/libavformat/rtmppkt.h +++ b/libavformat/rtmppkt.h @@ -80,7 +80,7 @@ typedef struct RTMPPacket { uint32_t ts_delta; ///< timestamp increment to the previous one in milliseconds (latter only for media packets) uint32_t extra; ///< probably an additional channel ID used during streaming data uint8_t *data; ///< packet payload - int data_size; ///< packet payload size + int size; ///< packet payload size } RTMPPacket; /** diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 867969a670..9e2a7ab73b 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c 
@@ -147,7 +147,7 @@ static void gen_connect(URLContext *s, RTMPContext *rt, const char *proto, } ff_amf_write_object_end(&p); - pkt.data_size = p - pkt.data; + pkt.size = p - pkt.data; ff_rtmp_packet_write(rt->stream, &pkt, rt->chunk_size, rt->prev_pkt[1]); ff_rtmp_packet_destroy(&pkt); @@ -549,7 +549,7 @@ static int rtmp_handshake(URLContext *s, RTMPContext *rt) static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt) { int i, t; - const uint8_t *data_end = pkt->data + pkt->data_size; + const uint8_t *data_end = pkt->data + pkt->size; #ifdef DEBUG ff_rtmp_packet_dump(s, pkt); @@ -557,9 +557,9 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt) switch (pkt->type) { case RTMP_PT_CHUNK_SIZE: - if (pkt->data_size != 4) { + if (pkt->size != 4) { av_log(s, AV_LOG_ERROR, - "Chunk size change packet is not 4 bytes long (%d)\n", pkt->data_size); + "Chunk size change packet is not 4 bytes long (%d)\n", pkt->size); return -1; } if (!rt->is_input) @@ -577,10 +577,10 @@ static int rtmp_parse_result(URLContext *s, RTMPContext *rt, RTMPPacket *pkt) gen_pong(s, rt, pkt); break; case RTMP_PT_CLIENT_BW: - if (pkt->data_size < 4) { + if (pkt->size < 4) { av_log(s, AV_LOG_ERROR, "Client bandwidth report packet is less than 4 bytes long (%d)\n", - pkt->data_size); + pkt->size); return -1; } av_log(s, AV_LOG_DEBUG, "Client bandwidth = %d\n", AV_RB32(pkt->data)); @@ -683,7 +683,7 @@ static int get_packet(URLContext *s, int for_header) int ret; uint8_t *p; const uint8_t *next; - uint32_t data_size; + uint32_t size; uint32_t ts, cts, pts=0; if (rt->state == STATE_STOPPED) @@ -719,7 +719,7 @@ static int get_packet(URLContext *s, int for_header) ff_rtmp_packet_destroy(&rpkt); return 0; } - if (!rpkt.data_size || !rt->is_input) { + if (!rpkt.size || !rt->is_input) { ff_rtmp_packet_destroy(&rpkt); continue; } 
@@ -729,28 +729,28 @@ static int get_packet(URLContext *s, int for_header) // generate packet header and put data into buffer for FLV demuxer rt->flv_off = 0; - rt->flv_size = rpkt.data_size + 15; + rt->flv_size = rpkt.size + 15; rt->flv_data = p = av_realloc(rt->flv_data, rt->flv_size); bytestream_put_byte(&p, rpkt.type); - bytestream_put_be24(&p, rpkt.data_size); + bytestream_put_be24(&p, rpkt.size); bytestream_put_be24(&p, ts); bytestream_put_byte(&p, ts >> 24); bytestream_put_be24(&p, 0); - bytestream_put_buffer(&p, rpkt.data, rpkt.data_size); + bytestream_put_buffer(&p, rpkt.data, rpkt.size); bytestream_put_be32(&p, 0); ff_rtmp_packet_destroy(&rpkt); return 0; } else if (rpkt.type == RTMP_PT_METADATA) { // we got raw FLV data, make it available for FLV demuxer rt->flv_off = 0; - rt->flv_size = rpkt.data_size; + rt->flv_size = rpkt.size; rt->flv_data = av_realloc(rt->flv_data, rt->flv_size); /* rewrite timestamps */ next = rpkt.data; ts = rpkt.timestamp; - while (next - rpkt.data < rpkt.data_size - 11) { + while (next - rpkt.data < rpkt.size - 11) { next++; - data_size = bytestream_get_be24(&next); + size = bytestream_get_be24(&next); p=next; cts = bytestream_get_be24(&next); cts |= bytestream_get_byte(&next) << 24; @@ -760,9 +760,9 @@ static int get_packet(URLContext *s, int for_header) pts = cts; bytestream_put_be24(&p, ts); bytestream_put_byte(&p, ts >> 24); - next += data_size + 3 + 4; + next += size + 3 + 4; } - memcpy(rt->flv_data, rpkt.data, rpkt.data_size); + memcpy(rt->flv_data, rpkt.data, rpkt.size); ff_rtmp_packet_destroy(&rpkt); return 0; } @@ -776,7 +776,7 @@ static int rtmp_close(URLContext *h) if (!rt->is_input) { rt->flv_data = NULL; - if (rt->out_pkt.data_size) + if (rt->out_pkt.size) ff_rtmp_packet_destroy(&rt->out_pkt); if (rt->state > STATE_FCPUBLISH) gen_fcunpublish_stream(h, rt); From e930b112d14d7acd050d5087d11b6dd4c56a8e4e Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 4 May 2013 07:40:09 +0200 Subject: [PATCH 668/991] oma: refactor seek function Properly propagate seek errors from avio and the generic pcm seek. (cherry picked from commit 4f03a77e52596cbe9ec179666ddb3e0345a8133a) Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 48cc4327b9..42272480f9 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -422,22 +422,26 @@ static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t ti { OMAContext *oc = s->priv_data; - pcm_read_seek(s, stream_index, timestamp, flags); + int err = pcm_read_seek(s, stream_index, timestamp, flags); - if (oc->encrypted) { - /* readjust IV for CBC */ - int64_t pos = avio_tell(s->pb); - if (pos < oc->content_start) - memset(oc->iv, 0, 8); - else { - if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) { - memset(oc->iv, 0, 8); - return -1; - } - } + if (!oc->encrypted) + return err; + + /* readjust IV for CBC */ + if (err || avio_tell(s->pb) < oc->content_start) + goto wipe; + if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0) + goto wipe; + if ((err = avio_read(s->pb, oc->iv, 8)) < 8) { + if (err >= 0) + err = AVERROR_EOF; + goto wipe; } return 0; +wipe: + memset(oc->iv, 0, 8); + return err; } AVInputFormat ff_oma_demuxer = { From b98a824c3e97a2e40eb9fd5daa64001ecd4b7f5a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 17 Apr 2013 21:07:09 +0200 Subject: [PATCH 669/991] oma: check geob tag boundary Prevent read after buffer boundary on corrupted tag. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9d0b45ade864f3d2ccd8610149fe1fff53c4e937) 
Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 42272480f9..860b876b8c 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -113,13 +113,18 @@ static int kset(AVFormatContext *s, const uint8_t *r_val, const uint8_t *n_val, return 0; } -static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val) +#define OMA_RPROBE_M_VAL 48 + 1 + +static int rprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, + const uint8_t *r_val) { OMAContext *oc = s->priv_data; unsigned int pos; struct AVDES av_des; - if (!enc_header || !r_val) + if (!enc_header || !r_val || + size < OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size || + size < OMA_RPROBE_M_VAL) return -1; /* m_val */ @@ -140,19 +145,25 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val) return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0; } -static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val) +static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, + const uint8_t *n_val) { OMAContext *oc = s->priv_data; - uint32_t pos, taglen, datalen; + uint64_t pos; + uint32_t taglen, datalen; struct AVDES av_des; - if (!enc_header || !n_val) + if (!enc_header || !n_val || + size < OMA_ENC_HEADER_SIZE + oc->k_size + 4) return -1; pos = OMA_ENC_HEADER_SIZE + oc->k_size; if (!memcmp(&enc_header[pos], "EKB ", 4)) pos += 32; + if (size < pos + 44) + return -1; + if (AV_RB32(&enc_header[pos]) != oc->rid) av_log(s, AV_LOG_DEBUG, "Mismatching RID\n"); 
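Review bot: `#define OMA_RPROBE_M_VAL 48 + 1` in the rprobe() hunk needs parentheses. It happens to work in `size < OMA_RPROBE_M_VAL`, but any use next to a higher-precedence operator, or as the right-hand side of a subtraction, would expand to the wrong value; write it as `(48 + 1)`. A short comment on what the 48 and the 1 stand for would also help, since the new size check depends on it.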
@@ -161,11 +172,14 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val) pos += 44 + taglen; + if (datalen << 4 > size - pos) + return -1; + av_des_init(&av_des, n_val, 192, 1); while (datalen-- > 0) { av_des_crypt(&av_des, oc->r_val, &enc_header[pos], 2, NULL, 1); kset(s, oc->r_val, NULL, 16); - if (!rprobe(s, enc_header, oc->r_val)) + if (!rprobe(s, enc_header, size, oc->r_val)) return 0; pos += 16; } @@ -228,15 +242,16 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) kset(s, s->key, s->key, s->keylen); } if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) || - rprobe(s, gdata, oc->r_val) < 0 && - nprobe(s, gdata, oc->n_val) < 0) { + rprobe(s, gdata, geob->datasize, oc->r_val) < 0 && + nprobe(s, gdata, geob->datasize, oc->n_val) < 0) { int i; for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) { uint8_t buf[16]; AV_WL64(buf, leaf_table[i]); AV_WL64(&buf[8], leaf_table[i+1]); kset(s, buf, buf, 16); - if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, oc->n_val)) + if (!rprobe(s, gdata, geob->datasize, oc->r_val) || + !nprobe(s, gdata, geob->datasize, oc->n_val)) break; } if (i >= sizeof(leaf_table)) { From 3cc05e0d9d24d0d6f2fdb1d49ec6b6d298816dae Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 17 Apr 2013 21:19:23 +0200 Subject: [PATCH 670/991] oma: correctly mark and decrypt partial packets Incomplete crypted files would lead to a read after buffer boundary otherwise. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2219e27b5b17d146e4ab71a3ed86dfc013fb7a93) Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 860b876b8c..9e8b43b3c5 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
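Review bot: the new bound `if (datalen << 4 > size - pos)` in nprobe() (omadec.c, hunk @@ -161,11) can be bypassed because both sides can wrap. `datalen` is declared `uint32_t`, so the shift is evaluated in 32 bits and any value of 0x10000000 or more wraps to a small number; and after `pos += 44 + taglen` there is no visible check that `pos` is still within `size`, so `size - pos` can underflow to a very large unsigned value. In either case the `while (datalen-- > 0)` loop reads `enc_header[pos]` past the geob data, which is the condition this patch is meant to rule out. Suggest rejecting `pos > size` first and then comparing `datalen > (size - pos) >> 4`.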
@@ -392,14 +392,22 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) int packet_size = s->streams[0]->codec->block_align; int ret = av_get_packet(s->pb, pkt, packet_size); + if (ret < packet_size) + pkt->flags |= AV_PKT_FLAG_CORRUPT; + if (ret <= 0) return AVERROR(EIO); pkt->stream_index = 0; if (oc->encrypted) { - /* previous unencrypted block saved in IV for the next packet (CBC mode) */ - av_des_crypt(&oc->av_des, pkt->data, pkt->data, (packet_size >> 3), oc->iv, 1); + /* previous unencrypted block saved in IV for + * the next packet (CBC mode) */ + if (ret == packet_size) + av_des_crypt(&oc->av_des, pkt->data, pkt->data, + (packet_size >> 3), oc->iv, 1); + else + memset(oc->iv, 0, 8); } return ret; From d2eddcfc833fc55dfa447376f4c30e46851c3242 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 17 Nov 2012 18:07:42 +0100 Subject: [PATCH 671/991] nuv: return meaningful error codes. (cherry picked from commit 3344f5cb747bb1f54cc34878b66dc0536f194720) Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 459fd27df3..9b275e8637 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -84,7 +84,7 @@ static int get_quant(AVCodecContext *avctx, NuvContext *c, int i; if (size < 2 * 64 * 4) { av_log(avctx, AV_LOG_ERROR, "insufficient rtjpeg quant data\n"); - return -1; + return AVERROR_INVALIDDATA; } for (i = 0; i < 64; i++, buf += 4) c->lq[i] = AV_RL32(buf); 
@@ -107,25 +107,27 @@ static void get_quant_quality(NuvContext *c, int quality) { static int codec_reinit(AVCodecContext *avctx, int width, int height, int quality) { NuvContext *c = avctx->priv_data; + int ret; + width = FFALIGN(width, 2); height = FFALIGN(height, 2); if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { - if (av_image_check_size(height, width, 0, avctx) < 0) - return 0; + if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + return ret; avctx->width = c->width = width; avctx->height = c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2 + FF_INPUT_BUFFER_PADDING_SIZE); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 0; + return AVERROR(ENOMEM); } rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); } else if (quality != c->quality) rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); - return 1; + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, @@ -143,7 +145,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); - return -1; + return AVERROR_INVALIDDATA; } // codec data (rtjpeg quant tables) @@ -161,7 +163,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (buf[0] != 'V' || buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "not a nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } comptype = buf[1]; switch (comptype) { @@ -196,8 +198,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; - if (!codec_reinit(avctx, w, h, q)) - return -1; + if ((result = codec_reinit(avctx, w, h, q)) < 0) + return result; buf = &buf[RTJPEG_HEADER_SIZE]; buf_size -= RTJPEG_HEADER_SIZE; } 
@@ -210,7 +212,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, result = avctx->reget_buffer(avctx, &c->pic); if (result < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return result; } c->pic.pict_type = keyframe ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; @@ -244,7 +246,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } default: av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return -1; + return AVERROR_INVALIDDATA; } *picture = c->pic; @@ -254,6 +256,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, static av_cold int decode_init(AVCodecContext *avctx) { NuvContext *c = avctx->priv_data; + int ret; + avctx->pix_fmt = PIX_FMT_YUV420P; c->pic.data[0] = NULL; c->decomp_buf = NULL; @@ -264,8 +268,8 @@ static av_cold int decode_init(AVCodecContext *avctx) { if (avctx->extradata_size) get_quant(avctx, c, avctx->extradata, avctx->extradata_size); dsputil_init(&c->dsp, avctx); - if (!codec_reinit(avctx, avctx->width, avctx->height, -1)) - return 1; + if ((ret = codec_reinit(avctx, avctx->width, avctx->height, -1)) < 0) + return ret; return 0; } From cda26ab21eb574e7e39b0a329941d87754b8c477 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 12 Aug 2013 00:16:12 +0200 Subject: [PATCH 672/991] nuv: Do not ignore lzo decompression failures Update the fate reference since the last broken frame is not decoded anymore. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit aae159a7cc4df7d0521901022b778c9da251c24e) Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 4 +++- tests/ref/fate/nuv | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 519b550bcd..b4e21bf0dd 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c 
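Review bot: decode_init() in nuv.c still calls `get_quant(avctx, c, avctx->extradata, avctx->extradata_size);` without looking at the result, although this patch makes get_quant() return AVERROR_INVALIDDATA for undersized quant data. With short extradata the decoder therefore initializes successfully without the quant tables having been loaded. Propagate the error the same way the new `codec_reinit()` check just below it does.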
@@ -177,8 +177,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { int outlen = c->decomp_size, inlen = buf_size; - if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) + if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); + return AVERROR_INVALIDDATA; + } buf = c->decomp_buf; buf_size = c->decomp_size; } diff --git a/tests/ref/fate/nuv b/tests/ref/fate/nuv index f1fcae3883..c43c09cf85 100644 --- a/tests/ref/fate/nuv +++ b/tests/ref/fate/nuv @@ -18,7 +18,6 @@ 1, 20898, 4096, 0x28f7c6e5 0, 21021, 460800, 0x4b7f4df0 1, 22988, 4096, 0xca9d9df2 -0, 24024, 460800, 0xb30eb322 1, 25078, 4096, 0x5c6b95a9 1, 27167, 4096, 0x0bdfc0bf 1, 29257, 4096, 0xd95a9277 From c1ebdef01b016b24b8ec322efdbc31da2639addd Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Aug 2013 07:01:40 +0200 Subject: [PATCH 673/991] nuv: Use av_fast_realloc The decompressed buffer can be used after codec_reinit, so it must be preserved. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2df0776c2293efb0ac12c003843ce19332342e01) Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 9b275e8637..8545d863d9 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c 
@@ -114,16 +114,20 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { + void *ptr; if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) return ret; avctx->width = c->width = width; avctx->height = c->height = height; - av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2 + - FF_INPUT_BUFFER_PADDING_SIZE); - if (!c->decomp_buf) { + ptr = av_fast_realloc(c->decomp_buf, &c->decomp_size, + c->height * c->width * 3 / 2 + + FF_INPUT_BUFFER_PADDING_SIZE + + RTJPEG_HEADER_SIZE); + if (!ptr) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); return AVERROR(ENOMEM); - } + } else + c->decomp_buf = ptr; rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); } else if (quality != c->quality) rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); @@ -200,6 +204,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, q = buf[10]; if ((result = codec_reinit(avctx, w, h, q)) < 0) return result; + if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) + buf = c->decomp_buf; buf = &buf[RTJPEG_HEADER_SIZE]; buf_size -= RTJPEG_HEADER_SIZE; } From 4a11d773f9f7e9c21416264c30d4a260d1dc49a6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 11 Aug 2013 20:35:40 +0200 Subject: [PATCH 674/991] nuv: check rtjpeg_decode_frame_yuv420 return value CC: libav-stable@libav.org (cherry picked from commit 85ac12587bfef970d0e0e4abc292df346daf8478) Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index ea5e9ee042..1c07089a07 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c 
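Review bot: in codec_reinit() (nuv.c, hunk @@ -114,16) the new dimensions are stored in `c->width`/`c->height` and in `avctx` before av_fast_realloc() is known to have succeeded. If the allocation fails and the next frame carries the same size, the `width != c->width || height != c->height` test is false, the reallocation is skipped, and decoding continues with a buffer that was never grown. Assign the dimensions only after `c->decomp_buf = ptr`.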
@@ -145,6 +145,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int orig_size = buf_size; int keyframe; int result; + int ret; enum {NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1', NUV_RTJPEG_IN_LZO = '2', NUV_LZO = '3', NUV_BLACK = 'N', NUV_COPY_LAST = 'L'} comptype; @@ -239,7 +240,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: { - rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size); + ret = rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size); + if (ret < 0) + return ret; break; } case NUV_BLACK: { From 36fc320747a768335ae4538a24a5739033b7eb74 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 12 Aug 2013 11:34:06 +0200 Subject: [PATCH 675/991] nuv: Pad the lzo outbuf And properly update the buf_size with the correct size. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 075dbc185521f193c98b896cd63be3ec2613df5d) Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index b4e21bf0dd..459fd27df3 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -116,7 +116,8 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit return 0; avctx->width = c->width = width; avctx->height = c->height = height; - av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2); + av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2 + + FF_INPUT_BUFFER_PADDING_SIZE); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); return 0; 
@@ -176,13 +177,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, buf = &buf[12]; buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { - int outlen = c->decomp_size, inlen = buf_size; + int outlen = c->decomp_size - FF_INPUT_BUFFER_PADDING_SIZE; + int inlen = buf_size; if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } buf = c->decomp_buf; - buf_size = c->decomp_size; + buf_size = outlen; } if (c->codec_frameheader) { int w, h, q; From abb41f19cc10fea09fb16d9ecc9967b2a78cf7b0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Aug 2013 06:01:48 +0200 Subject: [PATCH 676/991] nuv: Reset the frame on resize Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 8545d863d9..ea5e9ee042 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -129,6 +129,8 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit } else c->decomp_buf = ptr; rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); + if (c->pic.data[0]) + avctx->release_buffer(avctx, &c->pic); } else if (quality != c->quality) rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); return 0; From 8096691a681bdba8db5fcb6a1e843f73ef5d5cbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 23:52:54 +0200 Subject: [PATCH 677/991] avcodec/h264_refs: modify key frame detection heuristic to detect more cases Fixes Ticket2968 Signed-off-by: Michael Niedermayer (cherry picked from commit 5ac6b6028f17b64723884c9fa72cfcbd369a1ba2) Conflicts: libavcodec/h264_refs.c --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 926a6cc40d..b872759724 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -653,7 +653,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ print_short_term(h); print_long_term(h); - if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){ + if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){ s->current_picture_ptr->sync |= 1; if(!h->s.avctx->has_b_frames) h->sync = 2; From 558c1f35fa09e0f7f67eb27d7c0ff3dd05ba84cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2013 20:03:29 +0200 Subject: [PATCH 678/991] avcodec/h264: reduce noisiness of "mmco: unref short failure" Do not consider it an error if we have no frames and should discard one. This condition can easily happen when decoding is started from an I frame Fixes Ticket2811 Signed-off-by: Michael Niedermayer (cherry picked from commit 08a89761964bdd0a023eff6d37a1131fb7e1d7a0) Conflicts: libavcodec/h264_refs.c --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index b872759724..0ccbe62bcb 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -516,7 +516,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ if(!pic){ if(mmco[i].opcode != MMCO_SHORT2LONG || !h->long_ref[mmco[i].long_arg] || h->long_ref[mmco[i].long_arg]->frame_num != frame_num) { - av_log(h->s.avctx, AV_LOG_ERROR, "mmco: unref short failure\n"); + av_log(h->s.avctx, h->short_ref_count ? AV_LOG_ERROR : AV_LOG_DEBUG, "mmco: unref short failure\n"); err = AVERROR_INVALIDDATA; } continue; 
From c08127c5e6922e40ffc4e4f7ad26fd119a8a526f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2013 01:03:19 +0200 Subject: [PATCH 679/991] avformat/utils: do not override pts in h264 when they are provided from the demuxer Fixes Ticket2143 Signed-off-by: Michael Niedermayer (cherry picked from commit 1e5271a9fd6ddcceb083f2185a4bbd8d44c9a813) --- libavformat/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a06ef4377c..7e0476ca5f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1083,12 +1083,14 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, if (pkt->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp st->reference_dts = pkt->dts - pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } else if (st->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp pkt->dts = st->reference_dts + pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } + + if (st->reference_dts != AV_NOPTS_VALUE && pkt->pts == AV_NOPTS_VALUE) + pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; + if (pc->dts_sync_point > 0) st->reference_dts = pkt->dts; // new reference } From 5971631d84546466cf6bde65c71920239295e4d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 18 Aug 2013 17:40:51 +0200 Subject: [PATCH 680/991] ogg: Fix potential infinite discard loop Seeking in certain broken files would cause ogg_read_timestamp to fail because ogg_packet would go into a state where all packets of stream 1 would be discarded until the end of the stream. Bug-Id: 553 CC: libav-stable@libav.org Signed-off-by: Jan Gerber Signed-off-by: Luca Barbato (cherry picked from commit 9a27acae9e6b7d0bf74c5b878af9c42495a546f3) 
Signed-off-by: Luca Barbato Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 2a1c0a5f6f..8d59470549 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -376,7 +376,11 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize, if (!complete && os->segp == os->nsegs){ ogg->curidx = -1; - os->incomplete = 1; + // Do not set incomplete for empty packets. + // Together with the code in ogg_read_page + // that discards all continuation of empty packets + // we would get an infinite loop. + os->incomplete = !!os->psize; } }while (!complete); From 1682c9fb595d72e1502c94804c3bb53c35348c0d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 23:38:02 +0200 Subject: [PATCH 681/991] alsdec: Clean up error paths Fix at least a memory leak. CC: libav-stable@libav.org (cherry picked from commit ca488ad480360dfafcb5766f7bfbb567a0638979) Signed-off-by: Luca Barbato Conflicts: libavcodec/alsdec.c --- libavcodec/alsdec.c | 137 ++++++++++++++++++++++++-------------------- 1 file changed, 76 insertions(+), 61 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index b1fc1c05bd..b0369d7f4e 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -294,12 +294,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx) avctx->extradata_size * 8, 1); if (config_offset < 0) - return -1; + return AVERROR_INVALIDDATA; skip_bits_long(&gb, config_offset); if (get_bits_left(&gb) < (30 << 3)) - return -1; + return AVERROR_INVALIDDATA; // read the fixed items als_id = get_bits_long(&gb, 32); @@ -334,7 +334,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // check for ALSSpecificConfig struct if (als_id != MKBETAG('A','L','S','\0')) - return -1; + return AVERROR_INVALIDDATA; ctx->cur_frame_length = sconf->frame_length; 
@@ -349,7 +349,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) int chan_pos_bits = av_ceil_log2(avctx->channels); int bits_needed = avctx->channels * chan_pos_bits + 7; if (get_bits_left(&gb) < bits_needed) - return -1; + return AVERROR_INVALIDDATA; if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos)))) return AVERROR(ENOMEM); @@ -367,7 +367,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // read fixed header and trailer sizes, // if size = 0xFFFFFFFF then there is no data field! if (get_bits_left(&gb) < 64) - return -1; + return AVERROR_INVALIDDATA; header_size = get_bits_long(&gb, 32); trailer_size = get_bits_long(&gb, 32); @@ -381,10 +381,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // skip the header and trailer data if (get_bits_left(&gb) < ht_size) - return -1; + return AVERROR_INVALIDDATA; if (ht_size > INT32_MAX) - return -1; + return AVERROR_PATCHWELCOME; skip_bits_long(&gb, ht_size); @@ -392,7 +392,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // initialize CRC calculation if (sconf->crc_enabled) { if (get_bits_left(&gb) < 32) - return -1; + return AVERROR_INVALIDDATA; if (avctx->err_recognition & AV_EF_CRCCHECK) { ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); @@ -632,7 +632,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (bd->block_length & (sub_blocks - 1)) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); - return -1; + return AVERROR_INVALIDDATA; } sb_length = bd->block_length >> log2_sub_blocks; 
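Review bot: the "Block length is not evenly divisible by the number of subblocks." message in read_var_block_data() is still logged at AV_LOG_WARNING although this path returns AVERROR_INVALIDDATA and abandons the block. Raise it to AV_LOG_ERROR so the log level matches the outcome.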
@@ -963,18 +963,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) */ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) { + int ret = 0; GetBitContext *gb = &ctx->gb; *bd->shift_lsbs = 0; // read block type flag and read the samples accordingly if (get_bits1(gb)) { - if (read_var_block_data(ctx, bd)) - return -1; + ret = read_var_block_data(ctx, bd); } else { read_const_block_data(ctx, bd); } - return 0; + return ret; } @@ -983,12 +983,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) { unsigned int smp; + int ret = 0; // read block type flag and read the samples accordingly if (*bd->const_block) decode_const_block_data(ctx, bd); - else if (decode_var_block_data(ctx, bd)) - return -1; + else + ret = decode_var_block_data(ctx, bd); // always return 0 + + if (ret < 0) + return ret; // TODO: read RLSLMS extension data @@ -1006,14 +1010,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd) { int ret; - ret = read_block(ctx, bd); - - if (ret) + if ((ret = read_block(ctx, bd)) < 0) return ret; - ret = decode_block(ctx, bd); - - return ret; + return decode_block(ctx, bd); } @@ -1039,6 +1039,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, unsigned int c, const unsigned int *div_blocks, unsigned int *js_blocks) { + int ret; unsigned int b; ALSBlockData bd; @@ -1061,10 +1062,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; - if (read_decode_block(ctx, &bd)) { + if ((ret = read_decode_block(ctx, &bd)) < 0) { // damaged block, write zero for the rest of the frame zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples); - return -1; + return ret; } bd.raw_samples += div_blocks[b]; bd.ra_block = 0; 
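Review bot: in decode_block the trailing comment on ret = decode_var_block_data(ctx, bd) says the call always returns 0, which makes the new if (ret < 0) return ret; either dead code or the comment wrong. Drop the comment and keep the check, or make decode_var_block_data return void and remove ret from decode_block.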
@@ -1083,6 +1084,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, ALSSpecificConfig *sconf = &ctx->sconf; unsigned int offset = 0; unsigned int b; + int ret; ALSBlockData bd[2]; memset(bd, 0, 2 * sizeof(ALSBlockData)); @@ -1126,12 +1128,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, bd[0].raw_other = bd[1].raw_samples; bd[1].raw_other = bd[0].raw_samples; - if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) { - // damaged block, write zero for the rest of the frame - zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); - zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); - return -1; - } + if ((ret = read_decode_block(ctx, &bd[0])) < 0 || + (ret = read_decode_block(ctx, &bd[1])) < 0) + goto fail; + // reconstruct joint-stereo blocks if (bd[0].js_blocks) { @@ -1157,6 +1157,11 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, sizeof(*ctx->raw_samples[c]) * sconf->max_order); return 0; +fail: + // damaged block, write zero for the rest of the frame + zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); + zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); + return ret; } static inline int als_weighting(GetBitContext *gb, int k, int off) @@ -1180,7 +1185,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel >= channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n"); - return -1; + return AVERROR_INVALIDDATA; } if (current->master_channel != c) { @@ -1205,7 +1210,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (entries == channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } align_get_bits(gb); 
@@ -1237,7 +1242,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (dep == channels) { av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n"); - return -1; + return AVERROR_INVALIDDATA; } bd->const_block = ctx->const_block + c; @@ -1310,6 +1315,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) unsigned int js_blocks[2]; uint32_t bs_info = 0; + int ret; // skip the size of the ra unit if present in the frame if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame) @@ -1340,13 +1346,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) independent_bs = 1; if (independent_bs) { - if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; - + ret = decode_blocks_ind(ctx, ra_frame, c, + div_blocks, js_blocks); + if (ret < 0) + return ret; independent_bs--; } else { - if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; + ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks); + if (ret < 0) + return ret; c++; } @@ -1365,7 +1373,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (c = 0; c < avctx->channels; c++) if (ctx->chan_data[c] < ctx->chan_data_buffer) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } memset(&bd, 0, sizeof(ALSBlockData)); @@ -1397,11 +1405,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) return -1; } - for (c = 0; c < avctx->channels; c++) - if (revert_channel_correlation(ctx, &bd, ctx->chan_data, - reverted_channels, offset, c)) - return -1; - + for (c = 0; c < avctx->channels; c++) { + ret = revert_channel_correlation(ctx, &bd, ctx->chan_data, + reverted_channels, offset, c); + if (ret < 0) + return ret; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; bd.shift_lsbs = ctx->shift_lsbs + c; 
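Review bot: read_frame_data keeps a bare return -1 in the branch just above the rewritten revert_channel_correlation loop (first context line of the last hunk), so the function still mixes AVERROR codes with -1 after this cleanup. Convert that return to the matching AVERROR code in the same patch so that callers now propagating ret get a meaningful value on every path.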
@@ -1598,29 +1607,30 @@ static av_cold int decode_init(AVCodecContext *avctx) { unsigned int c; unsigned int channel_size; - int num_buffers; + int num_buffers, ret; ALSDecContext *ctx = avctx->priv_data; ALSSpecificConfig *sconf = &ctx->sconf; ctx->avctx = avctx; if (!avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n"); - return -1; + return AVERROR_INVALIDDATA; } - if (read_specific_config(ctx)) { + if ((ret = read_specific_config(ctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n"); - decode_end(avctx); - return -1; + goto fail; } - if (check_specific_config(ctx)) { - decode_end(avctx); - return -1; + if ((ret = check_specific_config(ctx)) < 0) { + goto fail; } - if (sconf->bgmc) - ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (sconf->bgmc) { + ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (ret < 0) + goto fail; + } if (sconf->floating) { avctx->sample_fmt = AV_SAMPLE_FMT_FLT; @@ -1656,7 +1666,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->quant_cof_buffer || !ctx->lpc_cof_buffer || !ctx->lpc_cof_reversed_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign quantized parcor coefficient buffers @@ -1681,8 +1692,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->use_ltp || !ctx->ltp_lag || !ctx->ltp_gain || !ctx->ltp_gain_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) 
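Review bot: decode_init now treats read_specific_config and check_specific_config as failed only when the result is < 0, where the old code failed on any non-zero value, and check_specific_config is not touched by this patch. Confirm that it returns a negative AVERROR on every error path, otherwise a positive error return would now be accepted as success. The braces around the lone goto fail after check_specific_config can also go.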
@@ -1699,8 +1710,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1721,8 +1732,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate previous raw sample buffer if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign raw samples buffers @@ -1739,8 +1750,8 @@ static av_cold int decode_init(AVCodecContext *avctx) av_get_bytes_per_sample(avctx->sample_fmt)); if (!ctx->crc_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } } @@ -1750,6 +1761,10 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->coded_frame = &ctx->frame; return 0; + +fail: + decode_end(avctx); + return ret; } From b8ba48c725dcda56d5dccc1474322857a7e3ed13 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:34:21 +0200 Subject: [PATCH 682/991] dsicinav: Clip the source size to the expected maximum A packet larger than cin->bitmap_size does not make sense. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd8189932147a524fe43532b46baa35e8be92a1b) Signed-off-by: Luca Barbato Conflicts: libavcodec/dsicinav.c --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 108424c858..03bdeaf359 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c 
@@ -234,6 +234,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, } } + bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size); + /* note: the decoding routines below assumes that surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: From 82978539171f32d0e1cf3bb4b452de4c1a920bae Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 683/991] pictordec: pass correct context to avpriv_request_sample Fixes invalid reads. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit fe9bb61f9a16be19ad91875632c39e44b7a99a8a) Signed-off-by: Luca Barbato Conflicts: libavcodec/pictordec.c --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 88add167cf..6f2193d511 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -121,7 +121,7 @@ static int decode_frame(AVCodecContext *avctx, s->nb_planes = (tmp >> 4) + 1; bpp = bits_per_plane * s->nb_planes; if (bits_per_plane > 8 || bpp < 1 || bpp > 32) { - av_log_ask_for_sample(s, "unsupported bit depth\n"); + av_log_ask_for_sample(avctx, "unsupported bit depth\n"); return AVERROR_INVALIDDATA; } @@ -233,7 +233,7 @@ static int decode_frame(AVCodecContext *avctx, } } } else { - av_log_ask_for_sample(s, "uncompressed image\n"); + av_log_ask_for_sample(avctx, "uncompressed image\n"); return avpkt->size; } finish: From 8119336df40f5530672d7c6ad6d21cfb883584c6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:05:44 +0200 Subject: [PATCH 684/991] dsicinav: K&R formatting cosmetics (cherry picked from commit fcae3ff124ee97c9265e3b93f3d41238b2aee9bd) Signed-off-by: Luca Barbato Conflicts: libavcodec/dsicinav.c --- libavcodec/dsicinav.c | 111 +++++++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 49 deletions(-) 
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 03bdeaf359..1a3366814b 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -107,27 +107,31 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx) return 0; } -static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size) +static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, + int size) { while (size--) *dst++ += *src++; } -static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_huffman(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int b, huff_code = 0; unsigned char huff_code_table[15]; - unsigned char *dst_cur = dst; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_cur = dst; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; - memcpy(huff_code_table, src, 15); src += 15; src_size -= 15; + memcpy(huff_code_table, src, 15); + src += 15; + src_size -= 15; while (src < src_end) { huff_code = *src++; if ((huff_code >> 4) == 15) { - b = huff_code << 4; - huff_code = *src++; + b = huff_code << 4; + huff_code = *src++; *dst_cur++ = b | (huff_code >> 4); } else *dst_cur++ = huff_code_table[huff_code >> 4]; @@ -146,11 +150,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c return dst_cur - dst; } -static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_lzss(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { uint16_t cmd; int i, sz, offset, code; - unsigned char *dst_end = dst + dst_size, *dst_start = dst; + unsigned char *dst_end = dst + dst_size, *dst_start = dst; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { 
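Review bot: cin_decode_huffman copies 15 bytes with memcpy(huff_code_table, src, 15) as its first statement without comparing src_size against 15, and the escape branch reads a second byte with huff_code = *src++ without rechecking src < src_end. That is out of scope for a formatting-only commit, but since these lines are being touched, a follow-up that returns AVERROR_INVALIDDATA when src_size < 15 and bounds the second read would close both over-reads.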
@@ -159,13 +164,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char if (code & (1 << i)) { *dst++ = *src++; } else { - cmd = AV_RL16(src); src += 2; + cmd = AV_RL16(src); + src += 2; offset = cmd >> 4; - if ((int) (dst - dst_start) < offset + 1) + if ((int)(dst - dst_start) < offset + 1) return AVERROR_INVALIDDATA; sz = (cmd & 0xF) + 2; - /* don't use memcpy/memmove here as the decoding routine (ab)uses */ - /* buffer overlappings to repeat bytes in the destination */ + /* don't use memcpy/memmove here as the decoding routine + * (ab)uses buffer overlappings to repeat bytes in the + * destination */ sz = FFMIN(sz, dst_end - dst); while (sz--) { *dst = *(dst - offset - 1); @@ -178,10 +185,11 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char return 0; } -static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static void cin_decode_rle(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int len, code; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -204,15 +212,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + const uint8_t *buf = avpkt->data; + int buf_size = avpkt->size; CinVideoContext *cin = avctx->priv_data; - int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; + int i, y, palette_type, palette_colors_count, + bitmap_frame_type, bitmap_frame_size, res = 0; - palette_type = buf[0]; + palette_type = buf[0]; palette_colors_count = AV_RL16(buf+1); - bitmap_frame_type = buf[3]; - buf += 4; + bitmap_frame_type = buf[3]; + buf += 4; bitmap_frame_size = buf_size - 4; 
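Review bot: cinvideo_decode_frame reads buf[0], AV_RL16(buf+1) and buf[3] right after the declarations with no check that buf_size is at least 4, and bitmap_frame_size = buf_size - 4 goes negative for shorter packets. The FFMIN(cin->bitmap_size, bitmap_frame_size) clamp further down only bounds the upper side, so a separate functional patch should reject buf_size < 4 and a negative bitmap_frame_size. For the cosmetics themselves, AV_RL16(buf+1) is left unspaced while AV_RL24(buf+1) becomes AV_RL24(buf + 1) in the next hunk.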
@@ -223,48 +232,50 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (palette_colors_count > 256) return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { - cin->palette[i] = bytestream_get_le24(&buf); + cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; } } else { for (i = 0; i < palette_colors_count; ++i) { - cin->palette[buf[0]] = AV_RL24(buf+1); - buf += 4; - bitmap_frame_size -= 4; + cin->palette[buf[0]] = AV_RL24(buf + 1); + buf += 4; + bitmap_frame_size -= 4; } } bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size); - /* note: the decoding routines below assumes that surface.width = surface.pitch */ + /* note: the decoding routines below assumes that + * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 34: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], + cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); 
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 37: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 38: res = cin_decode_lzss(buf, bitmap_frame_size, @@ -280,24 +291,26 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (res < 0) return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; } cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; - if (avctx->reget_buffer(avctx, &cin->frame)) { - av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); - return -1; + if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) { + av_log(cin->avctx, AV_LOG_ERROR, + "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); + return res; } memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); cin->frame.palette_has_changed = 1; for (y = 0; y < cin->avctx->height; ++y) memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], - cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, - cin->avctx->width); + cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, + cin->avctx->width); - FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]); + FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_table[CIN_PRE_BMP]); *data_size = sizeof(AVFrame); *(AVFrame *)data = cin->frame; 
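Review bot: the reget_buffer hunk is a behaviour change inside a commit titled as formatting cosmetics: the failure test narrows from non-zero to res < 0 and the return value changes from -1 to res. Split it into its own commit so the cosmetic patch stays a no-op that can be verified by comparing object code.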
@@ -341,8 +354,8 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx) static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - CinAudioContext *cin = avctx->priv_data; + const uint8_t *buf = avpkt->data; + CinAudioContext *cin = avctx->priv_data; const uint8_t *buf_end = buf + avpkt->size; int16_t *samples; int delta, ret; @@ -358,13 +371,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, delta = cin->delta; if (cin->initial_decode_frame) { cin->initial_decode_frame = 0; - delta = sign_extend(AV_RL16(buf), 16); - buf += 2; - *samples++ = delta; + delta = sign_extend(AV_RL16(buf), 16); + buf += 2; + *samples++ = delta; } while (buf < buf_end) { - delta += cinaudio_delta16_table[*buf++]; - delta = av_clip_int16(delta); + delta += cinaudio_delta16_table[*buf++]; + delta = av_clip_int16(delta); *samples++ = delta; } cin->delta = delta; From be8b796f559cece8a0312749e470d47b1653fa23 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 685/991] vcr1: add sanity checks Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8aba7968dd604aae91ee42cbce0be3dad7dceb30) Signed-off-by: Luca Barbato Conflicts: libavcodec/vcr1.c --- libavcodec/vcr1.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c index e50e092c7e..e9fedbd211 100644 --- a/libavcodec/vcr1.c +++ b/libavcodec/vcr1.c @@ -64,9 +64,13 @@ static int decode_frame(AVCodecContext *avctx, p->pict_type= AV_PICTURE_TYPE_I; p->key_frame= 1; + if (buf_size < 32) + goto packet_small; + for(i=0; i<16; i++){ a->delta[i]= *(bytestream++); bytestream++; + buf_size--; } for(y=0; yheight; y++){ 
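Review bot: the delta loop in decode_frame consumes two bytes per iteration (*(bytestream++) followed by bytestream++) but decrements buf_size only once, so after the 16 iterations buf_size overstates the remaining input by 16 bytes. Every later check against buf_size is then too permissive by that amount; use buf_size -= 2 in the loop, or subtract 32 once after it.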
@@ -77,8 +81,12 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *cb= &a->picture.data[1][ (y>>2)*a->picture.linesize[1] ]; uint8_t *cr= &a->picture.data[2][ (y>>2)*a->picture.linesize[2] ]; + if (buf_size < 4 + avctx->width) + goto packet_small; + for(i=0; i<4; i++) a->offset[i]= *(bytestream++); + buf_size -= 4; offset= a->offset[0] - a->delta[ bytestream[2]&0xF ]; for(x=0; xwidth; x+=4){ @@ -92,8 +100,12 @@ static int decode_frame(AVCodecContext *avctx, *(cr++) = bytestream[1]; bytestream+= 4; + buf_size -= 4; } }else{ + if (buf_size < avctx->width / 2) + goto packet_small; + offset= a->offset[y&3] - a->delta[ bytestream[2]&0xF ]; for(x=0; xwidth; x+=8){ @@ -107,6 +119,7 @@ static int decode_frame(AVCodecContext *avctx, luma[7]=( offset += a->delta[ bytestream[1]>>4 ]); luma += 8; bytestream+= 4; + buf_size -= 4; } } } @@ -115,6 +128,9 @@ static int decode_frame(AVCodecContext *avctx, *data_size = sizeof(AVPicture); return buf_size; +packet_small: + av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; } #if CONFIG_VCR1_ENCODER @@ -151,6 +167,11 @@ static av_cold int decode_init(AVCodecContext *avctx){ avctx->pix_fmt= PIX_FMT_YUV410P; + if (avctx->width & 7) { + av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width); + return AVERROR_INVALIDDATA; + } + return 0; } From ef67d8107eb3da56df13efd838e722b5fb0bc0c3 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 7 May 2013 01:29:36 +0200 Subject: [PATCH 686/991] aac: return meaningful errors (cherry picked from commit 07c52e2c7c60b087fd023cd9771778973def0b33) Signed-off-by: Luca Barbato Conflicts: libavcodec/aacdec.c --- libavcodec/aacdec.c | 61 ++++++++++++++++++++++++--------------------- 1 file changed, 33 insertions(+), 28 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 24e6ca6a87..2d566d5e1b 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
@@ -343,7 +343,7 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac, comment_len = get_bits(gb, 8) * 8; if (get_bits_left(gb) < comment_len) { av_log(avctx, AV_LOG_ERROR, overread_err); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(gb, comment_len); return 0; @@ -364,7 +364,7 @@ static av_cold int set_default_channel_config(AVCodecContext *avctx, if (channel_config < 1 || channel_config > 7) { av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n", channel_config); - return -1; + return AVERROR_INVALIDDATA; } /* default channel configurations: @@ -482,7 +482,7 @@ static int decode_audio_specific_config(AACContext *ac, int sync_extension) { GetBitContext gb; - int i; + int i, ret; av_dlog(avctx, "extradata size %d\n", avctx->extradata_size); for (i = 0; i < avctx->extradata_size; i++) @@ -492,10 +492,10 @@ static int decode_audio_specific_config(AACContext *ac, init_get_bits(&gb, data, bit_size); if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0) - return -1; + return AVERROR_INVALIDDATA; if (m4ac->sampling_index > 12) { av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(&gb, i); @@ -504,13 +504,14 @@ static int decode_audio_specific_config(AACContext *ac, case AOT_AAC_MAIN: case AOT_AAC_LC: case AOT_AAC_LTP: - if (decode_ga_specific_config(ac, avctx, &gb, m4ac, m4ac->chan_config)) - return -1; + if ((ret = decode_ga_specific_config(ac, avctx, &gb, + m4ac, m4ac->chan_config)) < 0) + return ret; break; default: av_log(avctx, AV_LOG_ERROR, "Audio object type %s%d is not supported.\n", m4ac->sbr == 1? "SBR+" : "", m4ac->object_type); - return -1; + return AVERROR(ENOSYS); } av_dlog(avctx, "AOT %d chan config %d sampling index %d (%d) SBR %d PS %d\n", 
@@ -581,16 +582,17 @@ static void reset_predictor_group(PredictorState *ps, int group_num) static av_cold int aac_decode_init(AVCodecContext *avctx) { AACContext *ac = avctx->priv_data; + int ret; float output_scale_factor; ac->avctx = avctx; ac->m4ac.sample_rate = avctx->sample_rate; if (avctx->extradata_size > 0) { - if (decode_audio_specific_config(ac, ac->avctx, &ac->m4ac, + if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->m4ac, avctx->extradata, - avctx->extradata_size*8, 1) < 0) - return -1; + avctx->extradata_size*8, 1)) < 0) + return ret; } else { int sr, i; enum ChannelPosition new_che_pos[4][MAX_ELEM_ID]; @@ -683,7 +685,7 @@ static int skip_data_stream_element(AACContext *ac, GetBitContext *gb) if (get_bits_left(gb) < 8 * count) { av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(gb, 8 * count); return 0; @@ -697,7 +699,7 @@ static int decode_prediction(AACContext *ac, IndividualChannelStream *ics, ics->predictor_reset_group = get_bits(gb, 5); if (ics->predictor_reset_group == 0 || ics->predictor_reset_group > 30) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid Predictor Reset Group.\n"); - return -1; + return AVERROR_INVALIDDATA; } } for (sfb = 0; sfb < FFMIN(ics->max_sfb, ff_aac_pred_sfb_max[ac->m4ac.sampling_index]); sfb++) { 
@@ -807,20 +809,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], int sect_band_type = get_bits(gb, 4); if (sect_band_type == 12) { av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); - return -1; + return AVERROR_INVALIDDATA; } do { sect_len_incr = get_bits(gb, bits); sect_end += sect_len_incr; if (get_bits_left(gb) < 0) { av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; + return AVERROR_INVALIDDATA; } if (sect_end > ics->max_sfb) { av_log(ac->avctx, AV_LOG_ERROR, "Number of bands (%d) exceeds limit (%d).\n", sect_end, ics->max_sfb); - return -1; + return AVERROR_INVALIDDATA; } } while (sect_len_incr == (1 << bits) - 1); for (; k < sect_end; k++) { @@ -892,7 +894,7 @@ static int decode_scalefactors(AACContext *ac, float sf[120], GetBitContext *gb, if (offset[0] > 255U) { av_log(ac->avctx, AV_LOG_ERROR, "%s (%d) out of range.\n", sf_str[0], offset[0]); - return -1; + return AVERROR_INVALIDDATA; } sf[idx] = -ff_aac_pow2sf_tab[offset[0] - 100 + POW_SF2_ZERO]; } @@ -950,7 +952,7 @@ static int decode_tns(AACContext *ac, TemporalNoiseShaping *tns, av_log(ac->avctx, AV_LOG_ERROR, "TNS filter order %d is greater than maximum %d.\n", tns->order[w][filt], tns_max_order); tns->order[w][filt] = 0; - return -1; + return AVERROR_INVALIDDATA; } if (tns->order[w][filt]) { tns->direction[w][filt] = get_bits1(gb); @@ -1233,7 +1235,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], if (b > 8) { av_log(ac->avctx, AV_LOG_ERROR, "error in spectral data, ESC overflow\n"); - return -1; + return AVERROR_INVALIDDATA; } SKIP_BITS(re, gb, b + 1); @@ -1376,6 +1378,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, IndividualChannelStream *ics = &sce->ics; float *out = sce->coeffs; int global_gain, pulse_present = 0; + int ret; /* This assignment is to silence a GCC warning about the variable being used * uninitialized when in fact it always is. 
@@ -1389,25 +1392,27 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, return AVERROR_INVALIDDATA; } - if (decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics) < 0) - return -1; - if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end) < 0) - return -1; + if ((ret = decode_band_types(ac, sce->band_type, + sce->band_type_run_end, gb, ics)) < 0) + return ret; + if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, + sce->band_type, sce->band_type_run_end)) < 0) + return ret; pulse_present = 0; if (!scale_flag) { if ((pulse_present = get_bits1(gb))) { if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); - return -1; + return AVERROR_INVALIDDATA; } if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); - return -1; + return AVERROR_INVALIDDATA; } } if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics)) - return -1; + return AVERROR_INVALIDDATA; if (get_bits1(gb)) { av_log_missing_feature(ac->avctx, "SSR", 1); return -1; @@ -1415,7 +1420,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, } if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type) < 0) - return -1; + return AVERROR_INVALIDDATA; if (ac->m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); @@ -1513,7 +1518,7 @@ static int decode_cpe(AACContext *ac, GetBitContext *gb, ChannelElement *cpe) ms_present = get_bits(gb, 2); if (ms_present == 3) { av_log(ac->avctx, AV_LOG_ERROR, "ms_present = 3 is reserved.\n"); - return -1; + return AVERROR_INVALIDDATA; } else if (ms_present) decode_mid_side_stereo(cpe, gb, ms_present); } From 86d0bf0e96bf917e283d24239ce0eed08351da86 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 15:59:50 +0300 Subject: [PATCH 687/991] mov: Seek back if overreading an individual atom MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5b4eb243bce10a3e8345401a353749e0414c54ca) Signed-off-by: Luca Barbato Conflicts: libavformat/mov.c --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0e5d473a8b..9cac5069c0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -357,6 +357,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) left = a.size - avio_tell(pb) + start_pos; if (left > 0) /* skip garbage at atom end */ avio_skip(pb, left); + else if (left < 0) { + av_log(c->fc, AV_LOG_WARNING, + "overread end of atom '%.4s' by %"PRId64" bytes\n", + (char*)&a.type, -left); + avio_seek(pb, left, SEEK_CUR); + } } total_size += a.size; From 2ed8a550da524434deb3b89f7ec62ed833bedac5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 4 Aug 2013 15:00:02 +0200 Subject: [PATCH 688/991] aac: Check init_get_bits return value Some code paths can call it with invalid length. CC: libav-stable@libav.org (cherry picked from commit 71953ebcf94fe4ef316cdad1f276089205dd1d65) Signed-off-by: Luca Barbato --- libavcodec/aacdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 2d566d5e1b..83dd06bfc0 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
@@ -489,7 +489,8 @@ static int decode_audio_specific_config(AACContext *ac, av_dlog(avctx, "%02x ", avctx->extradata[i]); av_dlog(avctx, "\n"); - init_get_bits(&gb, data, bit_size); + if ((ret = init_get_bits(&gb, data, bit_size)) < 0) + return ret; if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0) return AVERROR_INVALIDDATA; @@ -2298,7 +2299,8 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - init_get_bits(&gb, buf, buf_size * 8); + if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + return err; if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb)) < 0) return err; @@ -2543,7 +2545,8 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out, int muxlength, err; GetBitContext gb; - init_get_bits(&gb, avpkt->data, avpkt->size * 8); + if ((err = init_get_bits(&gb, avpkt->data, avpkt->size * 8)) < 0) + return err; // check for LOAS sync word if (get_bits(&gb, 11) != LOAS_SYNC_WORD) From a1b82c6b1c7b8843ac4b866c8e0814f10e634887 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 29 Oct 2013 03:02:22 +0100 Subject: [PATCH 689/991] x86: ac3dsp: Drop mmx variant of ac3_max_msb_abs_int16 The function accidentally uses mmxext instructions, so it causes sigill on mmx-only CPUs and provides no benefit on CPUs with mmxext available. Signed-off-by: Luca Barbato --- libavcodec/x86/ac3dsp.asm | 9 --------- libavcodec/x86/ac3dsp_mmx.c | 2 -- 2 files changed, 11 deletions(-) diff --git a/libavcodec/x86/ac3dsp.asm b/libavcodec/x86/ac3dsp.asm index 9312ff6533..1bfa0e4cb3 100644 --- a/libavcodec/x86/ac3dsp.asm +++ b/libavcodec/x86/ac3dsp.asm 
@@ -86,7 +86,6 @@ AC3_EXPONENT_MIN sse2 ; This function uses 2 different methods to calculate a valid result. ; 1) logical 'or' of abs of each element ; This is used for ssse3 because of the pabsw instruction. -; It is also used for mmx because of the lack of min/max instructions. ; 2) calculate min/max for the array, then or(abs(min),abs(max)) ; This is used for mmxext and sse2 because they have pminsw/pmaxsw. ;----------------------------------------------------------------------------- @@ -104,15 +103,9 @@ cglobal ac3_max_msb_abs_int16_%1, 2,2,5, src, len pmaxsw m3, m0 pmaxsw m3, m1 %else ; or_abs -%ifidn %1, mmx - mova m0, [srcq] - mova m1, [srcq+mmsize] - ABS2 m0, m1, m3, m4 -%else ; ssse3 ; using memory args is faster for ssse3 pabsw m0, [srcq] pabsw m1, [srcq+mmsize] -%endif por m2, m0 por m2, m1 %endif @@ -137,9 +130,7 @@ cglobal ac3_max_msb_abs_int16_%1, 2,2,5, src, len %endmacro INIT_MMX -%define ABS2 ABS2_MMX %define PSHUFLW pshufw -AC3_MAX_MSB_ABS_INT16 mmx, or_abs %define ABS2 ABS2_MMX2 AC3_MAX_MSB_ABS_INT16 mmxext, min_max INIT_XMM diff --git a/libavcodec/x86/ac3dsp_mmx.c b/libavcodec/x86/ac3dsp_mmx.c index d6bb469457..a8c5054034 100644 --- a/libavcodec/x86/ac3dsp_mmx.c +++ b/libavcodec/x86/ac3dsp_mmx.c @@ -27,7 +27,6 @@ extern void ff_ac3_exponent_min_mmx (uint8_t *exp, int num_reuse_blocks, int n extern void ff_ac3_exponent_min_mmxext(uint8_t *exp, int num_reuse_blocks, int nb_coefs); extern void ff_ac3_exponent_min_sse2 (uint8_t *exp, int num_reuse_blocks, int nb_coefs); -extern int ff_ac3_max_msb_abs_int16_mmx (const int16_t *src, int len); extern int ff_ac3_max_msb_abs_int16_mmxext(const int16_t *src, int len); extern int ff_ac3_max_msb_abs_int16_sse2 (const int16_t *src, int len); extern int ff_ac3_max_msb_abs_int16_ssse3 (const int16_t *src, int len); 
@@ -55,7 +54,6 @@ av_cold void ff_ac3dsp_init_x86(AC3DSPContext *c, int bit_exact) if (mm_flags & AV_CPU_FLAG_MMX) { c->ac3_exponent_min = ff_ac3_exponent_min_mmx; - c->ac3_max_msb_abs_int16 = ff_ac3_max_msb_abs_int16_mmx; c->ac3_lshift_int16 = ff_ac3_lshift_int16_mmx; c->ac3_rshift_int32 = ff_ac3_rshift_int32_mmx; } From 62c8bf00bb0b934853c54741dca9a82afa1382ca Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 30 Oct 2013 19:19:44 +0100 Subject: [PATCH 690/991] x86: fft: Remove 3DNow! optimizations, they break FATE --- libavcodec/x86/Makefile | 2 - libavcodec/x86/fft.c | 10 --- libavcodec/x86/fft_3dn.c | 23 ----- libavcodec/x86/fft_3dn2.c | 174 -------------------------------------- 4 files changed, 209 deletions(-) delete mode 100644 libavcodec/x86/fft_3dn.c delete mode 100644 libavcodec/x86/fft_3dn2.c diff --git a/libavcodec/x86/Makefile b/libavcodec/x86/Makefile index 1e88e4a847..e2aa198431 100644 --- a/libavcodec/x86/Makefile +++ b/libavcodec/x86/Makefile @@ -3,8 +3,6 @@ OBJS-$(CONFIG_TRUEHD_DECODER) += x86/mlpdsp.o YASM-OBJS-$(CONFIG_DCT) += x86/dct32_sse.o -YASM-OBJS-FFT-$(HAVE_AMD3DNOW) += x86/fft_3dn.o -YASM-OBJS-FFT-$(HAVE_AMD3DNOWEXT) += x86/fft_3dn2.o YASM-OBJS-FFT-$(HAVE_SSE) += x86/fft_sse.o YASM-OBJS-$(CONFIG_FFT) += x86/fft_mmx.o \ $(YASM-OBJS-FFT-yes) diff --git a/libavcodec/x86/fft.c b/libavcodec/x86/fft.c index f7308cca32..be5fab5832 100644 --- a/libavcodec/x86/fft.c +++ b/libavcodec/x86/fft.c 
@@ -39,16 +39,6 @@ av_cold void ff_fft_init_mmx(FFTContext *s) s->fft_permute = ff_fft_permute_sse; s->fft_calc = ff_fft_calc_sse; s->fft_permutation = FF_FFT_PERM_SWAP_LSBS; - } else if (has_vectors & AV_CPU_FLAG_3DNOWEXT && HAVE_AMD3DNOWEXT) { - /* 3DNowEx for K7 */ - s->imdct_calc = ff_imdct_calc_3dn2; - s->imdct_half = ff_imdct_half_3dn2; - s->fft_calc = ff_fft_calc_3dn2; - } else if (has_vectors & AV_CPU_FLAG_3DNOW && HAVE_AMD3DNOW) { - /* 3DNow! for K6-2/3 */ - s->imdct_calc = ff_imdct_calc_3dn; - s->imdct_half = ff_imdct_half_3dn; - s->fft_calc = ff_fft_calc_3dn; } #endif } diff --git a/libavcodec/x86/fft_3dn.c b/libavcodec/x86/fft_3dn.c deleted file mode 100644 index 5a4d3ad2c8..0000000000 --- a/libavcodec/x86/fft_3dn.c +++ /dev/null @@ -1,23 +0,0 @@ -/* - * FFT/MDCT transform with 3DNow! optimizations - * Copyright (c) 2008 Loren Merritt - * - * This file is part of Libav. - * - * Libav is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * Libav is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - */ - -#define EMULATE_3DNOWEXT -#include "fft_3dn2.c" diff --git a/libavcodec/x86/fft_3dn2.c b/libavcodec/x86/fft_3dn2.c deleted file mode 100644 index a724398aff..0000000000 --- a/libavcodec/x86/fft_3dn2.c +++ /dev/null 
@@ -1,174 +0,0 @@ -/* - * FFT/MDCT transform with Extended 3DNow! optimizations - * Copyright (c) 2006-2008 Zuxy MENG Jie, Loren Merritt - * - * This file is part of Libav. - * - * Libav is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * Libav is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - */ - -#include "libavutil/x86_cpu.h" -#include "libavcodec/dsputil.h" -#include "fft.h" - -DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 }; - -#ifdef EMULATE_3DNOWEXT -#define PSWAPD(s,d)\ - "movq "#s","#d"\n"\ - "psrlq $32,"#d"\n"\ - "punpckldq "#s","#d"\n" -#define ff_fft_calc_3dn2 ff_fft_calc_3dn -#define ff_fft_dispatch_3dn2 ff_fft_dispatch_3dn -#define ff_fft_dispatch_interleave_3dn2 ff_fft_dispatch_interleave_3dn -#define ff_imdct_calc_3dn2 ff_imdct_calc_3dn -#define ff_imdct_half_3dn2 ff_imdct_half_3dn -#else -#define PSWAPD(s,d) "pswapd "#s","#d"\n" -#endif - -void ff_fft_dispatch_3dn2(FFTComplex *z, int nbits); -void ff_fft_dispatch_interleave_3dn2(FFTComplex *z, int nbits); - -void ff_fft_calc_3dn2(FFTContext *s, FFTComplex *z) -{ - int n = 1<nbits; - int i; - ff_fft_dispatch_interleave_3dn2(z, s->nbits); - __asm__ volatile("femms"); - if(n <= 8) - for(i=0; imdct_size; - long n2 = n >> 1; - long n4 = n >> 2; - long n8 = n >> 3; - const uint16_t *revtab = s->revtab; - const FFTSample *tcos = s->tcos; - const FFTSample *tsin = s->tsin; - 
const FFTSample *in1, *in2; - FFTComplex *z = (FFTComplex *)output; - - /* pre rotation */ - in1 = input; - in2 = input + n2 - 1; -#ifdef EMULATE_3DNOWEXT - __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31)); -#endif - for(k = 0; k < n4; k++) { - // FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it - __asm__ volatile( - "movd %0, %%mm0 \n" - "movd %2, %%mm1 \n" - "punpckldq %1, %%mm0 \n" - "punpckldq %3, %%mm1 \n" - "movq %%mm0, %%mm2 \n" - PSWAPD( %%mm1, %%mm3 ) - "pfmul %%mm1, %%mm0 \n" - "pfmul %%mm3, %%mm2 \n" -#ifdef EMULATE_3DNOWEXT - "movq %%mm0, %%mm1 \n" - "punpckhdq %%mm2, %%mm0 \n" - "punpckldq %%mm2, %%mm1 \n" - "pxor %%mm7, %%mm0 \n" - "pfadd %%mm1, %%mm0 \n" -#else - "pfpnacc %%mm2, %%mm0 \n" -#endif - ::"m"(in2[-2*k]), "m"(in1[2*k]), - "m"(tcos[k]), "m"(tsin[k]) - ); - __asm__ volatile( - "movq %%mm0, %0 \n\t" - :"=m"(z[revtab[k]]) - ); - } - - ff_fft_dispatch_3dn2(z, s->nbits); - -#define CMUL(j,mm0,mm1)\ - "movq (%2,"#j",2), %%mm6 \n"\ - "movq 8(%2,"#j",2), "#mm0"\n"\ - "movq %%mm6, "#mm1"\n"\ - "movq "#mm0",%%mm7 \n"\ - "pfmul (%3,"#j"), %%mm6 \n"\ - "pfmul (%4,"#j"), "#mm0"\n"\ - "pfmul (%4,"#j"), "#mm1"\n"\ - "pfmul (%3,"#j"), %%mm7 \n"\ - "pfsub %%mm6, "#mm0"\n"\ - "pfadd %%mm7, "#mm1"\n" - - /* post rotation */ - j = -n2; - k = n2-8; - __asm__ volatile( - "1: \n" - CMUL(%0, %%mm0, %%mm1) - CMUL(%1, %%mm2, %%mm3) - "movd %%mm0, (%2,%0,2) \n" - "movd %%mm1,12(%2,%1,2) \n" - "movd %%mm2, (%2,%1,2) \n" - "movd %%mm3,12(%2,%0,2) \n" - "psrlq $32, %%mm0 \n" - "psrlq $32, %%mm1 \n" - "psrlq $32, %%mm2 \n" - "psrlq $32, %%mm3 \n" - "movd %%mm0, 8(%2,%0,2) \n" - "movd %%mm1, 4(%2,%1,2) \n" - "movd %%mm2, 8(%2,%1,2) \n" - "movd %%mm3, 4(%2,%0,2) \n" - "sub $8, %1 \n" - "add $8, %0 \n" - "jl 1b \n" - :"+r"(j), "+r"(k) - :"r"(z+n8), "r"(tcos+n8), "r"(tsin+n8) - :"memory" - ); - __asm__ volatile("femms"); -} - -void ff_imdct_calc_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input) -{ - x86_reg j, k; - long n = 
s->mdct_size; - long n4 = n >> 2; - - ff_imdct_half_3dn2(s, output+n4, input); - - j = -n; - k = n-8; - __asm__ volatile( - "movq %4, %%mm7 \n" - "1: \n" - PSWAPD((%2,%1), %%mm0) - PSWAPD((%3,%0), %%mm1) - "pxor %%mm7, %%mm0 \n" - "movq %%mm1, (%3,%1) \n" - "movq %%mm0, (%2,%0) \n" - "sub $8, %1 \n" - "add $8, %0 \n" - "jl 1b \n" - :"+r"(j), "+r"(k) - :"r"(output+n4), "r"(output+n4*3), - "m"(*m1m1) - ); - __asm__ volatile("femms"); -} - From d2f4846591727fedcc2b452b688da8da09ee8305 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 2 Nov 2013 10:17:43 -0400 Subject: [PATCH 691/991] Prepare for 0.8.7 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 6201b5f77f..55485e1793 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.8 +0.8.9 From ae9652605a9a3328d3f992925a37bde037dff2ee Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 2 Nov 2013 10:31:35 -0400 Subject: [PATCH 692/991] Changelog for 0.8.9 --- Changelog | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/Changelog b/Changelog index 2cbf41d5e8..bedc168ed2 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,96 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.9: + +- x86: fft: Remove 3DNow! optimizations, they break FATE +- x86: ac3dsp: Drop mmx variant of ac3_max_msb_abs_int16 +- aac: Check init_get_bits return value +- aac: return meaningful errors +- dsicinav: K&R formatting cosmetics +- mov: Seek back if overreading an individual atom +- vcr1: add sanity checks +- pictordec: pass correct context to avpriv_request_sample +- dsicinav: Clip the source size to the expected maximum +- alsdec: Clean up error paths +- ogg: Fix potential infinite discard loop +- nuv: check rtjpeg_decode_frame_yuv420 return value +- nuv: Reset the frame on resize +- nuv: Use av_fast_realloc +- nuv: return meaningful error codes. +- nuv: Pad the lzo outbuf +- nuv: Do not ignore lzo decompression failures +- oma: correctly mark and decrypt partial packets +- oma: check geob tag boundary +- oma: refactor seek function +- 8bps: Bound-check the input buffer +- rtmp: Do not misuse memcmp +- rtmp: rename data_size to size +- lavc: set the default rc_initial_buffer_occupancy +- 4xm: Reject not a multiple of 16 dimension +- 4xm: do not overread the prestream buffer +- 4xm: validate the buffer size before parsing it +- indeo: Do not reference mismatched tiles +- indeo: Sanitize ff_ivi_init_planes fail paths +- indeo: Bound-check before applying motion compensation +- indeo: Bound-check before applying transform +- indeo: reject negative array indexes +- indeo: Cosmetic formatting +- indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks +- indeo: Refactor ff_ivi_dec_huff_desc +- lavf: fix the comparison in an overflow check +- dv: Add a guard to not overread the ppcm array +- mpegvideo: Avoid 32-bit wrapping of linesize multiplications +- mjpegb: Detect changing number of planes in interlaced video +- matroskadec: Check that .lang was allocated and set before reading it +- ape demuxer: check for 
EOF in potentially long loops +- lavf: avoid integer overflow when estimating bitrate +- pictordec: break out of both decoding loops when y drops below 0 +- ac3: Return proper error codes +- ac3: Clean up the error paths +- ac3: Do not clash with normal AVERROR +- dxa: Make sure the reference frame exists +- h261: check the mtype index +- segafilm: Error out on impossible packet size +- ogg: Always alloc the private context in vorbis_header +- vc1: check mb_height validity. +- vc1: check the source buffer in vc1_mc functions +- bink: Bound check the quantization matrix. +- xl: Make sure the width is valid +- alsdec: Fix the clipping range +- dsicinav: Bound-check the source buffer when needed +- mov: Do not allow updating the time scale after it has been set +- ac3dec: Don't consume more data than the actual input packet size +- indeo: Reject impossible FRAMETYPE_NULL +- indeo5: return proper error codes +- indeo4: Validate scantable dimension +- indeo4: Check the quantization matrix index +- indeo4: Do not access missing reference MV +- adpcm: Unbreak ima-dk4 +- ac3dec: validate channel output mode against channel count +- dca: Respect the current limits in the downmixing capabilities +- dca: Error out on missing DSYNC +- pcm: always use codec->id instead of codec_id +- mlpdec: Do not set invalid context in read_restart_header +- pcx: Do not overread source buffer in pcx_rle_decode +- wmavoice: conceal clearly corrupted blocks +- iff: Do not read over the source buffer +- qdm2: Conceal broken samples +- qdm2: refactor joined stereo support +- adpcm: Write the correct number of samples for ima-dk4 +- imc: Catch a division by zero +- atrac3: Error on impossible encoding/channel combinations +- atrac3: set the getbits context the right buffer_end +- atrac3: fix error handling +- qdm2: check and reset dithering index per channel +- westwood_vqa: do not free extradata on error in read_header +- vqavideo: check the version +- rmdec: Use the AVIOContext given as 
parameter in rm_read_metadata() +- avio: Handle AVERROR_EOF in the same way as the return value 0 +- wtv: Mark attachment with a negative stream id +- avidec: Let the inner dv demuxer take care of discarding +- swfdec: do better validation of tag length + version 0.8.8: From d83dff2e09516f04f79b05850bfbccf8080aff68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Nov 2013 20:07:44 +0100 Subject: [PATCH 693/991] update for 0.10.10 Signed-off-by: Michael Niedermayer --- Changelog | 3 +++ Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 076ec8f30b..912d7273c0 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,9 @@ releases are sorted from youngest to oldest. version next: + +version 0.10.10 + - x86: fft: Remove 3DNow! optimizations, they break FATE - x86: ac3dsp: Drop mmx variant of ac3_max_msb_abs_int16 - aac: Check init_get_bits return value diff --git a/Doxyfile b/Doxyfile index c19f09cd53..0018f58f0f 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.9 +PROJECT_NUMBER = 0.10.10 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index f314d02022..ddf1d4ae68 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.9 +0.10.10 diff --git a/VERSION b/VERSION index f314d02022..ddf1d4ae68 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.9 +0.10.10 From 4ddbe89d40bd7a6ba16a6537b0acdd22f6c86507 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 21 Oct 2013 16:21:14 +0200 Subject: [PATCH 694/991] avfilter/ff_insert_pad: fix order of operations Fixes out of bounds access Fixes CID732170 Fixes CID732169 No filter is known to use this function in a way so the issue can be reproduced. Signed-off-by: Michael Niedermayer (cherry picked from commit ab2bfb85d49b2f8aa505816f93e75fd18ad0a361) Conflicts: libavfilter/avfilter.c (cherry picked from commit 86591b244f3a27293153896813f5569b49b2f5c0) Conflicts: libavfilter/avfilter.c (cherry picked from commit 400c4f8fa3fd58951dc3f356b2b00484e3363694) Signed-off-by: Michael Niedermayer --- libavfilter/avfilter.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 706f7e2694..ef54c7c23a 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -176,9 +176,9 @@ void avfilter_insert_pad(unsigned idx, unsigned *count, size_t padidx_off, (*links)[idx] = NULL; (*count)++; - for (i = idx+1; i < *count; i++) - if (*links[i]) - (*(unsigned *)((uint8_t *) *links[i] + padidx_off))++; + for (i = idx + 1; i < *count; i++) + if ((*links)[i]) + (*(unsigned *)((uint8_t *) (*links)[i] + padidx_off))++; } int avfilter_link(AVFilterContext *src, unsigned srcpad, From 58e212c1fbad5df87ea91c85711361325cc84be1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Oct 2013 23:27:28 +0100 Subject: [PATCH 695/991] avcodec/jpeglsdec: check err value for ls_get_code_runterm() Fixes infinite loop Fixes Ticket3086 Signed-off-by: Michael Niedermayer (cherry picked from commit cc0e47b55096361723b364afa43b79a3f5619cdc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 7814ad6640..b95a15126e 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
@@ -143,6 +143,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, int RI ret = ret >> 1; } + if(FFABS(ret) > 0xFFFF) + return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; ret *= state->twonear; From d4a24e43edd0c1a06d5dbf454448fde5b3d1d281 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Dec 2013 13:24:26 -0500 Subject: [PATCH 696/991] alsdec: check block length Fix writing over the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Addresses: CVE-2013-0845 (cherry picked from commit 2a0fb7286d67c47e44aa76c237ede117b22af616) Signed-off-by: Reinhard Tartler (cherry picked from commit 3f7d89034bfe50893927cc92ddcb95a2e9b4178d) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index b0369d7f4e..7daa545765 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1386,6 +1386,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; + if (bd.block_length <= 0) { + av_log(ctx->avctx, AV_LOG_WARNING, + "Invalid block length %d in channel data!\n", bd.block_length); + continue; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; From b5736759eefab9d546668731bb6d06273edce012 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Nov 2012 23:59:40 +0100 Subject: [PATCH 697/991] qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler (cherry picked from commit 39bec05ed42e505d17877b0c23f16322f9b5883b) Signed-off-by: Reinhard Tartler (cherry picked from commit 0b2b8ab979624b0cce673d5e99255482d7c553ad) 
Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1a076236cf..6b11b46d98 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1250,6 +1250,11 @@ static void qdm2_decode_super_block (QDM2Context *q) for (i = 0; packet_bytes > 0; i++) { int j; + if (i >= FF_ARRAY_ELEMS(q->sub_packet_list_A)) { + SAMPLES_NEEDED_2("too many packet bytes"); + return; + } + q->sub_packet_list_A[i].next = NULL; if (i > 0) { From 6f6cd7dbe539b64ea2ec25d91cad4880206a16af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2012 15:18:17 +0100 Subject: [PATCH 698/991] roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) Signed-off-by: Michael Niedermayer (cherry picked from commit fee26d352a52eb9f7fcd8d9167fb4a5ba015b612) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler (cherry picked from commit 488f87be873506abb01d67708a67c10a4dd29283) Signed-off-by: Reinhard Tartler (cherry picked from commit 52b18c1fde65efac7f6e6104b76d39bf8d0a34ee) Signed-off-by: Reinhard Tartler --- libavcodec/roqvideodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index fe7863ff76..b18e8e094c 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -159,6 +159,13 @@ static av_cold int roq_decode_init(AVCodecContext *avctx) RoqContext *s = avctx->priv_data; s->avctx = avctx; + + if (avctx->width % 16 || avctx->height % 16) { + av_log(avctx, AV_LOG_ERROR, + "Dimensions must be a multiple of 16\n"); + return AVERROR_PATCHWELCOME; + } + s->width = avctx->width; s->height = avctx->height; s->last_frame = &s->frames[0]; From b997a6a86d7aeec8b1b321273e4d1efaef65e39b Mon Sep 17 00:00:00 2001 
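Review bot: in the qdm2.c hunk (qdm2_decode_super_block), the new bound check on `i` returns from a void function, so the caller cannot tell a fully parsed super block from one abandoned because the packet list overflowed. The check is in the right place, before `q->sub_packet_list_A[i].next = NULL`. What is missing is a way to report the failure, either an int return value or an error flag in the context, so the caller can decide whether to keep decoding.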
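Review bot: in the roqvideodec.c hunk (roq_decode_init), the new test `avctx->width % 16 || avctx->height % 16` still accepts a width or height of 0, since 0 is a multiple of 16, and the log message does not say which dimensions were rejected. Consider rejecting non-positive dimensions in the same condition and printing `avctx->width` and `avctx->height` in the message. AVERROR_PATCHWELCOME signals an unimplemented feature; if other dimensions are simply invalid for this decoder, AVERROR_INVALIDDATA would describe the failure better.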
From: Reinhard Tartler Date: Sat, 14 Dec 2013 14:34:28 -0500 Subject: [PATCH 699/991] Prepare for 0.8.10 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 55485e1793..ef50561618 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.9 +0.8.10 From b6fc0127ce8487602ce79f64bfd263ef0dc9df9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Dec 2013 15:02:35 +0200 Subject: [PATCH 700/991] arm: Don't clobber callee saved registers in scalarproduct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit q4-q7/d8-d15 are supposed to not be clobbered by the callee. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694) Signed-off-by: Martin Storsjö --- libavcodec/arm/int_neon.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/int_neon.S b/libavcodec/arm/int_neon.S index 8bb58afb18..db2b4942e5 100644 --- a/libavcodec/arm/int_neon.S +++ b/libavcodec/arm/int_neon.S @@ -66,10 +66,10 @@ function ff_scalarproduct_int16_neon, export=1 3: vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] @@ -106,10 +106,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] From 594b8436084c1073d7eeb1347eaa244697fbb2bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Dec 2013 15:02:35 +0200 Subject: [PATCH 701/991] arm: Don't clobber callee saved registers in scalarproduct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit q4-q7/d8-d15 are supposed to not be clobbered by the callee. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694) --- libavcodec/arm/int_neon.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/int_neon.S b/libavcodec/arm/int_neon.S index e1353982d0..bb3c9533f9 100644 --- a/libavcodec/arm/int_neon.S +++ b/libavcodec/arm/int_neon.S @@ -66,10 +66,10 @@ function ff_scalarproduct_int16_neon, export=1 3: vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] @@ -106,10 +106,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] From 9291012d52a7eddda1ffa32c46d3fb6f1953b11e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:53:15 +0300 Subject: [PATCH 702/991] mpc8: Make sure the first stream exists before parsing the seek table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 17d57848fc14e82f76a65ffb25c90f2f011dc4a0) 
Signed-off-by: Luca Barbato (cherry picked from commit 557df77eab7d3726c34221aeb999afe9e7818d52) --- libavformat/mpc8.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 97a9b01025..785a4f7a1c 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -137,6 +137,11 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) int i, t, seekd; GetBitContext gb; + if (s->nb_streams == 0) { + av_log(s, AV_LOG_ERROR, "No stream added before parsing seek table\n"); + return; + } + avio_seek(s->pb, off, SEEK_SET); mpc8_get_chunk_header(s->pb, &tag, &size); if(tag != TAG_SEEKTABLE){ From 7981b5c20e614e792967f17d09cf1adfb07ae254 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 14:54:05 +0300 Subject: [PATCH 703/991] omadec: Properly check lengths before incrementing the position MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 342c43d154e586bc022c86b168fe8d36f69da9d3) Signed-off-by: Luca Barbato (cherry picked from commit 9eba02d5dd7036294ea350cb772822deec95b867) --- libavformat/omadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 9e8b43b3c5..98ba1c5e35 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -170,7 +170,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, taglen = AV_RB32(&enc_header[pos+32]); datalen = AV_RB32(&enc_header[pos+36]) >> 4; - pos += 44 + taglen; + pos += 44; + if (size - pos < taglen) + return -1; + + pos += taglen; if (datalen << 4 > size - pos) return -1; From b9e90b36cd3b87298b524330640818411b5ff45e Mon Sep 17 00:00:00 2001 
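Review bot: in the omadec.c hunk (nprobe), `size - pos < taglen` is evaluated after `pos += 44` with `size` declared unsigned, so if `pos + 44` can exceed `size` the subtraction wraps to a large value and the guard never fires. The two AV_RB32 reads at `enc_header[pos+32]` and `enc_header[pos+36]` in the context lines above also run before any length check visible in this hunk. If an earlier test already guarantees `size >= pos + 44`, a comment saying so would help; otherwise compare `pos + 44` against `size` before the reads and before the increment.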
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:56:55 +0300 Subject: [PATCH 704/991] sierravmd: Do sanity checking of frame sizes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Limit the size to INT_MAX/2 (for simplicity) to be sure that size + BYTES_PER_FRAME_RECORD won't overflow. Also factorize other existing error return paths. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0ef1660a6365ce60ead8858936b6f3f8ea862826) Signed-off-by: Luca Barbato (cherry picked from commit 153deed18bed43d16b272e8681b2a9b988d2682a) --- libavformat/sierravmd.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c index 81ff46fea0..3b8da4a769 100644 --- a/libavformat/sierravmd.c +++ b/libavformat/sierravmd.c @@ -88,7 +88,7 @@ static int vmd_read_header(AVFormatContext *s, unsigned char *raw_frame_table; int raw_frame_table_size; int64_t current_offset; - int i, j; + int i, j, ret; unsigned int total_frames; int64_t current_audio_pts = 0; unsigned char chunk[BYTES_PER_FRAME_RECORD]; @@ -169,15 +169,13 @@ static int vmd_read_header(AVFormatContext *s, raw_frame_table = av_malloc(raw_frame_table_size); vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame)); if (!raw_frame_table || !vmd->frame_table) { - av_free(raw_frame_table); - av_free(vmd->frame_table); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto error; } if (avio_read(pb, raw_frame_table, raw_frame_table_size) != raw_frame_table_size) { - av_free(raw_frame_table); - av_free(vmd->frame_table); - return AVERROR(EIO); + ret = AVERROR(EIO); + goto error; } total_frames = 0; 
@@ -193,6 +191,11 @@ static int vmd_read_header(AVFormatContext *s, avio_read(pb, chunk, BYTES_PER_FRAME_RECORD); type = chunk[0]; size = AV_RL32(&chunk[2]); + if (size > INT_MAX / 2) { + av_log(s, AV_LOG_ERROR, "Invalid frame size\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } if(!size && type != 1) continue; switch(type) { @@ -229,6 +232,11 @@ static int vmd_read_header(AVFormatContext *s, vmd->frame_count = total_frames; return 0; + +error: + av_free(raw_frame_table); + av_free(vmd->frame_table); + return ret; } static int vmd_read_packet(AVFormatContext *s, From 7f80928c0e7a74dff58d6c9b0172e34619844d01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 12 Sep 2013 11:58:25 +0300 Subject: [PATCH 705/991] cavsdec: Make sure a sequence header has been decoded before decoding pictures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e90a6846c2c006fbebd00e1f2789f4a86fafacef) Signed-off-by: Luca Barbato Conflicts: libavcodec/cavsdec.c --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 1dd237a755..5582fd42d3 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -467,6 +467,11 @@ static int decode_pic(AVSContext *h) { int skip_count = -1; enum cavs_mb mb_type; + if (!h->top_qp) { + av_log(h, AV_LOG_ERROR, "No sequence header decoded yet\n"); + return AVERROR_INVALIDDATA; + } + if (!s->context_initialized) { s->avctx->idct_algo = FF_IDCT_CAVS; if (MPV_common_init(s) < 0) From 290783b84866b1d16588f04c9c06ece37e523a69 Mon Sep 17 00:00:00 2001 
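Review bot: in the sierravmd.c hunk at `size = AV_RL32(&chunk[2])` (vmd_read_header), the new `size > INT_MAX / 2` test validates data from `avio_read(pb, chunk, BYTES_PER_FRAME_RECORD)`, whose return value is still ignored in the context line above it. `chunk` is an uninitialised local array, so on a truncated file the type and size being checked may be stale bytes rather than file contents. Check that avio_read returned BYTES_PER_FRAME_RECORD and send a short read to the new `error:` label with AVERROR(EIO), the same way the frame-table read earlier in the function is handled.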
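Review bot: in the cavsdec.c hunk (decode_pic), the new error path calls `av_log(h, ...)` with the AVSContext, while the code right below reaches the codec context through `s->avctx`. av_log expects a pointer to a struct that begins with an AVClass pointer; unless AVSContext is laid out that way, pass `s->avctx` here. A one-line comment explaining why `!h->top_qp` means that no sequence header has been decoded would also make the guard easier to audit.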
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 12 Sep 2013 12:27:58 +0300 Subject: [PATCH 706/991] vp3: Check the framerate for validity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 6fc8226e29055858f28973bb3d27b63b3b65e616) Signed-off-by: Luca Barbato (cherry picked from commit b4c479a82adbb1301e3e549cd80cdd65208ddd05) --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index da70e66ab9..d8e16505a1 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2155,6 +2155,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) fps.num = get_bits_long(gb, 32); fps.den = get_bits_long(gb, 32); if (fps.num && fps.den) { + if (fps.num < 0 || fps.den < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } av_reduce(&avctx->time_base.num, &avctx->time_base.den, fps.den, fps.num, 1<<30); } From 802deb2d136fd2e2b6f445476703c05a0b633aa2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:05:03 +0300 Subject: [PATCH 707/991] svq3: Check for any negative return value from ff_h264_check_intra_pred_mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also pass on any returned error code. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 1115689d54ea95a084421f5a182b8dc56cbff978) Signed-off-by: Luca Barbato Conflicts: libavcodec/svq3.c --- libavcodec/svq3.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index ebe4fd9f5f..5097af5b5f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -611,9 +611,9 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3*(dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){ - av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); - return -1; + if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "ff_h264_check_intra_pred_mode < 0\n"); + return h->intra16x16_pred_mode; } cbp = i_mb_type_info[mb_type - 8].cbp; From 48f27c854f23b43890f72239c5d18b7fff0707af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:19:52 +0300 Subject: [PATCH 708/991] mace: Make sure that the channel count is set to a valid value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also return a proper error code. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e1f3847f860a1094a46be4c5f10db8df616c3135) Signed-off-by: Luca Barbato Conflicts: libavcodec/mace.c --- libavcodec/mace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mace.c b/libavcodec/mace.c index 792d71d072..d02b1dc095 100644 --- a/libavcodec/mace.c +++ b/libavcodec/mace.c @@ -231,8 +231,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx) { MACEContext *ctx = avctx->priv_data; - if (avctx->channels > 2) - return -1; + if (avctx->channels > 2 || avctx->channels < 1) + return AVERROR(EINVAL); avctx->sample_fmt = AV_SAMPLE_FMT_S16; avcodec_get_frame_defaults(&ctx->frame); From d5c104c1ae56060f273c202f103ba19f3f85bbcf Mon Sep 17 00:00:00 2001 
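Review bot: In svq3_decode_mb() (libavcodec/svq3.c), the error path now returns h->intra16x16_pred_mode, which means the negative error code has already been stored into the decoder state before the function bails out. Capture the result of ff_h264_check_intra_pred_mode() in a local variable, return it on failure and assign the field only on success, so the context never holds an invalid prediction mode. The log text "ff_h264_check_intra_pred_mode < 0" would be easier to act on if it included the rejected dir value.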
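Review bot: In mace_decode_init() (libavcodec/mace.c), the widened check "avctx->channels > 2 || avctx->channels < 1" returns AVERROR(EINVAL) without logging anything, unlike the other fixes in this series that pair the rejection with an av_log() at AV_LOG_ERROR. Add a message that includes the channel count so a rejected file can be diagnosed from the log.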
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:54:20 +0300 Subject: [PATCH 709/991] smacker: Make sure we don't fill in huffman codes out of range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0679cec6e8802643bbe6d5f68ca1110a7d3171da) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e9192ffd0c..e07fc3749d 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -263,6 +263,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; + if (ctx.last[0] >= huff.length || + ctx.last[1] >= huff.length || + ctx.last[2] >= huff.length) { + av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n"); + err = AVERROR_INVALIDDATA; + } *recodes = huff.values; From 75f811babc08af5eadf4f2ea23b3e5c46cadbe2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:36:24 +0300 Subject: [PATCH 710/991] matroskadec: Verify realaudio codec parameters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 569d18aa9dc989c37bb4d4b968026fe5afa6fff9) Signed-off-by: Luca Barbato (cherry picked from commit 9f7a8b8f8f6ad024410232d926b774261ef2ef36) --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 03839f89fb..922b2580be 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1488,6 +1488,10 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap) track->audio.sub_packet_h = avio_rb16(&b); track->audio.frame_size = avio_rb16(&b); track->audio.sub_packet_size = avio_rb16(&b); + if (flavor <= 0 || track->audio.coded_framesize <= 0 || + track->audio.sub_packet_h <= 0 || track->audio.frame_size <= 0 || + track->audio.sub_packet_size <= 0) + return AVERROR_INVALIDDATA; track->audio.buf = av_malloc(track->audio.frame_size * track->audio.sub_packet_h); if (codec_id == CODEC_ID_RA_288) { st->codec->block_align = track->audio.coded_framesize; From 2ef84218b2921372aed5fcd06eb7edca3e39d01b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:03:34 +0300 Subject: [PATCH 711/991] truemotion2: Use av_freep properly in an error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c39f7eba01cd656e8f0eed592f93d11814736650) Signed-off-by: Luca Barbato (cherry picked from commit eac1c3f384eab770d42468f4f244156c1735701d) --- libavcodec/truemotion2.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 09d9e27c9d..fd5d28c574 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c 
@@ -907,14 +907,14 @@ static av_cold int decode_init(AVCodecContext *avctx){ if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; From 712945d21e63f6b3bb954b6555ecd79c36a57f42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:17:13 +0300 Subject: [PATCH 712/991] shorten: Use a checked bytestream reader for the wave header MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 49568851bf1700e3d9ea9cda29208d0df3c2c38b) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 256beafd06..5231ce404e 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -205,31 +205,34 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, { int len; short wave_format; + GetByteContext gb; - if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { + bytestream2_init(&gb, header, header_size); + + if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); return AVERROR_INVALIDDATA; } - header += 4; /* chunk size */ + bytestream2_skip(&gb, 4); /* chunk size */ - if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { + if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); return AVERROR_INVALIDDATA; } - while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { - len = bytestream_get_le32(&header); - header += len; + while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) { + len = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, len); } - len = bytestream_get_le32(&header); + len = bytestream2_get_le32(&gb); if (len < 16) { av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n"); return AVERROR_INVALIDDATA; } - wave_format = bytestream_get_le16(&header); + wave_format = bytestream2_get_le16(&gb); switch (wave_format) { case WAVE_FORMAT_PCM: 
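Review bot: The "while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' '))" loop in this hunk still has no exit for input that contains no fmt chunk. len is a signed int taken straight from the file and handed to bytestream2_skip(), and once the checked reader has reached the end of the buffer every further read returns 0, so the loop spins without advancing. Bound the loop on bytestream2_get_bytes_left(&gb) in this same change (PATCH 715 later in the series adds that test) and reject a negative len before skipping.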
@@ -239,11 +242,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, return AVERROR(ENOSYS); } - header += 2; // skip channels (already got from shorten header) - avctx->sample_rate = bytestream_get_le32(&header); - header += 4; // skip bit rate (represents original uncompressed bit rate) - header += 2; // skip block align (not needed) - avctx->bits_per_coded_sample = bytestream_get_le16(&header); + bytestream2_skip(&gb, 2); // skip channels (already got from shorten header) + avctx->sample_rate = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, 4); // skip bit rate (represents original uncompressed bit rate) + bytestream2_skip(&gb, 2); // skip block align (not needed) + avctx->bits_per_coded_sample = bytestream2_get_le16(&gb); if (avctx->bits_per_coded_sample != 16) { av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n"); From f0db793bee82a73bbdaab824f02e8dd081a5d87b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 16:01:02 +0300 Subject: [PATCH 713/991] rv34: Check the return value from ff_rv34_decode_init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 711c970168297683860422e95d6b7e37ee3c8367) Signed-off-by: Luca Barbato (cherry picked from commit 20c8f176293e7520c6205b664e25ecf8a711253e) --- libavcodec/rv30.c | 4 +++- libavcodec/rv40.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 4828e982b7..7b280f4fc5 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c 
@@ -244,9 +244,11 @@ static void rv30_loop_filter(RV34DecContext *r, int row) static av_cold int rv30_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; + int ret; r->rv30 = 1; - ff_rv34_decode_init(avctx); + if ((ret = ff_rv34_decode_init(avctx)) < 0) + return ret; if(avctx->extradata_size < 2){ av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 3f2a824317..1d586d8395 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -541,9 +541,11 @@ static void rv40_loop_filter(RV34DecContext *r, int row) static av_cold int rv40_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; + int ret; r->rv30 = 0; - ff_rv34_decode_init(avctx); + if ((ret = ff_rv34_decode_init(avctx)) < 0) + return ret; if(!aic_top_vlc.bits) rv40_init_tables(); r->parse_slice_header = rv40_parse_slice_header; From 2b71a7884196413d39b90549e58c4488a8f83953 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:46:50 +0300 Subject: [PATCH 714/991] ffv1: Make sure at least one slice context is initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids crashes when initializing the range coder for the first slice context. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b1db33159fdc2da4bdd8c75e4ff9a7dd0ef2f0c2) Signed-off-by: Luca Barbato --- libavcodec/ffv1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 8a6f33f383..917f40d1bc 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c 
@@ -708,6 +708,10 @@ static av_cold int init_slice_contexts(FFV1Context *f){ int i; f->slice_count= f->num_h_slices * f->num_v_slices; + if (f->slice_count <= 0) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n"); + return AVERROR(EINVAL); + } for(i=0; islice_count; i++){ FFV1Context *fs= av_mallocz(sizeof(*fs)); From 7d8a4bb8d2ca8d12043ec78d2546323e3a35114f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:19:28 +0300 Subject: [PATCH 715/991] shorten: Break out of loop looking for fmt chunk if none is found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b26742cc308552f242ee2bf93b07a3ff509f4edc) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5231ce404e..7d51c56acd 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -224,6 +224,10 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) { len = bytestream2_get_le32(&gb); bytestream2_skip(&gb, len); + if (bytestream2_get_bytes_left(&gb) < 16) { + av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n"); + return AVERROR_INVALIDDATA; + } } len = bytestream2_get_le32(&gb); From 33b88170d76a5e97722c0e10ef97f284badbf98b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 17:17:26 +0300 Subject: [PATCH 716/991] oggparseogm: Convert to use bytestream2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 19b9659f3174599e8685d329c4330b1ea8c4c6db) 
Signed-off-by: Luca Barbato --- libavformat/oggparseogm.c | 52 ++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 0a8a7c6bd4..c761bbd7db 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c 
@@ -37,62 +37,64 @@ ogm_header(AVFormatContext *s, int idx) struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; AVStream *st = s->streams[idx]; - const uint8_t *p = os->buf + os->pstart; + GetByteContext p; uint64_t time_unit; uint64_t spu; - if(!(*p & 1)) + bytestream2_init(&p, os->buf + os->pstart, os->psize); + if (!(bytestream2_peek_byte(&p) & 1)) return 0; - if(*p == 1) { - p++; + if (bytestream2_peek_byte(&p) == 1) { + bytestream2_skip(&p, 1); - if(*p == 'v'){ + if (bytestream2_peek_byte(&p) == 'v'){ int tag; st->codec->codec_type = AVMEDIA_TYPE_VIDEO; - p += 8; - tag = bytestream_get_le32(&p); + bytestream2_skip(&p, 8); + tag = bytestream2_get_le32(&p); st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); st->codec->codec_tag = tag; - } else if (*p == 't') { + } else if (bytestream2_peek_byte(&p) == 't') { st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codec->codec_id = CODEC_ID_TEXT; - p += 12; + bytestream2_skip(&p, 12); } else { - uint8_t acid[5]; + uint8_t acid[5] = { 0 }; int cid; st->codec->codec_type = AVMEDIA_TYPE_AUDIO; - p += 8; - bytestream_get_buffer(&p, acid, 4); + bytestream2_skip(&p, 8); + bytestream2_get_buffer(&p, acid, 4); acid[4] = 0; cid = strtol(acid, NULL, 16); st->codec->codec_id = ff_codec_get_id(ff_codec_wav_tags, cid); st->need_parsing = AVSTREAM_PARSE_FULL; } - p += 4; /* useless size field */ + bytestream2_skip(&p, 4); /* useless size field */ - time_unit = bytestream_get_le64(&p); - spu = bytestream_get_le64(&p); - p += 4; /* default_len */ - p += 8; /* buffersize + bits_per_sample */ + time_unit = bytestream2_get_le64(&p); + spu = bytestream2_get_le64(&p); + bytestream2_skip(&p, 4); /* default_len */ + bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */ if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO){ - st->codec->width = bytestream_get_le32(&p); - st->codec->height = bytestream_get_le32(&p); + st->codec->width = bytestream2_get_le32(&p); + st->codec->height = 
bytestream2_get_le32(&p); st->codec->time_base.den = spu * 10000000; st->codec->time_base.num = time_unit; avpriv_set_pts_info(st, 64, st->codec->time_base.num, st->codec->time_base.den); } else { - st->codec->channels = bytestream_get_le16(&p); - p += 2; /* block_align */ - st->codec->bit_rate = bytestream_get_le32(&p) * 8; + st->codec->channels = bytestream2_get_le16(&p); + bytestream2_skip(&p, 2); /* block_align */ + st->codec->bit_rate = bytestream2_get_le32(&p) * 8; st->codec->sample_rate = spu * 10000000 / time_unit; avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); } - } else if (*p == 3) { - if (os->psize > 8) - ff_vorbis_comment(s, &st->metadata, p+7, os->psize-8); + } else if (bytestream2_peek_byte(&p) == 3) { + bytestream2_skip(&p, 7); + if (bytestream2_get_bytes_left(&p) > 1) + ff_vorbis_comment(s, &st->metadata, p.buffer, bytestream2_get_bytes_left(&p) - 1); } return 1; From 0a23055b8ab24800774a7079921791acb92fe0f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:27:49 +0300 Subject: [PATCH 717/991] xmv: Add more sanity checks for parameters read from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the number of channels is multiplied by 36 and assigned to to a uint16_t, make sure this calculation didn't overflow. (In certain cases the calculation could overflow leaving the truncated block_align at 0, leading to divisions by zero later.) Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68) Signed-off-by: Luca Barbato (cherry picked from commit 00516b5491fbd99e4057f21eae231fc02cc596e3) --- libavformat/xmv.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 8249ce11e3..f0950c0f6b 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c 
@@ -43,6 +43,8 @@ XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ XMV_AUDIO_ADPCM51_REARLEFTRIGHT) +#define XMV_BLOCK_ALIGN_SIZE 36 + typedef struct XMVAudioTrack { uint16_t compression; uint16_t channels; @@ -208,7 +210,7 @@ static int xmv_read_header(AVFormatContext *s, track->bit_rate = track->bits_per_sample * track->sample_rate * track->channels; - track->block_align = 36 * track->channels; + track->block_align = XMV_BLOCK_ALIGN_SIZE * track->channels; track->block_samples = 64; track->codec_id = ff_wav_codec_get_id(track->compression, track->bits_per_sample); @@ -225,7 +227,8 @@ static int xmv_read_header(AVFormatContext *s, av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", track->flags); - if (!track->channels || !track->sample_rate) { + if (!track->channels || !track->sample_rate || + track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", audio_track); ret = AVERROR_INVALIDDATA; From e01d623e01937d43de404807ae0bf7c2cf88fb0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:13:48 +0300 Subject: [PATCH 718/991] dsicin: Add some basic sanity checks for fields read from the file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 48d6556dd46d4f4fac10d0f4a819e314887cd50e) Signed-off-by: Luca Barbato --- libavformat/dsicin.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index 801ca6af22..03af6c66d1 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c @@ -152,6 +152,8 @@ static int cin_read_frame_header(CinDemuxContext *cin, AVIOContext *pb) { if (avio_rl32(pb) != 0xAA55AA55) return AVERROR_INVALIDDATA; + if (hdr->video_frame_size < 0 || hdr->audio_frame_size < 0) + return AVERROR_INVALIDDATA; return 0; } 
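Review bot: In ogm_header() (libavformat/oggparseogm.c), switching to the checked reader means a truncated packet now yields zeros instead of reading out of bounds, but time_unit is then used as a divisor in the unchanged line "st->codec->sample_rate = spu * 10000000 / time_unit;". Reject time_unit == 0, and a packet too short to hold the fixed header fields, before the division. Minor: "acid[4] = 0;" is redundant now that the array is initialised with { 0 }.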
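Review bot: In xmv_read_header() (libavformat/xmv.c), the new test "track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE" runs only after "track->block_align = XMV_BLOCK_ALIGN_SIZE * track->channels;" has been computed in the earlier hunk, so the truncated value sits in the track until the error path is taken. Moving the validation ahead of the multiplication makes the order match the intent. The >= also rejects 1820 channels although 36 * 1820 = 65520 still fits in a uint16_t; that is harmless, but > is the exact bound.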
From f241d5aa1fa45d98c26accd0832c354e7ec64e5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:29:33 +0300 Subject: [PATCH 719/991] ape: Don't allow the seektable to be omitted MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The seektable is required for filling in ape->frames[i].pos further down. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 183b9d843a9533774fabd3984a52f3987001acbc) Signed-off-by: Luca Barbato --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index 7d4cd39568..2e5250b0c1 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -255,7 +255,7 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) ape->totalframes); return -1; } - if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) { + if (ape->seektablelength / sizeof(*ape->seektable) < ape->totalframes) { av_log(s, AV_LOG_ERROR, "Number of seek entries is less than number of frames: %zu vs. %"PRIu32"\n", ape->seektablelength / sizeof(*ape->seektable), ape->totalframes); From 843b330c3c9a3fc60bee5638e1fb47ace5db0c73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:32:35 +0300 Subject: [PATCH 720/991] ivi_common: Make sure color planes have been initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a92538b7c0defc86c55fb91f55dfa36aad192673) Signed-off-by: Luca Barbato (cherry picked from commit 38bd229af9c4fa5897fc1a69e73a04c55f78647f) --- libavcodec/ivi_common.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 91a42b152f..84695a058b 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -892,6 +892,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, return AVERROR_PATCHWELCOME; } + if (!ctx->planes[0].bands) { + av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n"); + return AVERROR_INVALIDDATA; + } + ctx->switch_buffers(ctx); //{ START_TIMER; From 3b169044ca042f1bc82a7e55bbf72062b051c75f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:40:57 +0300 Subject: [PATCH 721/991] rv10: Validate the dimensions set from the container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5372cda67109848d22146289e401669266217e80) Signed-off-by: Luca Barbato (cherry picked from commit 0b0f1cd44ece180e12795cfc8d0a0ac5ea3ebe2c) --- libavcodec/rv10.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 4f64ec29b3..59bd96859e 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -425,12 +425,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; static int done=0; - int major_ver, minor_ver, micro_ver; + int major_ver, minor_ver, micro_ver, ret; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; } + if ((ret = av_image_check_size(avctx->coded_width, + avctx->coded_height, 0, avctx)) < 0) + return ret; MPV_decode_defaults(s); From 61032c577db0421c332d0eea10a00748353b38ee Mon Sep 17 00:00:00 2001 
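Review bot: In ff_ivi_decode_frame() (libavcodec/ivi_common.c), the guard only tests ctx->planes[0].bands. If the other planes are allocated separately, a partially initialised context would still pass. Either test every plane that the decode path touches or add a comment stating that plane 0 being set implies the rest are.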
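Review bot: In rv10_decode_init() (libavcodec/rv10.c), the call to av_image_check_size() arrives in a one-hunk patch that adds no #include for libavutil/imgutils.h. Confirm that rv10.c already pulls that header in on this branch; otherwise the call relies on an implicit declaration. The new path returns ret while the extradata check just above it still returns -1, so converting that one to an AVERROR code would keep the function consistent.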
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:20:01 +0300 Subject: [PATCH 722/991] smacker: Don't return packets in unallocated streams MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8d928023f953a28692ba27071a448259134b103b) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index d6bb21373e..3d5a3b8d72 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -336,6 +336,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) smk->cur_frame++; smk->nextpos = avio_tell(s->pb); } else { + if (smk->stream_id[smk->curstream] < 0) + return AVERROR_INVALIDDATA; if (av_new_packet(pkt, smk->buf_sizes[smk->curstream])) return AVERROR(ENOMEM); memcpy(pkt->data, smk->bufs[smk->curstream], smk->buf_sizes[smk->curstream]); From b81d804f2ac113a46d1736751401d78f998db56d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Nov 2012 18:08:39 +0100 Subject: [PATCH 723/991] zmbvdec: Check the buffer size for uncompressed data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also don't pointlessly set the buffer size to 1 after copying one packet. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696) Signed-off-by: Luca Barbato --- libavcodec/zmbv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index a36a844b1f..9df0d53525 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c 
@@ -497,8 +497,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac } if (c->comp == 0) { //Uncompressed data + if (c->decomp_size < len) { + av_log(avctx, AV_LOG_ERROR, "Buffer too small\n"); + return AVERROR_INVALIDDATA; + } memcpy(c->decomp_buf, buf, len); - c->decomp_size = 1; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = buf; From e3ba6ff9357d845ad7add95dad4760f849360b8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:40:13 +0300 Subject: [PATCH 724/991] mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a potential division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f875a732e36786d49f3650e3235272891a820600) Signed-off-by: Luca Barbato (cherry picked from commit c8c93795e4afd04c2c5b74e29e8dec29b6a76b81) --- libavcodec/mpeg4videodec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index b243a23be7..f96955b435 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -152,7 +152,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){ return 0; } -static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) +static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb) { int i; int a= 2<sprite_warping_accuracy; @@ -168,6 +168,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb int h= s->height; int min_ab; + if (w <= 0 || h <= 0) + return AVERROR_INVALIDDATA; + for(i=0; inum_sprite_warping_points; i++){ int length; int x=0, y=0; 
@@ -340,6 +343,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb } s->real_sprite_warping_points= s->num_sprite_warping_points; } + return 0; } /** @@ -413,7 +417,8 @@ int mpeg4_decode_video_packet_header(MpegEncContext *s) skip_bits(&s->gb, 3); /* intra dc vlc threshold */ //FIXME don't just ignore everything if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){ - mpeg4_decode_sprite_trajectory(s, &s->gb); + if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_ERROR, "untested\n"); } @@ -2025,7 +2030,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){ } if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){ - mpeg4_decode_sprite_trajectory(s, gb); + if (mpeg4_decode_sprite_trajectory(s, gb) < 0) + return AVERROR_INVALIDDATA; if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n"); if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); } From 75dabbff8b15700c20e42f79a23fd4338a54e71d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 14:53:15 +0300 Subject: [PATCH 725/991] idroqdec: Make sure a video stream has been allocated before returning packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit bcbe4f3ceb6ee0210d3a401963518906c8b9b230) Signed-off-by: Luca Barbato (cherry picked from commit de75bc01cda53acfbd9f901639695ade8e650c43) --- libavformat/idroqdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index d63c395b79..ece18b8b4f 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c 
@@ -142,6 +142,8 @@ static int roq_read_packet(AVFormatContext *s, break; case RoQ_QUAD_CODEBOOK: + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; /* packet needs to contain both this codebook and next VQ chunk */ codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE; codebook_size = chunk_size; @@ -184,6 +186,11 @@ static int roq_read_packet(AVFormatContext *s, st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; } case RoQ_QUAD_VQ: + if (chunk_type == RoQ_QUAD_VQ) { + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; + } + /* load up the packet */ if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE)) return AVERROR(EIO); From 68a1df13c460adb6241cfdf96aad953b5d637623 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:25:13 +0300 Subject: [PATCH 726/991] smacker: Avoid integer overflow when allocating packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 710b0e27025948b7511821c2f888ff2d74a59e14) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 3d5a3b8d72..92b91b7144 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -320,7 +320,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } flags >>= 1; } - if (frame_size < 0) + if (frame_size < 0 || frame_size >= INT_MAX/2) return AVERROR_INVALIDDATA; if (av_new_packet(pkt, frame_size + 769)) return AVERROR(ENOMEM); From 486c45767587151b517bb6fde602d43d178da203 Mon Sep 17 00:00:00 2001 
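Review bot: Both call sites of mpeg4_decode_sprite_trajectory() (libavcodec/mpeg4videodec.c) test the result with "< 0" and then return a hard-coded AVERROR_INVALIDDATA, discarding whatever the callee returned. Store the result in a local and return it unchanged, so a different error code added to the callee later is not silently rewritten. The new "w <= 0 || h <= 0" exit is also silent; an av_log() there would make the rejection visible in the log.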
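Review bot: In roq_read_packet() (libavformat/idroqdec.c), the check added under "case RoQ_QUAD_VQ:" is wrapped in "if (chunk_type == RoQ_QUAD_VQ)" because the preceding case falls through into it. Collapse the nested ifs into a single condition, "chunk_type == RoQ_QUAD_VQ && roq->video_stream_index < 0", and mark the fall-through above with a comment so the reason for re-testing the chunk type is clear to the next reader.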
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:47:06 +0300 Subject: [PATCH 727/991] mpc8: Check the seek table size parsed from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Limit the size to INT_MAX/2 (for simplicity) to be sure that size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 459f2b393a3f89ed08d10fbceb4738d1429f268e) Signed-off-by: Luca Barbato (cherry picked from commit f8a72f041c049e812dfa1f32156327e9778f5710) --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index d9560496f7..97a9b01025 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -143,6 +143,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_log(s, AV_LOG_ERROR, "No seek table at given position\n"); return; } + if (size < 0 || size >= INT_MAX / 2) { + av_log(s, AV_LOG_ERROR, "Bad seek table size\n"); + return; + } if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE))) return; avio_read(s->pb, buf, size); From b19eafa2b930ee40abfde6d1f026b7fa5591c4dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:07:30 +0300 Subject: [PATCH 728/991] eacmv: Make sure a reference frame exists before referencing it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is similar to an existing check for the second-last frame from 062421e3. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ea78a348d86a3a733f6c1e0a65cfdd8283d924b9) 
Signed-off-by: Luca Barbato Conflicts: libavcodec/eacmv.c (cherry picked from commit 2e12af4587613dd5b2c3431e5c8194d73b03434f) --- libavcodec/eacmv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 085e2d8177..2a4ecdc219 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -106,9 +106,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } From 036136fa89ac44fd89c7f4730d3039f0b3b92cfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:14:56 +0300 Subject: [PATCH 729/991] asv1: Verify the amount of extradata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The init function reads one byte of extradata. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f50803354c6acb4575379d7c54ca48ec5d36dd61) Signed-off-by: Luca Barbato --- libavcodec/asv1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/asv1.c b/libavcodec/asv1.c index 8db23c07ef..cdddfa58af 100644 --- a/libavcodec/asv1.c +++ b/libavcodec/asv1.c 
@@ -535,6 +535,11 @@ static av_cold int decode_init(AVCodecContext *avctx){ int i; const int scale= avctx->codec_id == CODEC_ID_ASV1 ? 1 : 2; + if (avctx->extradata_size < 1) { + av_log(avctx, AV_LOG_ERROR, "No extradata provided\n"); + return AVERROR_INVALIDDATA; + } + common_init(avctx); init_vlcs(a); ff_init_scantable(a->dsp.idct_permutation, &a->scantable, scantab); From cd254e8540b3fce4ab83e06dc1a64f69feddd9ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 11:16:57 +0300 Subject: [PATCH 730/991] vc1dec: Undo mpegvideo initialization if unable to allocate tables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, s->context_initialized was left set to 1 if ff_vc1_decode_init_alloc_tables failed, skipping the initialization completely on the next decode call. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b772b0e28eba6abf76d86ee8c6e459a86642db5a) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 328c5a69c5..8c28aa9bc2 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5483,8 +5483,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, } if (!s->context_initialized) { - if (ff_msmpeg4_decode_init(avctx) < 0 || vc1_decode_init_alloc_tables(v) < 0) + if (ff_msmpeg4_decode_init(avctx) < 0) return -1; + if (vc1_decode_init_alloc_tables(v) < 0) { + MPV_common_end(s); + return -1; + } s->low_delay = !avctx->has_b_frames || v->res_sprite; From ff8837e9c60a99172565c47d7fcf432418c0dac8 Mon Sep 17 00:00:00 2001 
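Review bot: in cmv_decode_inter (libavcodec/eacmv.c), when `s->last_frame.data[0]` is NULL the motion-compensated block is now skipped silently, so that block of `s->frame` is never written and nothing tells the user the stream referenced a frame that does not exist. The function returns void, so an error cannot be propagated from here, but a log message or an explicit fill of the block would make the outcome defined.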
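Review bot: in vc1_decode_frame the new failure path returns a bare -1 after `MPV_common_end(s)`, discarding whatever vc1_decode_init_alloc_tables returned. Keeping the result in a local and returning it would let an allocation failure reach the caller as such; the same applies to the `ff_msmpeg4_decode_init(avctx) < 0` line just above.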
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:32:02 +0300 Subject: [PATCH 731/991] mpegaudiodec: Validate that the number of channels fits at the given offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is similar to the fix in 35cbc98b. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e9d61de96c113ee0ef8082833c7e682df0e23eec) Signed-off-by: Luca Barbato (cherry picked from commit bacf5db1962a6955ce80eea6bbc86c6970d7d360) --- libavcodec/mpegaudiodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index adb25ffa38..e2216f3fdb 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1943,7 +1943,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header); - if (ch + m->nb_channels > avctx->channels) { + if (ch + m->nb_channels > avctx->channels || + s->coff[fr] + m->nb_channels > avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec " "channel count\n"); return AVERROR_INVALIDDATA; From 61d56054a9d792882f18b0e6bfb6834a793efe2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 00:34:35 +0300 Subject: [PATCH 732/991] vqf: Make sure sample_rate is set to a valid value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids divisions by zero later (and possibly assertions in time base scaling), since an invalid rate_flag combined with an invalid bitrate below could pass the mode combination test. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9277050e2918e0a0df9689721a188a604d886616) 
Signed-off-by: Luca Barbato (cherry picked from commit 4d60ab62e05decc562645cd6f813f7c9e69637ee) --- libavformat/vqf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 4f8f07c919..a9b5ce784c 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s, AVFormatParameters *ap) st->codec->sample_rate = 11025; break; default: + if (rate_flag < 8 || rate_flag > 44) { + av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag); + return AVERROR_INVALIDDATA; + } st->codec->sample_rate = rate_flag*1000; break; } From 2c3114158510d05346e362d381a3b352175e260e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:53:31 +0300 Subject: [PATCH 733/991] qpeg: Add checks for running out of rows in qpeg_decode_inter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7a5a55722749a3ab77941914707277b147322cbe) Signed-off-by: Luca Barbato (cherry picked from commit 4d90550cf95eac0451465116d6e53bac37b96927) --- libavcodec/qpeg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 9513dd0ad3..9897f16bf3 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -198,6 +198,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */ @@ -209,6 +211,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } size -= code + 1; From efe59ad90bce0e7d03319356b13fe83dde2eecc5 Mon Sep 17 00:00:00 2001 
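Review bot: in both qpeg_decode_inter hunks the added `break` leaves only the innermost loop, after `dst -= stride` has already moved the write pointer one row further. The enclosing decode loop is not visible here, so please confirm that it also stops once `height < 0`; otherwise the next code is processed with `dst` already outside the frame. Returning from the function at this point would remove the doubt.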
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:19:10 +0300 Subject: [PATCH 734/991] vqf: Make sure the bitrate is in the valid range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Even if the sample rate is valid, an invalid bitrate could pass the mode combination test below. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 68ff9981283a56c731f00c2ee7901103665092fc) Signed-off-by: Luca Barbato (cherry picked from commit 60701469ab9f526841ae81444236425f87916adb) --- libavformat/vqf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index a9b5ce784c..253ddec666 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s, AVFormatParameters *ap) break; } + if (read_bitrate / st->codec->channels < 8 || + read_bitrate / st->codec->channels > 48) { + av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n", + read_bitrate / st->codec->channels); + return AVERROR_INVALIDDATA; + } + switch (((st->codec->sample_rate/1000) << 8) + read_bitrate/st->codec->channels) { case (11<<8) + 8 : From e80071892b14a66b8730dfe21aca76e5b0333f2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:02:29 +0300 Subject: [PATCH 735/991] segafilm: Validate the number of audio channels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids divisions by zero later. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 82e266c6d3fbf3cc74e515b883e66543381a0f2c) Signed-off-by: Luca Barbato (cherry picked from commit 5379c5184b9fe9ef06234638f5629d4c80056e04) --- libavformat/segafilm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 5279121383..d5aaf11d38 100644 
--- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -112,6 +112,11 @@ static int film_read_header(AVFormatContext *s, return AVERROR(EIO); film->audio_samplerate = AV_RB16(&scratch[24]); film->audio_channels = scratch[21]; + if (!film->audio_channels || film->audio_channels > 2) { + av_log(s, AV_LOG_ERROR, + "Invalid number of channels: %d\n", film->audio_channels); + return AVERROR_INVALIDDATA; + } film->audio_bits = scratch[22]; if (scratch[23] == 2) film->audio_type = CODEC_ID_ADPCM_ADX; From 889bdc47f6bbf3fc30c73173349db82828cdd0e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 00:41:31 +0300 Subject: [PATCH 736/991] avidec: Make sure a packet is large enough before reading its data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8d07258bb6063d0780ce2d39443d6dc6d8eedc5a) Signed-off-by: Luca Barbato Conflicts: libavformat/avidec.c (cherry picked from commit 2e4c649b3e62fdd158b5a9a0f973d3b186a23e94) --- libavformat/avidec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ac6e85f78c..11d086cbe8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -749,8 +749,10 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) return 0; } -static int read_gab2_sub(AVStream *st, AVPacket *pkt) { - if (!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) { +static int read_gab2_sub(AVStream *st, AVPacket *pkt) +{ + if (pkt->size >= 7 && + !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) { uint8_t desc[256]; int score = AVPROBE_SCORE_MAX / 2, ret; AVIStream *ast = st->priv_data; From f23b1cc7d979ab0153d203e2e7ecb0ca48e78abb Mon Sep 17 00:00:00 2001 
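Review bot: in the vqf_read_header hunk that adds the bitrate range check, `st->codec->channels` is used as a divisor three times in the new lines and again in the switch below, and nothing in the visible context shows it has been validated as non-zero. A channel-count check ahead of this block is needed for the new test to be safe; computing `read_bitrate / st->codec->channels` once into a local would also avoid repeating the expression in the condition and the log call.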
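Review bot: in read_gab2_sub (libavformat/avidec.c) the added `pkt->size >= 7` covers the bytes that are read, but `!strcmp(pkt->data, "GAB2")` is still a C-string compare on packet bytes and matches only because the fifth byte has to be NUL. `memcmp(pkt->data, "GAB2", 5)` states that requirement directly. The hunk also moves the opening brace of the function, which is a cosmetic change that would be easier to backport as a separate commit.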
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:55:13 +0300 Subject: [PATCH 737/991] wtv: Add more sanity checks for a length read from the file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also make sure the existing length check can't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 83c285f88016b087c2f0f4b9ef356ad8ef12d947) Signed-off-by: Luca Barbato (cherry picked from commit 78dc022f6f8a8b87773a209e0fcbea2d5b48396f) --- libavformat/wtv.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/wtv.c b/libavformat/wtv.c index 2d5d7c5cbd..7a668439f9 100644 --- a/libavformat/wtv.c +++ b/libavformat/wtv.c @@ -273,7 +273,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b dir_length = AV_RL16(buf + 16); file_length = AV_RL64(buf + 24); name_size = 2 * AV_RL32(buf + 32); - if (buf + 48 + name_size > buf_end) { + if (name_size < 0) { + av_log(s, AV_LOG_ERROR, + "bad filename length, remaining directory entries ignored\n"); + break; + } + if (48 + name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; } From ea1c9424d1c425c657b43fbba478e65af2e2c774 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:13:26 +0300 Subject: [PATCH 738/991] xwma: Avoid division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit adc09136a4a63b152630abeacb22c56541eacf60) Signed-off-by: Luca Barbato (cherry picked from commit 2ff935a06008fb1959ff633962fbc728762c33cb) --- libavformat/xwma.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 94abfc7ae5..f690e190e1 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -200,6 +200,14 @@ static int xwma_read_header(AVFormatContext *s, AVFormatParameters *ap) /* Estimate the duration from the total number of output bytes. */ const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1]; + + if (!bytes_per_sample) { + av_log(s, AV_LOG_ERROR, + "Invalid bits_per_coded_sample %d for %d channels\n", + st->codec->bits_per_coded_sample, st->codec->channels); + return AVERROR_INVALIDDATA; + } + st->duration = total_decoded_bytes / bytes_per_sample; /* Use the dpds data to build a seek table. We can only do this after From 213b8aa0a90585f13aebb7fba39cbd3e367e98a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:46:04 +0300 Subject: [PATCH 739/991] bfi: Add some very basic sanity checks for input packet sizes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 640a2427aafa774b83316b7a8c5c2bdc28bfd269) Signed-off-by: Luca Barbato (cherry picked from commit 10f384e4f5d0ee692cacaf90d629d8bc2178b092) --- libavformat/bfi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index c0b5681744..326c1f3e83 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -130,6 +130,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) video_offset = avio_rl32(pb); audio_size = video_offset - audio_offset; bfi->video_size = chunk_size - video_offset; + if (audio_size < 0 || bfi->video_size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); + return AVERROR_INVALIDDATA; + } //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); From c211ba9b59e8a7c730dfacc536e59f036e77950f Mon Sep 17 00:00:00 2001 
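Review bot: in wtvfile_open2 the doubling in `name_size = 2 * AV_RL32(buf + 32);` happens before the new `name_size < 0` test, so a 32-bit length with its top bit set can wrap to a small non-negative value and pass both checks (the declared type of name_size is not visible in this hunk). Validating the raw value read from the file against `(buf_end - buf - 48) / 2` before multiplying would not depend on how the wrapped result converts.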
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:57:47 +0300 Subject: [PATCH 740/991] rl2: Avoid a division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 3ca14aa5964ea5d11f7a15f9fff17924d6096d44) Signed-off-by: Luca Barbato (cherry picked from commit ce1dacb435460dda1f9d453eaaeac44bd502aca4) --- libavformat/rl2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index b2be7c0ca9..b138d7bf46 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -109,6 +109,10 @@ static av_cold int rl2_read_header(AVFormatContext *s, rate = avio_rl16(pb); channels = avio_rl16(pb); def_sound_size = avio_rl16(pb); + if (!channels || channels > 42) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels); + return AVERROR_INVALIDDATA; + } /** setup video stream */ st = avformat_new_stream(s, NULL); From 35c39d2ee2a2ff6f8200b5725dd9bf443dba55c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:26:18 +0300 Subject: [PATCH 741/991] mvi: Add sanity checking for the audio frame size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 28ff439efd2362fb21e1a78610737f2e26a72d8f) Signed-off-by: Luca Barbato (cherry picked from commit 04d2f9ace3fb6e880f3488770fc5a39de5b63cbb) --- libavformat/mvi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 4782aad479..51ffb6c600 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c 
@@ -91,6 +91,12 @@ static int read_header(AVFormatContext *s, AVFormatParameters *ap) mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; + if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { + av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n", + mvi->audio_data_size, frames_count); + return AVERROR_INVALIDDATA; + } + mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; mvi->audio_size_left = mvi->audio_data_size; From 1438181a2943be1aa37ec955cae4905514cf317c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:57:36 +0300 Subject: [PATCH 742/991] mov: Make sure the read sample count is nonnegative MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids setting a negative number of frames, ending up with a negative average frame rate. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c231987662194d009dd91bfc57c678e0e70ca161) Signed-off-by: Luca Barbato (cherry picked from commit c10f3fed259c23e6887f68cdf3e7d4ae87026f65) --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9cac5069c0..2096988ce7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1642,6 +1642,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sample_count=avio_rb32(pb); sample_duration = avio_rb32(pb); + if (sample_count < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count); + return AVERROR_INVALIDDATA; + } sc->stts_data[i].count= sample_count; sc->stts_data[i].duration= sample_duration; From 456a9392103f6ccd63173660804b1029052dc36c Mon Sep 17 00:00:00 2001 
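Review bot: in the mvi read_header hunk the new check runs after the context line that divides by `frames_count`, and nothing visible here rejects `frames_count == 0`, so that division can still fault before the added test is reached. Checking `frames_count` first would close it. Separately, `1 << MVI_FRAC_BITS - 1` parses as `1 << (MVI_FRAC_BITS - 1)`; writing the parentheses makes that intent explicit.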
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:12:06 +0300 Subject: [PATCH 743/991] dca: Validate the lfe parameter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a9d50bb578ec04c085a25f1e023f75e0e4499d5e) Signed-off-by: Luca Barbato --- libavcodec/dca.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 169c9b41b9..4d71812d88 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -578,6 +578,11 @@ static int dca_parse_frame_header(DCAContext *s) s->lfe = get_bits(&s->gb, 2); s->predictor_history = get_bits(&s->gb, 1); + if (s->lfe > 2) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe); + return AVERROR_INVALIDDATA; + } + /* TODO: check CRC */ if (s->crc_present) s->header_crc = get_bits(&s->gb, 16); From 7fdb915fc712f43879a396015b6fc56e40e89b35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:32:39 +0300 Subject: [PATCH 744/991] riffdec: Add sanity checks for the sample rate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a division by zero for G726. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d07aa3f02b73ab1371c13ac7898338380ca0932b) Signed-off-by: Luca Barbato (cherry picked from commit 607863acaec85671f8c2afd81079ae4c605e3468) --- libavformat/riff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 4caac80643..2594bd2995 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c 
@@ -563,6 +563,11 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) if (size > 0) avio_skip(pb, size); } + if (codec->sample_rate <= 0) { + av_log(NULL, AV_LOG_ERROR, + "Invalid sample rate: %d\n", codec->sample_rate); + return AVERROR_INVALIDDATA; + } codec->codec_id = ff_wav_codec_get_id(id, codec->bits_per_coded_sample); if (codec->codec_id == CODEC_ID_AAC_LATM) { /* channels and sample_rate values are those prior to applying SBR and/or PS */ From ac1e61d5593d987876e2947b42a7aa37a4efcd4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:12:04 +0300 Subject: [PATCH 745/991] pngdec: Stop trying to decode once inflate returns Z_STREAM_END MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the input buffer contains more data after the deflate stream, the loop previously left running infinitely, with inflate returning Z_STREAM_END. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a81cad8f86d1feb7e4bfae29e43f3e994935a5c7) Signed-off-by: Luca Barbato (cherry picked from commit a63e83cd4b43c3dcef38f7fefe41c002a263af0f) --- libavcodec/pngdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ac98f7093d..22f154ebbc 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -377,6 +377,10 @@ static int png_decode_idat(PNGDecContext *s, int length) s->zstream.avail_out = s->crow_size; s->zstream.next_out = s->crow_buf; } + if (ret == Z_STREAM_END && s->zstream.avail_in > 0) { + av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in); + return 0; + } } return 0; } From 380e3732676828decd54dccaba96db30be78aecf Mon Sep 17 00:00:00 2001 
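Review bot: in ff_get_wav_header the new message is logged with `av_log(NULL, ...)` although the function receives `AVCodecContext *codec`, which can serve as the logging context. Passing `codec` would tie the "Invalid sample rate" message to the stream that triggered it.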
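Review bot: in png_decode_idat the warning prints `s->zstream.avail_in` with `%d`, but zlib declares avail_in as an unsigned type, so the format should be `%u`. The call also uses `av_log(NULL, ...)`; if the decoder context is reachable from `s`, passing it would attribute the message to the right stream.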
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:59:50 +0300 Subject: [PATCH 746/991] xan: Only read within the data that actually was initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82) Signed-off-by: Luca Barbato (cherry picked from commit 09ace619d6ccb2c0a45b5fdead29f926409fa129) --- libavcodec/xan.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 3078e0a977..d0def65f20 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; + unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len < 0) @@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val < 0x16) { if (dest >= dest_end) - return 0; + return dest_len; *dest++ = val; val = ival; } } - return 0; + return dest - dest_start; } /** @@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) { unsigned char flag = 0; int size = 0; int motion_x, motion_y; - int x, y; + int x, y, ret; unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; 
@@ -308,9 +309,10 @@ static int xan_wc3_decode_frame(XanContext *s) { bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; - if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - huffman_offset) < 0) + if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset)) < 0) return AVERROR_INVALIDDATA; + opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, s->buffer2_size, From b29c31c21e6d9d791b413146defb1986032d72b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 00:07:34 +0300 Subject: [PATCH 747/991] wnv1: Make sure the input packet is large enough MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 91be1103fd1f79d381edf268c32f4166b6c3b6d8) Signed-off-by: Luca Barbato (cherry picked from commit 0c8c6b4419e00d13197a4aea5456b398dca24df0) --- libavcodec/wnv1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index f6e4694df2..0cc26dbb60 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -70,6 +70,11 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; + if (buf_size < 8) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } + rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if(!rbuf){ av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From 416ad3ecf242946034a552f39718b6aaaa98c272 Mon Sep 17 00:00:00 2001 
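Review bot: xan_huffman_decode changes its return contract in this patch, from 0 on success to the number of bytes written (`dest_len` when the output fills, `dest - dest_start` otherwise), and the caller now depends on it through `opcode_buffer_end = opcode_buffer + ret`. None of the hunks update or add a comment on the function describing the new return value; a short doc comment would keep a later caller from treating a positive result as a failure.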
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:38:40 +0300 Subject: [PATCH 748/991] electronicarts: Add more sanity checking for the number of channels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a9221e39600a31ee13e736e9e47743cde23f0280) Signed-off-by: Luca Barbato Conflicts: libavformat/electronicarts.c (cherry picked from commit a89868d714705af1b0b004fa790a889e9ba792cd) --- libavformat/electronicarts.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 0113683ee2..fb8f7185ad 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -424,8 +424,9 @@ static int ea_read_header(AVFormatContext *s, } if (ea->audio_codec) { - if (ea->num_channels <= 0) { - av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); + if (ea->num_channels <= 0 || ea->num_channels > 2) { + av_log(s, AV_LOG_WARNING, + "Unsupported number of channels: %d\n", ea->num_channels); ea->audio_codec = 0; return 1; } From 5a40e4c64d909006b401419f9ab9cc96ce0b7337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:38:50 +0300 Subject: [PATCH 749/991] pcx: Consume the whole packet if giving up due to missing palette MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, we returned 0, meaning successful decoding but 0 bytes consumed, leading to an infinite loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9fb0de86b49e9fb0709a8ad1e1875e35da841887) 
Signed-off-by: Luca Barbato (cherry picked from commit 812955a12b190012c134be33a93f27308953eb2f) --- libavcodec/pcx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 0377b9298c..0e8201267a 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -195,6 +195,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (*buf++ != 12) { av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n"); + ret = buf_size; goto end; } From d3986f4f1baf8397c1f12154387c2c1950125d72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 01:04:05 +0300 Subject: [PATCH 750/991] xxan: Disallow odd width MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Decoded data is always written in pairs within this decoder. This fixes writes out of bounds. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc) Signed-off-by: Luca Barbato --- libavcodec/xxan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 59e1229802..e9c6169ad8 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -46,6 +46,11 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) avctx->pix_fmt = PIX_FMT_YUV420P; + if (avctx->width & 1) { + av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width); + return AVERROR(EINVAL); + } + s->buffer_size = avctx->width * avctx->height; s->y_buffer = av_malloc(s->buffer_size); if (!s->y_buffer) From 159993acc7f4e3155510d42c543e09fe972b933c Mon Sep 17 00:00:00 2001 
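Review bot: in pcx_decode_frame the missing-palette path now sets `ret = buf_size` right after logging at AV_LOG_ERROR, which reports the packet as fully and successfully consumed. If the code at `end` returns `ret`, a negative value such as AVERROR_INVALIDDATA would equally avoid the zero-bytes-consumed result while letting the caller see the failure. If reporting success is intended, a comment on the new line should say why.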
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 11:16:00 +0300 Subject: [PATCH 751/991] vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ede508443e4bf57dc1e019fac81bf6244b88fbd3) Signed-off-by: Luca Barbato (cherry picked from commit b62704891d2353679e012555ac9e9a49ee63d497) --- libavcodec/vc1dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index e1aa4e65d8..328c5a69c5 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5126,8 +5126,19 @@ static av_cold int vc1_decode_init_alloc_tables(VC1Context *v) if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane || !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base || - !v->mb_type_base) - return -1; + !v->mb_type_base) { + av_freep(&v->mv_type_mb_plane); + av_freep(&v->direct_mb_plane); + av_freep(&v->acpred_plane); + av_freep(&v->over_flags_plane); + av_freep(&v->block); + av_freep(&v->cbp_base); + av_freep(&v->ttblk_base); + av_freep(&v->is_intra_base); + av_freep(&v->luma_mv_base); + av_freep(&v->mb_type_base); + return AVERROR(ENOMEM); + } return 0; } From 5e8243e843be8f71da7dde199a71d095726533eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:42:40 +0300 Subject: [PATCH 752/991] bfi: Avoid divisions by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a zero-length video packet is to be returned, just return AVERROR(EAGAIN) and switch back to the audio stream. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org 
Signed-off-by: Martin Storsjö (cherry picked from commit 9fc7184d1a9af8d97b3fc5c2ef9d0a647d6617ea) Signed-off-by: Luca Barbato (cherry picked from commit ad1223d6bcc69e1639951aedcdae40822bf41042) --- libavformat/bfi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index bb02e85581..c0b5681744 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -138,9 +138,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) pkt->pts = bfi->audio_frame; bfi->audio_frame += ret; - } - - else { + } else if (bfi->video_size > 0) { //Tossing a video packet at the video decoder. ret = av_get_packet(pb, pkt, bfi->video_size); @@ -152,6 +150,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) /* One less frame to read. A cursory decrement. */ bfi->nframes--; + } else { + /* Empty video packet */ + ret = AVERROR(EAGAIN); } bfi->avflag = !bfi->avflag; From 993977032a0adb47eb70e7fef6ce0d5370027e83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:53:58 +0300 Subject: [PATCH 753/991] xan: Use bytestream2 to limit reading to within the buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47) Signed-off-by: Luca Barbato (cherry picked from commit 145de32896b37a508f11bcf11dfcc94487301716) --- libavcodec/xan.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 4c4721ada2..3078e0a977 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c 
@@ -283,8 +283,8 @@ static int xan_wc3_decode_frame(XanContext *s) { /* pointers to segments inside the compressed chunk */ const unsigned char *huffman_segment; - const unsigned char *size_segment; - const unsigned char *vector_segment; + GetByteContext size_segment; + GetByteContext vector_segment; const unsigned char *imagedata_segment; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; @@ -304,8 +304,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; huffman_segment = s->buf + huffman_offset; - size_segment = s->buf + size_offset; - vector_segment = s->buf + vector_offset; + bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset); + bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, @@ -357,19 +357,17 @@ static int xan_wc3_decode_frame(XanContext *s) { case 9: case 19: - size = *size_segment++; + size = bytestream2_get_byte(&size_segment); break; case 10: case 20: - size = AV_RB16(&size_segment[0]); - size_segment += 2; + size = bytestream2_get_be16(&size_segment); break; case 11: case 21: - size = AV_RB24(size_segment); - size_segment += 3; + size = bytestream2_get_be24(&size_segment); break; } @@ -391,9 +389,9 @@ static int xan_wc3_decode_frame(XanContext *s) { } } else { /* run-based motion compensation from last frame */ - motion_x = sign_extend(*vector_segment >> 4, 4); - motion_y = sign_extend(*vector_segment & 0xF, 4); - vector_segment++; + uint8_t vector = bytestream2_get_byte(&vector_segment); + motion_x = sign_extend(vector >> 4, 4); + motion_y = sign_extend(vector & 0xF, 4); /* copy a run of pixels from the previous frame */ xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y); From cb4a101fbe2729f77d636c264b11789d251bfe84 Mon Sep 17 00:00:00 2001 
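Review bot: in libavcodec/vc1dec.c, vc1_decode_init_alloc_tables(), the new error branch repeats by hand the same ten fields that the NULL test above it lists, so a table added to one list later can be missed in the other and leak again. Consider moving the av_freep() calls behind a single fail: label or helper. Note also that the return value changes from -1 to AVERROR(ENOMEM), so any caller comparing against -1 needs a look.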
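Review bot: in libavformat/bfi.c, bfi_read_packet(), the new else branch for an empty video packet sets ret = AVERROR(EAGAIN) but skips the bfi->nframes-- that sits inside the video_size > 0 branch, so an empty video packet does not count as a frame read. If the container counts that packet as a frame, the counter drifts; please either decrement in the else branch too or add a comment saying why it is left alone. The commit title mentions a division by zero that is not visible in this hunk, so a short comment naming where the division happens would also help.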
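Review bot: in libavcodec/xan.c, xan_wc3_decode_frame(), the lengths passed to bytestream2_init() are s->size - size_offset and s->size - vector_offset, which are only non-negative if both offsets were checked against s->size by the AVERROR_INVALIDDATA test just above; that condition is outside the hunk, so please confirm it covers size_offset and vector_offset. The reads themselves (bytestream2_get_byte, bytestream2_get_be16, bytestream2_get_be24) are not followed by any check of how much data is left, so a truncated segment still goes on to decode; consider testing bytestream2_get_bytes_left() and returning AVERROR_INVALIDDATA.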
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 01:24:20 +0300 Subject: [PATCH 754/991] rpza: Fix a buffer size check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6) Signed-off-by: Luca Barbato (cherry picked from commit f06e39fe6b272a11782c023c31eec43bfce3138d) --- libavcodec/rpza.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 59c3a7b3a7..c0cea865df 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -202,7 +202,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: - if (s->size - stream_ptr < 16) + if (s->size - stream_ptr < 30) return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { From d92c908e235a0632176b1b037860c73bcd2ed97f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 13:02:27 +0300 Subject: [PATCH 755/991] pcx: Check the packet size before assuming it fits a palette MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes reads out of bounds. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547) Signed-off-by: Luca Barbato Conflicts: libavcodec/pcx.c (cherry picked from commit 7e350b7ddd19af856b55634233d609e29baab646) --- libavcodec/pcx.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 0e8201267a..8419e5cd76 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c 
@@ -183,7 +183,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else if (nplanes == 1 && bits_per_pixel == 8) { const uint8_t *palstart = bufstart + buf_size - 769; - for (y=0; y Date: Sat, 28 Sep 2013 16:56:54 +0200 Subject: [PATCH 756/991] mxfdec: set audio timebase to 1/samplerate Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC). Based on a commit by Matthieu Bouron Reported-by: Jean-Baptiste Kempf CC: libav-stable@libav.org (cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb) Signed-off-by: Luca Barbato --- libavformat/mxfdec.c | 12 +++++++++++- tests/ref/seek/lavf_mxf | 16 ++++++++-------- tests/ref/seek/lavf_mxf_d10 | 16 ++++++++-------- 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index cb2ae86e48..c0f71136ad 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -830,7 +830,17 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st->codec->codec_id = container_ul->id; st->codec->channels = descriptor->channels; st->codec->bits_per_coded_sample = descriptor->bits_per_sample; - st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den; + if (descriptor->sample_rate.den > 0) { + st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den; + avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num); + } else { + av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) " + "found for stream #%d, time base forced to 1/48000\n", + descriptor->sample_rate.num, descriptor->sample_rate.den, + st->index); + avpriv_set_pts_info(st, 64, 1, 48000); + } + /* TODO: implement CODEC_ID_RAWAUDIO */ if (st->codec->codec_id == CODEC_ID_PCM_S16LE) { if (descriptor->bits_per_sample > 16 && descriptor->bits_per_sample <= 24) diff --git a/tests/ref/seek/lavf_mxf b/tests/ref/seek/lavf_mxf index 4c1aecc68e..ce0d6ed873 100644 --- a/tests/ref/seek/lavf_mxf 
+++ b/tests/ref/seek/lavf_mxf @@ -7,9 +7,9 @@ ret: 0 st: 0 flags:0 ts: 0.800000 ret:-1 ret: 0 st: 0 flags:1 ts:-0.320000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801 -ret: 0 st: 1 flags:0 ts: 2.560000 +ret: 0 st: 1 flags:0 ts: 2.576667 ret:-1 -ret: 0 st: 1 flags:1 ts: 1.480000 +ret: 0 st: 1 flags:1 ts: 1.470833 ret:-1 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.360000 pts: NOPTS pos: 6144 size: 24801 @@ -19,9 +19,9 @@ ret: 0 st: 0 flags:0 ts: 2.160000 ret:-1 ret: 0 st: 0 flags:1 ts: 1.040000 ret:-1 -ret: 0 st: 1 flags:0 ts:-0.040000 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801 -ret: 0 st: 1 flags:1 ts: 2.840000 +ret: 0 st: 1 flags:1 ts: 2.835833 ret:-1 ret: 0 st:-1 flags:0 ts: 1.730004 ret:-1 @@ -31,9 +31,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801 ret: 0 st: 0 flags:1 ts: 2.400000 ret:-1 -ret: 0 st: 1 flags:0 ts: 1.320000 +ret: 0 st: 1 flags:0 ts: 1.306667 ret:-1 -ret: 0 st: 1 flags:1 ts: 0.200000 +ret: 0 st: 1 flags:1 ts: 0.200833 ret: 0 st: 0 flags:1 dts: 0.200000 pts: NOPTS pos: 6144 size: 24801 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801 @@ -43,9 +43,9 @@ ret: 0 st: 0 flags:0 ts: 0.880000 ret:-1 ret: 0 st: 0 flags:1 ts:-0.240000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 6144 size: 24801 -ret: 0 st: 1 flags:0 ts: 2.680000 +ret: 0 st: 1 flags:0 ts: 2.671667 ret:-1 -ret: 0 st: 1 flags:1 ts: 1.560000 +ret: 0 st: 1 flags:1 ts: 1.565833 ret:-1 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 6144 size: 24801 diff --git a/tests/ref/seek/lavf_mxf_d10 b/tests/ref/seek/lavf_mxf_d10 index c05870f402..dba05ce9cb 100644 --- a/tests/ref/seek/lavf_mxf_d10 +++ b/tests/ref/seek/lavf_mxf_d10 
@@ -7,9 +7,9 @@ ret: 0 st: 0 flags:0 ts: 0.800000 ret:-1 ret: 0 st: 0 flags:1 ts:-0.320000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:0 ts: 2.560000 +ret: 0 st: 1 flags:0 ts: 2.576667 ret:-1 -ret: 0 st: 1 flags:1 ts: 1.480000 +ret: 0 st: 1 flags:1 ts: 1.470833 ret:-1 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 6144 size:150000 @@ -19,9 +19,9 @@ ret: 0 st: 0 flags:0 ts: 2.160000 ret:-1 ret: 0 st: 0 flags:1 ts: 1.040000 ret:-1 -ret: 0 st: 1 flags:0 ts:-0.040000 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:1 ts: 2.840000 +ret: 0 st: 1 flags:1 ts: 2.835833 ret:-1 ret: 0 st:-1 flags:0 ts: 1.730004 ret:-1 @@ -31,9 +31,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 ret: 0 st: 0 flags:1 ts: 2.400000 ret:-1 -ret: 0 st: 1 flags:0 ts: 1.320000 +ret: 0 st: 1 flags:0 ts: 1.306667 ret:-1 -ret: 0 st: 1 flags:1 ts: 0.200000 +ret: 0 st: 1 flags:1 ts: 0.200833 ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 6144 size:150000 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 @@ -43,9 +43,9 @@ ret: 0 st: 0 flags:0 ts: 0.880000 ret:-1 ret: 0 st: 0 flags:1 ts:-0.240000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:0 ts: 2.680000 +ret: 0 st: 1 flags:0 ts: 2.671667 ret:-1 -ret: 0 st: 1 flags:1 ts: 1.560000 +ret: 0 st: 1 flags:1 ts: 1.565833 ret:-1 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 6144 size:150000 From e972338e3596036d5d1f3ef214c465fa8a4a8504 Mon Sep 17 00:00:00 2001 
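Review bot: in libavcodec/rpza.c, rpza_decode_stream(), case 0x00, the new bound 30 is a bare constant whose derivation (2 bytes for 15 of the 16 pixels) exists only in the commit message. Please put that in a comment next to the check, or write it as 15 * 2, so the next reader does not "correct" it back to 16. The check still returns silently; a log line would make truncated input visible.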
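Review bot: in libavformat/mxfdec.c, mxf_parse_structural_metadata(), the new test only looks at descriptor->sample_rate.den, yet sample_rate.num becomes the time-base denominator in avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num). A descriptor with num <= 0 and den > 0 passes the test and sets a zero or negative denominator, so the condition should also require num > 0. In the else branch the time base is forced to 1/48000 but st->codec->sample_rate is left unset; set it to match or say in a comment that it is intentionally left alone.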
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:32:57 +0300 Subject: [PATCH 757/991] asfdec: Check the return value of asf_read_stream_properties MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure errors in setting stream parameters are passed on to the caller. This avoids successfully opening files while some parameters aren't filled in properly. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad) Signed-off-by: Luca Barbato (cherry picked from commit fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d) --- libavformat/asfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 3b487888ba..a6affbbe53 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -622,7 +622,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) if (ret < 0) return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { - asf_read_stream_properties(s, gsize); + int ret = asf_read_stream_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { asf_read_content_desc(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) { From 591d5281f5bccd2ee398ca46bf7de507be65036b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 17 Sep 2013 19:33:48 +0300 Subject: [PATCH 758/991] twinvqdec: Check the ibps parameter separately MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is required, since invalid parameters actually could pass the switch check below. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org 
Signed-off-by: Martin Storsjö (cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4) (cherry picked from commit 9b9aee27f4e43b4a6b0884f8a6f49eb0289d7c09) --- libavcodec/twinvq.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 22be07a5b5..3006e9f108 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -1137,6 +1137,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx) return -1; } ibps = avctx->bit_rate / (1000 * avctx->channels); + if (ibps < 8 || ibps > 48) { + av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps); + return AVERROR_INVALIDDATA; + } switch ((isampf << 8) + ibps) { case (8 <<8) + 8: tctx->mtab = &mode_08_08; break; From 871baf312791b5bdf00affa34ceb6dbc239cd077 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:58:38 +0300 Subject: [PATCH 759/991] rmdec: Validate the fps value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Abort if it is invalid if strict error checking has been requested. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918) Signed-off-by: Luca Barbato Conflicts: libavformat/rmdec.c --- libavformat/rmdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 37e18f02ac..62b0802caa 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -334,8 +334,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0) return ret; - av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num, - 0x10000, fps, (1 << 30) - 1); + if (fps > 0) { + av_reduce(&st->r_frame_rate.den, &st->r_frame_rate.num, + 0x10000, fps, (1 << 30) - 1); + } else if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } st->avg_frame_rate = st->r_frame_rate; } From 49c1defee5221cb8b533cc5cf731fb61f0508647 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:58:59 +0300 Subject: [PATCH 760/991] svq3: Avoid a division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the height is zero, the decompression will probably end up failing due to not fitting into the allocated buffer later anyway, so this doesn't need any more elaborate check. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb) --- libavcodec/svq3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5097af5b5f..601afb6b7f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -902,7 +902,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) int offset = (get_bits_count(&gb)+7)>>3; uint8_t *buf; - if ((uint64_t)watermark_width*4 > UINT_MAX/watermark_height) + if (watermark_height > 0 && + (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1; buf = av_malloc(buf_len); From fbc52044f3d07f4f059214b314d17fd07bc4e12f Mon Sep 17 00:00:00 2001 
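Review bot: in libavformat/asfdec.c, asf_read_header(), the stream-properties result is now propagated, but the next branch in the same chain still calls asf_read_content_desc(s, gsize) and discards whatever it returns. If that function can fail, it wants the same treatment. The block-local int ret also sits right after a branch that tests an existing ret; reuse that variable if it is in scope rather than shadowing it.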
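Review bot: in libavformat/rmdec.c, ff_rm_read_mdpr_codecdata(), when fps <= 0 and AV_EF_EXPLODE is not set, neither branch runs: st->r_frame_rate keeps its previous value and is copied into st->avg_frame_rate with nothing logged. Please log the invalid framerate in that case as well (at warning level) and only return the error under AV_EF_EXPLODE, so a bad value is visible even in the lenient mode.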
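Review bot: in libavcodec/svq3.c, svq3_decode_init(), a watermark_height of 0 now bypasses the overflow test completely and execution continues to av_malloc(buf_len). The commit message relies on decompression failing later; since that reasoning is not in the code, either reject a zero height here or add a comment stating why it is safe to continue. The branch also still returns -1 where the neighbouring fixes in this series return AVERROR_INVALIDDATA.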
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:29:23 +0300 Subject: [PATCH 761/991] fraps: Make the input buffer size checks more strict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö Conflicts: libavcodec/fraps.c --- libavcodec/fraps.c | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index 4d03057f43..23cfee89ce 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -139,10 +139,17 @@ static int decode_frame(AVCodecContext *avctx, uint32_t offs[4]; int i, j, is_chroma, planes; enum PixelFormat pix_fmt; + int prev_pic_bit, expected_size; + + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } header = AV_RL32(buf); version = header & 0xff; header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */ + prev_pic_bit = header & (1U << 31); /* bit 31 means same as previous pic */ if (version > 5) { av_log(avctx, AV_LOG_ERROR, @@ -161,16 +168,19 @@ static int decode_frame(AVCodecContext *avctx, } avctx->pix_fmt = pix_fmt; - switch(version) { + expected_size = header_size; + + switch (version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ - if ( (buf_size != avctx->width*avctx->height*3/2+header_size) && - (buf_size != header_size) ) { + if (!prev_pic_bit) + expected_size += avctx->width * avctx->height * 3 / 2; + if (buf_size != expected_size) { av_log(avctx, AV_LOG_ERROR, "Invalid frame length %d (should be %d)\n", - buf_size, avctx->width*avctx->height*3/2+header_size); - return -1; + buf_size, expected_size); + return AVERROR_INVALIDDATA; } if (( (avctx->width % 8) != 0) || ( (avctx->height % 2) != 0 )) { 
@@ -187,8 +197,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } - /* bit 31 means same as previous pic */ - f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; f->key_frame = f->pict_type == AV_PICTURE_TYPE_I; if (f->pict_type == AV_PICTURE_TYPE_I) { @@ -212,12 +221,13 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ - if ( (buf_size != avctx->width*avctx->height*3+header_size) && - (buf_size != header_size) ) { + if (!prev_pic_bit) + expected_size += avctx->width * avctx->height * 3; + if (buf_size != expected_size) { av_log(avctx, AV_LOG_ERROR, "Invalid frame length %d (should be %d)\n", - buf_size, avctx->width*avctx->height*3+header_size); - return -1; + buf_size, expected_size); + return AVERROR_INVALIDDATA; } f->reference = 1; @@ -228,8 +238,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } - /* bit 31 means same as previous pic */ - f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; f->key_frame = f->pict_type == AV_PICTURE_TYPE_I; if (f->pict_type == AV_PICTURE_TYPE_I) { From c00e491aebecd3257cccb41c56029996146727d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Feb 2013 21:40:09 +0100 Subject: [PATCH 762/991] vc1dec: Don't decode slices when the latest slice header failed to decode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö Conflicts: libavcodec/vc1dec.c --- libavcodec/vc1dec.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) 
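Review bot: in libavcodec/fraps.c, decode_frame(), expected_size is an int and is built from avctx->width * avctx->height * 3 / 2 (version 0) and avctx->width * avctx->height * 3 (version 1), so the multiplication is done in int before the result is compared with buf_size. Unless the dimensions are bounded earlier, compute it in 64 bits or check the product first. Also, the two size checks now return AVERROR_INVALIDDATA while the reget_buffer() failures in the same hunks still return -1.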
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index cf960f6816..2d193c177f 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5579,6 +5579,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (avctx->hwaccel->end_frame(avctx) < 0) goto err; } else { + int header_ret = 0; + ff_er_frame_start(s); v->bits = buf_size * 8; @@ -5623,13 +5625,21 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, } if (i) { v->pic_header_flag = 0; - if (v->field_mode && i == n_slices1 + 2) - vc1_parse_frame_header_adv(v, &s->gb); - else if (get_bits1(&s->gb)) { + if (v->field_mode && i == n_slices1 + 2) { + if ((header_ret = vc1_parse_frame_header_adv(v, &s->gb)) < 0) { + av_log(v->s.avctx, AV_LOG_ERROR, "Field header damaged\n"); + continue; + } + } else if (get_bits1(&s->gb)) { v->pic_header_flag = 1; - vc1_parse_frame_header_adv(v, &s->gb); + if ((header_ret = vc1_parse_frame_header_adv(v, &s->gb)) < 0) { + av_log(v->s.avctx, AV_LOG_ERROR, "Slice header damaged\n"); + continue; + } } } + if (header_ret < 0) + continue; s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height); if (!v->field_mode || v->second_field) s->end_mb_y = (i == n_slices ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height); From 29fa517d40ed485a24128d005ee796f0355398e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 17:02:36 +0300 Subject: [PATCH 763/991] r3d: Add more input value validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö Conflicts: libavformat/r3d.c --- libavformat/r3d.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 73e73986ff..877c901748 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c 
@@ -277,6 +277,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) dts = avio_rb32(s->pb); st->codec->sample_rate = avio_rb32(s->pb); + if (st->codec->sample_rate <= 0) { + av_log(s, AV_LOG_ERROR, "Bad sample rate\n"); + return AVERROR_INVALIDDATA; + } samples = avio_rb32(s->pb); From 371659d1ad71cac41732c5d9d7a32ee1cf173c95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 24 Sep 2013 12:02:39 +0300 Subject: [PATCH 764/991] mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes breakage in a few fate tests on certain setups (that for some reason didn't break on OS X) after the previous commit (8812a8057). Currently, some video streams are initialized in ff_MPV_common_init with width/height set at 0 and only changed to a proper video size with ff_MPV_common_frame_size_change later. The breakage was diagnosed by Anton Khirnov. Signed-off-by: Martin Storsjö --- libavcodec/mpegvideo.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index fa89886821..8df3061174 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -696,6 +696,15 @@ av_cold int MPV_common_init(MpegEncContext *s) s->flags = s->avctx->flags; s->flags2 = s->avctx->flags2; + /* set chroma shifts */ + avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &s->chroma_x_shift, + &s->chroma_y_shift); + + /* convert fourcc to upper case */ + s->codec_tag = avpriv_toupper4(s->avctx->codec_tag); + + s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag); + if (s->width && s->height) { s->mb_width = (s->width + 15) / 16; s->mb_stride = s->mb_width + 1; 
@@ -704,10 +713,6 @@ av_cold int MPV_common_init(MpegEncContext *s) mb_array_size = s->mb_height * s->mb_stride; mv_table_size = (s->mb_height + 2) * s->mb_stride + 1; - /* set chroma shifts */ - avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &s->chroma_x_shift, - &s->chroma_y_shift); - /* set default edge pos, will be overriden * in decode_header if needed */ s->h_edge_pos = s->mb_width * 16; @@ -726,11 +731,6 @@ av_cold int MPV_common_init(MpegEncContext *s) c_size = s->mb_stride * (s->mb_height + 1); yc_size = y_size + 2 * c_size; - /* convert fourcc to upper case */ - s->codec_tag = avpriv_toupper4(s->avctx->codec_tag); - - s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag); - s->avctx->coded_frame = (AVFrame *)&s->current_picture; FF_ALLOCZ_OR_GOTO(s->avctx, s->mb_index2xy, (s->mb_num + 1) * sizeof(int), From 1123870879835be0948a184dfe5d71b48eb07240 Mon Sep 17 00:00:00 2001 From: Ben Jackson Date: Fri, 18 Oct 2013 15:28:50 +0100 Subject: [PATCH 765/991] pthread: Avoid spurious wakeups pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup). The FF_THREAD_SLICE thread mechanism could spontaneously execute jobs or allow the caller of avctx->execute to return before all jobs were complete. Test both cases to ensure the wakeup is real. Signed-off-by: Ben Jackson Signed-off-by: Michael Niedermayer Signed-off-by: Derek Buitenhuis Signed-off-by: Luca Barbato (cherry picked from commit 311583e7798237be5cc531d672a9e37f8c729d83) --- libavcodec/pthread.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index af1c9455f8..65c6e2fbe3 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -75,6 +75,7 @@ typedef struct ThreadContext { pthread_cond_t last_job_cond; pthread_cond_t current_job_cond; pthread_mutex_t current_job_lock; + unsigned current_execute; int current_job; int done; } ThreadContext; 
@@ -195,6 +196,7 @@ static void* attribute_align_arg worker(void *v) { AVCodecContext *avctx = v; ThreadContext *c = avctx->thread_opaque; + unsigned last_execute = 0; int our_job = c->job_count; int thread_count = avctx->thread_count; int self_id; @@ -206,8 +208,9 @@ static void* attribute_align_arg worker(void *v) if (c->current_job == thread_count + c->job_count) pthread_cond_signal(&c->last_job_cond); - if (!c->done) + while (last_execute == c->current_execute && !c->done) pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); + last_execute = c->current_execute; our_job = self_id; if (c->done) { @@ -227,7 +230,8 @@ static void* attribute_align_arg worker(void *v) static av_always_inline void avcodec_thread_park_workers(ThreadContext *c, int thread_count) { - pthread_cond_wait(&c->last_job_cond, &c->current_job_lock); + while (c->current_job != thread_count + c->job_count) + pthread_cond_wait(&c->last_job_cond, &c->current_job_lock); pthread_mutex_unlock(&c->current_job_lock); } @@ -276,6 +280,7 @@ static int avcodec_thread_execute(AVCodecContext *avctx, action_func* func, void c->rets = &dummy_ret; c->rets_count = 1; } + c->current_execute++; pthread_cond_broadcast(&c->current_job_cond); avcodec_thread_park_workers(c, avctx->thread_count); From 9925f7df0a50387ade8d83cb85b40c53e41e7041 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 11:32:25 +0300 Subject: [PATCH 766/991] vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64) Signed-off-by: Luca Barbato Conflicts: libavcodec/vc1dec.c (cherry picked from commit 494f2d4f9e834db1eaf1a7d0160d497f9802013d) --- libavcodec/vc1dec.c | 3 +++ 1 file changed, 3 insertions(+) 
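Review bot: in libavcodec/vc1dec.c, vc1_decode_frame(), header_ret is declared once before the slice loop and is only overwritten when a slice actually parses a header, so after one damaged header every following slice that carries no header of its own is skipped by the trailing if (header_ret < 0) continue;. If that stickiness is intended (the subject line suggests so), say it in a comment at the declaration; the two continue statements inside the error branches then duplicate the trailing check and can go.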
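Review bot: in libavformat/r3d.c, r3d_read_reda(), the value from avio_rb32() is stored into st->codec->sample_rate first and validated afterwards, so on the error return the stream is left holding the rejected rate. Read it into a local, check it, then assign. The log message would also be more useful with the offending value in it.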
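Review bot: in libavcodec/pthread.c, the new current_execute field in ThreadContext has no comment, and the hunks do not show where it is initialised; worker() starts with last_execute = 0 and compares against it, so the scheme depends on the field starting at 0 and only being changed under current_job_lock. Please document it as the generation counter that avcodec_thread_execute() bumps before the broadcast, and consider a named helper for the thread_count + c->job_count completion test, which now appears in both worker() and avcodec_thread_park_workers().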
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 8c28aa9bc2..cf960f6816 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -4741,6 +4741,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; + if (!v->s.last_picture.f.data[0]) + return; + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END); s->first_slice_line = 1; for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { From 48d57650f121d3d9e977832e9006bb334337d921 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 10 Oct 2013 11:05:40 -0400 Subject: [PATCH 767/991] pthread: Fix deadlock during thread initialization Sometimes, if pthread_create() failed, then pthread_cond_wait() could accidentally be called in the worker threads after the uninit function had already called pthread_cond_broadcast(), leading to a deadlock. Don't call pthread_cond_wait() if c->done is set. Signed-off-by: Derek Buitenhuis (cherry picked from commit 1a5a6ac01b0ad2cf3d2128372ea41f3c1cfc2d3f) --- libavcodec/pthread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 64cff43983..af1c9455f8 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -206,7 +206,8 @@ static void* attribute_align_arg worker(void *v) if (c->current_job == thread_count + c->job_count) pthread_cond_signal(&c->last_job_cond); - pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); + if (!c->done) + pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); our_job = self_id; if (c->done) { From 3736b13753921fd576080ea4e328ff80bb0abf9b Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Tue, 5 Nov 2013 19:15:47 -0500 Subject: [PATCH 768/991] Changelog for 0.8.10 --- Changelog | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/Changelog b/Changelog index bedc168ed2..b9fb40a882 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,78 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.10: + +- pthread: Avoid spurious wakeups +- pthread: Fix deadlock during thread initialization +- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0 +- vc1dec: Don't decode slices when the latest slice header failed to decode +- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks +- r3d: Add more input value validation +- fraps: Make the input buffer size checks more strict +- svq3: Avoid a division by zero +- rmdec: Validate the fps value +- twinvqdec: Check the ibps parameter separately +- asfdec: Check the return value of asf_read_stream_properties +- mxfdec: set audio timebase to 1/samplerate +- pcx: Check the packet size before assuming it fits a palette +- rpza: Fix a buffer size check +- xxan: Disallow odd width +- xan: Only read within the data that actually was initialized +- xan: Use bytestream2 to limit reading to within the buffer +- pcx: Consume the whole packet if giving up due to missing palette +- pngdec: Stop trying to decode once inflate returns Z_STREAM_END +- mov: Make sure the read sample count is nonnegative +- bfi: Add some very basic sanity checks for input packet sizes +- bfi: Avoid divisions by zero +- electronicarts: Add more sanity checking for the number of channels +- riffdec: Add sanity checks for the sample rate +- mvi: Add sanity checking for the audio frame size +- xwma: Avoid division by zero +- avidec: Make sure a packet is large enough before reading its data +- vqf: Make sure the bitrate is in the valid range +- vqf: Make sure sample_rate is set to a valid value +- vc1dec: Undo mpegvideo initialization if unable to allocate tables +- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors +- wnv1: Make sure the input packet is large enough +- dca: Validate the lfe parameter +- rl2: Avoid a division by zero +- wtv: Add more 
sanity checks for a length read from the file +- segafilm: Validate the number of audio channels +- qpeg: Add checks for running out of rows in qpeg_decode_inter +- mpegaudiodec: Validate that the number of channels fits at the given offset +- asv1: Verify the amount of extradata +- idroqdec: Make sure a video stream has been allocated before returning packets +- rv10: Validate the dimensions set from the container +- xmv: Add more sanity checks for parameters read from the bitstream +- ffv1: Make sure at least one slice context is initialized +- truemotion2: Use av_freep properly in an error path +- eacmv: Make sure a reference frame exists before referencing it +- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory +- ivi_common: Make sure color planes have been initialized +- oggparseogm: Convert to use bytestream2 +- rv34: Check the return value from ff_rv34_decode_init +- matroskadec: Verify realaudio codec parameters +- mace: Make sure that the channel count is set to a valid value +- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode +- vp3: Check the framerate for validity +- cavsdec: Make sure a sequence header has been decoded before decoding pictures +- sierravmd: Do sanity checking of frame sizes +- omadec: Properly check lengths before incrementing the position +- mpc8: Make sure the first stream exists before parsing the seek table +- mpc8: Check the seek table size parsed from the bitstream +- zmbvdec: Check the buffer size for uncompressed data +- ape: Don't allow the seektable to be omitted +- shorten: Break out of loop looking for fmt chunk if none is found +- shorten: Use a checked bytestream reader for the wave header +- smacker: Make sure we don't fill in huffman codes out of range +- smacker: Avoid integer overflow when allocating packets +- smacker: Don't return packets in unallocated streams +- dsicin: Add some basic sanity checks for fields read from the file +- roqvideodec: check dimensions 
validity +- qdm2: check array index before use, fix out of array accesses +- alsdec: check block length + version 0.8.9: - x86: fft: Remove 3DNow! optimizations, they break FATE From 8b24e17d0920e070e0353dee6901fbaf8666f94f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 7 Jan 2014 14:21:53 +0100 Subject: [PATCH 769/991] twinvq: Cope with gcc-4.8.2 miscompilation Apparently gcc-4.8.2 miscompiles enums resulting in a lucky fpe soon after it. Passing the enum value as integer makes the ftype == FT_PPC condition evaluates correctly. --- libavcodec/twinvq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 3006e9f108..6d0a0ec9c9 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -996,7 +996,7 @@ static void linear_perm(int16_t *out, int16_t *in, int n_blocks, int size) out[i] = block_size * (in[i] % n_blocks) + in[i] / n_blocks; } -static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype) +static av_cold void construct_perm_table(TwinContext *tctx, int ftype) { int block_size; const ModeTab *mtab = tctx->mtab; From 85c02da3076893dc09fe25152754ae072b59a837 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2014 02:53:32 +0100 Subject: [PATCH 770/991] cmdutils: update year Signed-off-by: Michael Niedermayer --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 45820ed878..01abc51e9b 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -56,7 +56,7 @@ struct SwsContext *sws_opts; AVDictionary *format_opts, *codec_opts; -const int this_year = 2013; +const int this_year = 2014; static FILE *report_file; From 41216ebb9e53bfa25b1bf39b66c15ab7d2902929 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2014 23:37:49 +0100 Subject: [PATCH 771/991] update for 0.10.11 
Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 0018f58f0f..783d0f8a9b 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.10 +PROJECT_NUMBER = 0.10.11 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index ddf1d4ae68..223df19846 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.10 +0.10.11 diff --git a/VERSION b/VERSION index ddf1d4ae68..223df19846 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.10 +0.10.11 From a89acaa0b0dbf463a4a60499421e770608a23903 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 20 Jan 2013 05:10:32 +0100 Subject: [PATCH 772/991] get_bits: change the failure condition in init_get_bits Too much code relies in having init_get_bits fed with a valid buffer and set its dimension to 0. Check for NULL buffer instead. (cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855) Signed-off-by: Luca Barbato --- libavcodec/get_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index dc348c7713..db70937c14 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -357,7 +357,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size > INT_MAX - 7 || bit_size <= 0) { + if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) { buffer_size = bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; From 976a7b72a3f51c18fee573985987bdcdd445af0d Mon Sep 17 00:00:00 2001 
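Review bot: in init_get_bits() in libavcodec/get_bits.h, relaxing `bit_size <= 0` to `bit_size < 0` means a zero-length reader over a non-NULL buffer now returns success instead of AVERROR_INVALIDDATA, and nothing in the hunk documents that. Callers that used the old failure as their empty-input check lose it silently, so the function's comment should state that a size of 0 is valid and that the caller has to check the remaining bits before the first read. The added `!buffer` test is the stricter half of the change and is fine as written.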
From: Luca Barbato Date: Tue, 6 Aug 2013 03:52:48 +0200 Subject: [PATCH 773/991] avi: directly resync on DV in AVI read failure Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288) Signed-off-by: Reinhard Tartler Adresses CVE-2013-0856 (cherry picked from commit 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 11d086cbe8..8d06c9a1d2 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -986,6 +986,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt) int size = avpriv_dv_get_packet(avi->dv_demux, pkt); if (size >= 0) return size; + else + goto resync; } if(avi->non_interleaved){ From d04194db45711f82e3e87fab62c9224ac03998c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2013 06:11:59 +0100 Subject: [PATCH 774/991] vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer (cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler (cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a) Addresses: CVE-2013-0865 Signed-off-by: Reinhard Tartler (cherry picked from commit ab434bf0d051008a329d49d0256faa5d64e2bf4d) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 110d8b17d5..7870f0e3c7 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c 
@@ -533,6 +533,12 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n", + chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], chunk_size); @@ -556,6 +562,12 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n", + chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], chunk_size); From ef6c90e102a393c136a38c1eee42bfd26e964de5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:14:32 +0200 Subject: [PATCH 775/991] dsputil/pngdsp: fix signed/unsigned type in end comparison Fixes out of array accesses and integer overflows. (cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b) Adresses: CVE-2013-7010, CVE-2013-7014 Signed-off-by: Reinhard Tartler (cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/pngdsp.c --- libavcodec/dsputil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 050081ad79..b32fea958c 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c 
@@ -1867,7 +1867,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) { long a = *(long*)(src+i); long b = *(long*)(dst+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); @@ -1903,7 +1903,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ } }else #endif - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) { long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); From cb5d0ea0bec119ecbe327bd7d3834987ab42ec1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 23:18:48 +0200 Subject: [PATCH 776/991] flashsv: Check diff_start diff_height values Fix out of array accesses. Found-by: ami_stuff Signed-off-by: Michael Niedermayer Adresses: CVE-2013-7015 (cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1) Signed-off-by: Reinhard Tartler (cherry picked from commit 10d48fe6d3963842319b1d8d738a318020836e72) Signed-off-by: Reinhard Tartler --- libavcodec/flashsv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 4a231ce899..686a696099 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -377,6 +377,12 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); + if (s->diff_start + s->diff_height > cur_blk_height) { + av_log(avctx, AV_LOG_ERROR, + "Block parameters invalid: %d + %d > %d\n", + s->diff_start, s->diff_height, cur_blk_height); + return AVERROR_INVALIDDATA; + } av_log(avctx, AV_LOG_DEBUG, "%dx%d diff start %d height %d\n", i, j, s->diff_start, s->diff_height); From b68e5b119588cb1e01f8d16986f2a23db825d8b2 Mon Sep 17 00:00:00 2001 
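Review bot: in flashsv_decode_frame(), the new error message prints diff_start, diff_height and cur_blk_height but not the block coordinates i and j, which only appear in the AV_LOG_DEBUG line that is now skipped on this path. Add i and j to the "Block parameters invalid" message so a rejected frame can be tied to the block that caused it. The bound itself is sound: both fields come from get_bits(&gb, 8), so the sum cannot overflow before it is compared with cur_blk_height.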
From: Justin Ruggles Date: Tue, 27 Mar 2012 21:31:14 -0400 Subject: [PATCH 777/991] avutil: use align == 0 for default alignment in audio sample buffer functions Fixes: http://pad.lv/1264886, http://pad.lv/1241439 (cherry picked from commit 0109a09dc3850eb5dbff84a7bb50eb252a5a8f22) Signed-off-by: Reinhard Tartler Conflicts: libavutil/avutil.h --- libavutil/avutil.h | 2 +- libavutil/samplefmt.c | 4 ++++ libavutil/samplefmt.h | 5 +++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libavutil/avutil.h b/libavutil/avutil.h index 05e9248375..605be62384 100644 --- a/libavutil/avutil.h +++ b/libavutil/avutil.h @@ -155,7 +155,7 @@ #define LIBAVUTIL_VERSION_MAJOR 51 #define LIBAVUTIL_VERSION_MINOR 22 -#define LIBAVUTIL_VERSION_MICRO 1 +#define LIBAVUTIL_VERSION_MICRO 2 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ LIBAVUTIL_VERSION_MINOR, \ diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c index f38d05e426..8d6125b763 100644 --- a/libavutil/samplefmt.c +++ b/libavutil/samplefmt.c @@ -104,6 +104,10 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, if (!sample_size || nb_samples <= 0 || nb_channels <= 0) return AVERROR(EINVAL); + /* auto-select alignment if not specified */ + if (!align) + align = 32; + /* check for integer overflow */ if (nb_channels > INT_MAX / align || (int64_t)nb_channels * nb_samples > (INT_MAX - (align * nb_channels)) / sample_size) diff --git a/libavutil/samplefmt.h b/libavutil/samplefmt.h index b6715561d4..91dcc02333 100644 --- a/libavutil/samplefmt.h +++ b/libavutil/samplefmt.h 
@@ -99,6 +99,7 @@ int av_sample_fmt_is_planar(enum AVSampleFormat sample_fmt); * @param nb_channels the number of channels * @param nb_samples the number of samples in a single channel * @param sample_fmt the sample format + * @param align buffer size alignment (0 = default, 1 = no alignment) * @return required buffer size, or negative error code on failure */ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, @@ -122,7 +123,7 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, * @param nb_channels the number of channels * @param nb_samples the number of samples in a single channel * @param sample_fmt the sample format - * @param align buffer size alignment (1 = no alignment required) + * @param align buffer size alignment (0 = default, 1 = no alignment) * @return 0 on success or a negative error code on failure */ int av_samples_fill_arrays(uint8_t **audio_data, int *linesize, uint8_t *buf, @@ -138,7 +139,7 @@ int av_samples_fill_arrays(uint8_t **audio_data, int *linesize, uint8_t *buf, * @param[out] linesize aligned size for audio buffer(s) * @param nb_channels number of audio channels * @param nb_samples number of samples per channel - * @param align buffer size alignment (1 = no alignment required) + * @param align buffer size alignment (0 = default, 1 = no alignment) * @return 0 on success or a negative error code on failure * @see av_samples_fill_arrays() */ From 2c0bfce4cb2d92f6add16fa09737865417fd226b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 6 Aug 2013 03:38:12 +0200 Subject: [PATCH 778/991] avi: DV in AVI must be considered single stream Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3485a07977f17b8d4709fb327be4fc29031032b7) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 8d06c9a1d2..ca402f9549 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -882,7 +882,7 @@ start_sync: goto start_sync; } - n= get_stream_idx(d); + n = avi->dv_demux ? 0 : get_stream_idx(d); if(!((i-avi->last_pkt_pos)&1) && get_stream_idx(d+1) < s->nb_streams) continue; @@ -1286,12 +1286,17 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp int64_t pos; AVIStream *ast; + /* Does not matter which stream is requested dv in avi has the + * stream information in the first video stream. + */ + if (avi->dv_demux) + stream_index = 0; + if (!avi->index_loaded) { /* we only load the index on demand */ avi_load_index(s); avi->index_loaded = 1; } - assert(stream_index>= 0); st = s->streams[stream_index]; ast= st->priv_data; @@ -1309,7 +1314,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp /* One and only one real stream for DV in AVI, and it has video */ /* offsets. Calling with other stream indexes should have failed */ /* the av_index_search_timestamp call above. */ - assert(stream_index == 0); /* Feed the DV video stream version of the timestamp to the */ /* DV demux so it can synthesize correct timestamps. */ From e964207e6c17c358b5a42d281f0da740044c240c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 13 Oct 2013 03:30:06 +0200 Subject: [PATCH 779/991] cavs: Check for negative cbp Sample-Id: 00000647-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c85e5f13f6ac9c4c90125e7671d89009e57f9df9) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/cavsdec.c --- libavcodec/cavsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 5582fd42d3..7521c2972e 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
@@ -165,8 +165,8 @@ static inline int decode_residual_inter(AVSContext *h) { /* get coded block pattern */ int cbp= get_ue_golomb(&h->s.gb); - if(cbp > 63){ - av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n"); + if(cbp > 63 || cbp < 0){ + av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp); return -1; } h->cbp = cbp_tab[cbp][1]; @@ -225,7 +225,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) { /* get coded block pattern */ if(h->pic_type == AV_PICTURE_TYPE_I) cbp_code = get_ue_golomb(gb); - if(cbp_code > 63){ + if(cbp_code > 63 || cbp_code < 0 ){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n"); return -1; } From 23144c5f060de1863859308eab4bc888b817840c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 09:42:26 +0100 Subject: [PATCH 780/991] h264_cavlc: check the size of the intra PCM data. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit b5275ca1a805436ca12540c34dd5ed1671877434) Signed-off-by: Reinhard Tartler --- libavcodec/h264_cavlc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index da9e1cb70c..5e3c79d72d 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -769,6 +769,10 @@ decode_intra_mb: // We assume these blocks are very rare so we do not optimize it. align_get_bits(&s->gb); + if (get_bits_left(&s->gb) < mb_size) { + av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n"); + return AVERROR_INVALIDDATA; + } // The pixels are stored in the same order as levels in h->mb array. for(x=0; x < mb_size; x++){ From 6a56d16dc1368b9fe2ac5667c898684be3045d2e Mon Sep 17 00:00:00 2001 
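Review bot: in the intra PCM branch of libavcodec/h264_cavlc.c, the new guard compares get_bits_left(), which counts bits, against mb_size, and the hunk does not show which unit mb_size is in. The loop that follows runs x from 0 to mb_size, so if each iteration consumes one byte the guard would have to be `get_bits_left(&s->gb) < mb_size * 8` to cover the whole block. Please confirm the unit and state it in a comment next to the check.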
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 781/991] segafilm: fix leaks if reading the header fails Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd) Signed-off-by: Reinhard Tartler (cherry picked from commit f728782c0d30433efa11f1238a16aed994e9b563) Signed-off-by: Reinhard Tartler Conflicts: libavformat/segafilm.c --- libavformat/segafilm.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index d5aaf11d38..386fd7ebd0 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -75,6 +75,16 @@ static int film_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } +static int film_read_close(AVFormatContext *s) +{ + FilmDemuxContext *film = s->priv_data; + + av_freep(&film->sample_table); + av_freep(&film->stereo_buffer); + + return 0; +} + static int film_read_header(AVFormatContext *s, AVFormatParameters *ap) { @@ -82,7 +92,7 @@ static int film_read_header(AVFormatContext *s, AVIOContext *pb = s->pb; AVStream *st; unsigned char scratch[256]; - int i; + int i, ret; unsigned int data_offset; unsigned int audio_frame_counter; 
@@ -209,14 +219,16 @@ static int film_read_header(AVFormatContext *s, for (i = 0; i < film->sample_count; i++) { /* load the next sample record and transfer it to an internal struct */ if (avio_read(pb, scratch, 16) != 16) { - av_free(film->sample_table); - return AVERROR(EIO); + ret = AVERROR(EIO); + goto fail; } film->sample_table[i].sample_offset = data_offset + AV_RB32(&scratch[0]); film->sample_table[i].sample_size = AV_RB32(&scratch[4]); - if (film->sample_table[i].sample_size > INT_MAX / 4) - return AVERROR_INVALIDDATA; + if (film->sample_table[i].sample_size > INT_MAX / 4) { + ret = AVERROR_INVALIDDATA; + goto fail; + } if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) { film->sample_table[i].stream = film->audio_stream_index; film->sample_table[i].pts = audio_frame_counter; @@ -239,6 +251,9 @@ static int film_read_header(AVFormatContext *s, film->current_sample = 0; return 0; +fail: + film_read_close(s); + return ret; } static int film_read_packet(AVFormatContext *s, @@ -317,16 +332,6 @@ static int film_read_packet(AVFormatContext *s, return ret; } -static int film_read_close(AVFormatContext *s) -{ - FilmDemuxContext *film = s->priv_data; - - av_free(film->sample_table); - av_free(film->stereo_buffer); - - return 0; -} - AVInputFormat ff_segafilm_demuxer = { .name = "film_cpk", .long_name = NULL_IF_CONFIG_SMALL("Sega FILM/CPK format"), From 2f4e066d66b37e48c6c11cc33649fb5c9656007d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 13 Jan 2014 14:46:07 +0200 Subject: [PATCH 782/991] mov: Free an earlier allocated array if allocating a new one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It could probably also be considered an error if the pointer isn't null at this point, but then we might risk rejecting some slightly broken files that we might have handled so far. Sample-Id: 00000496-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org 
Signed-off-by: Martin Storsjö (cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692) Signed-off-by: Reinhard Tartler (cherry picked from commit a1b4d42d31ba700c97d4388153a2a553d71ca0ba) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2096988ce7..28c89f1c6f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1630,6 +1630,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (entries >= UINT_MAX / sizeof(*sc->stts_data)) return AVERROR(EINVAL); + av_free(sc->stts_data); sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data)); if (!sc->stts_data) return AVERROR(ENOMEM); From 979f77b0dc40571761999633a38d97be9a1670c8 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 783/991] h264: check that an IDR NAL only contains I slices Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195) Signed-off-by: Reinhard Tartler (cherry picked from commit 62ed6da016b789eee00e0fff517df4a254e12e5d) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index da865c6387..ff7859ce2b 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -2688,7 +2688,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->slice_type= slice_type; h->slice_type_nos= slice_type & 3; - s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though + if (h->nal_unit_type == NAL_IDR_SLICE && + h->slice_type_nos != AV_PICTURE_TYPE_I) { + av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n"); + return AVERROR_INVALIDDATA; + } + + // to make a few old functions happy, it's wrong though + s->pict_type = h->slice_type; pps_id= get_ue_golomb(&s->gb); if(pps_id>=MAX_PPS_COUNT){ From 716ee73c991cfa4a8a49670e2650ebd0e2d34df8 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 784/991] h264: reset num_reorder_frames if it is invalid An invalid VUI is not considered a fatal error, so the SPS containing it may still be used. Leaving an invalid value of num_reorder_frames there can result in writing over the bounds of H264Context.delayed_pic. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/h264_ps.c (cherry picked from commit 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 00c5003a22..ee4711c147 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -236,7 +236,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){ } if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){ - av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames); + av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n", + sps->num_reorder_frames); + sps->num_reorder_frames = 16; return -1; } } 
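Review bot: in decode_vui_parameters(), the branch now sets sps->num_reorder_frames to 16 but still ends in `return -1`, so the clipped value only matters because the SPS stays in use after a failed VUI parse, and nothing in the code says so. Add a comment next to the assignment explaining that the caller does not treat this failure as fatal, otherwise the assignment before a return looks like dead code and is likely to be removed later. The limit 16 is also a bare literal in both the test and the assignment; tying it to the size of the delayed_pic array named in the commit message would keep the two from drifting apart.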
From 30c8a5e4f6c096eabb82c45177b945ebc85144fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2014 15:28:25 +0000 Subject: [PATCH 785/991] vc1: Always reset numref when parsing a new frame header. Fixes an issue where the B-frame coding mode switches from interlaced fields to interlaced frames, causing incorrect decisions in the motion compensation code and resulting in visual artifacts. CC: libav-stable@libav.org Signed-off-by: Tim Walker (cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa) Signed-off-by: Reinhard Tartler (cherry picked from commit 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663) Signed-off-by: Reinhard Tartler --- libavcodec/vc1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 6135ebdc09..68e0d0d306 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -822,6 +822,7 @@ int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */ int scale, shift, i; /* for initializing LUT for intensity compensation */ + v->numref = 0; v->p_frame_skipped = 0; if (v->second_field) { v->s.pict_type = (v->fptype & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; From e03b875c0b57d458d3fc693b37b01615fc7283e7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Dec 2013 07:34:13 +0100 Subject: [PATCH 786/991] mathematics: remove asserts from av_rescale_rnd() It is a public function, it must not assert on its parameters. (cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0) Signed-off-by: Reinhard Tartler (cherry picked from commit 03bfd8419fbaf9c72b293457437bd508dea64736) Signed-off-by: Reinhard Tartler --- libavutil/mathematics.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index e6ce2f98ad..51b0e95133 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c 
@@ -23,7 +23,6 @@ * miscellaneous math routines and tables */ -#include #include #include #include "mathematics.h" @@ -76,9 +75,9 @@ int64_t av_gcd(int64_t a, int64_t b){ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd){ int64_t r=0; - assert(c > 0); - assert(b >=0); - assert((unsigned)rnd<=5 && rnd!=4); + + if (c <= 0 || b < 0 || rnd == 4 || rnd > 5) + return INT64_MIN; if(a<0 && a != INT64_MIN) return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd>>1)&1)); From b0db7a523df5ce5c5bcfb21d64a8f2a5fdcd5b42 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 787/991] oggparseogm: check timing variables Fixes a potential divide by zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3) Signed-off-by: Reinhard Tartler (cherry picked from commit bf7c240a50f8ed99a42e08bb7a8a70262cce34ad) Signed-off-by: Reinhard Tartler --- libavformat/oggparseogm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index c761bbd7db..b74537c689 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -75,6 +75,11 @@ ogm_header(AVFormatContext *s, int idx) time_unit = bytestream2_get_le64(&p); spu = bytestream2_get_le64(&p); + if (!time_unit || !spu) { + av_log(s, AV_LOG_ERROR, "Invalid timing values.\n"); + return AVERROR_INVALIDDATA; + } + bytestream2_skip(&p, 4); /* default_len */ bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */ From 5522c564d48e1bb07d8cb722e8f94575a2683e29 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 2 Feb 2014 12:54:52 -0500 Subject: [PATCH 788/991] Updated Changelog for 0.8.10 --- Changelog | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Changelog b/Changelog index b9fb40a882..7855c11324 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,23 @@ releases are sorted from youngest to oldest. version 0.8.10: +- oggparseogm: check timing variables +- mathematics: remove asserts from av_rescale_rnd() +- vc1: Always reset numref when parsing a new frame header. +- h264: reset num_reorder_frames if it is invalid +- h264: check that an IDR NAL only contains I slices +- mov: Free an earlier allocated array if allocating a new one +- segafilm: fix leaks if reading the header fails +- h264_cavlc: check the size of the intra PCM data. +- cavs: Check for negative cbp +- avi: DV in AVI must be considered single stream +- avutil: use align == 0 for default alignment in audio sample buffer functions +- flashsv: Check diff_start diff_height values +- dsputil/pngdsp: fix signed/unsigned type in end comparison +- vqavideo: check chunk sizes before reading chunks +- avi: directly resync on DV in AVI read failure +- get_bits: change the failure condition in init_get_bits +- twinvq: Cope with gcc-4.8.2 miscompilation - pthread: Avoid spurious wakeups - pthread: Fix deadlock during thread initialization - mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0 From 8cade1352bde1a1d4da70fc16a722a4fa7d2edc7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 13 Jan 2014 13:47:07 +0100 Subject: [PATCH 789/991] lavf: make av_probe_input_buffer more robust Always use the actually read size as the offset instead of making possibly invalid assumptions. Addresses: CVE-2012-6618 (cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733) Signed-off-by: Reinhard Tartler Conflicts: libavformat/utils.c Signed-off-by: Anton Khirnov (cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 7065b2f004..64a0b04ea0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -514,7 +514,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; - int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; if (probe_size < offset) { continue; @@ -522,7 +521,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, /* read probe data */ buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); - if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { + if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { av_free(buf); From 36017d49e2f797f7371dc24848a2285ca63e39ab Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 6 Feb 2014 23:26:33 -0500 Subject: [PATCH 790/991] Prepare for 0.8.11 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index ef50561618..83ce05d72f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.10 +0.8.11 From cf676c159b810d5126924aeab9abc8f8271881e0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 791/991] rpza: limit the number of blocks to the total remaining blocks in the frame Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599) Signed-off-by: Luca Barbato --- libavcodec/rpza.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index c0cea865df..31d199c083 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -38,6 +38,7 @@ #include #include +#include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" 
@@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s) } } + n_blocks = FFMIN(n_blocks, total_blocks); + switch (opcode & 0xe0) { /* Skip blocks */ From a6003760bd0749eed366c19a2ceb17b4678f9c37 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Thu, 20 Feb 2014 02:38:32 +0100 Subject: [PATCH 792/991] h264: Lower bound check for slice offsets And use the value from the specification. Sample-Id: 00000451-google Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45) (cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1) Conflicts: libavcodec/h264.c (cherry picked from commit 41380e017afcca3119acb560c08a60a97d416c3c) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 37 +++++++++++++++++++----------------- libavcodec/h264_loopfilter.c | 8 ++++---- 2 files changed, 24 insertions(+), 21 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ff7859ce2b..f3094b51cf 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3225,8 +3225,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } h->deblocking_filter = 1; - h->slice_alpha_c0_offset = 52; - h->slice_beta_offset = 52; + h->slice_alpha_c0_offset = 0; + h->slice_beta_offset = 0; if( h->pps.deblocking_filter_parameters_present ) { tmp= get_ue_golomb_31(&s->gb); if(tmp > 2){ 
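Review bot: in decode_slice_header(), changing the defaults of slice_alpha_c0_offset and slice_beta_offset from 52 to 0 changes what the two fields hold (the raw signed offset instead of the value biased by 52), and neither this hunk nor the rest of the patch documents the new convention. Every reader of these fields has to change in the same commit, so a comment at the field declarations stating the unbiased meaning and the accepted range of -12 to 12 would give later backports something to check against when they touch code that still expects the biased value.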
@@ -3237,12 +3237,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(h->deblocking_filter < 2) h->deblocking_filter^= 1; // 1<->0 - if( h->deblocking_filter ) { - h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1; - h->slice_beta_offset += get_se_golomb(&s->gb) << 1; - if( h->slice_alpha_c0_offset > 104U - || h->slice_beta_offset > 104U){ - av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset); + if (h->deblocking_filter) { + h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2; + h->slice_beta_offset = get_se_golomb(&s->gb) * 2; + if (h->slice_alpha_c0_offset > 12 || + h->slice_alpha_c0_offset < -12 || + h->slice_beta_offset > 12 || + h->slice_beta_offset < -12) { + av_log(s->avctx, AV_LOG_ERROR, + "deblocking filter parameters %d %d out of range\n", + h->slice_alpha_c0_offset, h->slice_beta_offset); return -1; } } @@ -3271,14 +3275,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } } } - h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1]) - + 6 * (h->sps.bit_depth_luma - 8); - -#if 0 //FMO - if( h->pps.num_slice_groups > 1 && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5) - slice_group_change_cycle= get_bits(&s->gb, ?); -#endif + h->qp_thresh = 15 + + FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - + FFMAX3(0, + h->pps.chroma_qp_index_offset[0], + h->pps.chroma_qp_index_offset[1]) + + 6 * (h->sps.bit_depth_luma - 8); h0->last_slice_type = slice_type; h->slice_num = ++h0->current_slice; 
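Review bot: In the qp_thresh assignment (libavcodec/h264.c, hunk at -3271), the sign in front of FFMIN is inverted. The old expression was `15 + 52 - FFMIN(...)` on offsets stored with a bias of 52, which reduces to 15 - FFMIN(...) on the unbiased offsets this patch introduces, but the new line reads `h->qp_thresh = 15 +` followed by FFMIN(...). It should subtract, otherwise the threshold moves in the wrong direction whenever either offset is non-zero. The same hunk also deletes the `#if 0 //FMO` block, which has nothing to do with the bounds check and would be easier to review and backport as a separate commit.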
@@ -3333,7 +3335,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1], h->ref_count[0], h->ref_count[1], s->qscale, - h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26, + h->deblocking_filter, + h->slice_alpha_c0_offset, h->slice_beta_offset, h->use_weight, h->use_weight==1 && h->use_weight_chroma ? "c" : "", h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : "" diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index be750caa6d..c9ede82dae 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c @@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h, int top_type= h->top_type; int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); - int a = h->slice_alpha_c0_offset - qp_bd_offset; - int b = h->slice_beta_offset - qp_bd_offset; + int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset; + int b = 52 + h->slice_beta_offset - qp_bd_offset; int mb_type = s->current_picture.f.mb_type[mb_xy]; int qp = s->current_picture.f.qscale_table[mb_xy]; @@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint av_unused int dir; int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY)); int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); - int a = h->slice_alpha_c0_offset - qp_bd_offset; - int b = h->slice_beta_offset - qp_bd_offset; + int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset; + int b = 52 + h->slice_beta_offset - qp_bd_offset; if (FRAME_MBAFF // and current and left pair do not have the same interlaced type From 4279e0e8d09a3e988d38d550265e4c94402b72b0 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 22 Feb 2014 11:19:03 +0100 Subject: [PATCH 793/991] h264: Fix a typo from the previous commit f777504f640260337974848c7d5d7a3f064bbb45 changed a - in + CC: libav-stable@libav.org (cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c) (cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86) (cherry picked from commit 8cba6f58c8acaa0ca6749110a2746bbe60ff2dab) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f3094b51cf..ba8872cc5f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3275,7 +3275,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } } } - h->qp_thresh = 15 + + h->qp_thresh = 15 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - FFMAX3(0, h->pps.chroma_qp_index_offset[0], From 9786c24bb756775796ff1fc240f700dafc39d222 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 30 Jan 2014 14:08:38 -0500 Subject: [PATCH 794/991] samplefmt: avoid integer overflow in av_samples_get_buffer_size() CC:libav-stable@libav.org (cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6) (cherry picked from commit e9b3abd49890e958c745ea46a9f4f91b6b4baa58) Conflicts: libavutil/samplefmt.c --- libavutil/samplefmt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c index 8d6125b763..a3e898c2c9 100644 --- a/libavutil/samplefmt.c +++ b/libavutil/samplefmt.c @@ -105,8 +105,11 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, return AVERROR(EINVAL); /* auto-select alignment if not specified */ - if (!align) + if (!align) { + if (nb_samples > INT_MAX - 31) + return AVERROR(EINVAL); align = 32; + } /* check for integer overflow */ if (nb_channels > INT_MAX / align || From 43aa7eb38efc33f193f51d1d239dbfe12663e537 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 795/991] shorten: pad the internal bitstream buffer Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6) (cherry picked from commit 5881ec0ea58a95403bd375b63f22d49905cdd8e5) --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7d51c56acd..f96a003e75 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -431,7 +431,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, void *tmp_ptr; s->max_framesize = 1024; // should hopefully be enough for the first header tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, - s->max_framesize); + s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE); if (!tmp_ptr) { av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); return AVERROR(ENOMEM); From de0e442e9d6754ae1ad56a8372f45f6aa5e51012 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 796/991] truemotion1: check the header size Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602) (cherry picked from commit 76b40a9bf93e387d98aa7dc02ec7a8d13f51722f) --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index fcf6004c51..65a45d82bf 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c 
@@ -320,6 +320,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return -1; } + if (header.header_size + 1 > s->size) { + av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; + } + /* unscramble the header bytes with a XOR operation */ memset(header_buffer, 0, 128); for (i = 1; i < header.header_size; i++) From 2fb0a52e70fa2b6df8d303713f9eafc393a0a145 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 08:47:17 +0100 Subject: [PATCH 797/991] lagarith: avoid infinite loop in lag_rac_refill() range == 0 happens with corrupted files CC:libav-stable@libav.org (cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3) Signed-off-by: Reinhard Tartler (cherry picked from commit 8bce2c60b8ebc31899d576dde3bbe6205faae97d) --- libavcodec/lagarithrac.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarithrac.h b/libavcodec/lagarithrac.h index b9421993a4..1c8093ff38 100644 --- a/libavcodec/lagarithrac.h +++ b/libavcodec/lagarithrac.h @@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l) l->range -= range_scaled * l->prob[255]; } + if (!l->range) + l->range = 0x80; + l->low -= range_scaled * l->prob[val]; return val; From 2c1d84499bfe06d75e9160b824eeffd9f5587337 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Thu, 2 Aug 2012 20:46:09 -0700 Subject: [PATCH 798/991] lagarith: pad RGB buffer by 1 byte. For left HFYU prediction, we predict from the buffer buf+1 using 8- or 16-byte reads. This means that aligning the buffer by 16 bytes is in itself not sufficient, because if the width itself is 16- or 8-byte aligned, the buffer will not be padded, and thus a read of size 16 at buf+1 will overflow boundaries at the right edge. Padding the buffer by 1 byte is sufficient to not overflow its boundaries. Fixes bug 342. (cherry picked from commit 98d0d19208959766a58f13dd6a678d1f765a26ac) --- libavcodec/lagarith.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index f04d89b305..93e0253091 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -515,7 +515,7 @@ static int lag_decode_frame(AVCodecContext *avctx, if (!l->rgb_planes) { l->rgb_stride = FFALIGN(avctx->width, 16); - l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes); + l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes + 1); if (!l->rgb_planes) { av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); return AVERROR(ENOMEM); From 3da4fdd5acdd137660412e3b58433b4693d05e84 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 799/991] lagarith: reallocate rgb_planes when needed Fixes invalid writes on pixel format changes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b) (cherry picked from commit bd57e783437f990c3ac4747eeebe20332e103980) --- libavcodec/lagarith.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 93e0253091..193fd509c5 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -52,6 +52,7 @@ typedef struct LagarithContext { int zeros; /**< number of consecutive zero bytes encountered */ int zeros_rem; /**< number of zero bytes remaining to output */ uint8_t *rgb_planes; + int rgb_planes_allocated; int rgb_stride; } LagarithContext; 
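Review bot: In the LagarithContext hunk (libavcodec/lagarith.c, at -52), the new field `int rgb_planes_allocated;` is a buffer size and is handed by address to av_fast_malloc in the following hunk, so a signed type is the wrong choice. Declaring it unsigned int would match its use as an allocation size and avoid a pointer-signedness mismatch at that call. A short comment like the ones on zeros and zeros_rem, saying that it tracks the allocated size of rgb_planes, would also help.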
@@ -513,13 +514,12 @@ static int lag_decode_frame(AVCodecContext *avctx, offs[1] = offset_gu; offs[2] = offset_ry; + l->rgb_stride = FFALIGN(avctx->width, 16); + av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated, + l->rgb_stride * avctx->height * planes + 1); if (!l->rgb_planes) { - l->rgb_stride = FFALIGN(avctx->width, 16); - l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes + 1); - if (!l->rgb_planes) { - av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); - return AVERROR(ENOMEM); - } + av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); + return AVERROR(ENOMEM); } for (i = 0; i < planes; i++) srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; From fd2fc130b24cd17239ae09ec6de0347340c1b950 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 5 Mar 2014 12:44:57 +0100 Subject: [PATCH 800/991] arm: hpeldsp: prevent overreads in armv6 asm Based on a patch by Russel King Bug-Id: 646 CC: libav-stable@libav.org --- libavcodec/arm/asm.S | 7 +++++++ libavcodec/arm/dsputil_armv6.S | 20 ++++++++++++-------- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/libavcodec/arm/asm.S b/libavcodec/arm/asm.S index 3b495a279f..c9e4fec60f 100644 --- a/libavcodec/arm/asm.S +++ b/libavcodec/arm/asm.S @@ -126,6 +126,13 @@ T ldr \rt, [\rn] T add \rn, \rn, \rm .endm +.macro ldrc_pre cc, rt, rn, rm:vararg +A ldr\cc \rt, [\rn, \rm]! +T itt \cc +T add\cc \rn, \rn, \rm +T ldr\cc \rt, [\rn] +.endm + .macro ldrd_reg rt, rt2, rn, rm A ldrd \rt, \rt2, [\rn, \rm] T add \rt, \rn, \rm diff --git a/libavcodec/arm/dsputil_armv6.S b/libavcodec/arm/dsputil_armv6.S index becf85182d..e4f71cb5b6 100644 --- a/libavcodec/arm/dsputil_armv6.S +++ b/libavcodec/arm/dsputil_armv6.S 
@@ -134,11 +134,12 @@ function ff_put_pixels8_y2_armv6, export=1 uhadd8 r9, r5, r7 eor r11, r5, r7 and r10, r10, r12 - ldr_pre r4, r1, r2 + ldrc_pre ne, r4, r1, r2 uadd8 r8, r8, r10 and r11, r11, r12 uadd8 r9, r9, r11 - ldr r5, [r1, #4] + it ne + ldrne r5, [r1, #4] uhadd8 r10, r4, r6 eor r6, r4, r6 uhadd8 r11, r5, r7 @@ -146,10 +147,11 @@ function ff_put_pixels8_y2_armv6, export=1 eor r7, r5, r7 uadd8 r10, r10, r6 and r7, r7, r12 - ldr_pre r6, r1, r2 + ldrc_pre ne, r6, r1, r2 uadd8 r11, r11, r7 strd_post r8, r9, r0, r2 - ldr r7, [r1, #4] + it ne + ldrne r7, [r1, #4] strd_post r10, r11, r0, r2 bne 1b @@ -194,13 +196,15 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1 1: subs r3, r3, #2 uhadd8 r8, r4, r6 - ldr_pre r4, r1, r2 + ldrc_pre ne, r4, r1, r2 uhadd8 r9, r5, r7 - ldr r5, [r1, #4] + it ne + ldrne r5, [r1, #4] uhadd8 r12, r4, r6 - ldr_pre r6, r1, r2 + ldrc_pre ne, r6, r1, r2 uhadd8 r14, r5, r7 - ldr r7, [r1, #4] + it ne + ldrne r7, [r1, #4] stm r0, {r8,r9} add r0, r0, r2 stm r0, {r12,r14} From 0120e480bf0a1257299c8c84416a8814ccfcc73b Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 8 Mar 2014 11:52:14 +0100 Subject: [PATCH 801/991] arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6 The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41 broke the computation for the last row since it prevented the safe reading from the height+1-th row. --- libavcodec/arm/dsputil_armv6.S | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/dsputil_armv6.S b/libavcodec/arm/dsputil_armv6.S index e4f71cb5b6..25074b4311 100644 --- a/libavcodec/arm/dsputil_armv6.S +++ b/libavcodec/arm/dsputil_armv6.S @@ -134,12 +134,11 @@ function ff_put_pixels8_y2_armv6, export=1 uhadd8 r9, r5, r7 eor r11, r5, r7 and r10, r10, r12 - ldrc_pre ne, r4, r1, r2 + ldr_pre r4, r1, r2 uadd8 r8, r8, r10 and r11, r11, r12 uadd8 r9, r9, r11 - it ne - ldrne r5, [r1, #4] + ldr r5, [r1, #4] uhadd8 r10, r4, r6 eor r6, r4, r6 uhadd8 r11, r5, r7 
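Review bot: In ff_put_pixels8_y2_armv6 (libavcodec/arm/dsputil_armv6.S, hunk at -134 of the follow-up fix), the r4/r5 loads become unconditional again while the r6/r7 loads further down stay as `ldrc_pre ne` and `ldrne`, and the code carries no comment explaining the asymmetry. The commit message gives the reason (the load of the height+1-th row is safe and needed for the last output row), but the next person reading the loop will see two near-identical load pairs with different predication and may "fix" one of them again. Please add a comment at the loop stating that the first pair reads the row needed for the final output and must be unconditional, while the second pair would read past it and must be skipped on the last iteration.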
@@ -196,10 +195,9 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1 1: subs r3, r3, #2 uhadd8 r8, r4, r6 - ldrc_pre ne, r4, r1, r2 + ldr_pre r4, r1, r2 uhadd8 r9, r5, r7 - it ne - ldrne r5, [r1, #4] + ldr r5, [r1, #4] uhadd8 r12, r4, r6 ldrc_pre ne, r6, r1, r2 uhadd8 r14, r5, r7 From 98f44b24b56bece934c6bb99e0acca3cc45fe5aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2014 20:09:48 +0100 Subject: [PATCH 802/991] dnxhdenc: fix mb_rc size Fixes out of array access with RC_VARIANCE set to 0 Signed-off-by: Michael Niedermayer (cherry picked from commit f1caaa1c61310beba705957e6366f0392a0b005b) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index e4c6274ae4..15543c1a1b 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias) static int dnxhd_init_rc(DNXHDEncContext *ctx) { - FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail); + FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail); if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD) FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail); From 5cab56dc9e405eaeb6aa792e34ec2a4f90949ad1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jan 2014 18:08:18 +0100 Subject: [PATCH 803/991] avcodec/vmnc: Check that rectangles are within the picture Prevents out of array accesses with CODEC_FLAG_EMU_EDGE Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d) Conflicts: libavcodec/vmnc.c Signed-off-by: Michael Niedermayer (cherry picked from commit 7c17207ab9acfaa934e8feb8fba90765c9d0b989) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 2dde23948f..1a02a75e69 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -275,6 +275,11 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int } xy = *src++; wh = *src++; + if ( (xy >> 4) + (wh >> 4) + 1 > w - i + || (xy & 0xF) + (wh & 0xF)+1 > h - j) { + av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n"); + return AVERROR_INVALIDDATA; + } paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride); } } From 4e47ae4e716256cfe77f9bf63a3638395c4d57b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2014 19:04:37 +0100 Subject: [PATCH 804/991] avcodec/vc1: reset fcm/field_mode in non advanced header parsing Fixes NULL pointer dereference Fixes: signal_sigsegv_1ab8bf4_2847_cov_4254117347_SA10091.vc1 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b51e9354772de446e8196dabf9aad1567b22f74d) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index daf6325c0c..e84cc0f88b 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -578,6 +578,8 @@ int vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) { int pqindex, lowquant, status; + v->field_mode = 0; + v->fcm = 0; if (v->finterpflag) v->interpfrm = get_bits1(gb); skip_bits(gb, 2); //framecnt unused From ca8c3ec11b8ceb6d753176d5c04145cb83cbbe47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 14:49:22 +0200 Subject: [PATCH 805/991] wmalosslessdec: make mclms arrays big enough for whats written into them. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a0abefb0af64a311b15141062c77dd577ba590a3) Conflicts: libavcodec/wmalosslessdec.c --- libavcodec/wmalosslessdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 3f23b66002..d6e5a1e2f8 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -240,9 +240,9 @@ typedef struct WmallDecodeCtx { int8_t mclms_scaling; int16_t mclms_coeffs[128]; int16_t mclms_coeffs_cur[4]; - int16_t mclms_prevvalues[64]; // FIXME: should be 32-bit / 16-bit depending on bit-depth - int16_t mclms_updates[64]; - int mclms_recent; + int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32]; + int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32]; + int mclms_recent; int movave_scaling; int quant_stepsize; From ae51d93983530a1900ee4e1e4bf43cb28a30efb2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2014 15:07:23 +0100 Subject: [PATCH 806/991] avcodec/wmalosslessdec: fix mclms_coeffs* array size Fixes corruption of context Fixes: 8835659dde6a4f7dcdf341de6a45c6c8-signal_sigsegv_1dce67b_4564_cov_2504444599_classical_22_16_1_14000_v3c_0_extend_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ec9578d54d09b64bf112c2bf7a34b1ef3b93dbd3) Conflicts: libavcodec/wmalosslessdec.c --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d6e5a1e2f8..3fcf177c72 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -238,8 +238,8 @@ typedef struct WmallDecodeCtx { int8_t mclms_order; int8_t mclms_scaling; - int16_t mclms_coeffs[128]; - int16_t mclms_coeffs_cur[4]; + int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32]; + int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS]; int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32]; int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32]; int mclms_recent; From 68b14c044a4a00d69aeb620bdb57dce533c4190a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 13 Feb 2014 13:59:51 +0100 Subject: [PATCH 807/991] avformat/mpegtsenc: Check data array size in mpegts_write_pmt() Prevents out of array writes Signed-off-by: Michael Niedermayer (cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad) Conflicts: libavformat/mpegtsenc.c (cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 043e578130..84cdcbde40 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -235,7 +235,7 @@ static void mpegts_write_pat(AVFormatContext *s) data, q - data); } -static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) +static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { // MpegTSWrite *ts = s->priv_data; uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr; @@ -288,6 +288,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) stream_type = STREAM_TYPE_PRIVATE_DATA; break; } + + if (q - data > sizeof(data) - 32) + return AVERROR(EINVAL); + *q++ = stream_type; put16(&q, 0xe000 | ts_st->pid); desc_length_ptr = q; @@ -311,7 +315,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) len_ptr = q++; *len_ptr = 0; - for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { + for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) { next = strchr(p, ','); if (strlen(p) != 3 && (!next || next != p + 3)) continue; /* not a 3-letter code */ @@ -373,6 +377,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) } mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, data, q - data); + return 0; } /* NOTE: str == NULL is accepted for an empty string */ 
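Review bot: In mpegts_write_pmt (libavformat/mpegtsenc.c, final hunk at -373), the function now ends in `return 0;` and can return AVERROR(EINVAL) from the new size check, but no call site is changed, so the error is dropped. The diffstat's 7 insertions and 2 deletions are all accounted for by the signature change, the size check, the loop condition and this return. As written, an overfull PMT stops being written without the caller or the user learning about it. Please propagate the return value through the callers, and add an av_log at the `q - data > sizeof(data) - 32` check so the failure is visible.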
From f157f18b3473dc5bcef8d21d25ce0cdb6597bafd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2014 23:08:52 +0100 Subject: [PATCH 808/991] avcodec/msrle: use av_image_get_linesize() to calculate the linesize Fixes out of array access Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2) Conflicts: libavcodec/msrle.c (cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 1e6976f854..e8906c7a2a 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -35,6 +35,7 @@ #include "avcodec.h" #include "dsputil.h" #include "msrledec.h" +#include "libavutil/imgutils.h" typedef struct MsrleContext { AVCodecContext *avctx; @@ -108,7 +109,7 @@ static int msrle_decode_frame(AVCodecContext *avctx, /* FIXME how to correctly detect RLE ??? */ if (avctx->height * istride == avpkt->size) { /* assume uncompressed */ - int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8; + int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0); uint8_t *ptr = s->frame.data[0]; uint8_t *buf = avpkt->data + (avctx->height-1)*istride; int i, j; From 43b1762ab869b2451ef66a2606d01ad09d691f51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2014 02:53:14 +0100 Subject: [PATCH 809/991] avcodec/snow: split block clipping checks Fixes out of array read Fixes: d4476f68ca1c1c57afbc45806f581963-asan_heap-oob_2266b27_8607_cov_4044577381_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61d59703c91869f4e5cdacd8d6be52f8b89d4ba4) 
Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 3a5cdc7175..6a04d694bb 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -311,7 +311,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(!sliced && !offset_dst) dst -= src_x; src_x=0; - }else if(src_x + b_w > w){ + } + if(src_x + b_w > w){ b_w = w - src_x; } if(src_y<0){ @@ -320,7 +321,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(!sliced && !offset_dst) dst -= src_y*dst_stride; src_y=0; - }else if(src_y + b_h> h){ + } + if(src_y + b_h> h){ b_h = h - src_y; } From 6f9e6ac6aa3c670cb5c9f853095ae47fe0c40487 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Mar 2014 19:00:59 +0100 Subject: [PATCH 810/991] update for 0.10.12 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 783d0f8a9b..e0c1fe8232 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.11 +PROJECT_NUMBER = 0.10.12 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 223df19846..70016a7c6a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.11 +0.10.12 diff --git a/VERSION b/VERSION index 223df19846..70016a7c6a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.11 +0.10.12 From 7b00340f97f2d9456a0e6d6cee4c1a92165cde91 Mon Sep 17 00:00:00 2001 
From: Diego Biurrun Date: Mon, 23 Dec 2013 01:03:48 +0100 Subject: [PATCH 811/991] configure: Support preprocessor macros as header names New versions of FreeType have moved the location of their API header(s) and hide the location behind a macro. Since the location changes between versions and no other way to know the location exists, this workaround becomes necessary. Signed-off-by: Luca Barbato (cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8) Signed-off-by: Luca Barbato Conflicts: configure --- configure | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 844069bcc9..f9eac08588 100755 --- a/configure +++ b/configure @@ -654,6 +654,13 @@ check_ld(){ check_cmd $ld $LDFLAGS $flags -o $TMPE $TMPO $libs $extralibs } +print_include(){ + hdr=$1 + test "${hdr%.h}" = "${hdr}" && + echo "#include $hdr" || + echo "#include <$hdr>" +} + check_cppflags(){ log check_cppflags "$@" set -- $($filter_cppflags "$@") @@ -723,7 +730,7 @@ check_func_headers(){ shift 2 { for hdr in $headers; do - echo "#include <$hdr>" + print_include $hdr done for func in $funcs; do echo "long check_$func(void) { return (long) $func; }" From ec772cca60423b9994fe00c7cef239f93eae6112 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 5 Jan 2014 12:30:45 +0100 Subject: [PATCH 812/991] drawtext: Drop pointless header It should be forward compatible with newer freetype. (cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b) Signed-off-by: Luca Barbato --- libavfilter/vf_drawtext.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index dcde542118..273dc97a7d 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -45,7 +45,6 @@ #undef time #include -#include #include FT_FREETYPE_H #include FT_GLYPH_H From bf0cb89a8d11d418cdf351fe5d91240ce92cd71d Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 21 Dec 2013 17:59:59 +0100 Subject: [PATCH 813/991] configure: Update freetype check to follow upstream The freetype tutorial suggests to use #include FT_FREETYPE_H. Bug-Id: 616 Signed-off-by: Luca Barbato (cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba) Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index f9eac08588..bcfbe4e6ec 100755 --- a/configure +++ b/configure @@ -2946,7 +2946,7 @@ enabled libdirac && require_pkg_config dirac \ "libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h" \ "dirac_decoder_init dirac_encoder_init" enabled libfaac && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaac -enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType +enabled libfreetype && require_pkg_config freetype2 "ft2build.h FT_FREETYPE_H" FT_Init_FreeType enabled libgsm && require libgsm gsm/gsm.h gsm_create -lgsm enabled libmp3lame && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame enabled libnut && require libnut libnut.h nut_demuxer_init -lnut From aedf1a2996e70d322220d2704d5a615c4f7b1b23 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 13 Mar 2014 20:59:00 -0400 Subject: [PATCH 814/991] Update Changelog for 0.8.11 --- Changelog | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Changelog b/Changelog index 7855c11324..6323e026e5 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,26 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.11: + +- configure: Update freetype check to follow upstream +- drawtext: Drop pointless header +- configure: Support preprocessor macros as header names +- arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6 +- arm: hpeldsp: prevent overreads in armv6 asm +- lagarith: reallocate rgb_planes when needed +- lagarith: avoid infinite loop in lag_rac_refill() +- lagarith: pad RGB buffer by 1 byte. +- truemotion1: check the header size +- shorten: pad the internal bitstream buffer +- samplefmt: avoid integer overflow in av_samples_get_buffer_size() +- h264: Fix a typo from the previous commit +- h264: Lower bound check for slice offsets +- rpza: limit the number of blocks to the total remaining blocks in the frame +- Prepare for 0.8.11 Release +- lavf: make av_probe_input_buffer more robust + + version 0.8.10: - oggparseogm: check timing variables From f1a8885ae9e7f281b597d1f9188fc16fb2ab7832 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 12 Mar 2014 13:46:04 +0200 Subject: [PATCH 815/991] doc: Point to the correct, actually maintained gas-preprocessor repo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit d15c536123a44362ace6299c391a492c90b83fc7) Signed-off-by: Martin Storsjö --- doc/platform.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/platform.texi b/doc/platform.texi index 7ec7cb3dd0..4fc1a2cde2 100644 --- a/doc/platform.texi +++ b/doc/platform.texi 
@@ -51,8 +51,8 @@ The toolchain provided with Xcode is sufficient to build the basic unacelerated code. OS X on PowerPC or ARM (iPhone) requires a preprocessor from -@url{http://github.com/yuvi/gas-preprocessor} to build the optimized -assembler functions. Just download the Perl script and put it somewhere +@url{git://git.libav.org/gas-preprocessor.git} to build the optimized +assembler functions. Put the Perl script somewhere in your PATH, Libav's configure will pick it up automatically. OS X on AMD64 and x86 requires @command{yasm} to build most of the From 16f0f97eec7945d082b74ed88de382bac21538ca Mon Sep 17 00:00:00 2001 From: Keiji Costantini Date: Sat, 1 Mar 2014 18:17:04 +0000 Subject: [PATCH 816/991] ituh263: reject b-frame with pp_time = 0 Avoid a division by 0 in ff_mpeg4_set_one_direct_mv. Sample-Id: 00000168-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara (cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f) (cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2) (cherry picked from commit aa2a3ca27a3269e2b975686652204607fad8bc49) --- libavcodec/ituh263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 028d2a16a6..ebbead478b 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -753,6 +753,8 @@ int ff_h263_decode_mb(MpegEncContext *s, } if(IS_DIRECT(mb_type)){ + if (!s->pp_time) + return AVERROR_INVALIDDATA; s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT; mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0); }else{ From afab4c422b60e83419e10ee3dd4ba7001798b3db Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Fri, 7 Sep 2012 12:50:43 +0100 Subject: [PATCH 817/991] configure: use utilities from /usr/xpg4/bin if it exists Solaris defaults to non-standard utilities (grep, sed, ...) with proper ones being in /usr/xpg4/bin. Prefixing PATH with this directory when it exists ensures we get correct variants. 
Signed-off-by: Mans Rullgard --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index bcfbe4e6ec..13066e224a 100755 --- a/configure +++ b/configure @@ -54,6 +54,8 @@ if test "$E1" != 0 || test "$E2" = 0; then exit 1 fi +test -d /usr/xpg4/bin && PATH=/usr/xpg4/bin:$PATH + show_help(){ cat < Date: Sat, 4 Jan 2014 20:47:32 +0100 Subject: [PATCH 818/991] cmdutils: update copyright year to 2014. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 3ba5d0cfb5..e85f8d76bc 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -55,7 +55,7 @@ struct SwsContext *sws_opts; AVDictionary *format_opts, *codec_opts; -static const int this_year = 2013; +static const int this_year = 2014; void init_opts(void) { From 2cbc8dfeddcbe00ef5f112162912bb49c1dd6623 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 10:15:24 +0100 Subject: [PATCH 819/991] h264: check buffer size before accessing it Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ba8872cc5f..f021e59713 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3919,7 +3919,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ s->workaround_bugs |= FF_BUG_TRUNCATED; if(!(s->workaround_bugs & FF_BUG_TRUNCATED)){ - while(ptr[dst_length - 1] == 0 && dst_length > 0) + while(dst_length > 0 && ptr[dst_length - 1] == 0) dst_length--; } bit_length= !dst_length ? 0 : (8*dst_length - ff_h264_decode_rbsp_trailing(h, ptr + dst_length - 1)); From e0d8a17402b934b8fba7b86c6c990abf1257901b Mon Sep 17 00:00:00 2001 
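Review bot: in the h264.c hunk of decode_nal_units() the reordered loop is now safe for a dst_length of 0, but the following line still tests `!dst_length` before forming `ptr + dst_length - 1`, so a negative dst_length would pass that test and reach the pointer arithmetic. Unless an earlier check already rejects negative lengths, test `dst_length <= 0` there so both uses of the length agree.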
From: Anton Khirnov Date: Fri, 15 Nov 2013 19:06:23 +0100 Subject: [PATCH 820/991] h264_refs: make sure not to write over the bounds of the default ref list Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264_refs.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 273c52b475..dd4bd62206 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -62,20 +62,22 @@ static int split_field_copy(Picture *dest, Picture *src, return match; } -static int build_def_list(Picture *def, Picture **in, int len, int is_long, int sel){ +static int build_def_list(Picture *def, int def_len, + Picture **in, int len, int is_long, int sel) +{ int i[2]={0}; int index=0; - while(i[0]f.reference & sel))) i[0]++; while (i[1] < len && !(in[ i[1] ] && (in[ i[1] ]->f.reference & (sel^3)))) i[1]++; - if(i[0] < len){ + if (i[0] < len && index < def_len) { in[ i[0] ]->pic_id= is_long ? i[0] : in[ i[0] ]->frame_num; split_field_copy(&def[index++], in[ i[0]++ ], sel , 1); } - if(i[1] < len){ + if (i[1] < len && index < def_len) { in[ i[1] ]->pic_id= is_long ? i[1] : in[ i[1] ]->frame_num; split_field_copy(&def[index++], in[ i[1]++ ], sel^3, 0); } 
@@ -123,9 +125,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){ len= add_sorted(sorted , h->short_ref, h->short_ref_count, cur_poc, 1^list); len+=add_sorted(sorted+len, h->short_ref, h->short_ref_count, cur_poc, 0^list); assert(len<=32); - len= build_def_list(h->default_ref_list[list] , sorted , len, 0, s->picture_structure); - len+=build_def_list(h->default_ref_list[list]+len, h->long_ref, 16 , 1, s->picture_structure); - assert(len<=32); + + len = build_def_list(h->default_ref_list[list], FF_ARRAY_ELEMS(h->default_ref_list[0]), + sorted, len, 0, s->picture_structure); + len += build_def_list(h->default_ref_list[list] + len, + FF_ARRAY_ELEMS(h->default_ref_list[0]) - len, + h->long_ref, 16, 1, s->picture_structure); if(len < h->ref_count[list]) memset(&h->default_ref_list[list][len], 0, sizeof(Picture)*(h->ref_count[list] - len)); @@ -138,9 +143,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){ FFSWAP(Picture, h->default_ref_list[1][0], h->default_ref_list[1][1]); } }else{ - len = build_def_list(h->default_ref_list[0] , h->short_ref, h->short_ref_count, 0, s->picture_structure); - len+= build_def_list(h->default_ref_list[0]+len, h-> long_ref, 16 , 1, s->picture_structure); - assert(len <= 32); + len = build_def_list(h->default_ref_list[0], FF_ARRAY_ELEMS(h->default_ref_list[0]), + h->short_ref, h->short_ref_count, 0, s->picture_structure); + len += build_def_list(h->default_ref_list[0] + len, + FF_ARRAY_ELEMS(h->default_ref_list[0]) - len, + h-> long_ref, 16, 1, s->picture_structure); + if(len < h->ref_count[0]) memset(&h->default_ref_list[0][len], 0, sizeof(Picture)*(h->ref_count[0] - len)); } From 3ee26080d6b3e777992b4b4124e62e1bf0ac0a65 Mon Sep 17 00:00:00 2001 
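Review bot: in build_def_list() the two copy branches now test `index < def_len`, but i[0] and i[1] only advance inside those branches, so the enclosing while loop must also stop once `index` reaches `def_len` or it will spin on a full list; please confirm the loop condition carries that term. The function also truncates silently, so a caller cannot tell a complete list from one cut at def_len; a log message would help when diagnosing damaged streams.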
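Review bot: in ff_h264_fill_default_ref_list() the `assert(len<=32)` lines after the build_def_list() calls are removed, which is fine now that def_len bounds the writes, but the `assert(len<=32)` after the two add_sorted() calls is kept as the only visible limit on what goes into `sorted`, and an assert disappears in NDEBUG builds. If that bound matters, enforce it with a real check. In the B-frame branch, `FF_ARRAY_ELEMS(h->default_ref_list[list])` would make the size expression name the array actually written.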
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 821/991] h264: reset data_partitioning if decoding the slice header for NAL_DPA fails If it was set before then we can end up trying to decode a slice without a valid slice header, which can lead to invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f021e59713..886fc047fb 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4013,8 +4013,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx->intra_gb_ptr= hx->inter_gb_ptr= NULL; - if ((err = decode_slice_header(hx, h)) < 0) + if ((err = decode_slice_header(hx, h)) < 0) { + /* make sure data_partitioning is cleared if it was set + * before, so we don't try decoding a slice without a valid + * slice header later */ + s->data_partitioning = 0; break; + } hx->s.data_partitioning = 1; From 0f71a5df4bc913f17a53c7ac66d4957914fa1d3d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 822/991] h264: do not use 422 functions for monochrome Fixes invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/arm/h264dsp_init_arm.c | 2 +- libavcodec/h264dsp.c | 12 ++++++------ libavcodec/h264pred.c | 10 +++++----- libavcodec/ppc/h264_altivec.c | 2 +- libavcodec/x86/h264_intrapred_init.c | 20 ++++++++++---------- libavcodec/x86/h264dsp_mmx.c | 14 +++++++------- 6 files changed, 30 insertions(+), 30 deletions(-) diff --git a/libavcodec/arm/h264dsp_init_arm.c b/libavcodec/arm/h264dsp_init_arm.c index 1c331a495d..5d33b90f28 100644 --- a/libavcodec/arm/h264dsp_init_arm.c +++ b/libavcodec/arm/h264dsp_init_arm.c 
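Review bot: in the NAL_DPA error path of decode_nal_units() the reset writes `s->data_partitioning = 0`, while the success path just below writes `hx->s.data_partitioning = 1`. If `hx` can be a different context from the one `s` belongs to, the flag set by an earlier slice stays set on `hx` and the stale state the commit message describes is still reachable; clear the same field that is set, or explain in the comment why clearing `s` is sufficient.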
@@ -87,7 +87,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i c->h264_idct_dc_add = ff_h264_idct_dc_add_neon; c->h264_idct_add16 = ff_h264_idct_add16_neon; c->h264_idct_add16intra = ff_h264_idct_add16intra_neon; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_neon; c->h264_idct8_add = ff_h264_idct8_add_neon; c->h264_idct8_dc_add = ff_h264_idct8_dc_add_neon; diff --git a/libavcodec/h264dsp.c b/libavcodec/h264dsp.c index ba967079fb..4d67f16b51 100644 --- a/libavcodec/h264dsp.c +++ b/libavcodec/h264dsp.c @@ -53,13 +53,13 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo c->h264_idct8_dc_add= FUNC(ff_h264_idct8_dc_add, depth);\ c->h264_idct_add16 = FUNC(ff_h264_idct_add16, depth);\ c->h264_idct8_add4 = FUNC(ff_h264_idct8_add4, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_idct_add8 = FUNC(ff_h264_idct_add8, depth);\ else\ c->h264_idct_add8 = FUNC(ff_h264_idct_add8_422, depth);\ c->h264_idct_add16intra= FUNC(ff_h264_idct_add16intra, depth);\ c->h264_luma_dc_dequant_idct= FUNC(ff_h264_luma_dc_dequant_idct, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma_dc_dequant_idct, depth);\ else\ c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma422_dc_dequant_idct, depth);\ 
@@ -80,20 +80,20 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo c->h264_h_loop_filter_luma_intra= FUNC(h264_h_loop_filter_luma_intra, depth);\ c->h264_h_loop_filter_luma_mbaff_intra= FUNC(h264_h_loop_filter_luma_mbaff_intra, depth);\ c->h264_v_loop_filter_chroma= FUNC(h264_v_loop_filter_chroma, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma, depth);\ else\ c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma422, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma_mbaff, depth);\ else\ c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma422_mbaff, depth);\ c->h264_v_loop_filter_chroma_intra= FUNC(h264_v_loop_filter_chroma_intra, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma_intra, depth);\ else\ c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma422_intra, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma_mbaff_intra, depth);\ else\ c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma422_mbaff_intra, depth);\ diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c index 37a4cf1486..ba6eb054d2 100644 --- a/libavcodec/h264pred.c +++ b/libavcodec/h264pred.c @@ -434,7 +434,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co h->pred8x8l[TOP_DC_PRED ]= FUNCC(pred8x8l_top_dc , depth);\ h->pred8x8l[DC_128_PRED ]= FUNCC(pred8x8l_128_dc , depth);\ \ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[VERT_PRED8x8 ]= FUNCC(pred8x8_vertical , depth);\ h->pred8x8[HOR_PRED8x8 ]= FUNCC(pred8x8_horizontal , depth);\ } else {\ 
@@ -442,7 +442,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co h->pred8x8[HOR_PRED8x8 ]= FUNCC(pred8x16_horizontal , depth);\ }\ if (codec_id != CODEC_ID_VP8) {\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x8_plane , depth);\ } else {\ h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x16_plane , depth);\ @@ -450,7 +450,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co } else\ h->pred8x8[PLANE_PRED8x8]= FUNCD(pred8x8_tm_vp8);\ if(codec_id != CODEC_ID_RV40 && codec_id != CODEC_ID_VP8){\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[DC_PRED8x8 ]= FUNCC(pred8x8_dc , depth);\ h->pred8x8[LEFT_DC_PRED8x8]= FUNCC(pred8x8_left_dc , depth);\ h->pred8x8[TOP_DC_PRED8x8 ]= FUNCC(pred8x8_top_dc , depth);\ @@ -476,7 +476,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co h->pred8x8[DC_129_PRED8x8]= FUNCC(pred8x8_129_dc , depth);\ }\ }\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x8_128_dc , depth);\ } else {\ h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x16_128_dc , depth);\ @@ -510,7 +510,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, co h->pred4x4_add [ HOR_PRED ]= FUNCC(pred4x4_horizontal_add , depth);\ h->pred8x8l_add [VERT_PRED ]= FUNCC(pred8x8l_vertical_add , depth);\ h->pred8x8l_add [ HOR_PRED ]= FUNCC(pred8x8l_horizontal_add , depth);\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8_add [VERT_PRED8x8]= FUNCC(pred8x8_vertical_add , depth);\ h->pred8x8_add [ HOR_PRED8x8]= FUNCC(pred8x8_horizontal_add , depth);\ } else {\ diff --git a/libavcodec/ppc/h264_altivec.c b/libavcodec/ppc/h264_altivec.c index c8baee456e..f66aed1901 100644 --- a/libavcodec/ppc/h264_altivec.c +++ b/libavcodec/ppc/h264_altivec.c 
@@ -1004,7 +1004,7 @@ void ff_h264dsp_init_ppc(H264DSPContext *c, const int bit_depth, const int chrom if (av_get_cpu_flags() & AV_CPU_FLAG_ALTIVEC) { if (bit_depth == 8) { c->h264_idct_add = ff_h264_idct_add_altivec; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_altivec; c->h264_idct_add16 = ff_h264_idct_add16_altivec; c->h264_idct_add16intra = ff_h264_idct_add16intra_altivec; diff --git a/libavcodec/x86/h264_intrapred_init.c b/libavcodec/x86/h264_intrapred_init.c index 41e611ecd1..223dbde2ae 100644 --- a/libavcodec/x86/h264_intrapred_init.c +++ b/libavcodec/x86/h264_intrapred_init.c @@ -176,7 +176,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (mm_flags & AV_CPU_FLAG_MMX) { h->pred16x16[VERT_PRED8x8 ] = ff_pred16x16_vertical_mmx; h->pred16x16[HOR_PRED8x8 ] = ff_pred16x16_horizontal_mmx; - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { h->pred8x8 [VERT_PRED8x8 ] = ff_pred8x8_vertical_mmx; h->pred8x8 [HOR_PRED8x8 ] = ff_pred8x8_horizontal_mmx; } @@ -185,7 +185,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred8x8 [PLANE_PRED8x8 ] = ff_pred8x8_tm_vp8_mmx; h->pred4x4 [TM_VP8_PRED ] = ff_pred4x4_tm_vp8_mmx; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_mmx; if (codec_id == CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_mmx; @@ -200,7 +200,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (mm_flags & AV_CPU_FLAG_MMX2) { h->pred16x16[HOR_PRED8x8 ] = ff_pred16x16_horizontal_mmxext; h->pred16x16[DC_PRED8x8 ] = ff_pred16x16_dc_mmxext; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8[HOR_PRED8x8 ] = ff_pred8x8_horizontal_mmxext; h->pred8x8l [TOP_DC_PRED ] = ff_pred8x8l_top_dc_mmxext; h->pred8x8l [DC_PRED ] = ff_pred8x8l_dc_mmxext; 
@@ -225,7 +225,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4 [HOR_UP_PRED ] = ff_pred4x4_horizontal_up_mmxext; } if (codec_id == CODEC_ID_SVQ3 || codec_id == CODEC_ID_H264) { - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { h->pred8x8[TOP_DC_PRED8x8 ] = ff_pred8x8_top_dc_mmxext; h->pred8x8[DC_PRED8x8 ] = ff_pred8x8_dc_mmxext; } @@ -237,7 +237,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4 [TM_VP8_PRED ] = ff_pred4x4_tm_vp8_mmxext; h->pred4x4 [VERT_PRED ] = ff_pred4x4_vertical_vp8_mmxext; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_mmx2; if (codec_id == CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8 ] = ff_pred16x16_plane_svq3_mmx2; @@ -264,7 +264,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred16x16[PLANE_PRED8x8 ] = ff_pred16x16_tm_vp8_sse2; h->pred8x8 [PLANE_PRED8x8 ] = ff_pred8x8_tm_vp8_sse2; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_sse2; if (codec_id == CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_sse2; @@ -279,7 +279,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (mm_flags & AV_CPU_FLAG_SSSE3) { h->pred16x16[HOR_PRED8x8 ] = ff_pred16x16_horizontal_ssse3; h->pred16x16[DC_PRED8x8 ] = ff_pred16x16_dc_ssse3; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [HOR_PRED8x8 ] = ff_pred8x8_horizontal_ssse3; h->pred8x8l [TOP_DC_PRED ] = ff_pred8x8l_top_dc_ssse3; h->pred8x8l [DC_PRED ] = ff_pred8x8l_dc_ssse3; 
@@ -295,7 +295,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred8x8 [PLANE_PRED8x8 ] = ff_pred8x8_tm_vp8_ssse3; h->pred4x4 [TM_VP8_PRED ] = ff_pred4x4_tm_vp8_ssse3; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_ssse3; if (codec_id == CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_ssse3; @@ -311,7 +311,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4[DC_PRED ] = ff_pred4x4_dc_10_mmxext; h->pred4x4[HOR_UP_PRED ] = ff_pred4x4_horizontal_up_10_mmxext; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8[DC_PRED8x8 ] = ff_pred8x8_dc_10_mmxext; h->pred8x8l[DC_128_PRED ] = ff_pred8x8l_128_dc_10_mmxext; @@ -330,7 +330,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4[VERT_RIGHT_PRED ] = ff_pred4x4_vertical_right_10_sse2; h->pred4x4[HOR_DOWN_PRED ] = ff_pred4x4_horizontal_down_10_sse2; - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { h->pred8x8[DC_PRED8x8 ] = ff_pred8x8_dc_10_sse2; h->pred8x8[TOP_DC_PRED8x8 ] = ff_pred8x8_top_dc_10_sse2; h->pred8x8[PLANE_PRED8x8 ] = ff_pred8x8_plane_10_sse2; diff --git a/libavcodec/x86/h264dsp_mmx.c b/libavcodec/x86/h264dsp_mmx.c index dcd918013c..f5ae4dc055 100644 --- a/libavcodec/x86/h264dsp_mmx.c +++ b/libavcodec/x86/h264dsp_mmx.c @@ -344,7 +344,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom { int mm_flags = av_get_cpu_flags(); - if (chroma_format_idc == 1 && mm_flags & AV_CPU_FLAG_MMX2) { + if (chroma_format_idc <= 1 && mm_flags & AV_CPU_FLAG_MMX2) { c->h264_loop_filter_strength= h264_loop_filter_strength_mmx2; } 
@@ -358,7 +358,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom c->h264_idct_add16 = ff_h264_idct_add16_8_mmx; c->h264_idct8_add4 = ff_h264_idct8_add4_8_mmx; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_mmx; c->h264_idct_add16intra = ff_h264_idct_add16intra_8_mmx; c->h264_luma_dc_dequant_idct= ff_h264_luma_dc_dequant_idct_mmx; @@ -368,13 +368,13 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom c->h264_idct8_dc_add = ff_h264_idct8_dc_add_8_mmx2; c->h264_idct_add16 = ff_h264_idct_add16_8_mmx2; c->h264_idct8_add4 = ff_h264_idct8_add4_8_mmx2; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_mmx2; c->h264_idct_add16intra= ff_h264_idct_add16intra_8_mmx2; c->h264_v_loop_filter_chroma= ff_deblock_v_chroma_8_mmxext; c->h264_v_loop_filter_chroma_intra= ff_deblock_v_chroma_intra_8_mmxext; - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { c->h264_h_loop_filter_chroma= ff_deblock_h_chroma_8_mmxext; c->h264_h_loop_filter_chroma_intra= ff_deblock_h_chroma_intra_8_mmxext; } @@ -397,7 +397,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom c->h264_idct_add16 = ff_h264_idct_add16_8_sse2; c->h264_idct8_add4 = ff_h264_idct8_add4_8_sse2; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_sse2; c->h264_idct_add16intra = ff_h264_idct_add16intra_8_sse2; c->h264_luma_dc_dequant_idct= ff_h264_luma_dc_dequant_idct_sse2; @@ -448,7 +448,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom c->h264_idct8_dc_add = ff_h264_idct8_dc_add_10_sse2; c->h264_idct_add16 = ff_h264_idct_add16_10_sse2; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_10_sse2; c->h264_idct_add16intra= ff_h264_idct_add16intra_10_sse2; #if HAVE_ALIGNED_STACK 
@@ -489,7 +489,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom c->h264_idct8_dc_add = ff_h264_idct8_dc_add_10_avx; c->h264_idct_add16 = ff_h264_idct_add16_10_avx; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_10_avx; c->h264_idct_add16intra= ff_h264_idct_add16intra_10_avx; #if HAVE_ALIGNED_STACK From 7f33a24e824c6d20cb941e6b20c5382becfbc923 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 823/991] h264: check that execute_decode_slices() is not called too many times Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 886fc047fb..7d1945fc1e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3818,6 +3818,12 @@ static int execute_decode_slices(H264Context *h, int context_count){ H264Context *hx; int i; + if (s->mb_y >= s->mb_height) { + av_log(s->avctx, AV_LOG_ERROR, + "Input contains more MB rows than the frame height.\n"); + return AVERROR_INVALIDDATA; + } + if (s->avctx->hwaccel || s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU) return 0; if(context_count == 1) { From 07558d0b9fa0923e8b53f6eb7f2b69c4d631f11a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 824/991] mpegvideo: set reference/pict_type on generated reference frames Otherwise the generic code will unref them, which can then result in last_picture_ptr == current_picture_ptr, which causes deadlocks at least in rv40. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/mpegvideo.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 8df3061174..f3e2c12911 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
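Review bot: the same `chroma_format_idc <= 1` test is now spelled out at every assignment across six files, and in ff_h264dsp_init_x86() it appears as `chroma_format_idc <= 1 && mm_flags & AV_CPU_FLAG_MMX2` with no parentheses around the mask test. A boolean computed once per init function would make the intent (monochrome shares the 4:2:0 functions) explicit and keep the call sites from drifting apart. Where an else branch exists it still selects the 422 variants for every value above 1, so a short comment on which values are expected there is worth adding.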
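Review bot: in execute_decode_slices() the new `s->mb_y >= s->mb_height` check sits above the hwaccel/VDPAU early return, so it now applies to those paths as well, and it is the only non-zero return in the visible lines. Say in the commit message whether rejecting hwaccel input here is intended, and confirm that each caller tests the return value, otherwise the AVERROR_INVALIDDATA is dropped and decoding continues.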
@@ -1269,6 +1269,10 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) /* Allocate a dummy frame */ i = ff_find_unused_picture(s, 0); s->last_picture_ptr = &s->picture[i]; + + s->last_picture_ptr->f.reference = 3; + s->last_picture_ptr->f.pict_type = AV_PICTURE_TYPE_I; + if (ff_alloc_picture(s, s->last_picture_ptr, 0) < 0) return -1; ff_thread_report_progress((AVFrame *) s->last_picture_ptr, @@ -1282,6 +1286,10 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) /* Allocate a dummy frame */ i = ff_find_unused_picture(s, 0); s->next_picture_ptr = &s->picture[i]; + + s->next_picture_ptr->f.reference = 3; + s->next_picture_ptr->f.pict_type = AV_PICTURE_TYPE_I; + if (ff_alloc_picture(s, s->next_picture_ptr, 0) < 0) return -1; ff_thread_report_progress((AVFrame *) s->next_picture_ptr, From 9938e450c8575e0a4640dcbefb87d26d6bab9e4d Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 24 Jan 2014 16:22:44 +0100 Subject: [PATCH 825/991] mpeg12: check scantable indices in all decode_block functions Add checks to the fast functions used with CODEC_FLAGS2_FAST and move the check for all other functions to before the invalid memory is accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with CODEC_FLAGS2_FAST. CC: libav-stable@libav.org --- libavcodec/mpeg12.c | 48 +++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 436b4cf376..4db2753b40 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c 
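Review bot: in MPV_frame_start() both dummy-frame blocks set `f.reference = 3` and `f.pict_type` before ff_alloc_picture(), so when the allocation fails and the function returns -1, last_picture_ptr or next_picture_ptr is left pointing at a slot that is marked as referenced but has no buffer. Set the fields after a successful allocation, or clear them on the error path if they must precede the call. The bare 3 deserves a named constant or a comment, and the two duplicated lines could share a small helper.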
@@ -80,6 +80,15 @@ static int mpeg_decode_motion(MpegEncContext *s, int fcode, int pred) return sign_extend(val, 5 + shift); } +#define check_scantable_index(ctx, x) \ + do { \ + if ((x) > 63) { \ + av_log(ctx->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", \ + ctx->mb_x, ctx->mb_y); \ + return AVERROR_INVALIDDATA; \ + } \ + } while (0) \ + static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n) { int level, dc, diff, i, j, run; @@ -111,6 +120,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in break; } else if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 4; level = (level - 1) | 1; @@ -127,6 +137,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in level = SHOW_UBITS(re, &s->gb, 8) ; LAST_SKIP_BITS(re, &s->gb, 8); } i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = -level; @@ -138,10 +149,6 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in level = (level - 1) | 1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } block[j] = level; } @@ -261,6 +268,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = ((level * 2 + 1) * qscale) >> 1; level = (level - 1) | 1; @@ -277,6 +285,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc level = SHOW_UBITS(re, &s->gb, 8) ; SKIP_BITS(re, &s->gb, 8); } i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = -level; 
@@ -342,6 +351,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); @@ -353,6 +363,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = ((-level * 2 + 1) * qscale * quant_matrix[j]) >> 5; @@ -361,10 +372,6 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } mismatch ^= level; block[j] = level; @@ -411,6 +418,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s, if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = ((level * 2 + 1) * qscale) >> 1; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); @@ -422,6 +430,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s, level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = ((-level * 2 + 1) * qscale) >> 1; @@ -488,6 +497,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in break; } else if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 4; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); 
@@ -498,6 +508,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in UPDATE_CACHE(re, &s->gb); level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = (-level * qscale * quant_matrix[j]) >> 4; @@ -506,10 +517,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in level = (level * qscale * quant_matrix[j]) >> 4; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } mismatch ^= level; block[j] = level; @@ -524,10 +531,10 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n) { - int level, dc, diff, j, run; + int level, dc, diff, i, j, run; int component; RLTable *rl; - uint8_t * scantable = s->intra_scantable.permutated; + uint8_t * const scantable = s->intra_scantable.permutated; const uint16_t *quant_matrix; const int qscale = s->qscale; @@ -546,6 +553,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc dc += diff; s->last_dc[component] = dc; block[0] = dc << (3 - s->intra_dc_precision); + i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; else @@ -561,8 +569,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc if (level == 127) { break; } else if (level != 0) { - scantable += run; - j = *scantable; + i += run; + check_scantable_index(s, i); + j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 4; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); LAST_SKIP_BITS(re, &s->gb, 1); 
@@ -571,8 +580,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc run = SHOW_UBITS(re, &s->gb, 6) + 1; LAST_SKIP_BITS(re, &s->gb, 6); UPDATE_CACHE(re, &s->gb); level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); - scantable += run; - j = *scantable; + i += run; + check_scantable_index(s, i); + j = scantable[i]; if (level < 0) { level = (-level * qscale * quant_matrix[j]) >> 4; level = -level; @@ -586,7 +596,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc CLOSE_READER(re, &s->gb); } - s->block_last_index[n] = scantable - s->intra_scantable.permutated; + s->block_last_index[n] = i; return 0; } From db52f056c3d26c59feb9156a9deeaf8e0089b86e Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 3 Mar 2014 20:20:15 +0000 Subject: [PATCH 826/991] movenc: allow override of "writing application" tag Signed-off-by: Tim Walker CC: libav-stable@libav.org (cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c) --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 85b5667076..0b774f54bf 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1626,7 +1626,8 @@ static int mov_write_ilst_tag(AVIOContext *pb, MOVMuxContext *mov, mov_write_string_metadata(s, pb, "\251wrt", "composer" , 1); mov_write_string_metadata(s, pb, "\251alb", "album" , 1); mov_write_string_metadata(s, pb, "\251day", "date" , 1); - mov_write_string_tag(pb, "\251too", LIBAVFORMAT_IDENT, 0, 1); + if (!mov_write_string_metadata(s, pb, "\251too", "encoding_tool", 1)) + mov_write_string_tag(pb, "\251too", LIBAVFORMAT_IDENT, 0, 1); mov_write_string_metadata(s, pb, "\251cmt", "comment" , 1); mov_write_string_metadata(s, pb, "\251gen", "genre" , 1); mov_write_string_metadata(s, pb, "\251cpy", "copyright", 1); From d0ecfe32492bbf27274bbb0c525d2ea59518cd5f Mon Sep 17 00:00:00 2001 
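Review bot: the check_scantable_index() macro added near the top of mpeg12.c ends with `} while (0) \`, so the definition continues onto the following line and only works because that line is empty; drop the trailing backslash. The macro also hides a `return` and uses `ctx` unparenthesized, so a comment that it exits the calling function would help, and the commit message should mention that the non-fast decoders now return AVERROR_INVALIDDATA where the removed checks returned -1.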
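Review bot: in mov_write_ilst_tag() the fallback to LIBAVFORMAT_IDENT depends on mov_write_string_metadata() returning 0 when no "encoding_tool" entry was written, which is not obvious at the call site, and the new metadata key is not documented anywhere in this patch. Add a comment on the return-value contract and a line in the muxer documentation, since the tag previously always identified the writing library and can now carry any caller-supplied string.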
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 827/991] adx: check that the offset is not negative Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 5569146d48f06564e8fa393424782cceed510916) --- libavcodec/adx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adx.c b/libavcodec/adx.c index 1e5d89c991..41e8e1c8c1 100644 --- a/libavcodec/adx.c +++ b/libavcodec/adx.c @@ -47,7 +47,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf, offset = AV_RB16(buf + 2) + 4; /* if copyright string is within the provided data, validate it */ - if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6)) + if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6)) return AVERROR_INVALIDDATA; /* check for encoding=3 block_size=18, sample_size=4 */ From 1dce4a031f8dca167ce5f58da066e296d0231a4a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Mar 2014 10:41:33 +0100 Subject: [PATCH 828/991] avfilter: Add missing emms_c when needed Arch specific calls should have an emms_c following to keep the cpu state consistent. Reported-By: wm4 CC: libav-stable@libav.org --- libavfilter/vf_gradfun.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index c6663c4102..525aec91a8 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -113,6 +113,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, uint8_t *src, int width, i ctx->filter_line(dst + y * dst_linesize, src + y * src_linesize, dc - r / 2, width, thresh, dither[y & 7]); if (++y >= height) break; } + emms_c(); } static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque) From b473fdcde329dfbe6d099247f65f51436a49e8c6 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 21 Mar 2012 00:10:18 +0000 Subject: [PATCH 829/991] bytestream: add functions for accessing size of buffer 
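Review bot: in avpriv_adx_decode_header() adding `offset >= 6` stops the `buf + offset - 6` underflow, but because it is and-ed into the same condition, a header whose offset is 4 or 5 now skips the "(c)CRI" comparison and passes this step unvalidated. offset is `AV_RB16(buf + 2) + 4`, so it is never negative as the subject line says, only smaller than 6; consider returning AVERROR_INVALIDDATA for `offset < 6` outright and rewording the subject to match.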
Signed-off-by: Paul B Mahol Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783) --- libavcodec/bytestream.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 68146200ae..091cab8c8e 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -198,6 +198,16 @@ static av_always_inline int bytestream2_tell_p(PutByteContext *p) return (int)(p->buffer - p->buffer_start); } +static av_always_inline int bytestream2_size(GetByteContext *g) +{ + return (int)(g->buffer_end - g->buffer_start); +} + +static av_always_inline int bytestream2_size_p(PutByteContext *p) +{ + return (int)(p->buffer_end - p->buffer_start); +} + static av_always_inline int bytestream2_seek(GetByteContext *g, int offset, int whence) From c4033cd4eb921a9cc8deb513efc6d6a6ba3b2163 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 830/991] h264: reject mismatching luma/chroma bit depths during sps parsing There is no point in delaying the check and it avoids bugs with a half-initialized context. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 6 ------ libavcodec/h264_ps.c | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7d1945fc1e..d6e1ba1f40 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -4076,12 +4076,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; - if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) { - av_log_missing_feature(s->avctx, - "Different bit depth between chroma and luma", 1); - return AVERROR_PATCHWELCOME; - } - if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc) { if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) { diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index ee4711c147..5d7508276b 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -349,6 +349,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; + if (sps->bit_depth_chroma != sps->bit_depth_luma) { + av_log_missing_feature(s->avctx, + "Different bit depth between chroma and luma", 1); + goto fail; + } sps->transform_bypass = get_bits1(&s->gb); decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8); }else{ From 51ae8e26af8f5b26efb41edc0fe4812368d16ae9 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 831/991] h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3 Higher modes are not allowed for 16x16/chroma, which is what this function is used for. Otherwise this function would return 0 (vertical prediction) for invalid higher modes, which could result in invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d6e1ba1f40..de4a4f0e66 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -107,10 +107,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){ */ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){ MpegEncContext * const s = &h->s; - static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1}; - static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8}; + static const int8_t top[4] = { LEFT_DC_PRED8x8, 1, -1, -1 }; + static const int8_t left[5] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 }; - if(mode > 6U) { + if(mode > 3U) { av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y); return -1; } From a7cce9ebf3ae3b9678970236c964900393603a73 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 832/991] h264: reset first_field if frame_start() fails for missing refs In this case we may not have a current frame, while first_field being set implies we do. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index de4a4f0e66..e88bb936e3 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2990,8 +2990,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) { Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL; av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num); - if (ff_h264_frame_start(h) < 0) + if (ff_h264_frame_start(h) < 0) { + h0->s.first_field = 0; return -1; + } h->prev_frame_num++; h->prev_frame_num %= 1<sps.log2_max_frame_num; s->current_picture_ptr->frame_num= h->prev_frame_num; From 35ba079fbf281a066f3ac1e1271f3caa402dcd74 Mon Sep 17 00:00:00 2001 
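Review bot: In decode_slice_header() in libavcodec/h264.c, the new block still returns a bare -1 and throws away the error code from `ff_h264_frame_start(h)`; storing the result and returning it would keep the cause visible to the caller. The reset is also applied to `h0->s.first_field` while the failing call ran on `h`, and the hunk does not say why; a short comment on which context owns first_field here would help the next reader.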
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 833/991] h264: reset ref count if decoding the slice header fails Otherwise the ER code might try to use some already freed references. Fixes possible access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e88bb936e3..1c2f23a8cf 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4118,9 +4118,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ context_count = 0; } - if (err < 0) + if (err < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n"); - else if(err == 1) { + h->ref_count[0] = h->ref_count[1] = h->list_count = 0; + } else if (err == 1) { /* Slice could not be decoded in parallel mode, copy down * NAL unit stuff to context 0 and restart. Note that * rbsp_buffer is not transferred, but since we no longer From 27ac9585c97d35b809382be5634c8e5f7211243a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 834/991] h264: reset data partitioning at the beginning of each decode call Prevents using GetBitContexts with data from previous calls. Fixes access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1c2f23a8cf..bca9bda675 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -4017,6 +4017,13 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ } break; case NAL_DPA: + if (s->flags2 & CODEC_FLAG2_CHUNKS) { + av_log(h->s.avctx, AV_LOG_ERROR, + "Decoding in chunks is not supported for " + "partitioned slices.\n"); + return AVERROR(ENOSYS); + } + init_get_bits(&hx->s.gb, ptr, bit_length); hx->intra_gb_ptr= hx->inter_gb_ptr= NULL; @@ -4170,6 +4177,9 @@ static int decode_frame(AVCodecContext *avctx, s->flags= avctx->flags; s->flags2= avctx->flags2; + /* reset data partitioning here, to ensure GetBitContexts from previous + * packets do not get used. */ + s->data_partitioning = 0; /* end of stream, output what is still in the buffers */ out: From 71b8c8430cf3f7056849257324fc39b423075ba1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 2 Jan 2014 09:34:20 +0100 Subject: [PATCH 835/991] sgidec: fix buffer size check in expand_rle_row() Right now it will spuriously fail if the linesize is exactly equal to the data width. CC:libav-stable@libav.org --- libavcodec/sgidec.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index dfa00ed79f..13f505a559 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -25,6 +25,7 @@ #include "sgi.h" typedef struct SgiState { + AVCodecContext *avctx; AVFrame picture; unsigned int width; unsigned int height; @@ -38,12 +39,12 @@ typedef struct SgiState { * Expand an RLE row into a channel. * @param s the current image state * @param out_buf Points to one line after the output buffer. - * @param out_end end of line in output buffer + * @param len length of out_buf in bytes * @param pixelstride pixel stride of input buffer * @return size of output in bytes, -1 if buffer overflows */ static int expand_rle_row(SgiState *s, uint8_t *out_buf, - uint8_t *out_end, int pixelstride) + int len, int pixelstride) { unsigned char pixel, count; unsigned char *orig = out_buf; 
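Review bot: The doc comment of expand_rle_row() in libavcodec/sgidec.c is only half updated. `@param len` is new, but `@param out_buf` still reads "Points to one line after the output buffer" and `@return` still promises -1 on overflow, while the reworked check later in this patch returns AVERROR_INVALIDDATA. Please bring both lines in step with the new signature, and state whether `len` counts from `out_buf` or from the start of the row, since the caller passes `FFABS(s->linesize) - z`.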
@@ -57,7 +58,10 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf, } /* Check for buffer overflow. */ - if(out_buf + pixelstride * count >= out_end) return -1; + if (pixelstride * (count - 1) >= len) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n"); + return AVERROR_INVALIDDATA; + } if (pixel & 0x80) { while (count--) { @@ -100,7 +104,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s) dest_row -= s->linesize; start_offset = bytestream2_get_be32(&g_table); bytestream2_seek(&s->g, start_offset, SEEK_SET); - if (expand_rle_row(s, dest_row + z, dest_row + FFABS(s->linesize), + if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z, s->depth) != s->width) { return AVERROR_INVALIDDATA; } @@ -258,6 +262,15 @@ static av_cold int sgi_end(AVCodecContext *avctx) return 0; } +static av_cold int sgi_decode_init(AVCodecContext *avctx) +{ + SgiState *s = avctx->priv_data; + + s->avctx = avctx; + + return 0; +} + AVCodec ff_sgi_decoder = { .name = "sgi", .type = AVMEDIA_TYPE_VIDEO, @@ -266,6 +279,7 @@ AVCodec ff_sgi_decoder = { .init = sgi_init, .close = sgi_end, .decode = decode_frame, + .init = sgi_decode_init, .long_name = NULL_IF_CONFIG_SMALL("SGI image"), }; From 330c18032464a4e1f3da907e54db2e69a6fbfcda Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 3 Mar 2014 20:20:14 +0000 Subject: [PATCH 836/991] matroskaenc: allow override of "writing application" tag Signed-off-by: Tim Walker CC: libav-stable@libav.org (cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d) --- libavformat/matroskaenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e93dd65dff..8666bafc42 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
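Review bot: In the `AVCodec ff_sgi_decoder` initializer in libavcodec/sgidec.c, `.init` is now set twice: the context line `.init = sgi_init,` is kept and `.init = sgi_decode_init,` is added after it. With designated initializers the later entry wins, so sgi_init() is silently no longer called and compilers flag this with -Woverride-init. Assign `s->avctx = avctx;` inside the existing sgi_init() and drop sgi_decode_init(), or remove the old entry if that really is the intent.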
@@ -766,7 +766,8 @@ static int mkv_write_tag(AVFormatContext *s, AVDictionary *m, unsigned int eleme end_ebml_master(s->pb, targets); while ((t = av_dict_get(m, "", t, AV_DICT_IGNORE_SUFFIX))) - if (av_strcasecmp(t->key, "title")) + if (av_strcasecmp(t->key, "title") && + av_strcasecmp(t->key, "encoding_tool")) mkv_write_simpletag(s->pb, t); end_ebml_master(s->pb, tag); @@ -926,7 +927,10 @@ static int mkv_write_header(AVFormatContext *s) segment_uid[i] = av_lfg_get(&lfg); put_ebml_string(pb, MATROSKA_ID_MUXINGAPP , LIBAVFORMAT_IDENT); - put_ebml_string(pb, MATROSKA_ID_WRITINGAPP, LIBAVFORMAT_IDENT); + if ((tag = av_dict_get(s->metadata, "encoding_tool", NULL, 0))) + put_ebml_string(pb, MATROSKA_ID_WRITINGAPP, tag->value); + else + put_ebml_string(pb, MATROSKA_ID_WRITINGAPP, LIBAVFORMAT_IDENT); put_ebml_binary(pb, MATROSKA_ID_SEGMENTUID, segment_uid, 16); } From fa60904ebd58da33abf10b05e9933d24619cf096 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 29 Sep 2013 19:45:57 -0400 Subject: [PATCH 837/991] bytestream: add bytestream2_copy_buffer() functions This is basically an overread/overwrite-safe memcpy between a GetByteContext and a PutByteContext. CC:libav-stable@libav.org (cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278) --- libavcodec/bytestream.h | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 091cab8c8e..617724139a 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h 
@@ -333,6 +333,32 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p) return p->eof; } +static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p, + GetByteContext *g, + unsigned int size) +{ + memcpy(p->buffer, g->buffer, size); + p->buffer += size; + g->buffer += size; + return size; +} + +static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p, + GetByteContext *g, + unsigned int size) +{ + int size2; + + if (p->eof) + return 0; + size = FFMIN(g->buffer_end - g->buffer, size); + size2 = FFMIN(p->buffer_end - p->buffer, size); + if (size2 != size) + p->eof = 1; + + return bytestream2_copy_bufferu(p, g, size2); +} + static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size) From a0a90b1a1116250a2494021da810cc5da89ea36f Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 29 Sep 2013 19:47:55 -0400 Subject: [PATCH 838/991] tiffdec: use bytestream2 to simplify overread/overwrite protection Based on a patch by Paul B Mahol CC:libav-stable@libav.org --- libavcodec/tiff.c | 244 ++++++++++++++++++++++------------------------ 1 file changed, 117 insertions(+), 127 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8a1db12aae..c0b611f631 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -26,6 +26,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #if CONFIG_ZLIB #include #endif @@ -39,6 +40,7 @@ typedef struct TiffContext { AVCodecContext *avctx; AVFrame picture; + GetByteContext gb; int width, height; unsigned int bpp, bppcount; 
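Review bot: In bytestream2_copy_buffer() in libavcodec/bytestream.h, a short source is clamped silently: `p->eof` is set only when the destination is too small, so a caller that ignores the return value cannot tell that fewer than `size` bytes were copied because the reader ran out. Either document that the return value must be checked or give the reader side an equivalent indication. `size2` is also declared `int` while it is compared against and passed on as `unsigned int`; making it `unsigned int` avoids the mixed-sign comparison in `size2 != size`. The unchecked bytestream2_copy_bufferu() would benefit from a one-line comment saying the caller must guarantee both buffers hold `size` bytes.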
@@ -53,30 +55,27 @@ typedef struct TiffContext { int strips, rps, sstype; int sot; - const uint8_t* stripdata; - const uint8_t* stripsizes; - int stripsize, stripoff; + int stripsizesoff, stripsize, stripoff, strippos; LZWState *lzw; } TiffContext; -static unsigned tget_short(const uint8_t **p, int le) { - unsigned v = le ? AV_RL16(*p) : AV_RB16(*p); - *p += 2; - return v; +static unsigned tget_short(GetByteContext *gb, int le) +{ + return le ? bytestream2_get_le16(gb) : bytestream2_get_be16(gb); } -static unsigned tget_long(const uint8_t **p, int le) { - unsigned v = le ? AV_RL32(*p) : AV_RB32(*p); - *p += 4; - return v; +static unsigned tget_long(GetByteContext *gb, int le) +{ + return le ? bytestream2_get_le32(gb) : bytestream2_get_be32(gb); } -static unsigned tget(const uint8_t **p, int type, int le) { +static unsigned tget(GetByteContext *gb, int type, int le) +{ switch(type){ - case TIFF_BYTE : return *(*p)++; - case TIFF_SHORT: return tget_short(p, le); - case TIFF_LONG : return tget_long (p, le); - default : return UINT_MAX; + case TIFF_BYTE: return bytestream2_get_byte(gb); + case TIFF_SHORT: return tget_short(gb, le); + case TIFF_LONG: return tget_long(gb, le); + default: return UINT_MAX; } } @@ -104,8 +103,8 @@ static int tiff_uncompress(uint8_t *dst, unsigned long *len, const uint8_t *src, #endif static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uint8_t *src, int size, int lines){ + PutByteContext pb; int c, line, pixels, code; - const uint8_t *ssrc = src; int width = ((s->width * s->bpp) + 7) >> 3; #if CONFIG_ZLIB uint8_t *zbuf; unsigned long outlen; 
@@ -135,6 +134,16 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin av_log(s->avctx, AV_LOG_ERROR, "Error initializing LZW decoder\n"); return -1; } + for (line = 0; line < lines; line++) { + pixels = ff_lzw_decode(s->lzw, dst, width); + if (pixels < width) { + av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n", + pixels, width); + return AVERROR_INVALIDDATA; + } + dst += stride; + } + return 0; } if(s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3 || s->compr == TIFF_G4){ int i, ret = 0; 
@@ -166,60 +175,40 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin av_free(src2); return ret; } + + bytestream2_init(&s->gb, src, size); + bytestream2_init_writer(&pb, dst, stride * lines); + for(line = 0; line < lines; line++){ - if(src - ssrc > size){ - av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n"); - return -1; - } + if (bytestream2_get_bytes_left(&s->gb) == 0 || bytestream2_get_eof(&pb)) + break; + bytestream2_seek_p(&pb, stride * line, SEEK_SET); switch(s->compr){ case TIFF_RAW: - if (ssrc + size - src < width) - return AVERROR_INVALIDDATA; if (!s->fill_order) { - memcpy(dst, src, width); + bytestream2_copy_buffer(&pb, &s->gb, width); } else { int i; for (i = 0; i < width; i++) - dst[i] = av_reverse[src[i]]; + bytestream2_put_byte(&pb, av_reverse[bytestream2_get_byte(&s->gb)]); } - src += width; break; case TIFF_PACKBITS: for(pixels = 0; pixels < width;){ - if (ssrc + size - src < 2) - return AVERROR_INVALIDDATA; - code = (int8_t)*src++; + code = (int8_t)bytestream2_get_byte(&s->gb); if(code >= 0){ code++; - if (pixels + code > width || - ssrc + size - src < code) { - av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); - return -1; - } - memcpy(dst + pixels, src, code); - src += code; + bytestream2_copy_buffer(&pb, &s->gb, code); pixels += code; }else if(code != -128){ // -127..-1 code = (-code) + 1; - if(pixels + code > width){ - av_log(s->avctx, AV_LOG_ERROR, "Run went out of bounds\n"); - return -1; - } - c = *src++; - memset(dst + pixels, c, code); + c = bytestream2_get_byte(&s->gb); + bytestream2_set_buffer(&pb, c, code); pixels += code; } } break; - case TIFF_LZW: - pixels = ff_lzw_decode(s->lzw, dst, width); - if(pixels < width){ - av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n", pixels, width); - return -1; - } - break; } - dst += stride; } return 0; } 
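Review bot: In tiff_unpack_strip(), exhausted input now leaves the line loop through `break` and falls to `return 0`, where the removed code logged "Source data overread" and returned -1, so a truncated strip is reported as a successful decode with the remaining rows left unwritten. The TIFF_PACKBITS branch also loses the `pixels + code > width` tests: the writer is bounded by `stride * lines`, not by the row, so an oversized run or copy is no longer rejected and can spill past `width` into padding or the next row. Keeping the per-row bound and returning AVERROR_INVALIDDATA for both conditions would preserve the old error reporting while still using the bytestream2 helpers for memory safety.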
@@ -278,19 +267,19 @@ static int init_image(TiffContext *s) return 0; } -static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *buf, const uint8_t *end_buf) +static int tiff_decode_tag(TiffContext *s) { unsigned tag, type, count, off, value = 0; - int i, j; + int i, start; uint32_t *pal; - const uint8_t *rp, *gp, *bp; - if (end_buf - buf < 12) + if (bytestream2_get_bytes_left(&s->gb) < 12) return -1; - tag = tget_short(&buf, s->le); - type = tget_short(&buf, s->le); - count = tget_long(&buf, s->le); - off = tget_long(&buf, s->le); + tag = tget_short(&s->gb, s->le); + type = tget_short(&s->gb, s->le); + count = tget_long(&s->gb, s->le); + off = tget_long(&s->gb, s->le); + start = bytestream2_tell(&s->gb); if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) { av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type); @@ -301,34 +290,26 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * switch(type){ case TIFF_BYTE: case TIFF_SHORT: - buf -= 4; - value = tget(&buf, type, s->le); - buf = NULL; + bytestream2_seek(&s->gb, -4, SEEK_CUR); + value = tget(&s->gb, type, s->le); break; case TIFF_LONG: value = off; - buf = NULL; break; case TIFF_STRING: if(count <= 4){ - buf -= 4; + bytestream2_seek(&s->gb, -4, SEEK_CUR); break; } default: value = UINT_MAX; - buf = start + off; + bytestream2_seek(&s->gb, off, SEEK_SET); } } else { - if (count <= 4 && type_sizes[type] * count <= 4) { - buf -= 4; - } else { - buf = start + off; - } - } - - if(buf && (buf < start || buf > end_buf)){ - av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n"); - return -1; + if (count <= 4 && type_sizes[type] * count <= 4) + bytestream2_seek(&s->gb, -4, SEEK_CUR); + else + bytestream2_seek(&s->gb, off, SEEK_SET); } switch(tag){ 
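Review bot: With the "Tag referencing position outside the image" check removed from tiff_decode_tag(), nothing rejects an out-of-range `off` any more: both `bytestream2_seek(&s->gb, off, SEEK_SET)` calls discard the return value. `off` is unsigned while the seek takes an `int` offset, so large values also change sign on the way in. Please compare `off` against the packet size before seeking (or check the position the seek returns) and fail the tag with AVERROR_INVALIDDATA on mismatch.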
@@ -353,7 +334,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * case TIFF_SHORT: case TIFF_LONG: s->bpp = 0; - for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le); + for (i = 0; i < count; i++) + s->bpp += tget(&s->gb, type, s->le); break; default: s->bpp = -1; @@ -411,32 +393,24 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; case TIFF_STRIP_OFFS: if(count == 1){ - s->stripdata = NULL; + s->strippos = 0; s->stripoff = value; }else - s->stripdata = start + off; + s->strippos = off; s->strips = count; if(s->strips == 1) s->rps = s->height; s->sot = type; - if(s->stripdata > end_buf){ - av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n"); - return -1; - } break; case TIFF_STRIP_SIZE: if(count == 1){ - s->stripsizes = NULL; - s->stripsize = value; - s->strips = 1; + s->stripsizesoff = 0; + s->stripsize = value; + s->strips = 1; }else{ - s->stripsizes = start + off; + s->stripsizesoff = off; } s->strips = count; s->sstype = type; - if(s->stripsizes > end_buf){ - av_log(s->avctx, AV_LOG_ERROR, "Tag referencing position outside the image\n"); - return -1; - } break; case TIFF_PREDICTOR: s->predictor = value; 
@@ -464,23 +438,27 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * } s->fill_order = value - 1; break; - case TIFF_PAL: + case TIFF_PAL: { + GetByteContext pal_gb[3]; pal = (uint32_t *) s->palette; off = type_sizes[type]; - if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3) + if (count / 3 > 256 || + bytestream2_get_bytes_left(&s->gb) < count / 3 * off * 3) return -1; - rp = buf; - gp = buf + count / 3 * off; - bp = buf + count / 3 * off * 2; + pal_gb[0] = pal_gb[1] = pal_gb[2] = s->gb; + bytestream2_skip(&pal_gb[1], count / 3 * off); + bytestream2_skip(&pal_gb[2], count / 3 * off * 2); off = (type_sizes[type] - 1) << 3; for(i = 0; i < count / 3; i++){ - j = (tget(&rp, type, s->le) >> off) << 16; - j |= (tget(&gp, type, s->le) >> off) << 8; - j |= tget(&bp, type, s->le) >> off; - pal[i] = j; + uint32_t p = 0xFF000000; + p |= (tget(&pal_gb[0], type, s->le) >> off) << 16; + p |= (tget(&pal_gb[1], type, s->le) >> off) << 8; + p |= tget(&pal_gb[2], type, s->le) >> off; + pal[i] = p; } s->palette_is_set = 1; break; + } case TIFF_PLANAR: if(value == 2){ av_log(s->avctx, AV_LOG_ERROR, "Planar format is not supported\n"); @@ -498,6 +476,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * default: av_log(s->avctx, AV_LOG_DEBUG, "Unknown or unsupported tag %d/0X%0X\n", tag, tag); } + bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } 
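Review bot: The TIFF_PAL case now starts each entry from `uint32_t p = 0xFF000000;`, which sets an opaque alpha byte that the removed `j = ...` code never wrote. That is a change in decoder output, not overread/overwrite protection, and the commit message does not mention it. Split it into its own commit or at least call it out in the log so it can be bisected and backported separately.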
@@ -505,23 +484,24 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; TiffContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p= (AVFrame*)&s->picture; - const uint8_t *orig_buf = buf, *end_buf = buf + buf_size; unsigned off; int id, le, ret; int i, j, entries; int stride; unsigned soff, ssize; uint8_t *dst; + GetByteContext stripsizes; + GetByteContext stripdata; + + bytestream2_init(&s->gb, avpkt->data, avpkt->size); //parse image header - if (end_buf - buf < 8) + if (avpkt->size < 8) return AVERROR_INVALIDDATA; - id = AV_RL16(buf); buf += 2; + id = bytestream2_get_le16(&s->gb); if(id == 0x4949) le = 1; else if(id == 0x4D4D) le = 0; else{ 
@@ -534,26 +514,25 @@ static int decode_frame(AVCodecContext *avctx, s->fill_order = 0; // As TIFF 6.0 specification puts it "An arbitrary but carefully chosen number // that further identifies the file as a TIFF file" - if(tget_short(&buf, le) != 42){ + if (tget_short(&s->gb, le) != 42) { av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); return -1; } - // Reset these pointers so we can tell if they were set this frame - s->stripsizes = s->stripdata = NULL; + // Reset these offsets so we can tell if they were set this frame + s->stripsizesoff = s->strippos = 0; /* parse image file directory */ - off = tget_long(&buf, le); - if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { + off = tget_long(&s->gb, le); + if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; } - buf = orig_buf + off; - entries = tget_short(&buf, le); + bytestream2_seek(&s->gb, off, SEEK_SET); + entries = tget_short(&s->gb, le); for(i = 0; i < entries; i++){ - if(tiff_decode_tag(s, orig_buf, buf, end_buf) < 0) + if (tiff_decode_tag(s) < 0) return -1; - buf += 12; } - if(!s->stripdata && !s->stripoff){ + if (!s->strippos && !s->stripoff) { av_log(avctx, AV_LOG_ERROR, "Image data is missing\n"); return -1; } 
@@ -563,30 +542,41 @@ static int decode_frame(AVCodecContext *avctx, if(s->strips == 1 && !s->stripsize){ av_log(avctx, AV_LOG_WARNING, "Image data size missing\n"); - s->stripsize = buf_size - s->stripoff; + s->stripsize = avpkt->size - s->stripoff; } stride = p->linesize[0]; dst = p->data[0]; + + if (s->stripsizesoff) { + if (s->stripsizesoff >= avpkt->size) + return AVERROR_INVALIDDATA; + bytestream2_init(&stripsizes, avpkt->data + s->stripsizesoff, + avpkt->size - s->stripsizesoff); + } + if (s->strippos) { + if (s->strippos >= avpkt->size) + return AVERROR_INVALIDDATA; + bytestream2_init(&stripdata, avpkt->data + s->strippos, + avpkt->size - s->strippos); + } + for(i = 0; i < s->height; i += s->rps){ - if(s->stripsizes) { - if (s->stripsizes >= end_buf) - return AVERROR_INVALIDDATA; - ssize = tget(&s->stripsizes, s->sstype, s->le); - } else + if (s->stripsizesoff) + ssize = tget(&stripsizes, s->sstype, le); + else ssize = s->stripsize; - if(s->stripdata){ - if (s->stripdata >= end_buf) - return AVERROR_INVALIDDATA; - soff = tget(&s->stripdata, s->sot, s->le); - }else + if (s->strippos) + soff = tget(&stripdata, s->sot, le); + else soff = s->stripoff; - if (soff > buf_size || ssize > buf_size - soff) { + if (soff > avpkt->size || ssize > avpkt->size - soff) { av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n"); return -1; } - if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0) + if (tiff_unpack_strip(s, dst, stride, avpkt->data + soff, ssize, + FFMIN(s->rps, s->height - i)) < 0) break; dst += s->rps * stride; } @@ -615,7 +605,7 @@ static int decode_frame(AVCodecContext *avctx, *picture= *(AVFrame*)&s->picture; *data_size = sizeof(AVPicture); - return buf_size; + return avpkt->size; } static av_cold int tiff_init(AVCodecContext *avctx){ From 42dcfe32a86772488bc15e025ba05d712d372c4c Mon Sep 17 00:00:00 2001 
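Review bot: In decode_frame() in libavcodec/tiff.c, the new guards `s->stripsizesoff >= avpkt->size` and `s->strippos >= avpkt->size` are signed comparisons: both fields are declared `int` in TiffContext by this patch, but they are assigned from the unsigned `off` read out of the file. An offset with the top bit set becomes negative, passes both the non-zero test and the `>=` test, and is then used in `avpkt->data + s->strippos` with a length of `avpkt->size - s->strippos`. Declare the two fields `unsigned` or cast the size in the comparison, and reject the value in tiff_decode_tag() where it is first stored.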
From: Michael Niedermayer Date: Wed, 2 Apr 2014 09:11:10 +0200 Subject: [PATCH 839/991] avi: Improve non-interleaved detection Additional fixes by Nigel Touati-Evans . Check the index for streams with a time drift of 2s or a buffer drift of 64MB. Bug-Id: 666 CC: libav-stable@libav.org Sample-Id: yet-another-broken-interleaved-avi.avi Signed-off-by: Vittorio Giovara Signed-off-by: Luca Barbato Signed-off-by: Diego Biurrun --- libavformat/avidec.c | 72 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 70 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ca402f9549..d9fbb8bbbf 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -727,7 +727,11 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) if(!avi->index_loaded && pb->seekable) avi_load_index(s); avi->index_loaded = 1; - avi->non_interleaved |= guess_ni_flag(s); + + if ((ret = guess_ni_flag(s)) < 0) + return ret; + + avi->non_interleaved |= ret; for(i=0; inb_streams; i++){ AVStream *st = s->streams[i]; if(st->nb_index_entries) 
@@ -1199,6 +1203,66 @@ static int avi_read_idx1(AVFormatContext *s, int size) return 0; } +/* Scan the index and consider any file with streams more than + * 2 seconds or 64MB apart non-interleaved. */ +static int check_stream_max_drift(AVFormatContext *s) +{ + int64_t min_pos, pos; + int i; + int *idx = av_malloc(s->nb_streams * sizeof(*idx)); + if (!idx) + return AVERROR(ENOMEM); + else + memset(idx, 0, s->nb_streams * sizeof(*idx)); + + for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { + int64_t max_dts = INT64_MIN / 2; + int64_t min_dts = INT64_MAX / 2; + int64_t max_buffer = 0; + + min_pos = INT64_MAX; + + for (i = 0; i < s->nb_streams; i++) { + AVStream *st = s->streams[i]; + AVIStream *ast = st->priv_data; + int n = st->nb_index_entries; + while (idx[i] < n && st->index_entries[idx[i]].pos < pos) + idx[i]++; + if (idx[i] < n) { + int64_t dts; + dts = av_rescale_q(st->index_entries[idx[i]].timestamp / + FFMAX(ast->sample_size, 1), + st->time_base, AV_TIME_BASE_Q); + min_dts = FFMIN(min_dts, dts); + min_pos = FFMIN(min_pos, st->index_entries[idx[i]].pos); + } + } + for (i = 0; i < s->nb_streams; i++) { + AVStream *st = s->streams[i]; + AVIStream *ast = st->priv_data; + + if (idx[i] && min_dts != INT64_MAX / 2) { + int64_t dts; + dts = av_rescale_q(st->index_entries[idx[i] - 1].timestamp / + FFMAX(ast->sample_size, 1), + st->time_base, AV_TIME_BASE_Q); + max_dts = FFMAX(max_dts, dts); + max_buffer = FFMAX(max_buffer, + av_rescale(dts - min_dts, + st->codec->bit_rate, + AV_TIME_BASE)); + } + } + if (max_dts - min_dts > 2 * AV_TIME_BASE || + max_buffer > 1024 * 1024 * 8 * 8) { + av_free(idx); + return 1; + } + } + av_free(idx); + return 0; +} + static int guess_ni_flag(AVFormatContext *s){ int i; int64_t last_start=0; 
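Review bot: In check_stream_max_drift() in libavformat/avidec.c, the buffer threshold does not match the comment or the commit message. `max_buffer` is computed from `st->codec->bit_rate`, so it is in bits, and `1024 * 1024 * 8 * 8` is 64 Mibit, which is 8 MiB rather than the stated 64MB. Either change the constant or correct the comment, and a named constant would make the unit obvious. Two smaller points in the same hunk: `pos = min_pos + 1LU` mixes an unsigned long into int64_t arithmetic and is evaluated once with `min_pos == INT64_MAX` before the loop condition stops it, and the av_malloc() plus memset() pair with the redundant `else` can be a single av_mallocz().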
@@ -1227,7 +1291,11 @@ static int guess_ni_flag(AVFormatContext *s){ first_end= st->index_entries[n-1].pos; } avio_seek(s->pb, oldpos, SEEK_SET); - return last_start > first_end; + + if (last_start > first_end) + return 1; + + return check_stream_max_drift(s); } static int avi_load_index(AVFormatContext *s) From 079758e49a4d6b3e7cf2e22bed71d34c46712242 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 23 Apr 2014 22:26:40 +0200 Subject: [PATCH 840/991] h264: reset next_output_pic earlier in start_frame() In case start_frame() fails, this potentially invalid frame can still be output to the caller. Bug-Id: 672 Bug-Id: debian/741240 Bug-Id: ubuntu/1288206 --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index bca9bda675..737fc0cb1b 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1281,6 +1281,8 @@ int ff_h264_frame_start(H264Context *h){ int i; const int pixel_shift = h->pixel_shift; + h->next_output_pic = NULL; + if(MPV_frame_start(s, s->avctx) < 0) return -1; ff_er_frame_start(s); @@ -1329,8 +1331,6 @@ int ff_h264_frame_start(H264Context *h){ s->current_picture_ptr->field_poc[0]= s->current_picture_ptr->field_poc[1]= INT_MAX; - h->next_output_pic = NULL; - assert(s->current_picture_ptr->long_ref==0); return 0; From 5463a2b0566b34b9e3847db9ceb1ef1d2a6004fc Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Wed, 21 Mar 2012 14:18:16 -0700 Subject: [PATCH 841/991] movdec: handle 0x7fff langcode as macintosh per the specs The correct point that seperates ISO and MAC language codes is 0x400 according to the current QT spec. Old QT specs did not list where this seperation is but apparently only defined the meaning of the first 137. (cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059) (cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa) --- libavformat/isom.c | 2 +- libavformat/mov.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavformat/isom.c b/libavformat/isom.c index 07f22ca123..347c992031 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -339,7 +339,7 @@ int ff_mov_lang_to_iso639(unsigned code, char to[4]) memset(to, 0, 4); /* is it the mangled iso code? */ /* see http://www.geocities.com/xhelmboyx/quicktime/formats/mp4-layout.txt */ - if (code > 138) { + if (code >= 0x400 && code != 0x7fff) { for (i = 2; i >= 0; i--) { to[i] = 0x60 + (code & 0x1f); code >>= 5; diff --git a/libavformat/mov.c b/libavformat/mov.c index 28c89f1c6f..d59a66e798 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -248,7 +248,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (parse) parse(c, pb, str_size, key); else { - if (data_type == 3 || (data_type == 0 && langcode < 0x800)) { // MAC Encoded + if (data_type == 3 || (data_type == 0 && (langcode < 0x400 || langcode == 0x7fff))) { // MAC Encoded mov_read_mac_string(c, pb, str_size, str, sizeof(str)); } else { avio_read(pb, str, str_size); From b7b798a1afb1bfb1365b4ce67985351967c229d4 Mon Sep 17 00:00:00 2001 
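Review bot: In ff_mov_lang_to_iso639() in libavformat/isom.c, moving the threshold from `code > 138` to `code >= 0x400 && code != 0x7fff` sends every code from 139 to 0x3ff, plus 0x7fff, down the Macintosh path that follows the `if`. That path is not part of the hunk, so please confirm it bounds-checks `code` before using it as a table index. The same 0x400 / 0x7fff rule is now spelled out by hand in both isom.c and mov.c; a shared macro or small helper would keep the two from drifting apart, and the comment above the test should cite the QT spec the commit message relies on.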
From: Mark Himsley Date: Fri, 1 Nov 2013 11:22:53 +0000 Subject: [PATCH 842/991] isom: lpcm in mov default to big endian It is my understanding that "Unless otherwise stated, all data in a QuickTime movie is stored in big-endian byte ordering" [1] in MOV files. I have a couple of thousand files, which technically are invalid because their sound sample description element 4CC is 'lpcm' but its version is 0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or twos-complement ('twos') format" [2] Because isom.c only contains a mapping for 4CC 'lpcm' to AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when it is actually BE. This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'. [1] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 21 [2] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 178 Reviewed-by: Yusuke Nakamura --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index 347c992031..e8f891c916 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -256,6 +256,7 @@ const AVCodecTag codec_movaudio_tags[] = { { CODEC_ID_PCM_MULAW, MKTAG('u', 'l', 'a', 'w') }, { CODEC_ID_PCM_S16BE, MKTAG('t', 'w', 'o', 's') }, { CODEC_ID_PCM_S16LE, MKTAG('s', 'o', 'w', 't') }, + { CODEC_ID_PCM_S16BE, MKTAG('l', 'p', 'c', 'm') }, { CODEC_ID_PCM_S16LE, MKTAG('l', 'p', 'c', 'm') }, { CODEC_ID_PCM_S24BE, MKTAG('i', 'n', '2', '4') }, { CODEC_ID_PCM_S24LE, MKTAG('i', 'n', '2', '4') }, From 65c3593792a9702d9e4135bba46b1ca186afed6c Mon Sep 17 00:00:00 2001 
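Review bot: codec_movaudio_tags[] now carries two rows for MKTAG('l', 'p', 'c', 'm'), and the fix depends purely on the new CODEC_ID_PCM_S16BE row being listed before the CODEC_ID_PCM_S16LE one. That ordering is invisible to anyone editing the table later; add a comment on the new row saying that the first match is the one used for this tag and that big endian is the default per the QTFF text quoted in the commit message. The message should also say how little-endian 'lpcm' files are still recognised after this change, since the hunk does not show it.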
From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Tue, 27 Aug 2013 17:35:49 +0200 Subject: [PATCH 843/991] apedec: do not buffer decoded samples over AVPackets Only consume an AVPacket when all the samples have been read. When the rate of samples output is limited (by the default value of max_samples), consuming the first packet immediately will cause timing problems: - The first packet with PTS 0 will output 4608 samples and be consumed entirely - The second packet with PTS 64 will output the remaining samples (typically, a lot, that's why max_samples exist) until the decoded samples of the first packet have been exhausted, at which point the samples of the second packet will be decoded and output when av_decode_frame is called with the next packet). That means there's a PTS jump since the first packet is 'decoded' immediately, which can be seen with avplay or mplayer: the timing jumps immediately to 6.2s (which is the size of a packet). Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape Bug-Debian: http://bugs.debian.org/744901 Signed-off-by: Justin Ruggles (cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d) Signed-off-by: Reinhard Tartler --- libavcodec/apedec.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0abf05bd61..745b14c1be 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -822,7 +822,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int16_t *samples; int i, ret; int blockstodecode; - int bytes_used = 0; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -877,7 +876,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - bytes_used = buf_size; } if (!s->data) { 
@@ -920,7 +918,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; *(AVFrame *)data = s->frame; - return bytes_used; + return (s->samples == 0) ? buf_size : 0; } static void ape_flush(AVCodecContext *avctx) From 110680c5a2098505400f4fdff4c994020a377d19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 11:54:03 +0300 Subject: [PATCH 844/991] alac: Limit max_samples_per_frame MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise buffer size calculations in allocate_buffers could overflow later, making the code think a large enough buffer actually was allocated. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavcodec/alac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index da789087fd..23b8951169 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -584,6 +584,12 @@ static int alac_set_info(ALACContext *alac) /* buffer size / 2 ? */ alac->setinfo_max_samples_per_frame = bytestream_get_be32(&ptr); + if (!alac->setinfo_max_samples_per_frame || + alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) { + av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n", + alac->setinfo_max_samples_per_frame); + return AVERROR_INVALIDDATA; + } ptr++; /* compatible version */ alac->setinfo_sample_size = *ptr++; alac->setinfo_rice_historymult = *ptr++; From 7fa72700298107fe756311ecb4dee5270ff12d35 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 2 May 2014 00:21:23 +0200 Subject: [PATCH 845/991] swscale: Fix an undefined behaviour Prevent a division by zero down the codepath. Sample-Id: 00001721-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
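Review bot: in ape_decode_frame() (patch 843) the new `return (s->samples == 0) ? buf_size : 0;` reports zero bytes consumed while `*got_frame_ptr = 1` is still set just above it. That is the contract the commit message intends (a packet is consumed only once all of its samples are out), but it relies on the caller handing the same packet back after a zero return and on the packet-parsing block earlier in the function being skipped on re-entry, and neither is stated in the code. A short comment at the return describing this would make the dependency explicit.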
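Review bot: in alac_set_info() (patch 844) the upper bound `INT_MAX / sizeof(int32_t)` only covers a size computed as max_samples_per_frame * sizeof(int32_t). allocate_buffers() is not part of this hunk, so it is worth confirming that no allocation there scales the value by anything larger (a per-channel factor, a wider element type); if one does, the limit has to be divided down accordingly. A comment next to the check naming the computation it protects would keep the two in step.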
diff --git a/libswscale/utils.c b/libswscale/utils.c index f3a501230f..b4a7485569 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -269,7 +269,7 @@ static int initFilter(int16_t **outFilter, int32_t **filterPos, int *outFilterSi xDstInSrc= xInc - 0x10000; for (i=0; i Date: Fri, 16 Nov 2012 01:12:40 +0100 Subject: [PATCH 846/991] h264: set parameters from SPS whenever it changes Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with alternating bit depths. --- libavcodec/h264.c | 93 +++++++++++++++++++++++++++++--------------- libavcodec/h264.h | 2 + libavcodec/h264_ps.c | 7 +++- 3 files changed, 68 insertions(+), 34 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 737fc0cb1b..547cf3d1c9 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -2623,6 +2623,52 @@ int ff_h264_get_profile(SPS *sps) return profile; } +static int h264_set_parameter_from_sps(H264Context *h) +{ + MpegEncContext *s = &h->s; + + if (s->flags & CODEC_FLAG_LOW_DELAY || + (h->sps.bitstream_restriction_flag && + !h->sps.num_reorder_frames)) { + if (s->avctx->has_b_frames > 1 || h->delayed_pic[0]) + av_log(h->s.avctx, AV_LOG_WARNING, "Delayed frames seen. " + "Reenabling low delay requires a codec flush.\n"); + else + s->low_delay = 1; + } + + if (s->avctx->has_b_frames < 2) + s->avctx->has_b_frames = !s->low_delay; + + if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || + h->cur_chroma_format_idc != h->sps.chroma_format_idc) { + if (s->avctx->codec && + s->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU && + (h->sps.bit_depth_luma != 8 || h->sps.chroma_format_idc > 1)) { + av_log(s->avctx, AV_LOG_ERROR, + "VDPAU decoding does not support video colorspace.\n"); + return AVERROR_INVALIDDATA; + } + if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) { + s->avctx->bits_per_raw_sample = h->sps.bit_depth_luma; + h->cur_chroma_format_idc = h->sps.chroma_format_idc; + h->pixel_shift = h->sps.bit_depth_luma > 8; + + ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma, + h->sps.chroma_format_idc); + ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma, + h->sps.chroma_format_idc); + s->dsp.dct_bits = h->sps.bit_depth_luma > 8 ? 32 : 16; + dsputil_init(&s->dsp, s->avctx); + } else { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n", + h->sps.bit_depth_luma); + return AVERROR_INVALIDDATA; + } + } + return 0; +} + /** * Decode a slice header. * This will also call MPV_common_init() and frame_start() as needed. 
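Review bot: the CODEC_CAP_HWACCEL_VDPAU test in h264_set_parameter_from_sps() has no counterpart in the block this patch removes from decode_nal_units(), so the new function is not a pure move of existing code, and the commit message does not mention the added behaviour. Either note it in the message or split it out. The branch also returns AVERROR_INVALIDDATA for a stream that is valid but unsupported by the accelerator, which will mislead anyone reading the error; a different error code, plus a short comment above the function stating when it must be called and what it re-initialises, would help.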
@@ -2640,7 +2686,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ int num_ref_idx_active_override_flag; unsigned int slice_type, tmp, i, j; int default_ref_list_done = 0; - int last_pic_structure, last_pic_dropable; + int last_pic_structure, last_pic_dropable, ret; /* FIXME: 2tap qpel isn't implemented for high bit depth. */ if((s->avctx->flags2 & CODEC_FLAG2_FAST) && !h->nal_ref_idc && !h->pixel_shift){ @@ -2712,7 +2758,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return -1; } - h->sps = *h0->sps_buffers[h->pps.sps_id]; + + if (h->pps.sps_id != h->current_sps_id || + h0->sps_buffers[h->pps.sps_id]->new) { + h0->sps_buffers[h->pps.sps_id]->new = 0; + + h->current_sps_id = h->pps.sps_id; + h->sps = *h0->sps_buffers[h->pps.sps_id]; + + if ((ret = h264_set_parameter_from_sps(h)) < 0) + return ret; + } s->avctx->profile = ff_h264_get_profile(&h->sps); s->avctx->level = h->sps.level_idc; 
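Review bot: in decode_slice_header() the new block clears `h0->sps_buffers[h->pps.sps_id]->new`, sets `h->current_sps_id` and copies `h->sps` before it calls h264_set_parameter_from_sps(), so when that call fails the context is left pointing at the SPS that was just rejected. The next slice that references the same sps_id then sees a matching id and a cleared flag and skips the re-initialisation entirely, carrying on with the pixel_shift and DSP setup of the previous bit depth. Suggest committing current_sps_id and the flag only after the call returns 0, or invalidating current_sps_id on the error path. Note also that `new` lives in the buffer reached through h0, so the first context to enter this block clears it for every other context using the same h0.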
@@ -4071,36 +4127,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ ff_h264_decode_seq_parameter_set(h); } - if (s->flags & CODEC_FLAG_LOW_DELAY || - (h->sps.bitstream_restriction_flag && - !h->sps.num_reorder_frames)) { - if (s->avctx->has_b_frames > 1 || h->delayed_pic[0]) - av_log(avctx, AV_LOG_WARNING, "Delayed frames seen " - "reenabling low delay requires a codec " - "flush.\n"); - else - s->low_delay = 1; - } - - if(avctx->has_b_frames < 2) - avctx->has_b_frames= !s->low_delay; - - if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma || - h->cur_chroma_format_idc != h->sps.chroma_format_idc) { - if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) { - avctx->bits_per_raw_sample = h->sps.bit_depth_luma; - h->cur_chroma_format_idc = h->sps.chroma_format_idc; - h->pixel_shift = h->sps.bit_depth_luma > 8; - - ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma, h->sps.chroma_format_idc); - ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma, h->sps.chroma_format_idc); - s->dsp.dct_bits = h->sps.bit_depth_luma > 8 ? 32 : 16; - dsputil_init(&s->dsp, s->avctx); - } else { - av_log(avctx, AV_LOG_ERROR, "Unsupported bit depth: %d\n", h->sps.bit_depth_luma); - buf_index = -1; - goto end; - } + if (h264_set_parameter_from_sps(h) < 0) { + buf_index = -1; + goto end; } break; case NAL_PPS: diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 8680f5fdbd..c0e043e54b 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -204,6 +204,7 @@ typedef struct SPS{ int bit_depth_chroma; ///< bit_depth_chroma_minus8 + 8 int residual_color_transform_flag; ///< residual_colour_transform_flag int constraint_set_flags; ///< constraint_set[0-3]_flag + int new; ///< flag to keep track if the decoder context needs re-init due to changed SPS }SPS; /** @@ -330,6 +331,7 @@ typedef struct H264Context{ int emu_edge_width; int emu_edge_height; + unsigned current_sps_id; ///< id of the current SPS SPS sps; ///< current sps /** 
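Review bot: the member added to SPS in h264.h is named `new`, which is a reserved word in C++ and does not say what is new. A name that matches its own doc comment, for example `needs_reinit` (only a suggestion), reads better at the use sites in decode_slice_header() and ff_h264_decode_seq_parameter_set() and avoids the keyword.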
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 5d7508276b..029edf5763 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -469,10 +469,13 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->timing_info_present_flag ? sps->time_scale : 0 ); } + sps->new = 1; av_free(h->sps_buffers[sps_id]); - h->sps_buffers[sps_id]= sps; - h->sps = *sps; + h->sps_buffers[sps_id] = sps; + h->sps = *sps; + h->current_sps_id = sps_id; + return 0; fail: av_free(sps); From 516ea2dccd1bc27e31a53f0b69362d6d89a5cfed Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 31 May 2014 20:09:10 -0400 Subject: [PATCH 847/991] Prepare for 0.8.12 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 83ce05d72f..7eff8ab952 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.11 +0.8.12 From d75b149757fce813cd73ba12463f324cc2bba4ed Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Sun, 1 Jun 2014 14:20:46 -0400 Subject: [PATCH 848/991] Update Changelog for 0.8.12 --- Changelog | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 6323e026e5..64a3422e8c 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,40 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.12: + +- h264: set parameters from SPS whenever it changes +- alac: Limit max_samples_per_frame +- swscale: Fix an undefined behaviour +- apedec: do not buffer decoded samples over AVPackets +- isom: lpcm in mov default to big endian +- movdec: handle 0x7fff langcode as macintosh per the specs +- avi: Improve non-interleaved detection +- h264: reset next_output_pic earlier in start_frame() +- tiffdec: use bytestream2 to simplify overread/overwrite protection +- bytestream: add bytestream2_copy_buffer() functions +- bytestream: add functions for accessing size of buffer +- movenc: allow override of "writing application" tag +- matroskaenc: allow override of "writing application" tag +- avfilter: Add missing emms_c when needed +- mpeg12: check scantable indices in all decode_block functions +- sgidec: fix buffer size check in expand_rle_row() +- adx: check that the offset is not negative +- mpegvideo: set reference/pict_type on generated reference frames +- h264: reset data partitioning at the beginning of each decode call +- h264: reset ref count if decoding the slice header fails +- h264: reset first_field if frame_start() fails for missing refs +- h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3 +- h264: reject mismatching luma/chroma bit depths during sps parsing +- h264: check that execute_decode_slices() is not called too many times +- h264: do not use 422 functions for monochrome +- h264: reset data_partitioning if decoding the slice header for NAL_DPA fails +- h264_refs: make sure not to write over the bounds of the default ref list +- h264: check buffer size before accessing it +- configure: use utilities from /usr/xpg4/bin if it exists +- cmdutils: update copyright year to 2014. 
+- ituh263: reject b-frame with pp_time = 0 + version 0.8.11: - configure: Update freetype check to follow upstream @@ -20,7 +54,6 @@ version 0.8.11: - Prepare for 0.8.11 Release - lavf: make av_probe_input_buffer more robust - version 0.8.10: - oggparseogm: check timing variables From 9552b37e2604552d5ff210175d6baf28ccc2bb80 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 1 Jun 2014 16:12:58 -0400 Subject: [PATCH 849/991] Add some bug references --- Changelog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 64a3422e8c..d3257869e9 100644 --- a/Changelog +++ b/Changelog @@ -6,11 +6,11 @@ version 0.8.12: - h264: set parameters from SPS whenever it changes - alac: Limit max_samples_per_frame - swscale: Fix an undefined behaviour -- apedec: do not buffer decoded samples over AVPackets +- apedec: do not buffer decoded samples over AVPackets (debian/744901) - isom: lpcm in mov default to big endian - movdec: handle 0x7fff langcode as macintosh per the specs -- avi: Improve non-interleaved detection -- h264: reset next_output_pic earlier in start_frame() +- avi: Improve non-interleaved detection (libav/666) +- h264: reset next_output_pic earlier in start_frame() (libav/672, debian/741240, ubuntu/1288206) - tiffdec: use bytestream2 to simplify overread/overwrite protection - bytestream: add bytestream2_copy_buffer() functions - bytestream: add functions for accessing size of buffer From bca2ebbeeeacee9d2985468805ae81cb2792c888 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Mar 2014 23:03:11 +0100 Subject: [PATCH 850/991] doc: switch github urls to https Signed-off-by: Michael Niedermayer (cherry picked from commit 675a66a93bf8138d629573fbdadd05bd7771012e) Signed-off-by: Michael Niedermayer --- doc/platform.texi | 4 ++-- doc/protocols.texi | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/platform.texi b/doc/platform.texi index 9de280933a..b79b8b10b8 100644 
--- a/doc/platform.texi +++ b/doc/platform.texi @@ -52,14 +52,14 @@ unacelerated code. Mac OS X on PowerPC or ARM (iPhone) requires a preprocessor from @url{https://github.com/FFmpeg/gas-preprocessor} or -@url{http://github.com/yuvi/gas-preprocessor} to build the optimized +@url{https://github.com/yuvi/gas-preprocessor} to build the optimized assembler functions. Put the Perl script somewhere in your PATH, FFmpeg's configure will pick it up automatically. Mac OS X on amd64 and x86 requires @command{yasm} to build most of the optimized assembler functions. @uref{http://www.finkproject.org/, Fink}, @uref{http://www.gentoo.org/proj/en/gentoo-alt/prefix/bootstrap-macos.xml, Gentoo Prefix}, -@uref{http://mxcl.github.com/homebrew/, Homebrew} +@uref{https://mxcl.github.com/homebrew/, Homebrew} or @uref{http://www.macports.org, MacPorts} can easily provide it. diff --git a/doc/protocols.texi b/doc/protocols.texi index da0e39f56c..cbefc24109 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -242,7 +242,7 @@ data transferred over RDT). The muxer can be used to send a stream using RTSP ANNOUNCE to a server supporting it (currently Darwin Streaming Server and Mischa Spiegelmock's -@uref{http://github.com/revmischa/rtsp-server, RTSP server}). +@uref{https://github.com/revmischa/rtsp-server, RTSP server}). The required syntax for a RTSP url is: @example From 3b977a6ded41b893f4fa1587490c8c98577ac22b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jun 2014 14:30:30 +0200 Subject: [PATCH 851/991] avcodec/alsdec: Clear MPEG4AudioConfig so that no use of uninitialized memory is possible Signed-off-by: Michael Niedermayer (cherry picked from commit 6e6bd5481cf42a9765c492c77754d4633092cece) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 1d69c7e39a..3f2157f69b 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -283,7 +283,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) GetBitContext gb; uint64_t ht_size; int i, config_offset; - MPEG4AudioConfig m4ac; + MPEG4AudioConfig m4ac = {0}; ALSSpecificConfig *sconf = &ctx->sconf; AVCodecContext *avctx = ctx->avctx; uint32_t als_id, header_size, trailer_size; From 2facb10f705ab3f34b7a050107d7556b388c068c Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 10 Jan 2013 11:05:29 -0800 Subject: [PATCH 852/991] matroska: Fix use after free Signed-off-by: Dale Curtis Signed-off-by: Luca Barbato (cherry picked from commit ae3d41636942cbc0236bad21ad06c65f4eb0f096) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 45bafe5ec4..710883c28e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1720,6 +1720,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, */ static void matroska_clear_queue(MatroskaDemuxContext *matroska) { + matroska->prev_pkt = NULL; if (matroska->packets) { int n; for (n = 0; n < matroska->num_packets; n++) { From f24246a8891ee62bd0494635755c8d29492d7fb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Mar 2014 18:09:23 +0100 Subject: [PATCH 853/991] avcodec/h264_mp4toannexb_bsf: prepend global headers before any in stream parameter sets Fixes h264_mp4toannexb_bsf_failure.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 289b149cecb381522cc9ccdf382825330169c655) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 5085ecbdfd..8fe88d14ff 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c 
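Review bot: in matroska_clear_queue() (libavformat/matroskadec.c, patch 852) the added `matroska->prev_pkt = NULL;` is the whole fix, and neither the code nor the commit message ("Fix use after free") says which object prev_pkt would otherwise keep pointing at. If, as the placement suggests, it refers to one of the packets released in the loop below, say so in a comment on the new line so the reset is not dropped as redundant later.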
@@ -156,7 +156,7 @@ pps: goto fail; /* prepend only to the first type 5 NAL unit of an IDR picture */ - if (ctx->first_idr && unit_type == 5) { + if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) { if ((ret=alloc_and_copy(poutbuf, poutbuf_size, avctx->extradata, avctx->extradata_size, buf, nal_size)) < 0) From 6cf254ea68148497b28981fa915848d5f4bfd6b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Apr 2014 21:34:03 +0200 Subject: [PATCH 854/991] avcodec/wma: use av_freep(), do not leave stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit d167faafe9dfa0b82bebb267c3c4e5fa5286bd67) Signed-off-by: Michael Niedermayer --- libavcodec/wma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index a19f776039..fcb516ff09 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -424,9 +424,9 @@ int ff_wma_end(AVCodecContext *avctx) } for (i = 0; i < 2; i++) { ff_free_vlc(&s->coef_vlc[i]); - av_free(s->run_table[i]); - av_free(s->level_table[i]); - av_free(s->int_table[i]); + av_freep(&s->run_table[i]); + av_freep(&s->level_table[i]); + av_freep(&s->int_table[i]); } return 0; From ec29aec618546c9bd7661d18804335c08fa102e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 18:12:12 +0200 Subject: [PATCH 855/991] swscale/x86/swscale_template: loose hardcoded dstw_offset Signed-off-by: Michael Niedermayer (cherry picked from commit f6759d9ad4a8b71e6f212ca4f1e7da9fa56d3298) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale_template.c | 78 +++++++++++++++---------------- 1 file changed, 37 insertions(+), 41 deletions(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 61ee3ebae0..54dece2b8f 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c 
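Review bot: in h264_mp4toannexb_bsf.c (patch 853) the comment directly above the changed condition still reads "prepend only to the first type 5 NAL unit of an IDR picture", but the test is now `unit_type == 5 || unit_type == 7 || unit_type == 8`. Update the comment to say that the extradata is also prepended ahead of an in-stream SPS (7) or PPS (8), which is the behaviour the commit subject describes. Named constants for 5, 7 and 8 would make the condition self-explanatory.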
@@ -321,7 +321,7 @@ static void RENAME(yuv2yuvX)(const int16_t *filter, int filterSize, MOVNTQ( q3, 24(dst, index, 4))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEBGR32(dst, dstw, index, b, g, r, a, q0, q2, q3, t) REAL_WRITEBGR32(dst, dstw, index, b, g, r, a, q0, q2, q3, t) @@ -347,13 +347,13 @@ static void RENAME(yuv2rgb32_X_ar)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm3, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm2, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm3, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm2, %%mm6) YSCALEYUV2PACKEDX_END } else { YSCALEYUV2PACKEDX_ACCURATE YSCALEYUV2RGBX "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } } @@ -376,13 +376,13 @@ static void RENAME(yuv2rgb32_X)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } else { YSCALEYUV2PACKEDX YSCALEYUV2RGBX "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } } @@ -411,7 +411,7 @@ static void RENAME(yuv2rgb32_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm1, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITERGB16(dst, dstw, index) REAL_WRITERGB16(dst, dstw, index) 
@@ -435,7 +435,7 @@ static void RENAME(yuv2rgb565_X_ar)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4\n\t" "paddusb "RED_DITHER"(%0), %%mm5\n\t" #endif - WRITERGB16(%4, %5, %%REGa) + WRITERGB16(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -459,7 +459,7 @@ static void RENAME(yuv2rgb565_X)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4 \n\t" "paddusb "RED_DITHER"(%0), %%mm5 \n\t" #endif - WRITERGB16(%4, %5, %%REGa) + WRITERGB16(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -488,7 +488,7 @@ static void RENAME(yuv2rgb565_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm1, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITERGB15(dst, dstw, index) REAL_WRITERGB15(dst, dstw, index) @@ -512,7 +512,7 @@ static void RENAME(yuv2rgb555_X_ar)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4\n\t" "paddusb "RED_DITHER"(%0), %%mm5\n\t" #endif - WRITERGB15(%4, %5, %%REGa) + WRITERGB15(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -536,7 +536,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4 \n\t" "paddusb "RED_DITHER"(%0), %%mm5 \n\t" #endif - WRITERGB15(%4, %5, %%REGa) + WRITERGB15(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -590,7 +590,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "add $24, "#dst" \n\t"\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEBGR24MMX2(dst, dstw, index) \ @@ -638,7 +638,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "add $24, "#dst" \n\t"\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #if COMPILE_TEMPLATE_MMX2 
@@ -665,7 +665,7 @@ static void RENAME(yuv2bgr24_X_ar)(SwsContext *c, const int16_t *lumFilter, "pxor %%mm7, %%mm7 \n\t" "lea (%%"REG_a", %%"REG_a", 2), %%"REG_c"\n\t" //FIXME optimize "add %4, %%"REG_c" \n\t" - WRITEBGR24(%%REGc, %5, %%REGa) + WRITEBGR24(%%REGc, "%5", %%REGa) :: "r" (&c->redDither), "m" (dummy), "m" (dummy), "m" (dummy), "r" (dest), "m" (dstW_reg), "m"(uv_off) @@ -689,7 +689,7 @@ static void RENAME(yuv2bgr24_X)(SwsContext *c, const int16_t *lumFilter, "pxor %%mm7, %%mm7 \n\t" "lea (%%"REG_a", %%"REG_a", 2), %%"REG_c" \n\t" //FIXME optimize "add %4, %%"REG_c" \n\t" - WRITEBGR24(%%REGc, %5, %%REGa) + WRITEBGR24(%%REGc, "%5", %%REGa) :: "r" (&c->redDither), "m" (dummy), "m" (dummy), "m" (dummy), "r" (dest), "m" (dstW_reg), "m"(uv_off) @@ -710,7 +710,7 @@ static void RENAME(yuv2bgr24_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm7, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEYUY2(dst, dstw, index) REAL_WRITEYUY2(dst, dstw, index) @@ -731,7 +731,7 @@ static void RENAME(yuv2yuyv422_X_ar)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm4 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" - WRITEYUY2(%4, %5, %%REGa) + WRITEYUY2(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -752,7 +752,7 @@ static void RENAME(yuv2yuyv422_X)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm4 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" - WRITEYUY2(%4, %5, %%REGa) + WRITEYUY2(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } 
@@ -853,7 +853,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "psraw $3, %%mm1 \n\t" /* abuf0[eax] - abuf1[eax] >>7*/ "psraw $3, %%mm7 \n\t" /* abuf0[eax] - abuf1[eax] >>7*/ "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, 8280(%5), %%r8, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%4, DSTW_OFFSET"(%5)", %%r8, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "r" (dest), "a" (&c->redDither), "r" (abuf0), "r" (abuf1) @@ -877,7 +877,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "packuswb %%mm7, %%mm1 \n\t" "pop %1 \n\t" "pop %0 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -891,7 +891,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "push %%"REG_BP" \n\t" YSCALEYUV2RGB(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
@@ -908,14 +908,13 @@ static void RENAME(yuv2bgr24_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2RGB(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -931,7 +930,6 @@ static void RENAME(yuv2rgb555_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" @@ -944,7 +942,7 @@ static void RENAME(yuv2rgb555_2)(SwsContext *c, const int16_t *buf[2], "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -960,7 +958,6 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" 
@@ -973,7 +970,7 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1029,13 +1026,12 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1177,7 +1173,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) YSCALEYUV2RGB1_ALPHA(%%REGBP) - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (abuf0), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1190,7 +1186,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
@@ -1205,7 +1201,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) YSCALEYUV2RGB1_ALPHA(%%REGBP) - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (abuf0), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1218,7 +1214,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1243,7 +1239,7 @@ static void RENAME(yuv2bgr24_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1256,7 +1252,7 @@ static void RENAME(yuv2bgr24_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
@@ -1286,7 +1282,7 @@ static void RENAME(yuv2rgb555_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1305,7 +1301,7 @@ static void RENAME(yuv2rgb555_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1335,7 +1331,7 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1354,7 +1350,7 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1414,7 +1410,7 @@ static void RENAME(yuv2yuyv422_1)(SwsContext *c, const int16_t *buf0, "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED1(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
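Review bot: in every WRITE* call touched here (WRITEBGR24, WRITEBGR32, WRITERGB15, WRITERGB16, WRITEYUY2) the second argument changes from the bare tokens 8280(%5) to the string concatenation DSTW_OFFSET"(%5)", but none of these hunks shows the macro definitions or the definition of DSTW_OFFSET. Please make sure the same commit changes the WRITE* macros to accept an already-quoted operand and that DSTW_OFFSET is a string literal, as ESP_OFFSET is used in the neighbouring "mov "ESP_OFFSET"(%5), %%"REG_b lines; otherwise the offset ends up quoted twice or not at all. A one-line comment next to the DSTW_OFFSET definition saying which SwsContext field it must track would replace the information lost with the removed "8280 == DSTW_OFFSET" remarks.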
@@ -1426,7 +1422,7 @@ static void RENAME(yuv2yuyv422_1)(SwsContext *c, const int16_t *buf0, "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED1b(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), From 71a3ad42b8c9e2bfeb5d4987d57780e0f8dc434c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 856/991] avformat/mpegts: Remove redundant check Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit ff6fa0b4b980fc5b9f7653d7b159ae02c3d95210) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index b808c40162..8cd81d6d47 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1229,7 +1229,7 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_le AVStream *st; if (ts->pids[pid]->es_id != mp4_descr[i].es_id) continue; - if (!(ts->pids[pid] && ts->pids[pid]->type == MPEGTS_PES)) { + if (ts->pids[pid]->type != MPEGTS_PES) { av_log(s, AV_LOG_ERROR, "pid %x is not PES\n", pid); continue; } From 90b69d1d020bde80a2b24c4a40c17363e482fc9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 857/991] avcodec/diracdec: fix undefined behavior with shifts Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit b8598f6ce61ccda3f2ff0c730b009fb650e42986) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 7fa7137cac..50457232ab 100644 --- a/libavcodec/diracdec.c 
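Review bot: in m4sl_cb() in libavformat/mpegts.c, the dropped ts->pids[pid] test was redundant only because the line above it, if (ts->pids[pid]->es_id != mp4_descr[i].es_id), already dereferences the pointer. If ts->pids[pid] can be NULL for some pid in this loop, the fix should move the NULL test above the es_id comparison instead of deleting it. Please either say in the commit message why the entry is guaranteed non-NULL at this point, or add if (!ts->pids[pid]) continue; before the comparison.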
+++ b/libavcodec/diracdec.c @@ -1332,8 +1332,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5], motion_y >>= s->chroma_y_shift; } - mx = motion_x & ~(-1 << s->mv_precision); - my = motion_y & ~(-1 << s->mv_precision); + mx = motion_x & ~(-1U << s->mv_precision); + my = motion_y & ~(-1U << s->mv_precision); motion_x >>= s->mv_precision; motion_y >>= s->mv_precision; /* normalize subpel coordinates to epel */ From 363cf196c90401f017a2ba8c7bdfa0321b7ed947 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 858/991] avfilter/vf_deshake: fix loss of precission with odd resolutions Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 73734282e0e4df92269984ee1671424e39249481) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_deshake.c b/libavfilter/vf_deshake.c index bb20551bc9..bf605d37ff 100644 --- a/libavfilter/vf_deshake.c +++ b/libavfilter/vf_deshake.c @@ -315,8 +315,8 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, //av_log(NULL, AV_LOG_ERROR, "\n"); } - p_x = (center_x - width / 2); - p_y = (center_y - height / 2); + p_x = (center_x - width / 2.0); + p_y = (center_y - height / 2.0); t->vector.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; t->vector.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; From dd8464bc99515dc4a38d5f86320e2ae64b589952 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Apr 2014 21:47:48 +0200 Subject: [PATCH 859/991] avformat/h263dec: Fix h263 probe The code was missing 1 bit in the src format Signed-off-by: Michael Niedermayer (cherry picked from commit fc145e576a443bfc89efdf35b91fd3c9ca0d8388) Signed-off-by: Michael Niedermayer --- libavformat/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/h263dec.c b/libavformat/h263dec.c index b07e9782b8..6945821f93 100644 --- a/libavformat/h263dec.c +++ b/libavformat/h263dec.c @@ -35,7 +35,7 @@ static int h263_probe(AVProbeData *p) for(i=0; ibuf_size; i++){ code = (code<<8) + p->buf[i]; if ((code & 0xfffffc0000) == 0x800000) { - src_fmt= (code>>2)&3; + src_fmt= (code>>2)&7; if( src_fmt != last_src_fmt && last_src_fmt>0 && last_src_fmt<6 && src_fmt<6) From 6a679279f7f27a897cae314967427325bf53138a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Apr 2014 05:32:56 +0200 Subject: [PATCH 860/991] avcodec/mjpegdec: Fix undefined shift Fixes CID1194388 Signed-off-by: Michael Niedermayer (cherry picked from commit b4329605289e25bb071ec1c1182bf25fc83b09aa) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 929235103d..9aee5956c1 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1111,7 +1111,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, return AVERROR_INVALIDDATA; if (!Al) { - s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss); + s->coefs_finished[c] |= (2LL << se) - (1LL << ss); last_scan = !~s->coefs_finished[c]; } From da97174dcb1457b2b47b07b5205610409469039e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Jun 2014 02:00:04 +0200 Subject: [PATCH 861/991] update for 0.10.13 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index e0c1fe8232..cd45fe33f0 100644 --- a/Doxyfile +++ b/Doxyfile 
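Review bot: in mjpeg_decode_scan_progressive_ac() in libavcodec/mjpegdec.c, (2LL << se) lowers the shift count by one but keeps a signed operand, so if se can reach 63 the result is still not representable in long long and the shift remains undefined. Suggest unsigned operands, (2ULL << se) - (1ULL << ss), in the same way the diracdec fix in this series switches to -1U, and state the valid range of se and ss in a comment or an assert next to the expression.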
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.12 +PROJECT_NUMBER = 0.10.13 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index 70016a7c6a..f25c43cdc2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.12 +0.10.13 diff --git a/VERSION b/VERSION index 70016a7c6a..f25c43cdc2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.12 +0.10.13 From 9c7321e2b8981ec867294309e9cf3833055df78f Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 2 Jun 2014 18:35:25 -0400 Subject: [PATCH 862/991] sgidec: fix an incorrect backport Signed-off-by: Anton Khirnov --- libavcodec/sgidec.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 13f505a559..6aaa5145e1 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -246,6 +246,8 @@ static int decode_frame(AVCodecContext *avctx, static av_cold int sgi_init(AVCodecContext *avctx){ SgiState *s = avctx->priv_data; + s->avctx = avctx; + avcodec_get_frame_defaults(&s->picture); avctx->coded_frame = &s->picture; @@ -262,15 +264,6 @@ static av_cold int sgi_end(AVCodecContext *avctx) return 0; } -static av_cold int sgi_decode_init(AVCodecContext *avctx) -{ - SgiState *s = avctx->priv_data; - - s->avctx = avctx; - - return 0; -} - AVCodec ff_sgi_decoder = { .name = "sgi", .type = AVMEDIA_TYPE_VIDEO, @@ -279,7 +272,6 @@ AVCodec ff_sgi_decoder = { .init = sgi_init, .close = sgi_end, .decode = decode_frame, - .init = sgi_decode_init, .long_name = NULL_IF_CONFIG_SMALL("SGI image"), }; From 6a968073daa74ffb98368fefd476a4562ce84e1b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 20 Jun 2014 03:15:28 +0200 Subject: [PATCH 863/991] avutil/lzo: Fix integer overflow Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" See: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer (cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee) Conflicts: libavutil/lzo.c (cherry picked from commit 7b5c706494a775b2b0d0e0a38448610802eef8f4) Signed-off-by: Michael Niedermayer --- libavutil/lzo.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 8cb8da43a3..58878bce16 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -62,7 +62,13 @@ static inline int get_byte(LZOContext *c) { static inline int get_len(LZOContext *c, int x, int mask) { int cnt = x & mask; if (!cnt) { - while (!(x = get_byte(c))) cnt += 255; + while (!(x = get_byte(c))) { + if (cnt >= INT_MAX - 1000) { + c->error |= AV_LZO_ERROR; + break; + } + cnt += 255; + } cnt += mask + x; } return cnt; From e7f5dacd55deeee8a866020b8463f829b2c5971f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 19 Jun 2014 23:26:58 +0200 Subject: [PATCH 864/991] lzo: Handle integer overflow get_len can overflow for specially crafted payload. Reported-By: Don A. Baley CC: libav-stable@libav.org (cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996) Signed-off-by: Luca Barbato Conflicts: libavutil/lzo.c --- libavutil/lzo.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index e49b83e0a2..0c497a5cf3 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c 
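Review bot: in get_len() in libavutil/lzo.c (the "avutil/lzo: Fix integer overflow" patch), after the new guard sets AV_LZO_ERROR and breaks, execution still falls through to cnt += mask + x and returns a count close to INT_MAX, so the fix is only safe if every caller checks c->error before using the returned length. Consider returning a small fixed value once the error flag is set, so a caller that forgets the check cannot act on a huge count. The margin of 1000 in cnt >= INT_MAX - 1000 also deserves a comment explaining how it relates to the 255 step and to mask + x.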
@@ -88,6 +88,10 @@ static inline int get_len(LZOContext *c, int x, int mask) { static inline void copy(LZOContext *c, int cnt) { register const uint8_t *src = c->in; register uint8_t *dst = c->out; + if (cnt < 0) { + c->error |= AV_LZO_ERROR; + return; + } if (cnt > c->in_end - src) { cnt = FFMAX(c->in_end - src, 0); c->error |= AV_LZO_INPUT_DEPLETED; @@ -113,13 +117,17 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt); /** * @brief Copies previously decoded bytes to current position. * @param back how many bytes back we start - * @param cnt number of bytes to copy, must be >= 0 + * @param cnt number of bytes to copy, must be > 0 * * cnt > back is valid, this will copy the bytes we just copied, * thus creating a repeating pattern with a period length of back. */ static inline void copy_backptr(LZOContext *c, int back, int cnt) { register uint8_t *dst = c->out; + if (cnt <= 0) { + c->error |= AV_LZO_ERROR; + return; + } if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; From 359383c98308bd236723d6e8720c7be16f7b129d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 26 Jun 2014 21:33:18 -0400 Subject: [PATCH 865/991] Prepare for 0.8.13 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7eff8ab952..c2f73c6ecf 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.12 +0.8.13 From e122fb594a5feb6729cce86a70aafd93d10202d8 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 26 Jun 2014 21:34:03 -0400 Subject: [PATCH 866/991] Update Changelog for 0.8.13 --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index d3257869e9..5ba4bf1f56 100644 --- a/Changelog +++ b/Changelog 
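Review bot: in libavutil/lzo.c (the "lzo: Handle integer overflow" patch), copy() now rejects cnt < 0 while copy_backptr() rejects cnt <= 0, and the doc comment for copy_backptr changes from "must be >= 0" to "must be > 0", so a zero-length back reference turns from a no-op into AV_LZO_ERROR. If that tightening is intended, the commit message should say so and explain why no valid stream produces cnt == 0; if it is not, use cnt < 0 in both functions. Since both checks exist to catch a wrapped get_len() result, a short comment at each one naming that source would help the next reader.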
@@ -1,6 +1,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.13: + +- lzo: Handle integer overflow +- sgidec: fix an incorrect backport + version 0.8.12: - h264: set parameters from SPS whenever it changes From 9153b33a742c4e2a85ff6230aea0e75f5a8b26c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Jun 2014 03:26:12 +0200 Subject: [PATCH 867/991] update for FFmpeg 0.10.14 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index cd45fe33f0..7f51569f6a 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.13 +PROJECT_NUMBER = 0.10.14 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index f25c43cdc2..c70613aa09 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.13 +0.10.14 diff --git a/VERSION b/VERSION index f25c43cdc2..c70613aa09 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.13 +0.10.14 From 187cfd3c13a1deb47661486824a5b8f41e158a7a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 20 Jul 2014 12:06:47 +0000 Subject: [PATCH 868/991] eamad: use the bytestream2 API instead of AV_RL This is safer and possibly fixes invalid reads on truncated data. (cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c) CC:libav-stable@libav.org Conflicts: libavcodec/eamad.c (cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47) Signed-off-by: Diego Biurrun --- libavcodec/eamad.c | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) 
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index c5aa6ace79..0d109828a0 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -29,6 +29,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #include "get_bits.h" #include "dsputil.h" #include "aandcttab.h" @@ -236,29 +237,31 @@ static int decode_frame(AVCodecContext *avctx, { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; - const uint8_t *buf_end = buf+buf_size; MadContext *t = avctx->priv_data; + GetByteContext gb; MpegEncContext *s = &t->s; int chunk_type; int inter; - if (buf_size < 17) { - av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n"); - *data_size = 0; - return -1; - } + bytestream2_init(&gb, buf, buf_size); - chunk_type = AV_RL32(&buf[0]); + chunk_type = bytestream2_get_le32(&gb); inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG); - buf += 8; + bytestream2_skip(&gb, 10); av_reduce(&avctx->time_base.num, &avctx->time_base.den, - AV_RL16(&buf[6]), 1000, 1<<30); + bytestream2_get_le16(&gb), 1000, 1<<30); - s->width = AV_RL16(&buf[8]); - s->height = AV_RL16(&buf[10]); - calc_intra_matrix(t, buf[13]); - buf += 16; + s->width = bytestream2_get_le16(&gb); + s->height = bytestream2_get_le16(&gb); + bytestream2_skip(&gb, 1); + calc_intra_matrix(t, bytestream2_get_byte(&gb)); + bytestream2_skip(&gb, 2); + + if (bytestream2_get_bytes_left(&gb) < 2) { + av_log(avctx, AV_LOG_ERROR, "Input data too small\n"); + return AVERROR_INVALIDDATA; + } if (avctx->width != s->width || avctx->height != s->height) { if (av_image_check_size(s->width, s->height, 0, avctx) < 0) 
@@ -276,12 +279,13 @@ static int decode_frame(AVCodecContext *avctx, } } - av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size, (buf_end-buf) + FF_INPUT_BUFFER_PADDING_SIZE); + av_fast_malloc(&t->bitstream_buf, &t->bitstream_buf_size, + bytestream2_get_bytes_left(&gb) + FF_INPUT_BUFFER_PADDING_SIZE); if (!t->bitstream_buf) return AVERROR(ENOMEM); - bswap16_buf(t->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2); - init_get_bits(&s->gb, t->bitstream_buf, 8*(buf_end-buf)); - + bswap16_buf(t->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)), + bytestream2_get_bytes_left(&gb) / 2); + init_get_bits(&s->gb, t->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb))); for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++) for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++) decode_mb(t, inter); From e4fdfdf65d520ce3af13a21ff8a3649e37757af8 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 29 Jul 2014 05:43:04 -0700 Subject: [PATCH 869/991] vf_select: Drop a debug av_log with an unchecked double to enum conversion CC: libav-stable@libav.org (cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905) Signed-off-by: Diego Biurrun --- libavfilter/vf_select.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/libavfilter/vf_select.c b/libavfilter/vf_select.c index 0ec443aec5..83afe3d87b 100644 --- a/libavfilter/vf_select.c +++ b/libavfilter/vf_select.c 
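Review bot: in decode_frame() in libavcodec/eamad.c, the up-front buf_size < 17 rejection is removed and the replacement test, bytestream2_get_bytes_left(&gb) < 2, runs only after av_reduce() has already written avctx->time_base and after s->width, s->height and the intra matrix have been set from the header reads. A truncated packet therefore modifies decoder state before it is rejected. Suggest reading the header fields into locals and committing them after the size check, or keeping a minimum-size check ahead of the first read. The old error path also cleared *data_size and the new one does not; please confirm the caller does not rely on that.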
@@ -200,19 +200,6 @@ static int select_frame(AVFilterContext *ctx, AVFilterBufferRef *picref) select->var_values[VAR_PICT_TYPE] = picref->video->pict_type; res = av_expr_eval(select->expr, select->var_values, NULL); - av_log(inlink->dst, AV_LOG_DEBUG, - "n:%d pts:%d t:%f pos:%d interlace_type:%c key:%d pict_type:%c " - "-> select:%f\n", - (int)select->var_values[VAR_N], - (int)select->var_values[VAR_PTS], - select->var_values[VAR_T], - (int)select->var_values[VAR_POS], - select->var_values[VAR_INTERLACE_TYPE] == INTERLACE_TYPE_P ? 'P' : - select->var_values[VAR_INTERLACE_TYPE] == INTERLACE_TYPE_T ? 'T' : - select->var_values[VAR_INTERLACE_TYPE] == INTERLACE_TYPE_B ? 'B' : '?', - (int)select->var_values[VAR_KEY], - av_get_picture_type_char(select->var_values[VAR_PICT_TYPE]), - res); select->var_values[VAR_N] += 1.0; From 277103e07fbe22fc8e4361bacd5c6b48133f3ba5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= Date: Sun, 27 Jul 2014 08:38:59 -0700 Subject: [PATCH 870/991] video4linux2: Avoid a floating point exception This avoids a segfault in avconv_opt.c:opt_target when trying to determine the norm. (cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc) Signed-off-by: Diego Biurrun --- avconv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/avconv.c b/avconv.c index 212d948905..4c57753d32 100644 --- a/avconv.c +++ b/avconv.c @@ -4212,7 +4212,8 @@ static int opt_target(OptionsContext *o, const char *opt, const char *arg) for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j].nb_streams; i++) { AVCodecContext *c = input_files[j].ctx->streams[i]->codec; - if (c->codec_type != AVMEDIA_TYPE_VIDEO) + if (c->codec_type != AVMEDIA_TYPE_VIDEO || + !c->time_base.num) continue; fr = c->time_base.den * 1000 / c->time_base.num; if (fr == 25000) { From 28f2d3c5a5a3a3c14a68cf691054f15e4f23355a Mon Sep 17 00:00:00 2001 
From: Diego Biurrun Date: Mon, 29 Oct 2012 18:00:14 +0100 Subject: [PATCH 871/991] cmdutils: Conditionally compile libswscale-related bits This fixes compilation with libswscale disabled. (cherry picked from commit ab799664755c8bc2c439c428ff5b538c105a5c38) Signed-off-by: Diego Biurrun --- cmdutils.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index e85f8d76bc..376d97681f 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -369,7 +369,10 @@ int opt_default(const char *opt, const char *arg) const AVOption *o; char opt_stripped[128]; const char *p; - const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class(), *sc = sws_get_class(); + const AVClass *cc = avcodec_get_class(), *fc = avformat_get_class(); +#if CONFIG_SWSCALE + const AVClass *sc = sws_get_class(); +#endif if (!(p = strchr(opt, ':'))) p = opt + strlen(opt); @@ -383,6 +386,7 @@ int opt_default(const char *opt, const char *arg) else if ((o = av_opt_find(&fc, opt, NULL, 0, AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ))) av_dict_set(&format_opts, opt, arg, FLAGS); +#if CONFIG_SWSCALE else if ((o = av_opt_find(&sc, opt, NULL, 0, AV_OPT_SEARCH_CHILDREN | AV_OPT_SEARCH_FAKE_OBJ))) { // XXX we only support sws_flags, not arbitrary sws options @@ -392,6 +396,7 @@ int opt_default(const char *opt, const char *arg) return ret; } } +#endif if (o) return 0; From 976f2e0a542e47aaf68ddbe001fb70a00bf96d99 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 29 Aug 2012 11:14:17 +0200 Subject: [PATCH 872/991] x86: Fix linking with some or all of yasm, mmx, optimizations disabled Some optimized template functions reference optimized symbols, so they must be explicitly disabled when those symbols are unavailable. (cherry picked from commit ec36aa69448f20a78d8c4588265022e0b2272ab5) Signed-off-by: Diego Biurrun --- libavcodec/x86/mpegaudiodec_mmx.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavcodec/x86/mpegaudiodec_mmx.c b/libavcodec/x86/mpegaudiodec_mmx.c index 06ffbca90a..7703a74a39 100644 --- a/libavcodec/x86/mpegaudiodec_mmx.c +++ b/libavcodec/x86/mpegaudiodec_mmx.c @@ -160,6 +160,7 @@ static void apply_window_mp3(float *in, float *win, int *unused, float *out, } +#if HAVE_YASM #define DECL_IMDCT_BLOCKS(CPU1, CPU2) \ static void imdct36_blocks_ ## CPU1(float *out, float *buf, float *in, \ int count, int switch_point, int block_type) \ @@ -197,6 +198,7 @@ DECL_IMDCT_BLOCKS(sse2,sse) DECL_IMDCT_BLOCKS(sse3,sse) DECL_IMDCT_BLOCKS(ssse3,sse) DECL_IMDCT_BLOCKS(avx,avx) +#endif /* HAVE_YASM */ void ff_mpadsp_init_mmx(MPADSPContext *s) { From a465ed5707f5cbc9713d5e9629d424cd2d46e038 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jul 2014 21:31:19 -0400 Subject: [PATCH 873/991] pgssubdec: Check RLE size before copying Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato (cherry picked from commit 00915d3cd2ce61db3d6dc11f63566630a9aff4ec) Signed-off-by: Diego Biurrun --- libavcodec/pgssubdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index bcc47f358e..ca6abcc7f2 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -192,6 +192,13 @@ static int parse_picture_segment(AVCodecContext *avctx, /* Decode rle bitmap length, stored size includes width/height data */ rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; + if (buf_size > rle_bitmap_len) { + av_log(avctx, AV_LOG_ERROR, + "Buffer dimension %d larger than the expected RLE data %d\n", + buf_size, rle_bitmap_len); + return AVERROR_INVALIDDATA; + } + /* Get bitmap dimensions from data */ width = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf); 
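Review bot: in parse_picture_segment() in libavcodec/pgssubdec.c, the new test compares buf_size with rle_bitmap_len before the width and height fields are read, while rle_bitmap_len has already had those 4 bytes (the - 2*2) subtracted, so the two values only measure the same span if buf_size was reduced by the preceding header bytes earlier in the function. The hunk does not show that adjustment; please confirm buf_size holds the remaining RLE payload at this point. A stored length below 4 makes rle_bitmap_len negative, and it would be clearer to reject that case explicitly instead of relying on this comparison to catch it.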
From 184c79729d4011f33027bcdc61a63d521017ebc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2013 16:26:25 +0200 Subject: [PATCH 874/991] h264_sei: check SEI size Signed-off-by: Anton Khirnov Signed-off-by: Vittorio Giovara --- libavcodec/h264_sei.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 2e5fb65f0d..5995a8efec 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c @@ -177,6 +177,12 @@ int ff_h264_decode_sei(H264Context *h){ size+= show_bits(&s->gb, 8); }while(get_bits(&s->gb, 8) == 255); + if (size > get_bits_left(&s->gb) / 8) { + av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n", + type, get_bits_left(&s->gb)); + return AVERROR_INVALIDDATA; + } + switch(type){ case SEI_TYPE_PIC_TIMING: // Picture timing SEI if(decode_picture_timing(h) < 0) From 7585a6254bbb38148e4467793fc34211b79d5f7d Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 30 Jul 2014 19:33:36 +0100 Subject: [PATCH 875/991] h264: prevent theoretical infinite loop in SEI parsing Properly address CVE-2011-3946 and parse bitstream as described in the spec. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/h264_sei.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 5995a8efec..776ce57d46 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c 
@@ -165,17 +165,22 @@ int ff_h264_decode_sei(H264Context *h){ MpegEncContext * const s = &h->s; while (get_bits_left(&s->gb) > 16) { - int size, type; + int type = 0; + int size = 0; + int last = 0; - type=0; - do{ - type+= show_bits(&s->gb, 8); - }while(get_bits(&s->gb, 8) == 255); + while (get_bits_left(&s->gb) >= 8 && + (last = get_bits(&s->gb, 8)) == 255) { + type += 255; + } + type += last; - size=0; - do{ - size+= show_bits(&s->gb, 8); - }while(get_bits(&s->gb, 8) == 255); + last = 0; + while (get_bits_left(&s->gb) >= 8 && + (last = get_bits(&s->gb, 8)) == 255) { + size += 255; + } + size += last; if (size > get_bits_left(&s->gb) / 8) { av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n", From 3e60501f311c50bf234033f206c19d34d889df01 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 5 Dec 2012 20:08:01 +0100 Subject: [PATCH 876/991] h264: slice-mt: check master context for valid current_picture_ptr Fixes errors in slice based multithreading introduced in 0b300daad2f5. CC: libav-stable@libav.org (cherry picked from commit 5945c7b35d9169caf9ecef1c419eebdebb909e60) Signed-off-by: Diego Biurrun --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 547cf3d1c9..c4853253e5 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2952,7 +2952,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->picture_structure = last_pic_structure; s->dropable = last_pic_dropable; return AVERROR_INVALIDDATA; - } else if (!s->current_picture_ptr) { + } else if (!s0->current_picture_ptr) { av_log(s->avctx, AV_LOG_ERROR, "unset current_picture_ptr on %d. slice\n", h0->current_slice + 1); From 50493f1f7d2235db811d2991b9e5b330baf7c05a Mon Sep 17 00:00:00 2001 
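Review bot: in ff_h264_decode_sei() (the "prevent theoretical infinite loop in SEI parsing" patch), when the type loop stops because get_bits_left(&s->gb) >= 8 fails rather than because a byte other than 255 was read, last still holds 255 from the previous iteration and type += last adds it a second time, so a payload that runs out of data inside the 0xFF prefix yields a bogus type with size left at 0 instead of an error. Suggest returning AVERROR_INVALIDDATA when either loop exits for lack of bits, for example by checking get_bits_left() explicitly after each loop. The same accumulation has no upper bound other than the buffer length, so a cap on type and size would make the later size > get_bits_left(&s->gb) / 8 comparison easier to reason about.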
From: Mans Rullgard Date: Tue, 1 May 2012 18:27:19 +0100 Subject: [PATCH 877/991] twinvq: fix out of bounds array access ModeTab.fmode has only 3 elements, so indexing it with ftype in the initialier for 'size' is invalid when ftype == FT_PPC. This fixes crashes with gcc 4.8. Signed-off-by: Mans Rullgard (cherry picked from commit 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6) Signed-off-by: Diego Biurrun --- libavcodec/twinvq.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 6d0a0ec9c9..c58a9bc75d 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -1000,14 +1000,16 @@ static av_cold void construct_perm_table(TwinContext *tctx, int ftype) { int block_size; const ModeTab *mtab = tctx->mtab; - int size = tctx->avctx->channels*mtab->fmode[ftype].sub; + int size; int16_t *tmp_perm = (int16_t *) tctx->tmp_buf; if (ftype == FT_PPC) { size = tctx->avctx->channels; block_size = mtab->ppc_shape_len; - } else + } else { + size = tctx->avctx->channels * mtab->fmode[ftype].sub; block_size = mtab->size / mtab->fmode[ftype].sub; + } permutate_in_line(tmp_perm, tctx->n_div[ftype], size, block_size, tctx->length[ftype], From 4a6622550a4a4bf4690ea7d9fe42210a30a67936 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Aug 2014 12:19:10 -0700 Subject: [PATCH 878/991] huffyuv: Check and propagate function return values Bug-Id: CVE-2013-0868 inspired by a patch from Michael Niedermayer Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18) Signed-off-by: Diego Biurrun Conflicts: libavcodec/huffyuvdec.c --- libavcodec/huffyuv.c | 92 +++++++++++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 35 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index f9e101db3d..0933575f14 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c 
@@ -273,10 +273,12 @@ static void generate_len_table(uint8_t *dst, const uint64_t *stats){ } #endif /* CONFIG_HUFFYUV_ENCODER || CONFIG_FFVHUFF_ENCODER */ -static void generate_joint_tables(HYuvContext *s){ +static int generate_joint_tables(HYuvContext *s){ uint16_t symbols[1<bitstream_bpp < 24){ int p, i, y, u; for(p=0; p<3; p++){ @@ -297,7 +299,9 @@ static void generate_joint_tables(HYuvContext *s){ } } ff_free_vlc(&s->vlc[3+p]); - ff_init_vlc_sparse(&s->vlc[3+p], VLC_BITS, i, len, 1, 1, bits, 2, 2, symbols, 2, 2, 0); + if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, + bits, 2, 2, symbols, 2, 2, 0)) < 0) + return ret; } }else{ uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map; @@ -338,27 +342,33 @@ static void generate_joint_tables(HYuvContext *s){ } } ff_free_vlc(&s->vlc[3]); - init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0); + if ((ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, + bits, 2, 2, 0)) < 0) + return ret; } + return 0; } static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ GetBitContext gb; - int i; + int i, ret; - init_get_bits(&gb, src, length*8); + if ((ret = init_get_bits(&gb, src, length * 8)) < 0) + return ret; for(i=0; i<3; i++){ - if(read_len_table(s->len[i], &gb)<0) - return -1; - if(generate_bits_table(s->bits[i], s->len[i])<0){ - return -1; - } + if ((ret = read_len_table(s->len[i], &gb)) < 0) + return ret; + if ((ret = generate_bits_table(s->bits[i], s->len[i])) < 0) + return ret; ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0)) < 0) + return ret; } - generate_joint_tables(s); + if ((ret = generate_joint_tables(s)) < 0) + return ret; return (get_bits_count(&gb)+7)/8; } 
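Review bot: in read_huffman_tables() in libavcodec/huffyuv.c, each new early return sits after ff_free_vlc(&s->vlc[i]) and a failed init_vlc(), so on error the function leaves s->vlc[] in a mixed state: entries below i hold freshly built tables, entry i is freed, and the joint tables may not have been rebuilt. These hunks do not show what the callers do on a negative return; please confirm that the decode_init failure path frees all VLCs, or free them here before returning ret. The same applies to the early returns added inside generate_joint_tables() after ff_free_vlc(&s->vlc[3 + p]).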
@@ -366,14 +376,18 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ static int read_old_huffman_tables(HYuvContext *s){ #if 1 GetBitContext gb; - int i; + int i, ret; - init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8); - if(read_len_table(s->len[0], &gb)<0) - return -1; - init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8); - if(read_len_table(s->len[1], &gb)<0) - return -1; + if ((ret = init_get_bits(&gb, classic_shift_luma, + classic_shift_luma_table_size * 8)) < 0) + return ret; + if ((ret = read_len_table(s->len[0], &gb)) < 0) + return ret; + if ((ret = init_get_bits(&gb, classic_shift_chroma, + classic_shift_chroma_table_size * 8)) < 0) + return ret; + if ((ret = read_len_table(s->len[1], &gb)) < 0) + return ret; for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma [i]; for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i]; @@ -387,10 +401,13 @@ static int read_old_huffman_tables(HYuvContext *s){ for(i=0; i<3; i++){ ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0)) < 0) + return ret; } - generate_joint_tables(s); + if ((ret = generate_joint_tables(s)) < 0) + return ret; return 0; #else @@ -430,6 +447,7 @@ static av_cold int common_init(AVCodecContext *avctx){ static av_cold int decode_init(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; + int ret; common_init(avctx); memset(s->vlc, 0, 3*sizeof(VLC)); 
@@ -464,8 +482,9 @@ s->bgr32=1; s->interlaced= (interlace==1) ? 1 : (interlace==2) ? 0 : s->interlaced; s->context= ((uint8_t*)avctx->extradata)[2] & 0x40 ? 1 : 0; - if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4, avctx->extradata_size-4) < 0) - return -1; + if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4, + avctx->extradata_size - 4)) < 0) + return ret; }else{ switch(avctx->bits_per_coded_sample&7){ case 1: @@ -492,8 +511,8 @@ s->bgr32=1; s->bitstream_bpp= avctx->bits_per_coded_sample & ~7; s->context= 0; - if(read_old_huffman_tables(s) < 0) - return -1; + if ((ret = read_old_huffman_tables(s)) < 0) + return ret; } switch(s->bitstream_bpp){ @@ -529,7 +548,7 @@ s->bgr32=1; static av_cold int decode_init_thread_copy(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; - int i; + int i, ret; avctx->coded_frame= &s->picture; alloc_temp(s); @@ -538,11 +557,12 @@ static av_cold int decode_init_thread_copy(AVCodecContext *avctx) s->vlc[i].table = NULL; if(s->version==2){ - if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4, avctx->extradata_size) < 0) - return -1; + if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4, + avctx->extradata_size)) < 0) + return ret; }else{ - if(read_old_huffman_tables(s) < 0) - return -1; + if ((ret = read_old_huffman_tables(s)) < 0) + return ret; } return 0; @@ -959,7 +979,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac const int height= s->height; int fake_ystride, fake_ustride, fake_vstride; AVFrame * const p= &s->picture; - int table_size= 0; + int table_size = 0, ret; AVFrame *picture = data; 
@@ -974,21 +994,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac ff_thread_release_buffer(avctx, p); p->reference= 0; - if(ff_thread_get_buffer(avctx, p) < 0){ + if ((ret = ff_thread_get_buffer(avctx, p)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return ret; } if(s->context){ table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size); if(table_size < 0) - return -1; + return table_size; } if((unsigned)(buf_size-table_size) >= INT_MAX/8) return -1; - init_get_bits(&s->gb, s->bitstream_buffer+table_size, (buf_size-table_size)*8); + if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size, + (buf_size - table_size) * 8)) < 0) + return ret; fake_ystride= s->interlaced ? p->linesize[0]*2 : p->linesize[0]; fake_ustride= s->interlaced ? p->linesize[1]*2 : p->linesize[1]; From e17dc0a254ac8d3c33887a114a66e2b659ba0bc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Aug 2014 19:24:18 +0100 Subject: [PATCH 879/991] mmvideo: check horizontal coordinate too Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara Signed-off-by: Anton Khirnov (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov --- libavcodec/mmvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 501371ad52..660cebc58f 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -151,6 +151,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; + if (x + half_horiz >= s->avctx->width) + return AVERROR_INVALIDDATA; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame.data[0][y*s->frame.linesize[0] + x] = color; 
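Review bot: In libavcodec/huffyuv.c, decode_init_thread_copy() passes `avctx->extradata_size` as the length while the pointer is already advanced to `extradata + 4`, so the bit reader is told the table is 4 bytes longer than the data that remains; decode_init() in the same patch passes `avctx->extradata_size - 4` for the same buffer. Use the same length in both places. Two smaller leftovers from the return-value cleanup: decode_frame() still has a bare `return -1` after the `(unsigned)(buf_size-table_size) >= INT_MAX/8` test, where AVERROR_INVALIDDATA would match the rest of the change, and decode_init() still ignores the int returned by common_init().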
From a1804df66a4064aa30554a11e4fd6cdac3ed89c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Aug 2014 00:54:33 +0100 Subject: [PATCH 880/991] huffyuvdec: check width size for yuv422p Avoid out of array accesses. CC: libav-stable@libav.org Bug-Id: CVE-2013-0848 Signed-off-by: Vittorio Giovara Signed-off-by: Anton Khirnov (cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb) Signed-off-by: Anton Khirnov Conflicts: libavcodec/huffyuvdec.c --- libavcodec/huffyuv.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index 0933575f14..9630537584 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -538,6 +538,13 @@ s->bgr32=1; return AVERROR_INVALIDDATA; } + if (s->predictor == MEDIAN && avctx->pix_fmt == PIX_FMT_YUV422P && + avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 " + "for this combination of colorspace and predictor type.\n"); + return AVERROR_INVALIDDATA; + } + alloc_temp(s); // av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced); From 3aebdffb010df025728d6c2af89642f9634aa806 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Aug 2014 10:46:50 +0000 Subject: [PATCH 881/991] cdgraphics: switch to bytestream2 Fixes possible invalid memory accesses on corrupted data. CC:libav-stable@libav.org Bug-ID: CVE-2013-3674 (cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812) Signed-off-by: Anton Khirnov --- libavcodec/cdgraphics.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index f1f474f3de..dc2aa0784b 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c 
@@ -268,7 +268,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, static int cdg_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; + GetByteContext gb; int buf_size = avpkt->size; int ret; uint8_t command, inst; @@ -276,10 +276,8 @@ static int cdg_decode_frame(AVCodecContext *avctx, AVFrame new_frame; CDGraphicsContext *cc = avctx->priv_data; - if (buf_size < CDG_MINIMUM_PKT_SIZE) { - av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); - return AVERROR(EINVAL); - } + bytestream2_init(&gb, avpkt->data, avpkt->size); + ret = avctx->reget_buffer(avctx, &cc->frame); if (ret) { @@ -287,11 +285,11 @@ static int cdg_decode_frame(AVCodecContext *avctx, return ret; } - command = bytestream_get_byte(&buf); - inst = bytestream_get_byte(&buf); + command = bytestream2_get_byte(&gb); + inst = bytestream2_get_byte(&gb); inst &= CDG_MASK; - buf += 2; /// skipping 2 unneeded bytes - bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); + bytestream2_skip(&gb, 2); + bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data)); if ((command & CDG_MASK) == CDG_COMMAND) { switch (inst) { From cf6b2a0ad2b06aabf04bec4c7b19e78a560cd904 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Aug 2014 10:56:34 +0000 Subject: [PATCH 882/991] cdgraphics: do not return 0 from the decode function 0 means no data consumed, so it can trigger an infinite loop in the caller. CC:libav-stable@libav.org (cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36) Signed-off-by: Anton Khirnov Conflicts: libavcodec/cdgraphics.c --- libavcodec/cdgraphics.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index dc2aa0784b..9ab00b4fac 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c 
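Review bot: In cdg_decode_frame() the `buf_size < CDG_MINIMUM_PKT_SIZE` rejection is removed and nothing replaces it: the return value of `bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data))` is not checked, so a truncated packet no longer reads out of bounds but is still decoded, with missing header bytes read as 0 by the checked readers and only part of cdg_data filled from this packet. Either keep the minimum-size check ahead of bytestream2_init() or compare the returned byte count against sizeof(cdg_data) and return AVERROR_INVALIDDATA on a short read. `buf_size` is also still assigned from `avpkt->size` but no longer sizes the copy.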
@@ -348,11 +348,10 @@ static int cdg_decode_frame(AVCodecContext *avctx, *data_size = sizeof(AVFrame); } else { *data_size = 0; - buf_size = 0; } *(AVFrame *) data = cc->frame; - return buf_size; + return avpkt->size; } static av_cold int cdg_decode_end(AVCodecContext *avctx) From 9d5f4f025304ac7c69775179044e6f69f370441a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 3 Aug 2014 10:14:48 +0200 Subject: [PATCH 883/991] svq1: do not modify the input packet The input data must remain constant, make a copy instead. This is in theory a performance hit, but since I failed to find any samples using this feature, this should not matter in practice. Also, check the size of the header, avoiding invalid reads on truncated data. CC:libav-stable@libav.org (cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf) Signed-off-by: Anton Khirnov Conflicts: libavcodec/svq1dec.c --- libavcodec/mpegvideo.h | 3 +++ libavcodec/svq1dec.c | 28 +++++++++++++++++++++++----- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 06be735301..1c08c8744d 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -679,6 +679,9 @@ typedef struct MpegEncContext { int (*dct_quantize)(struct MpegEncContext *s, DCTELEM *block/*align 16*/, int n, int qscale, int *overflow); int (*fast_dct_quantize)(struct MpegEncContext *s, DCTELEM *block/*align 16*/, int n, int qscale, int *overflow); void (*denoise_dct)(struct MpegEncContext *s, DCTELEM *block); + + uint8_t *pkt_swapped; + int pkt_swapped_allocated; } MpegEncContext; #define REBASE_PICTURE(pic, new_ctx, old_ctx) (pic ? \ diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 1cbf1f51c9..4acb7ce730 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c 
@@ -644,13 +644,29 @@ static int svq1_decode_frame(AVCodecContext *avctx, return -1; /* swap some header bytes (why?) */ - if (s->f_code != 0x20) { - uint32_t *src = (uint32_t *) (buf + 4); + if (s->f_code != 0x20) { + uint32_t *src; - for (i=0; i < 4; i++) { - src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i]; + if (buf_size < 9 * 4) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + + av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, + buf_size); + if (!s->pkt_swapped) + return AVERROR(ENOMEM); + + memcpy(s->pkt_swapped, buf, buf_size); + buf = s->pkt_swapped; + init_get_bits(&s->gb, buf, buf_size * 8); + skip_bits(&s->gb, 22); + + src = (uint32_t *)(s->pkt_swapped + 4); + + for (i = 0; i < 4; i++) + src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i]; } - } result = svq1_decode_frame_header (&s->gb, s); @@ -804,6 +820,8 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; + av_freep(&s->pkt_swapped); + MPV_common_end(s); return 0; } From c79cf0129edafc388ba1c47cd7b6a620557e48de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Aug 2014 18:19:57 +0100 Subject: [PATCH 884/991] error_concealment: avoid using the picture if not fully setup Fixes state becoming inconsistent and a null pointer dereference. CC: libav-stable@libav.org Bug-Id: CVE-2013-0860 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara Signed-off-by: Anton Khirnov --- libavcodec/error_resilience.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 96f49c8adb..2735c6667d 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c 
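Review bot: In svq1_decode_frame(), `av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, buf_size)` passes the buffer pointer itself, but av_fast_malloc() expects the address of the pointer so that it can store the new allocation; as written `s->pkt_swapped` is never updated and the `if (!s->pkt_swapped)` test that follows checks the old value. Pass `&s->pkt_swapped`, and declare `pkt_swapped_allocated` in mpegvideo.h as unsigned int to match the size argument. The copy is also exactly `buf_size` bytes, with no FF_INPUT_BUFFER_PADDING_SIZE after it, before `init_get_bits(&s->gb, buf, buf_size * 8)` reads from it, and the result of that call is not checked.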
@@ -900,6 +900,12 @@ void ff_er_frame_end(MpegEncContext *s) return; }; + if (s->picture_structure == PICT_FRAME && + s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) { + av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n"); + return; + } + if (s->current_picture.f.motion_val[0] == NULL) { av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n"); From 4709baecc9cc57acefc622ce2b41bbf3704826a1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 6 Aug 2014 20:24:47 -0400 Subject: [PATCH 885/991] Prepare for 0.8.14 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index c2f73c6ecf..832bad2740 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.13 +0.8.14 From a79e58cdc6e46c62346d13e7ddd4da2008714200 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 6 Aug 2014 20:24:20 -0400 Subject: [PATCH 886/991] Update Changelog for v0.8.14 --- Changelog | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Changelog b/Changelog index 5ba4bf1f56..b1b71837f7 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,26 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.14: + +- error_concealment: avoid using the picture if not fully setup (CVE-2013-0860) +- svq1: do not modify the input packet +- cdgraphics: do not return 0 from the decode function +- cdgraphics: switch to bytestream2 (CVE-2013-3674) +- huffyuvdec: check width size for yuv422p (CVE-2013-0848) +- mmvideo: check horizontal coordinate too (CVE-2013-3672) +- huffyuv: Check and propagate function return values (CVE-2013-0868) +- twinvq: fix out of bounds array access +- h264: slice-mt: check master context for valid current_picture_ptr +- h264: prevent theoretical infinite loop in SEI parsing (CVE-2011-3946) +- h264_sei: check SEI size +- pgssubdec: Check RLE size before copying (CVE-2013-0852) +- x86: Fix linking with some or all of yasm, mmx, optimizations disabled +- cmdutils: Conditionally compile libswscale-related bits +- video4linux2: Avoid a floating point exception +- vf_select: Drop a debug av_log with an unchecked double to enum conversion +- eamad: use the bytestream2 API instead of AV_RL (CVE-2013-0851) + version 0.8.13: - lzo: Handle integer overflow From d86df7dd497ead1132bd95df7c4c18d91fbe3def Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 3 Aug 2014 19:27:07 +0200 Subject: [PATCH 887/991] mpegts: Define the section length with a constant The specification says the value is expressed in 10 bits including the 4-byte CRC. (cherry picked from commit 694b7cd873f8b06af109036eff1ccd741afdd28e) Signed-off-by: Luca Barbato Conflicts: libavformat/mpegtsenc.c --- libavformat/mpegtsenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 90f223273e..87cf726c73 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c 
@@ -106,6 +106,10 @@ static const AVClass mpegts_muxer_class = { .version = LIBAVUTIL_VERSION_INT, }; +/* The section length is 12 bits. The first 2 are set to 0, the remaining + * 10 bits should not exceed 1021. */ +#define SECTION_LENGTH 1020 + /* NOTE: 4 bytes must be left at the end for the crc32 */ static void mpegts_write_section(MpegTSSection *s, uint8_t *buf, int len) { @@ -217,7 +221,7 @@ static void mpegts_write_pat(AVFormatContext *s) { MpegTSWrite *ts = s->priv_data; MpegTSService *service; - uint8_t data[1012], *q; + uint8_t data[SECTION_LENGTH], *q; int i; q = data; @@ -232,8 +236,7 @@ static void mpegts_write_pat(AVFormatContext *s) static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { - // MpegTSWrite *ts = s->priv_data; - uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr; + uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr; int val, stream_type, i; q = data; @@ -385,7 +388,7 @@ static void mpegts_write_sdt(AVFormatContext *s) { MpegTSWrite *ts = s->priv_data; MpegTSService *service; - uint8_t data[1012], *q, *desc_list_len_ptr, *desc_len_ptr; + uint8_t data[SECTION_LENGTH], *q, *desc_list_len_ptr, *desc_len_ptr; int i, running_status, free_ca_mode, val; q = data; From ebe2292eafa7cac71dcdddb865e18c05635fe117 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 7 Aug 2014 17:10:32 +0200 Subject: [PATCH 888/991] mpegts: Do not try to write a PMT larger than SECTION_SIZE Prevent out of array write. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org (cherry picked from commit addbaf134836aea4e14f73add8c6d753a1373257) Signed-off-by: Luca Barbato --- libavformat/mpegtsenc.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 87cf726c73..91b6758cc1 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c 
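Review bot: The comment added above SECTION_LENGTH says the length field should not exceed 1021 while the macro is defined as 1020, and the existing note directly below still says 4 bytes must be left at the end for the crc32; the three buffers grow from 1012 to 1020 bytes without the comment or the commit message saying which of these numbers includes the CRC and the header bytes. State in the comment how 1020 is derived from the 1021 limit, so that bounds checks written against SECTION_LENGTH can be verified. The removal of the commented-out `MpegTSWrite *ts` line in mpegts_write_pmt() is unrelated to the constant and belongs in its own commit.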
@@ -237,7 +237,7 @@ static void mpegts_write_pat(AVFormatContext *s) static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr; - int val, stream_type, i; + int val, stream_type, i, err = 0; q = data; put16(&q, 0xe000 | service->pcr_pid); @@ -255,6 +255,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) AVStream *st = s->streams[i]; MpegTSWriteStream *ts_st = st->priv_data; AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL,0); + + if (q - data > SECTION_LENGTH - 3 - 2 - 6) { + err = 1; + break; + } switch(st->codec->codec_id) { case CODEC_ID_MPEG1VIDEO: case CODEC_ID_MPEG2VIDEO: @@ -304,6 +309,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) *len_ptr = 0; for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { + if (q - data > SECTION_LENGTH - 4) { + err = 1; + break; + } next = strchr(p, ','); if (strlen(p) != 3 && (!next || next != p + 3)) continue; /* not a 3-letter code */ @@ -338,6 +347,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) *q++ = language[1]; *q++ = language[2]; *q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */ + + if (q - data > SECTION_LENGTH - 4) { + err = 1; + break; + } if(st->codec->extradata_size == 4) { memcpy(q, st->codec->extradata, 4); q += 4; @@ -363,6 +377,14 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) desc_length_ptr[0] = val >> 8; desc_length_ptr[1] = val; } + + if (err) + av_log(s, AV_LOG_ERROR, + "The PMT section is too small for stream %d and following.\n" + "Try reducing the number of languages in the audio streams " + "or the total number of streams.\n", + i); + mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, data, q - data); } From dcc68de942f06d358192a57057adb133f7c40dd7 Mon Sep 17 00:00:00 2001 
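Review bot: In mpegts_write_pmt(), the `err = 1; break;` added inside `for (p = lang->value; ...)` only leaves the language loop, not the loop over streams, so the rest of that stream's descriptor handling can still write through `q` after the limit was hit; only the first check, at the top of the stream loop, actually stops processing. Test `err` after the inner loop and leave the stream loop there. The section is then still passed to mpegts_write_section1() and the function stays void, so the caller cannot tell that the PMT was truncated. The margins `SECTION_LENGTH - 3 - 2 - 6` and `SECTION_LENGTH - 4` also need a comment saying which fields each term reserves.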
From: Michael Niedermayer Date: Mon, 4 Aug 2014 01:06:51 +0100 Subject: [PATCH 889/991] vp3: Copy all 3 frames for thread updates Fixes a double release of the current frame on deinit. Bug-Id: CVE-2011-3934 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara --- libavcodec/vp3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index d8e16505a1..2fa10c1e1b 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1865,7 +1865,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * ||s->width != s1->width ||s->height!= s1->height) { if (s != s1) - copy_fields(s, s1, golden_frame, current_frame); + copy_fields(s, s1, golden_frame, keyframe); return -1; } From 042c25f54bd25b52d2936b822be026450971a82d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 8 Aug 2014 20:49:45 -0400 Subject: [PATCH 890/991] Update Changelog for v0.8.14 --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index b1b71837f7..cb0565c304 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,9 @@ releases are sorted from youngest to oldest. version 0.8.14: +- vp3: Copy all 3 frames for thread updates (CVE-2011-3934) +- mpegts: Do not try to write a PMT larger than SECTION_SIZE (CVE-2014-2263) +- mpegts: Define the section length with a constant - error_concealment: avoid using the picture if not fully setup (CVE-2013-0860) - svq1: do not modify the input packet - cdgraphics: do not return 0 from the decode function From 0ab76ddf313eeab70d06619ae0376fd7dd40761b Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Fri, 8 Aug 2014 18:07:43 +0200 Subject: [PATCH 891/991] avcodec: Introduce ff_get_buffer Validate the image size there as is done in the other release branches. Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- avplay.c | 2 +- libavcodec/8svx.c | 3 ++- libavcodec/aacdec.c | 2 +- libavcodec/ac3dec.c | 2 +- libavcodec/adpcm.c | 3 ++- libavcodec/adxdec.c | 3 ++- libavcodec/alac.c | 3 ++- libavcodec/alsdec.c | 3 ++- libavcodec/amrnbdec.c | 3 ++- libavcodec/amrwbdec.c | 3 ++- libavcodec/ansi.c | 3 ++- libavcodec/apedec.c | 3 ++- libavcodec/atrac1.c | 3 ++- libavcodec/atrac3.c | 3 ++- libavcodec/binkaudio.c | 3 ++- libavcodec/bmv.c | 5 +++-- libavcodec/cdgraphics.c | 3 ++- libavcodec/cook.c | 3 ++- libavcodec/dca.c | 3 ++- libavcodec/dfa.c | 3 ++- libavcodec/dpcm.c | 3 ++- libavcodec/dsicinav.c | 3 ++- libavcodec/dxtory.c | 3 ++- libavcodec/flacdec.c | 2 +- libavcodec/g722dec.c | 3 ++- libavcodec/g726.c | 2 +- libavcodec/gsmdec.c | 3 ++- libavcodec/iff.c | 5 +++-- libavcodec/imc.c | 3 ++- libavcodec/indeo3.c | 3 ++- libavcodec/internal.h | 3 +++ libavcodec/ivi_common.c | 3 ++- libavcodec/kgv1dec.c | 3 ++- libavcodec/libgsm.c | 2 +- libavcodec/libopencore-amr.c | 4 ++-- libavcodec/libspeexdec.c | 2 +- libavcodec/mace.c | 3 ++- libavcodec/mlpdec.c | 3 ++- libavcodec/mpc7.c | 3 ++- libavcodec/mpc8.c | 3 ++- libavcodec/mpegaudiodec.c | 5 +++-- libavcodec/mxpegdec.c | 4 ++-- libavcodec/nellymoserdec.c | 3 ++- libavcodec/pcm-mpeg.c | 3 ++- libavcodec/pcm.c | 2 +- libavcodec/pthread.c | 6 +++--- libavcodec/qcelpdec.c | 2 +- libavcodec/qdm2.c | 3 ++- libavcodec/ra144dec.c | 3 ++- libavcodec/ra288.c | 3 ++- libavcodec/roqvideoenc.c | 4 ++-- libavcodec/s302m.c | 3 ++- libavcodec/shorten.c | 3 ++- libavcodec/sipr.c | 3 ++- libavcodec/smacker.c | 3 ++- libavcodec/svq1enc.c | 4 ++-- libavcodec/thread.h | 2 +- libavcodec/truespeech.c | 3 ++- libavcodec/tta.c | 3 ++- libavcodec/twinvq.c | 3 ++- libavcodec/utils.c | 19 
++++++++++++++++--- libavcodec/vmdav.c | 5 +++-- libavcodec/vorbisdec.c | 3 ++- libavcodec/wavpack.c | 3 ++- libavcodec/wmadec.c | 3 ++- libavcodec/wmaprodec.c | 2 +- libavcodec/wmavoice.c | 3 ++- libavcodec/ws-snd1.c | 3 ++- libavcodec/xan.c | 3 ++- libavcodec/yop.c | 3 ++- 70 files changed, 149 insertions(+), 81 deletions(-) diff --git a/avplay.c b/avplay.c index 57fb864ea8..be8811622b 100644 --- a/avplay.c +++ b/avplay.c @@ -1584,7 +1584,7 @@ static int input_reget_buffer(AVCodecContext *codec, AVFrame *pic) if (pic->data[0] == NULL) { pic->buffer_hints |= FF_BUFFER_HINTS_READABLE; - return codec->get_buffer(codec, pic); + return input_get_buffer(codec, pic); } if ((codec->width != ref->video->w) || (codec->height != ref->video->h) || diff --git a/libavcodec/8svx.c b/libavcodec/8svx.c index 4f11b8bec4..1057a72db9 100644 --- a/libavcodec/8svx.c +++ b/libavcodec/8svx.c @@ -29,6 +29,7 @@ */ #include "avcodec.h" +#include "internal.h" /** decoder context */ typedef struct EightSvxContext { @@ -141,7 +142,7 @@ static int eightsvx_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ esc->frame.nb_samples = buf_size * (is_compr + 1); - if ((ret = avctx->get_buffer(avctx, &esc->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &esc->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 83dd06bfc0..9c4489434a 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -2246,7 +2246,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, if (samples) { /* get output buffer */ ac->frame.nb_samples = samples; - if ((err = avctx->get_buffer(avctx, &ac->frame)) < 0) { + if ((err = ff_get_buffer(avctx, &ac->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return err; } diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 039062b3d6..a3c581909b 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -1411,7 +1411,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ s->frame.nb_samples = s->num_blocks * 256; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5f7f140a9d..fe4949d7af 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "put_bits.h" #include "bytestream.h" @@ -547,7 +548,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ c->frame.nb_samples = nb_samples; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 3f7f5f4ca1..de2d718b1c 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c @@ -21,6 +21,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #include "adx.h" #include "get_bits.h" @@ -140,7 +141,7 @@ static int adx_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ c->frame.nb_samples = num_blocks * BLOCK_SAMPLES; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 23b8951169..c162e2f60e 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -47,6 +47,7 @@ #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "bytestream.h" #include "unary.h" 
@@ -402,7 +403,7 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } alac->frame.nb_samples = outputsamples; - if ((ret = avctx->get_buffer(avctx, &alac->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &alac->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7daa545765..c49552de59 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -30,6 +30,7 @@ #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "unary.h" #include "mpeg4audio.h" @@ -1484,7 +1485,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, /* get output buffer */ ctx->frame.nb_samples = ctx->cur_frame_length; - if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c index a7d0b4e337..d294fe967f 100644 --- a/libavcodec/amrnbdec.c +++ b/libavcodec/amrnbdec.c @@ -44,6 +44,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "libavutil/common.h" #include "celp_math.h" @@ -944,7 +945,7 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ p->avframe.nb_samples = AMR_BLOCK_SIZE; - if ((ret = avctx->get_buffer(avctx, &p->avframe)) < 0) { + if ((ret = ff_get_buffer(avctx, &p->avframe)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index b9ae9ece66..893cd355e5 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -27,6 +27,7 @@ #include "libavutil/lfg.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "lsp.h" #include "celp_math.h" 
@@ -1087,7 +1088,7 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ ctx->avframe.nb_samples = 4 * AMRWB_SFR_SIZE_16k; - if ((ret = avctx->get_buffer(avctx, &ctx->avframe)) < 0) { + if ((ret = ff_get_buffer(avctx, &ctx->avframe)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 32c7ce4ecd..3721bca1e8 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -26,6 +26,7 @@ #include "libavutil/lfg.h" #include "avcodec.h" +#include "internal.h" #include "cga_data.h" #define ATTR_BOLD 0x01 /**< Bold/Bright-foreground (mode 1) */ @@ -221,7 +222,7 @@ static int execute_code(AVCodecContext * avctx, int c) if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); avcodec_set_dimensions(avctx, width, height); - ret = avctx->get_buffer(avctx, &s->frame); + ret = ff_get_buffer(avctx, &s->frame); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 745b14c1be..a9c3be492f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -22,6 +22,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" +#include "internal.h" #include "dsputil.h" #include "get_bits.h" #include "bytestream.h" @@ -887,7 +888,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = blockstodecode; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c index 9ead80d5c8..128a66d0e7 100644 --- a/libavcodec/atrac1.c +++ b/libavcodec/atrac1.c @@ -33,6 +33,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "fft.h" 
@@ -291,7 +292,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ q->frame.nb_samples = AT1_SU_SAMPLES; - if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index e31dd1dcd5..5bfd038abd 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -37,6 +37,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "bytestream.h" @@ -852,7 +853,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ q->frame.nb_samples = SAMPLES_PER_FRAME; - if ((result = avctx->get_buffer(avctx, &q->frame)) < 0) { + if ((result = ff_get_buffer(avctx, &q->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return result; } diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index d73ffcdabc..dc1028fbad 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -29,6 +29,7 @@ */ #include "avcodec.h" +#include "internal.h" #define BITSTREAM_READER_LE #include "get_bits.h" #include "dsputil.h" @@ -340,7 +341,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = s->block_size / avctx->channels; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 920e75255f..c0fe9b87d8 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -20,6 +20,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "bytestream.h" enum BMVFlags{ 
@@ -265,7 +266,7 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->pix_fmt = PIX_FMT_PAL8; c->pic.reference = 1; - if (avctx->get_buffer(avctx, &c->pic) < 0) { + if (ff_get_buffer(avctx, &c->pic) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return -1; } @@ -330,7 +331,7 @@ static int bmv_aud_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ c->frame.nb_samples = total_blocks * 32; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 9ab00b4fac..f642287782 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -20,6 +20,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "bytestream.h" /** @@ -331,7 +332,7 @@ static int cdg_decode_frame(AVCodecContext *avctx, } cdg_init_frame(&new_frame); - ret = avctx->get_buffer(avctx, &new_frame); + ret = ff_get_buffer(avctx, &new_frame); if (ret) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 74378521b3..df4fee5967 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -44,6 +44,7 @@ #include "libavutil/lfg.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "bytestream.h" @@ -991,7 +992,7 @@ static int cook_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ if (q->discarded_packets >= 2) { q->frame.nb_samples = q->samples_per_channel; - if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 4d71812d88..72b7bbf7f1 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c 
@@ -32,6 +32,7 @@ #include "libavutil/mathematics.h" #include "libavutil/audioconvert.h" #include "avcodec.h" +#include "internal.h" #include "dsputil.h" #include "fft.h" #include "get_bits.h" @@ -1902,7 +1903,7 @@ static int dca_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = 256 * (s->sample_blocks / 8); - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 0ae89a8985..d9ff44545e 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -21,6 +21,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "bytestream.h" #include "libavutil/imgutils.h" @@ -325,7 +326,7 @@ static int dfa_decode_frame(AVCodecContext *avctx, if (s->pic.data[0]) avctx->release_buffer(avctx, &s->pic); - if ((ret = avctx->get_buffer(avctx, &s->pic))) { + if ((ret = ff_get_buffer(avctx, &s->pic))) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 7f5dbfe3b9..f4aaa95c0a 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -39,6 +39,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #include "bytestream.h" typedef struct DPCMContext { @@ -213,7 +214,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = out / s->channels; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 1a3366814b..99eea8ab33 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -25,6 +25,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "bytestream.h" #include "mathops.h" 
@@ -362,7 +363,7 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ cin->frame.nb_samples = avpkt->size - cin->initial_decode_frame; - if ((ret = avctx->get_buffer(avctx, &cin->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &cin->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 5f67fbdbef..f8ebb43b63 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -21,6 +21,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "libavutil/intreadwrite.h" static av_cold int decode_init(AVCodecContext *avctx) @@ -51,7 +52,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } pic->reference = 0; - if ((ret = avctx->get_buffer(avctx, pic)) < 0) + if ((ret = ff_get_buffer(avctx, pic)) < 0) return ret; pic->pict_type = AV_PICTURE_TYPE_I; diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 440a55d3e9..f20dc3d9b7 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -599,7 +599,7 @@ static int flac_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = s->blocksize; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/g722dec.c b/libavcodec/g722dec.c index 72bb0ef3c7..9e0a2870b2 100644 --- a/libavcodec/g722dec.c +++ b/libavcodec/g722dec.c @@ -35,6 +35,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "g722.h" #include "libavutil/opt.h" @@ -96,7 +97,7 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ c->frame.nb_samples = avpkt->size * 2; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } 
diff --git a/libavcodec/g726.c b/libavcodec/g726.c index 85711f854c..81aa7d0927 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -448,7 +448,7 @@ static int g726_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ c->frame.nb_samples = out_samples; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/gsmdec.c b/libavcodec/gsmdec.c index 97b6fe8492..6fdf9fbf61 100644 --- a/libavcodec/gsmdec.c +++ b/libavcodec/gsmdec.c @@ -25,6 +25,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "msgsmdec.h" @@ -72,7 +73,7 @@ static int gsm_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = avctx->frame_size; - if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((res = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; } diff --git a/libavcodec/iff.c b/libavcodec/iff.c index b931e40213..4565724a8a 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -28,6 +28,7 @@ #include "libavutil/imgutils.h" #include "bytestream.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" typedef struct { @@ -260,7 +261,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return res; } - } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) { + } else if ((res = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; } else if (avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt != PIX_FMT_GRAY8) { 
@@ -317,7 +318,7 @@ static int decode_frame_byterun1(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return res; } - } else if ((res = avctx->get_buffer(avctx, &s->frame)) < 0) { + } else if ((res = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; } else if (avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt != PIX_FMT_GRAY8) { diff --git a/libavcodec/imc.c b/libavcodec/imc.c index bee38b07f8..44bef9a13a 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -36,6 +36,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "fft.h" @@ -680,7 +681,7 @@ static int imc_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ q->frame.nb_samples = COEFFS; - if ((ret = avctx->get_buffer(avctx, &q->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &q->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 9e90fb1c5a..c0957f0e3c 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -32,6 +32,7 @@ #include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #include "dsputil.h" #include "bytestream.h" #include "get_bits.h" @@ -1095,7 +1096,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->release_buffer(avctx, &ctx->frame); ctx->frame.reference = 0; - if ((res = avctx->get_buffer(avctx, &ctx->frame)) < 0) { + if ((res = ff_get_buffer(avctx, &ctx->frame)) < 0) { av_log(ctx->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; } diff --git a/libavcodec/internal.h b/libavcodec/internal.h index 441430e41c..66940a8da5 100644 --- a/libavcodec/internal.h +++ b/libavcodec/internal.h 
@@ -126,4 +126,7 @@ int avpriv_unlock_avformat(void); */ int ff_alloc_packet(AVPacket *avpkt, int size); + +int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame); + #endif /* AVCODEC_INTERNAL_H */ diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 84695a058b..25390018ad 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -28,6 +28,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "ivi_common.h" #include "libavutil/common.h" @@ -940,7 +941,7 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, ctx->frame.reference = 0; avcodec_set_dimensions(avctx, ctx->planes[0].width, ctx->planes[0].height); - if ((result = avctx->get_buffer(avctx, &ctx->frame)) < 0) { + if ((result = ff_get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return result; } diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 42bbcae530..21f30803da 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -27,6 +27,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" typedef struct { AVCodecContext *avctx; @@ -70,7 +71,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac maxcnt = w * h; c->cur.reference = 3; - if ((res = avctx->get_buffer(avctx, &c->cur)) < 0) + if ((res = ff_get_buffer(avctx, &c->cur)) < 0) return res; out = (uint16_t *) c->cur.data[0]; if (c->prev.data[0]) { diff --git a/libavcodec/libgsm.c b/libavcodec/libgsm.c index 1fa04cf9d9..1098bce631 100644 --- a/libavcodec/libgsm.c +++ b/libavcodec/libgsm.c 
@@ -188,7 +188,7 @@ static int libgsm_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = avctx->frame_size; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index ded92179d3..8265848155 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -143,7 +143,7 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = 160; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } @@ -295,7 +295,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = 320; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/libspeexdec.c b/libavcodec/libspeexdec.c index eba2f16949..0ce09f4be7 100644 --- a/libavcodec/libspeexdec.c +++ b/libavcodec/libspeexdec.c @@ -108,7 +108,7 @@ static int libspeex_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = s->frame_size; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/mace.c b/libavcodec/mace.c index d02b1dc095..2d2f3767a1 100644 --- a/libavcodec/mace.c +++ b/libavcodec/mace.c @@ -25,6 +25,7 @@ */ #include "avcodec.h" +#include "internal.h" /* * Adapted to libavcodec by Francois Revol 
@@ -253,7 +254,7 @@ static int mace_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ ctx->frame.nb_samples = 3 * (buf_size << (1 - is_mace3)) / avctx->channels; - if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index e74b20269a..6f6701fa10 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -27,6 +27,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "dsputil.h" #include "libavutil/intreadwrite.h" #include "get_bits.h" @@ -932,7 +933,7 @@ static int output_data(MLPDecodeContext *m, unsigned int substr, /* get output buffer */ m->frame.nb_samples = s->blockpos; - if ((ret = avctx->get_buffer(avctx, &m->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &m->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index b678afd1a2..443c78b40f 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -27,6 +27,7 @@ #include "libavutil/lfg.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "mpegaudiodsp.h" @@ -218,7 +219,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ c->frame.nb_samples = buf[1] ? c->lastframelen : MPC_FRAME_SIZE; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index f5eb4d6651..5dadbefafb 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -27,6 +27,7 @@ #include "libavutil/lfg.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "mpegaudiodsp.h" 
@@ -250,7 +251,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ c->frame.nb_samples = MPC_FRAME_SIZE; - if ((res = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((res = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; } diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index e2216f3fdb..ee67f12464 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -26,6 +26,7 @@ #include "libavutil/audioconvert.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "mathops.h" #include "mpegaudiodsp.h" @@ -1604,7 +1605,7 @@ static int mp_decode_frame(MPADecodeContext *s, OUT_INT *samples, /* get output buffer */ if (!samples) { s->frame.nb_samples = s->avctx->frame_size; - if ((ret = s->avctx->get_buffer(s->avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(s->avctx, &s->frame)) < 0) { av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } @@ -1910,7 +1911,7 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame->nb_samples = MPA_FRAME_SIZE; - if ((ret = avctx->get_buffer(avctx, s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 6f0d0457f7..fff5c7eef9 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -249,7 +249,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, /* use stored SOF data to allocate current picture */ if (jpg->picture_ptr->data[0]) avctx->release_buffer(avctx, jpg->picture_ptr); - if (avctx->get_buffer(avctx, jpg->picture_ptr) < 0) { + if (ff_get_buffer(avctx, jpg->picture_ptr) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return AVERROR(ENOMEM); } 
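Review bot: libavcodec/mxpegdec.c now calls ff_get_buffer() at @@ -249,7 +249,7 @@ but, unlike most files in this patch, its diff has no hunk adding #include "internal.h", which is where the prototype is declared. Unless a header this file already includes pulls in internal.h, the call is an implicit function declaration; add the include next to the file's other libavcodec headers. The roqvideoenc.c diff later in the patch has the same gap.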
@@ -268,7 +268,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, /* allocate dummy reference picture if needed */ if (!reference_ptr->data[0] && - avctx->get_buffer(avctx, reference_ptr) < 0) { + ff_get_buffer(avctx, reference_ptr) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return AVERROR(ENOMEM); } diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c index 69c1b86f5e..1bc2b5422d 100644 --- a/libavcodec/nellymoserdec.c +++ b/libavcodec/nellymoserdec.c @@ -36,6 +36,7 @@ #include "libavutil/random_seed.h" #include "libavutil/audioconvert.h" #include "avcodec.h" +#include "internal.h" #include "dsputil.h" #include "fft.h" #include "fmtconvert.h" @@ -179,7 +180,7 @@ static int decode_tag(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = NELLY_SAMPLES * blocks; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/pcm-mpeg.c b/libavcodec/pcm-mpeg.c index f010b970bf..0d0eba189b 100644 --- a/libavcodec/pcm-mpeg.c +++ b/libavcodec/pcm-mpeg.c @@ -26,6 +26,7 @@ #include "libavutil/audioconvert.h" #include "avcodec.h" +#include "internal.h" #include "bytestream.h" /* @@ -161,7 +162,7 @@ static int pcm_bluray_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = samples; - if ((retval = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((retval = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return retval; } diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index cd44d77000..23a03c45ad 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c 
@@ -302,7 +302,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = n * samples_per_block / avctx->channels; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 65c6e2fbe3..345456ce6e 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -573,7 +573,7 @@ static int submit_packet(PerThreadContext *p, AVPacket *avpkt) pthread_cond_wait(&p->progress_cond, &p->progress_mutex); if (p->state == STATE_GET_BUFFER) { - p->result = p->avctx->get_buffer(p->avctx, p->requested_frame); + p->result = p-ff_get_buffer(p->avctx, p->requested_frame); p->state = STATE_SETTING_UP; pthread_cond_signal(&p->progress_cond); } @@ -919,7 +919,7 @@ int ff_thread_get_buffer(AVCodecContext *avctx, AVFrame *f) if (!(avctx->active_thread_type&FF_THREAD_FRAME)) { f->thread_opaque = NULL; - return avctx->get_buffer(avctx, f); + return ff_get_buffer(avctx, f); } if (p->state != STATE_SETTING_UP && @@ -941,7 +941,7 @@ int ff_thread_get_buffer(AVCodecContext *avctx, AVFrame *f) if (avctx->thread_safe_callbacks || avctx->get_buffer == avcodec_default_get_buffer) { - err = avctx->get_buffer(avctx, f); + err = ff_get_buffer(avctx, f); } else { p->requested_frame = f; p->state = STATE_GET_BUFFER; diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c index a3af2378f3..3d7420b9f2 100644 --- a/libavcodec/qcelpdec.c +++ b/libavcodec/qcelpdec.c @@ -697,7 +697,7 @@ static int qcelp_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ q->avframe.nb_samples = 160; - if ((ret = avctx->get_buffer(avctx, &q->avframe)) < 0) { + if ((ret = ff_get_buffer(avctx, &q->avframe)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 6b11b46d98..936c911d1a 100644 
--- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -37,6 +37,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "rdft.h" @@ -2003,7 +2004,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = 16 * s->frame_size; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index dd8838c417..86c7eedd9c 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c @@ -24,6 +24,7 @@ #include "libavutil/intmath.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "ra144.h" @@ -77,7 +78,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ ractx->frame.nb_samples = NBLOCKS * BLOCKSIZE; - if ((ret = avctx->get_buffer(avctx, &ractx->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &ractx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/ra288.c b/libavcodec/ra288.c index 4cb2493fc9..0d10545faa 100644 --- a/libavcodec/ra288.c +++ b/libavcodec/ra288.c @@ -20,6 +20,7 @@ */ #include "avcodec.h" +#include "internal.h" #define BITSTREAM_READER_LE #include "get_bits.h" #include "ra288.h" @@ -188,7 +189,7 @@ static int ra288_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ ractx->frame.nb_samples = RA288_BLOCK_SIZE * RA288_BLOCKS_PER_FRAME; - if ((ret = avctx->get_buffer(avctx, &ractx->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &ractx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 2a62d5509d..58dd255a55 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c 
@@ -1031,8 +1031,8 @@ static int roq_encode_frame(AVCodecContext *avctx, unsigned char *buf, int buf_s if (enc->first_frame) { /* Alloc memory for the reconstruction data (we must know the stride for that) */ - if (avctx->get_buffer(avctx, enc->current_frame) || - avctx->get_buffer(avctx, enc->last_frame)) { + if (ff_get_buffer(avctx, enc->current_frame) || + ff_get_buffer(avctx, enc->last_frame)) { av_log(avctx, AV_LOG_ERROR, " RoQ: get_buffer() failed\n"); return -1; } diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 34018aeb46..f18059da51 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -22,6 +22,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #define AES3_HEADER_LEN 4 @@ -94,7 +95,7 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ block_size = (avctx->bits_per_coded_sample + 4) / 4; s->frame.nb_samples = 2 * (buf_size / block_size) / avctx->channels; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index f96a003e75..2a127c50b9 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -28,6 +28,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "bytestream.h" #include "get_bits.h" #include "golomb.h" @@ -598,7 +599,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (s->cur_chan == s->channels) { /* get output buffer */ s->frame.nb_samples = s->blocksize; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/sipr.c b/libavcodec/sipr.c index 818524ca62..b862e7d3be 100644 --- a/libavcodec/sipr.c +++ b/libavcodec/sipr.c 
@@ -27,6 +27,7 @@ #include "libavutil/mathematics.h" #include "avcodec.h" +#include "internal.h" #define BITSTREAM_READER_LE #include "get_bits.h" #include "dsputil.h" @@ -541,7 +542,7 @@ static int sipr_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ ctx->frame.nb_samples = mode_par->frames_per_packet * subframe_size * mode_par->subframe_count; - if ((ret = avctx->get_buffer(avctx, &ctx->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &ctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e07fc3749d..bce23f4e0a 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -32,6 +32,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "libavutil/audioconvert.h" #include "mathops.h" @@ -636,7 +637,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = unp_size / (avctx->channels * (bits + 1)); - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index ef136b94f0..82b828b6dd 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -512,8 +512,8 @@ static int svq1_encode_frame(AVCodecContext *avctx, unsigned char *buf, } if(!s->current_picture.data[0]){ - avctx->get_buffer(avctx, &s->current_picture); - avctx->get_buffer(avctx, &s->last_picture); + ff_get_buffer(avctx, &s->current_picture); + ff_get_buffer(avctx, &s->last_picture); s->scratchbuf = av_malloc(s->current_picture.linesize[0] * 16 * 2); } diff --git a/libavcodec/thread.h b/libavcodec/thread.h index 7f018fc441..782c03cbcf 100644 --- a/libavcodec/thread.h +++ b/libavcodec/thread.h 
@@ -89,7 +89,7 @@ void ff_thread_await_progress(AVFrame *f, int progress, int field); /** * Wrapper around get_buffer() for frame-multithreaded codecs. - * Call this function instead of avctx->get_buffer(f). + * Call this function instead of ff_get_buffer(f). * Cannot be called after the codec has called ff_thread_finish_setup(). * * @param avctx The current context. diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c index 5ef0a01427..4b69b90ddb 100644 --- a/libavcodec/truespeech.c +++ b/libavcodec/truespeech.c @@ -21,6 +21,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #include "dsputil.h" #include "get_bits.h" @@ -325,7 +326,7 @@ static int truespeech_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ c->frame.nb_samples = iterations * 240; - if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 1743f7d0ac..9ea7d030cd 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -31,6 +31,7 @@ //#define DEBUG #include #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "libavutil/crc.h" @@ -343,7 +344,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = framelen; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index c58a9bc75d..061ff7636b 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -20,6 +20,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "fft.h" 
@@ -840,7 +841,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, /* get output buffer */ if (tctx->discarded_packets >= 2) { tctx->frame.nb_samples = mtab->size; - if ((ret = avctx->get_buffer(avctx, &tctx->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &tctx->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7902e987ca..e657a2cece 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -552,7 +552,7 @@ int avcodec_default_reget_buffer(AVCodecContext *s, AVFrame *pic){ if(pic->data[0] == NULL) { /* We will copy from buffer, so must be readable */ pic->buffer_hints |= FF_BUFFER_HINTS_READABLE; - return s->get_buffer(s, pic); + return ff_get_buffer(s, pic); } /* If internal buffer type return the same buffer */ @@ -571,7 +571,7 @@ int avcodec_default_reget_buffer(AVCodecContext *s, AVFrame *pic){ pic->data[i] = pic->base[i] = NULL; pic->opaque = NULL; /* Allocate new frame */ - if (s->get_buffer(s, pic)) + if (ff_get_buffer(s, pic)) return -1; /* Copy image data from old buffer to new buffer */ av_picture_copy((AVPicture*)pic, (AVPicture*)&temp_pic, s->pix_fmt, s->width, @@ -1815,7 +1815,7 @@ unsigned int avpriv_toupper4(unsigned int x) int ff_thread_get_buffer(AVCodecContext *avctx, AVFrame *f) { f->owner = avctx; - return avctx->get_buffer(avctx, f); + return ff_get_buffer(avctx, f); } void ff_thread_release_buffer(AVCodecContext *avctx, AVFrame *f) @@ -1863,3 +1863,16 @@ int avcodec_is_open(AVCodecContext *s) { return !!s->internal; } + +int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame) +{ + switch (avctx->codec_type) { + case AVMEDIA_TYPE_VIDEO: + if (av_image_check_size(avctx->width, avctx->height, 0, avctx)) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %dx%d\n", + avctx->width, avctx->height); + return AVERROR_INVALIDDATA; + } + } + return avctx->get_buffer(avctx, frame); +} 
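Review bot: ff_get_buffer() in the utils.c hunk at @@ -1863,3 +1863,16 @@ validates only AVMEDIA_TYPE_VIDEO, so audio callers still reach avctx->get_buffer() with frame->nb_samples unchecked, even though several of the converted decoders derive it from packet data (for example dsicinav.c sets it to avpkt->size - cin->initial_decode_frame). Consider an AVMEDIA_TYPE_AUDIO case that rejects a non-positive nb_samples with AVERROR_INVALIDDATA, so both media types are checked at the same choke point. The single-case switch also has no break and no default and only works by falling out of the switch; add them, or write the video test as a plain if on avctx->codec_type.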
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 4659971335..bdd9ca056e 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -45,6 +45,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #include "bytestream.h" #define VMD_HEADER_SIZE 0x330 @@ -396,7 +397,7 @@ static int vmdvideo_decode_frame(AVCodecContext *avctx, return buf_size; s->frame.reference = 1; - if (avctx->get_buffer(avctx, &s->frame)) { + if (ff_get_buffer(avctx, &s->frame)) { av_log(s->avctx, AV_LOG_ERROR, "VMD Video: get_buffer() failed\n"); return -1; } @@ -569,7 +570,7 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 5a0a4a4a9b..a22b541b11 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -27,6 +27,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "dsputil.h" #include "fft.h" @@ -1668,7 +1669,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, void *data, /* get output buffer */ vc->frame.nb_samples = len; - if ((ret = avccontext->get_buffer(avccontext, &vc->frame)) < 0) { + if ((ret = ff_get_buffer(avccontext, &vc->frame)) < 0) { av_log(avccontext, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 31377e75c6..73986f89f4 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -23,6 +23,7 @@ #include "libavutil/audioconvert.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "unary.h" 
@@ -1207,7 +1208,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = s->samples; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index c88a035336..a0eb5c3b63 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -34,6 +34,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "wma.h" #undef NDEBUG @@ -842,7 +843,7 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = nb_frames * s->frame_len; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 902c4e32bd..93bccb0e37 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1384,7 +1384,7 @@ static int decode_frame(WMAProDecodeCtx *s, int *got_frame_ptr) /* get output buffer */ s->frame.nb_samples = s->samples_per_frame; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); s->packet_loss = 1; return 0; diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 41a9ea3bb8..444a7274cc 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -29,6 +29,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "get_bits.h" #include "put_bits.h" #include "wmavoice_data.h" 
@@ -1814,7 +1815,7 @@ static int synth_superframe(AVCodecContext *ctx, int *got_frame_ptr) /* get output buffer */ s->frame.nb_samples = 480; - if ((res = ctx->get_buffer(ctx, &s->frame)) < 0) { + if ((res = ff_get_buffer(ctx, &s->frame)) < 0) { av_log(ctx, AV_LOG_ERROR, "get_buffer() failed\n"); return res; } diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c index 15eb6f895a..685c8ecfd9 100644 --- a/libavcodec/ws-snd1.c +++ b/libavcodec/ws-snd1.c @@ -22,6 +22,7 @@ #include #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" /** * @file @@ -89,7 +90,7 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ s->frame.nb_samples = out_size; - if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { + if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/xan.c b/libavcodec/xan.c index d0def65f20..fd7de1c9d7 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -34,6 +34,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "internal.h" #include "bytestream.h" #define BITSTREAM_READER_LE #include "get_bits.h" @@ -560,7 +561,7 @@ static int xan_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if ((ret = avctx->get_buffer(avctx, &s->current_frame))) { + if ((ret = ff_get_buffer(avctx, &s->current_frame))) { av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; } diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 3c2d8b8957..e1d9753cb1 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -26,6 +26,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "get_bits.h" typedef struct YopDecContext { 
@@ -198,7 +199,7 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); - ret = avctx->get_buffer(avctx, &s->frame); + ret = ff_get_buffer(avctx, &s->frame); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; From c98d164a6a2c3d93bfb10d44c946bc3ed56f14e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 13 Nov 2012 19:01:51 +0200 Subject: [PATCH 892/991] configure: Check for -Werror parameters on clang MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 9eded0fe412e610ee8944681d5c554b723463e96) Signed-off-by: Luca Barbato --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 13066e224a..e12b88d9d8 100755 --- a/configure +++ b/configure @@ -3141,6 +3141,8 @@ elif enabled llvm_gcc; then elif enabled clang; then check_cflags -mllvm -stack-alignment=16 check_cflags -Qunused-arguments + check_cflags -Werror=implicit-function-declaration + check_cflags -Werror=missing-prototypes elif enabled armcc; then # 2523: use of inline assembler is deprecated add_cflags -W${armcc_opt},--diag_suppress=2523 From e24d1cbc4e134e0b4448b3bc3a80f3197271b347 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 9 Aug 2014 14:14:34 +0200 Subject: [PATCH 893/991] lavf: Fix leftovers from the ff_get_buffer patch The automated script did not perfectly replace all the instances nor added internal.h in all the files requiring it. --- libavcodec/mxpegdec.c | 1 + libavcodec/pthread.c | 2 +- libavcodec/roqvideoenc.c | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index fff5c7eef9..dda4b32073 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c 
@@ -27,6 +27,7 @@ #include "mjpeg.h" #include "mjpegdec.h" +#include "internal.h" typedef struct MXpegDecodeContext { MJpegDecodeContext jpg; diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 345456ce6e..7a89cc4e82 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -573,7 +573,7 @@ static int submit_packet(PerThreadContext *p, AVPacket *avpkt) pthread_cond_wait(&p->progress_cond, &p->progress_mutex); if (p->state == STATE_GET_BUFFER) { - p->result = p-ff_get_buffer(p->avctx, p->requested_frame); + p->result = ff_get_buffer(p->avctx, p->requested_frame); p->state = STATE_SETTING_UP; pthread_cond_signal(&p->progress_cond); } diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 58dd255a55..2683a4ad0e 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -60,6 +60,7 @@ #include "bytestream.h" #include "elbg.h" #include "mathops.h" +#include "internal.h" #define CHROMA_BIAS 1 From 5a2d1913a96bb0e029b424a4dd5b414cfb91c708 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 9 Aug 2014 09:09:24 -0400 Subject: [PATCH 894/991] Prepare for 0.8.15 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 832bad2740..7d87d9947c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.14 +0.8.15 From 452e343295e25f7b2cbc8529c66e9386e2ea6f55 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 9 Aug 2014 08:22:11 -0700 Subject: [PATCH 895/991] avcodec: Add more missing #includes for ff_get_buffer() --- libavcodec/libgsm.c | 1 + libavcodec/libopencore-amr.c | 1 + libavcodec/libspeexdec.c | 1 + 3 files changed, 3 insertions(+) diff --git a/libavcodec/libgsm.c b/libavcodec/libgsm.c index 1098bce631..a1fbb55f15 100644 --- a/libavcodec/libgsm.c +++ b/libavcodec/libgsm.c @@ -30,6 +30,7 @@ #include #include "avcodec.h" +#include "internal.h" #include "gsm.h" static av_cold int libgsm_encode_init(AVCodecContext *avctx) { 
diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index 8265848155..724c3fcaf5 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -20,6 +20,7 @@ */ #include "avcodec.h" +#include "internal.h" #include "libavutil/avstring.h" #include "libavutil/opt.h" diff --git a/libavcodec/libspeexdec.c b/libavcodec/libspeexdec.c index 0ce09f4be7..a9ed04719d 100644 --- a/libavcodec/libspeexdec.c +++ b/libavcodec/libspeexdec.c @@ -23,6 +23,7 @@ #include #include #include "avcodec.h" +#include "internal.h" typedef struct { AVFrame frame; From b5d7b80a7e43779ca2962ba56442579c2a7e927d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 04:51:09 +0200 Subject: [PATCH 896/991] ffv1dec: check that global parameters do not change in version 0/1 Such changes are neither allowed nor supported Found-by: ami_stuff Bug-Id: CVE-2013-7020 CC: libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit da7d839a0d3ec40423a665dc85e0cfaed3f92eb8) Signed-off-by: Anton Khirnov Conflicts: libavcodec/ffv1dec.c --- libavcodec/ffv1.c | 49 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 917f40d1bc..5e798883b6 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c 
@@ -1518,20 +1518,45 @@ static int read_header(FFV1Context *f){ memset(state, 128, sizeof(state)); if(f->version < 2){ - f->version= get_symbol(c, state, 0); - f->ac= f->avctx->coder_type= get_symbol(c, state, 0); - if(f->ac>1){ - for(i=1; i<256; i++){ - f->state_transition[i]= get_symbol(c, state, 1) + c->one_state[i]; + int chroma_h_shift, chroma_v_shift, colorspace, bits_per_raw_sample; + unsigned v = get_symbol(c, state, 0); + if (v > 1) { + av_log(f->avctx, AV_LOG_ERROR, + "invalid version %d in version 1 header\n", v); + return AVERROR_INVALIDDATA; + } + f->version = v; + + f->ac = f->avctx->coder_type = get_symbol(c, state, 0); + + if (f->ac > 1) { + for (i = 1; i < 256; i++) + f->state_transition[i] = + get_symbol(c, state, 1) + c->one_state[i]; + } + + colorspace = get_symbol(c, state, 0); //YUV cs type + bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample; + get_rac(c, state); //no chroma = false + chroma_h_shift = get_symbol(c, state, 0); + chroma_v_shift = get_symbol(c, state, 0); + get_rac(c, state); //transparency plane + + if (f->plane_count) { + if (colorspace != f->colorspace || + bits_per_raw_sample != f->avctx->bits_per_raw_sample || + chroma_h_shift != f->chroma_h_shift || + chroma_v_shift != f->chroma_v_shift) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n"); + return AVERROR_INVALIDDATA; } } - f->colorspace= get_symbol(c, state, 0); //YUV cs type - if(f->version>0) - f->avctx->bits_per_raw_sample= get_symbol(c, state, 0); - get_rac(c, state); //no chroma = false - f->chroma_h_shift= get_symbol(c, state, 0); - f->chroma_v_shift= get_symbol(c, state, 0); - get_rac(c, state); //transparency plane + + f->colorspace = colorspace; + f->avctx->bits_per_raw_sample = bits_per_raw_sample; + f->chroma_h_shift = chroma_h_shift; + f->chroma_v_shift = chroma_v_shift; + f->plane_count= 2; } From a2c6cb260fdab9337e9a2aca2c53e5bf136dc3e1 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 7 Aug 2014 02:27:07 +0200 Subject: [PATCH 897/991] avcodec/svq1dec: Fix multiple bugs from "svq1: do not modify the input packet" Add padding, clear size, use the correct pointer. Signed-off-by: Michael Niedermayer (cherry picked from commit 4213fc5b9eebec53c7d22b770c3f1ceecca1c113) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 224aef5ed1..1c00c93e9e 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -652,7 +652,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, + av_fast_padded_malloc(&s->pkt_swapped, &s->pkt_swapped_allocated, buf_size); if (!s->pkt_swapped) return AVERROR(ENOMEM); @@ -821,6 +821,7 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx) MpegEncContext *s = avctx->priv_data; av_freep(&s->pkt_swapped); + s->pkt_swapped_allocated = 0; MPV_common_end(s); return 0; From 80a77c0c5befee2ca395ad91259385a67a9ed5cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Aug 2014 20:09:50 +0200 Subject: [PATCH 898/991] avcodec/libspeexdec: fix missing header includes Signed-off-by: Michael Niedermayer --- libavcodec/libspeexdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libspeexdec.c b/libavcodec/libspeexdec.c index ca3143c377..de6b806eff 100644 --- a/libavcodec/libspeexdec.c +++ b/libavcodec/libspeexdec.c @@ -23,6 +23,7 @@ #include #include #include "avcodec.h" +#include "internal.h" typedef struct { AVFrame frame; From 394f4ee61e3bf94aae0749095c8a555e3cb3b719 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 16 May 2012 00:01:34 +0100 Subject: [PATCH 899/991] pcmenc: set correct bitrate value This fixes a bogus bitrate value in the header of WAV files with alaw/ulaw audio. 
Signed-off-by: Mans Rullgard (cherry picked from commit 7d7b40f48a05af4483b31cdb8b4f1808b97b1f2f) Conflicts: libavcodec/pcm.c Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 1 + tests/ref/acodec/pcm_alaw | 2 +- tests/ref/acodec/pcm_mulaw | 2 +- tests/ref/seek/pcm_alaw_wav | 36 ++++++++++++++++++------------------ tests/ref/seek/pcm_mulaw_wav | 36 ++++++++++++++++++------------------ 5 files changed, 39 insertions(+), 38 deletions(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 35ccc9d8f4..818a635d22 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -48,6 +48,7 @@ static av_cold int pcm_encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = av_get_bits_per_sample(avctx->codec->id); avctx->block_align = avctx->channels * avctx->bits_per_coded_sample/8; + avctx->bit_rate = avctx->block_align * avctx->sample_rate * 8; avctx->coded_frame= avcodec_alloc_frame(); avctx->coded_frame->key_frame= 1; diff --git a/tests/ref/acodec/pcm_alaw b/tests/ref/acodec/pcm_alaw index 4943831d39..0eba43a0c4 100644 --- a/tests/ref/acodec/pcm_alaw +++ b/tests/ref/acodec/pcm_alaw @@ -1,4 +1,4 @@ -ede2da07839a00c255a43129922f2c7b *./tests/data/acodec/pcm_alaw.wav +a2dd6a934ec6d5ec901a211652e85227 *./tests/data/acodec/pcm_alaw.wav 529258 ./tests/data/acodec/pcm_alaw.wav f323f7551ffad91de8613f44dcb198b6 *./tests/data/pcm_alaw.acodec.out.wav stddev: 101.67 PSNR: 56.19 MAXDIFF: 515 bytes: 1058400/ 1058400 diff --git a/tests/ref/acodec/pcm_mulaw b/tests/ref/acodec/pcm_mulaw index cefd76ba49..e1abcbe60c 100644 --- a/tests/ref/acodec/pcm_mulaw +++ b/tests/ref/acodec/pcm_mulaw @@ -1,4 +1,4 @@ -0c2a55850fb46ad5385a69b15b271f10 *./tests/data/acodec/pcm_mulaw.wav +fd10ee54bd298fc29fd6fc70baa71414 *./tests/data/acodec/pcm_mulaw.wav 529258 ./tests/data/acodec/pcm_mulaw.wav 7ae8c3fc804bd574006fd547fe28980c *./tests/data/pcm_mulaw.acodec.out.wav stddev: 103.38 PSNR: 56.04 MAXDIFF: 644 bytes: 1058400/ 1058400 
diff --git a/tests/ref/seek/pcm_alaw_wav b/tests/ref/seek/pcm_alaw_wav index 22d95bf27f..e5466bd2d3 100644 --- a/tests/ref/seek/pcm_alaw_wav +++ b/tests/ref/seek/pcm_alaw_wav 
@@ -2,52 +2,52 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.894127 pts: 1.894127 pos: 30364 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.894172 pts: 1.894172 pos: 167124 size: 4096 ret: 0 st: 0 flags:0 ts: 0.788345 -ret: 0 st: 0 flags:1 dts: 0.788367 pts: 0.788367 pos: 12672 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.788345 pts: 0.788345 pos: 69590 size: 4096 ret: 0 st: 0 flags:1 ts:-0.317506 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:0 ts: 2.576668 -ret: 0 st: 0 flags:1 dts: 2.576757 pts: 2.576757 pos: 41286 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.576667 pts: 2.576667 pos: 227320 size: 4096 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.470748 pts: 1.470748 pos: 23590 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.470839 pts: 1.470839 pos: 129786 size: 4096 ret: 0 st: 0 flags:0 ts: 0.365011 -ret: 0 st: 0 flags:1 dts: 0.365125 pts: 0.365125 pos: 5900 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.365011 pts: 0.365011 pos: 32252 size: 4096 ret: 0 st: 0 flags:1 ts:-0.740839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:0 ts: 2.153336 -ret: 0 st: 0 flags:1 dts: 2.153379 pts: 2.153379 pos: 34512 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.153333 pts: 2.153333 pos: 189982 size: 4096 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.047506 pts: 1.047506 pos: 16818 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.047506 pts: 1.047506 pos: 92448 size: 4096 ret: 0 st: 0 flags:0 ts:-0.058322 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:1 ts: 2.835828 -ret: 0 st: 0 flags:1 dts: 2.835760 pts: 2.835760 pos: 45430 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.835828 pts: 2.835828 pos: 250178 size: 4096 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.730000 pts: 
1.730000 pos: 27738 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.730000 pts: 1.730000 pos: 152644 size: 4096 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.624127 pts: 0.624127 pos: 10044 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.624172 pts: 0.624172 pos: 55110 size: 4096 ret: 0 st: 0 flags:0 ts:-0.481655 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:1 ts: 2.412494 -ret: 0 st: 0 flags:1 dts: 2.412381 pts: 2.412381 pos: 38656 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.412494 pts: 2.412494 pos: 212840 size: 4096 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.306757 pts: 1.306757 pos: 20966 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.306667 pts: 1.306667 pos: 115306 size: 4096 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200748 pts: 0.200748 pos: 3270 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.200839 pts: 0.200839 pos: 17772 size: 4096 ret: 0 st: 0 flags:0 ts:-0.904989 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:1 ts: 1.989184 -ret: 0 st: 0 flags:1 dts: 1.989116 pts: 1.989116 pos: 31884 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.989184 pts: 1.989184 pos: 175504 size: 4096 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.883379 pts: 0.883379 pos: 14192 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.883333 pts: 0.883333 pos: 77968 size: 4096 ret: 0 st:-1 flags:1 ts:-0.222493 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:0 ts: 2.671678 -ret: 0 st: 0 flags:1 dts: 2.671746 pts: 2.671746 pos: 42806 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.671678 pts: 2.671678 pos: 235700 size: 4096 ret: 0 st: 0 flags:1 ts: 1.565850 -ret: 0 st: 0 flags:1 dts: 1.565760 pts: 1.565760 pos: 25110 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.565850 pts: 1.565850 pos: 138166 size: 4096 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.460000 pts: 0.460000 pos: 7418 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.460000 pts: 0.460000 pos: 
40630 size: 4096 ret: 0 st:-1 flags:1 ts:-0.645825 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 diff --git a/tests/ref/seek/pcm_mulaw_wav b/tests/ref/seek/pcm_mulaw_wav index 22d95bf27f..e5466bd2d3 100644 --- a/tests/ref/seek/pcm_mulaw_wav +++ b/tests/ref/seek/pcm_mulaw_wav 
@@ -2,52 +2,52 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.894127 pts: 1.894127 pos: 30364 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.894172 pts: 1.894172 pos: 167124 size: 4096 ret: 0 st: 0 flags:0 ts: 0.788345 -ret: 0 st: 0 flags:1 dts: 0.788367 pts: 0.788367 pos: 12672 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.788345 pts: 0.788345 pos: 69590 size: 4096 ret: 0 st: 0 flags:1 ts:-0.317506 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:0 ts: 2.576668 -ret: 0 st: 0 flags:1 dts: 2.576757 pts: 2.576757 pos: 41286 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.576667 pts: 2.576667 pos: 227320 size: 4096 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.470748 pts: 1.470748 pos: 23590 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.470839 pts: 1.470839 pos: 129786 size: 4096 ret: 0 st: 0 flags:0 ts: 0.365011 -ret: 0 st: 0 flags:1 dts: 0.365125 pts: 0.365125 pos: 5900 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.365011 pts: 0.365011 pos: 32252 size: 4096 ret: 0 st: 0 flags:1 ts:-0.740839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st:-1 flags:0 ts: 2.153336 -ret: 0 st: 0 flags:1 dts: 2.153379 pts: 2.153379 pos: 34512 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.153333 pts: 2.153333 pos: 189982 size: 4096 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.047506 pts: 1.047506 pos: 16818 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.047506 pts: 1.047506 pos: 92448 size: 4096 ret: 0 st: 0 flags:0 ts:-0.058322 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:1 ts: 2.835828 -ret: 0 st: 0 flags:1 dts: 2.835760 pts: 2.835760 pos: 45430 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.835828 pts: 2.835828 pos: 250178 size: 4096 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.730000 pts: 
1.730000 pos: 27738 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.730000 pts: 1.730000 pos: 152644 size: 4096 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.624127 pts: 0.624127 pos: 10044 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.624172 pts: 0.624172 pos: 55110 size: 4096 ret: 0 st: 0 flags:0 ts:-0.481655 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:1 ts: 2.412494 -ret: 0 st: 0 flags:1 dts: 2.412381 pts: 2.412381 pos: 38656 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.412494 pts: 2.412494 pos: 212840 size: 4096 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.306757 pts: 1.306757 pos: 20966 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.306667 pts: 1.306667 pos: 115306 size: 4096 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200748 pts: 0.200748 pos: 3270 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.200839 pts: 0.200839 pos: 17772 size: 4096 ret: 0 st: 0 flags:0 ts:-0.904989 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:1 ts: 1.989184 -ret: 0 st: 0 flags:1 dts: 1.989116 pts: 1.989116 pos: 31884 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.989184 pts: 1.989184 pos: 175504 size: 4096 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.883379 pts: 0.883379 pos: 14192 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.883333 pts: 0.883333 pos: 77968 size: 4096 ret: 0 st:-1 flags:1 ts:-0.222493 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 ret: 0 st: 0 flags:0 ts: 2.671678 -ret: 0 st: 0 flags:1 dts: 2.671746 pts: 2.671746 pos: 42806 size: 4096 +ret: 0 st: 0 flags:1 dts: 2.671678 pts: 2.671678 pos: 235700 size: 4096 ret: 0 st: 0 flags:1 ts: 1.565850 -ret: 0 st: 0 flags:1 dts: 1.565760 pts: 1.565760 pos: 25110 size: 4096 +ret: 0 st: 0 flags:1 dts: 1.565850 pts: 1.565850 pos: 138166 size: 4096 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.460000 pts: 0.460000 pos: 7418 size: 4096 +ret: 0 st: 0 flags:1 dts: 0.460000 pts: 0.460000 pos: 
40630 size: 4096 ret: 0 st:-1 flags:1 ts:-0.645825 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 58 size: 4096 From c13b19a5bcc23c49e67d97062cc0e9fa16c949c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Aug 2014 20:44:27 +0200 Subject: [PATCH 900/991] Update for 0.10.15 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 7f51569f6a..2ba74334b0 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.14 +PROJECT_NUMBER = 0.10.15 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index c70613aa09..ba788384c3 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.14 +0.10.15 diff --git a/VERSION b/VERSION index c70613aa09..ba788384c3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.14 +0.10.15 From 6dd19ffd39babd651744082301d133264a30882c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Thu, 10 May 2012 00:55:18 +0100 Subject: [PATCH 901/991] arm: dsputil: fix overreads in put/avg_pixels functions The vertically interpolating variants of these functions read ahead one line to optimise the loop. On the last line processed, this might be outside the buffer. Fix these invalid reads by processing the last line outside the loop. Signed-off-by: Mans Rullgard --- libavcodec/arm/dsputil_neon.S | 92 +++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/libavcodec/arm/dsputil_neon.S b/libavcodec/arm/dsputil_neon.S index d49aedd6c4..4bdcd95061 100644 --- a/libavcodec/arm/dsputil_neon.S +++ b/libavcodec/arm/dsputil_neon.S 
@@ -95,6 +95,7 @@ endfunc .endm .macro pixels16_y2 rnd=1, avg=0 + sub r3, r3, #2 vld1.64 {q0}, [r1], r2 vld1.64 {q1}, [r1], r2 1: subs r3, r3, #2 @@ -114,10 +115,25 @@ endfunc vst1.64 {q2}, [r0,:128], r2 vst1.64 {q3}, [r0,:128], r2 bne 1b + + avg q2, q0, q1 + vld1.64 {q0}, [r1], r2 + avg q3, q0, q1 + .if \avg + vld1.8 {q8}, [r0,:128], r2 + vld1.8 {q9}, [r0,:128] + vrhadd.u8 q2, q2, q8 + vrhadd.u8 q3, q3, q9 + sub r0, r0, r2 + .endif + vst1.64 {q2}, [r0,:128], r2 + vst1.64 {q3}, [r0,:128], r2 + bx lr .endm .macro pixels16_xy2 rnd=1, avg=0 + sub r3, r3, #2 vld1.64 {d0-d2}, [r1], r2 vld1.64 {d4-d6}, [r1], r2 .ifeq \rnd @@ -173,6 +189,42 @@ endfunc vaddl.u8 q11, d3, d5 vst1.64 {q15}, [r0,:128], r2 bgt 1b + + vld1.64 {d0-d2}, [r1], r2 + vadd.u16 q12, q8, q9 + .ifeq \rnd + vadd.u16 q12, q12, q13 + .endif + vext.8 q15, q0, q1, #1 + vadd.u16 q1 , q10, q11 + shrn d28, q12, #2 + .ifeq \rnd + vadd.u16 q1, q1, q13 + .endif + shrn d29, q1, #2 + .if \avg + vld1.8 {q8}, [r0,:128] + vrhadd.u8 q14, q14, q8 + .endif + vaddl.u8 q8, d0, d30 + vaddl.u8 q10, d1, d31 + vst1.64 {q14}, [r0,:128], r2 + vadd.u16 q12, q8, q9 + .ifeq \rnd + vadd.u16 q12, q12, q13 + .endif + vadd.u16 q0, q10, q11 + shrn d30, q12, #2 + .ifeq \rnd + vadd.u16 q0, q0, q13 + .endif + shrn d31, q0, #2 + .if \avg + vld1.8 {q9}, [r0,:128] + vrhadd.u8 q15, q15, q9 + .endif + vst1.64 {q15}, [r0,:128], r2 + bx lr .endm @@ -228,6 +280,7 @@ endfunc .endm .macro pixels8_y2 rnd=1, avg=0 + sub r3, r3, #2 vld1.64 {d0}, [r1], r2 vld1.64 {d1}, [r1], r2 1: subs r3, r3, #2 @@ -246,10 +299,24 @@ endfunc vst1.64 {d4}, [r0,:64], r2 vst1.64 {d5}, [r0,:64], r2 bne 1b + + avg d4, d0, d1 + vld1.64 {d0}, [r1], r2 + avg d5, d0, d1 + .if \avg + vld1.8 {d2}, [r0,:64], r2 + vld1.8 {d3}, [r0,:64] + vrhadd.u8 q2, q2, q1 + sub r0, r0, r2 + .endif + vst1.64 {d4}, [r0,:64], r2 + vst1.64 {d5}, [r0,:64], r2 + bx lr .endm .macro pixels8_xy2 rnd=1, avg=0 + sub r3, r3, #2 vld1.64 {q0}, [r1], r2 vld1.64 {q1}, [r1], r2 .ifeq \rnd 
@@ -291,6 +358,31 @@ endfunc vaddl.u8 q9, d2, d6 vst1.64 {d7}, [r0,:64], r2 bgt 1b + + vld1.64 {q0}, [r1], r2 + vadd.u16 q10, q8, q9 + vext.8 d4, d0, d1, #1 + .ifeq \rnd + vadd.u16 q10, q10, q11 + .endif + vaddl.u8 q8, d0, d4 + shrn d5, q10, #2 + vadd.u16 q10, q8, q9 + .if \avg + vld1.8 {d7}, [r0,:64] + vrhadd.u8 d5, d5, d7 + .endif + .ifeq \rnd + vadd.u16 q10, q10, q11 + .endif + vst1.64 {d5}, [r0,:64], r2 + shrn d7, q10, #2 + .if \avg + vld1.8 {d5}, [r0,:64] + vrhadd.u8 d7, d7, d5 + .endif + vst1.64 {d7}, [r0,:64], r2 + bx lr .endm From 9fa9d471a7af57a62843fdae0dc36e67960c3f3d Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Thu, 10 May 2012 16:24:33 +0100 Subject: [PATCH 902/991] arm: dsputil: prettify some conditional instructions in put_pixels macros Signed-off-by: Mans Rullgard --- libavcodec/arm/dsputil_neon.S | 62 +++++++++++------------------------ 1 file changed, 20 insertions(+), 42 deletions(-) diff --git a/libavcodec/arm/dsputil_neon.S b/libavcodec/arm/dsputil_neon.S index 4bdcd95061..21b1aba32b 100644 --- a/libavcodec/arm/dsputil_neon.S +++ b/libavcodec/arm/dsputil_neon.S @@ -136,9 +136,7 @@ endfunc sub r3, r3, #2 vld1.64 {d0-d2}, [r1], r2 vld1.64 {d4-d6}, [r1], r2 - .ifeq \rnd - vmov.i16 q13, #1 - .endif +NRND vmov.i16 q13, #1 pld [r1] pld [r1, r2] vext.8 q1, q0, q1, #1 @@ -151,15 +149,11 @@ endfunc vld1.64 {d0-d2}, [r1], r2 vadd.u16 q12, q8, q9 pld [r1] - .ifeq \rnd - vadd.u16 q12, q12, q13 - .endif +NRND vadd.u16 q12, q12, q13 vext.8 q15, q0, q1, #1 vadd.u16 q1 , q10, q11 shrn d28, q12, #2 - .ifeq \rnd - vadd.u16 q1, q1, q13 - .endif +NRND vadd.u16 q1, q1, q13 shrn d29, q1, #2 .if \avg vld1.8 {q8}, [r0,:128] 
@@ -171,15 +165,11 @@ endfunc vst1.64 {q14}, [r0,:128], r2 vadd.u16 q12, q8, q9 pld [r1, r2] - .ifeq \rnd - vadd.u16 q12, q12, q13 - .endif +NRND vadd.u16 q12, q12, q13 vext.8 q2, q1, q2, #1 vadd.u16 q0, q10, q11 shrn d30, q12, #2 - .ifeq \rnd - vadd.u16 q0, q0, q13 - .endif +NRND vadd.u16 q0, q0, q13 shrn d31, q0, #2 .if \avg vld1.8 {q9}, [r0,:128] @@ -192,15 +182,11 @@ endfunc vld1.64 {d0-d2}, [r1], r2 vadd.u16 q12, q8, q9 - .ifeq \rnd - vadd.u16 q12, q12, q13 - .endif +NRND vadd.u16 q12, q12, q13 vext.8 q15, q0, q1, #1 vadd.u16 q1 , q10, q11 shrn d28, q12, #2 - .ifeq \rnd - vadd.u16 q1, q1, q13 - .endif +NRND vadd.u16 q1, q1, q13 shrn d29, q1, #2 .if \avg vld1.8 {q8}, [r0,:128] @@ -210,14 +196,10 @@ endfunc vaddl.u8 q10, d1, d31 vst1.64 {q14}, [r0,:128], r2 vadd.u16 q12, q8, q9 - .ifeq \rnd - vadd.u16 q12, q12, q13 - .endif +NRND vadd.u16 q12, q12, q13 vadd.u16 q0, q10, q11 shrn d30, q12, #2 - .ifeq \rnd - vadd.u16 q0, q0, q13 - .endif +NRND vadd.u16 q0, q0, q13 shrn d31, q0, #2 .if \avg vld1.8 {q9}, [r0,:128] @@ -319,9 +301,7 @@ endfunc sub r3, r3, #2 vld1.64 {q0}, [r1], r2 vld1.64 {q1}, [r1], r2 - .ifeq \rnd - vmov.i16 q11, #1 - .endif +NRND vmov.i16 q11, #1 pld [r1] pld [r1, r2] vext.8 d4, d0, d1, #1 @@ -333,9 +313,7 @@ endfunc pld [r1] vadd.u16 q10, q8, q9 vext.8 d4, d0, d1, #1 - .ifeq \rnd - vadd.u16 q10, q10, q11 - .endif +NRND vadd.u16 q10, q10, q11 vaddl.u8 q8, d0, d4 shrn d5, q10, #2 vld1.64 {q1}, [r1], r2 @@ -345,9 +323,7 @@ endfunc vld1.8 {d7}, [r0,:64] vrhadd.u8 d5, d5, d7 .endif - .ifeq \rnd - vadd.u16 q10, q10, q11 - .endif +NRND vadd.u16 q10, q10, q11 vst1.64 {d5}, [r0,:64], r2 shrn d7, q10, #2 .if \avg @@ -362,9 +338,7 @@ endfunc vld1.64 {q0}, [r1], r2 vadd.u16 q10, q8, q9 vext.8 d4, d0, d1, #1 - .ifeq \rnd - vadd.u16 q10, q10, q11 - .endif +NRND vadd.u16 q10, q10, q11 vaddl.u8 q8, d0, d4 shrn d5, q10, #2 vadd.u16 q10, q8, q9 
@@ -372,9 +346,7 @@ endfunc vld1.8 {d7}, [r0,:64] vrhadd.u8 d5, d5, d7 .endif - .ifeq \rnd - vadd.u16 q10, q10, q11 - .endif +NRND vadd.u16 q10, q10, q11 vst1.64 {d5}, [r0,:64], r2 shrn d7, q10, #2 .if \avg @@ -394,6 +366,8 @@ endfunc .macro shrn rd, rn, rm vrshrn.u16 \rd, \rn, \rm .endm + .macro NRND insn:vararg + .endm .else .macro avg rd, rn, rm vhadd.u8 \rd, \rn, \rm @@ -401,12 +375,16 @@ endfunc .macro shrn rd, rn, rm vshrn.u16 \rd, \rn, \rm .endm + .macro NRND insn:vararg + \insn + .endm .endif function ff_\pfx\name\suf\()_neon, export=1 \name \rnd, \avg endfunc .purgem avg .purgem shrn + .purgem NRND .endm .macro pixfunc2 pfx, name, avg=0 From 8152b02f33a7b939cb2c9a5f26d10cd10465d4f9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Thu, 10 May 2012 17:40:30 +0100 Subject: [PATCH 903/991] arm/neon: dsputil: use correct size specifiers on vld1/vst1 Change the size specifiers to match the actual element sizes of the data. This makes no practical difference with strict alignment checking disabled (the default) other than somewhat documenting the code. With strict alignment checking on, it avoids trapping the unaligned loads. Signed-off-by: Mans Rullgard --- libavcodec/arm/dsputil_neon.S | 294 +++++++++++++++++----------------- 1 file changed, 147 insertions(+), 147 deletions(-) diff --git a/libavcodec/arm/dsputil_neon.S b/libavcodec/arm/dsputil_neon.S index 21b1aba32b..b59c901ea6 100644 --- a/libavcodec/arm/dsputil_neon.S +++ b/libavcodec/arm/dsputil_neon.S 
@@ -44,22 +44,22 @@ endfunc .if \avg mov r12, r0 .endif -1: vld1.64 {q0}, [r1], r2 - vld1.64 {q1}, [r1], r2 - vld1.64 {q2}, [r1], r2 +1: vld1.8 {q0}, [r1], r2 + vld1.8 {q1}, [r1], r2 + vld1.8 {q2}, [r1], r2 pld [r1, r2, lsl #2] - vld1.64 {q3}, [r1], r2 + vld1.8 {q3}, [r1], r2 pld [r1] pld [r1, r2] pld [r1, r2, lsl #1] .if \avg - vld1.64 {q8}, [r12,:128], r2 + vld1.8 {q8}, [r12,:128], r2 vrhadd.u8 q0, q0, q8 - vld1.64 {q9}, [r12,:128], r2 + vld1.8 {q9}, [r12,:128], r2 vrhadd.u8 q1, q1, q9 - vld1.64 {q10}, [r12,:128], r2 + vld1.8 {q10}, [r12,:128], r2 vrhadd.u8 q2, q2, q10 - vld1.64 {q11}, [r12,:128], r2 + vld1.8 {q11}, [r12,:128], r2 vrhadd.u8 q3, q3, q11 .endif subs r3, r3, #4 @@ -72,8 +72,8 @@ endfunc .endm .macro pixels16_x2 rnd=1, avg=0 -1: vld1.64 {d0-d2}, [r1], r2 - vld1.64 {d4-d6}, [r1], r2 +1: vld1.8 {d0-d2}, [r1], r2 + vld1.8 {d4-d6}, [r1], r2 pld [r1] pld [r1, r2] subs r3, r3, #2 @@ -88,21 +88,21 @@ endfunc vrhadd.u8 q2, q2, q3 sub r0, r0, r2 .endif - vst1.64 {q0}, [r0,:128], r2 - vst1.64 {q2}, [r0,:128], r2 + vst1.8 {q0}, [r0,:128], r2 + vst1.8 {q2}, [r0,:128], r2 bne 1b bx lr .endm .macro pixels16_y2 rnd=1, avg=0 sub r3, r3, #2 - vld1.64 {q0}, [r1], r2 - vld1.64 {q1}, [r1], r2 + vld1.8 {q0}, [r1], r2 + vld1.8 {q1}, [r1], r2 1: subs r3, r3, #2 avg q2, q0, q1 - vld1.64 {q0}, [r1], r2 + vld1.8 {q0}, [r1], r2 avg q3, q0, q1 - vld1.64 {q1}, [r1], r2 + vld1.8 {q1}, [r1], r2 pld [r1] pld [r1, r2] .if \avg @@ -112,12 +112,12 @@ endfunc vrhadd.u8 q3, q3, q9 sub r0, r0, r2 .endif - vst1.64 {q2}, [r0,:128], r2 - vst1.64 {q3}, [r0,:128], r2 + vst1.8 {q2}, [r0,:128], r2 + vst1.8 {q3}, [r0,:128], r2 bne 1b avg q2, q0, q1 - vld1.64 {q0}, [r1], r2 + vld1.8 {q0}, [r1], r2 avg q3, q0, q1 .if \avg vld1.8 {q8}, [r0,:128], r2 
@@ -126,16 +126,16 @@ endfunc vrhadd.u8 q3, q3, q9 sub r0, r0, r2 .endif - vst1.64 {q2}, [r0,:128], r2 - vst1.64 {q3}, [r0,:128], r2 + vst1.8 {q2}, [r0,:128], r2 + vst1.8 {q3}, [r0,:128], r2 bx lr .endm .macro pixels16_xy2 rnd=1, avg=0 sub r3, r3, #2 - vld1.64 {d0-d2}, [r1], r2 - vld1.64 {d4-d6}, [r1], r2 + vld1.8 {d0-d2}, [r1], r2 + vld1.8 {d4-d6}, [r1], r2 NRND vmov.i16 q13, #1 pld [r1] pld [r1, r2] @@ -146,7 +146,7 @@ NRND vmov.i16 q13, #1 vaddl.u8 q9, d4, d6 vaddl.u8 q11, d5, d7 1: subs r3, r3, #2 - vld1.64 {d0-d2}, [r1], r2 + vld1.8 {d0-d2}, [r1], r2 vadd.u16 q12, q8, q9 pld [r1] NRND vadd.u16 q12, q12, q13 @@ -160,9 +160,9 @@ NRND vadd.u16 q1, q1, q13 vrhadd.u8 q14, q14, q8 .endif vaddl.u8 q8, d0, d30 - vld1.64 {d2-d4}, [r1], r2 + vld1.8 {d2-d4}, [r1], r2 vaddl.u8 q10, d1, d31 - vst1.64 {q14}, [r0,:128], r2 + vst1.8 {q14}, [r0,:128], r2 vadd.u16 q12, q8, q9 pld [r1, r2] NRND vadd.u16 q12, q12, q13 @@ -177,10 +177,10 @@ NRND vadd.u16 q0, q0, q13 .endif vaddl.u8 q9, d2, d4 vaddl.u8 q11, d3, d5 - vst1.64 {q15}, [r0,:128], r2 + vst1.8 {q15}, [r0,:128], r2 bgt 1b - vld1.64 {d0-d2}, [r1], r2 + vld1.8 {d0-d2}, [r1], r2 vadd.u16 q12, q8, q9 NRND vadd.u16 q12, q12, q13 vext.8 q15, q0, q1, #1 @@ -194,7 +194,7 @@ NRND vadd.u16 q1, q1, q13 .endif vaddl.u8 q8, d0, d30 vaddl.u8 q10, d1, d31 - vst1.64 {q14}, [r0,:128], r2 + vst1.8 {q14}, [r0,:128], r2 vadd.u16 q12, q8, q9 NRND vadd.u16 q12, q12, q13 vadd.u16 q0, q10, q11 
@@ -205,44 +205,44 @@ NRND vadd.u16 q0, q0, q13 vld1.8 {q9}, [r0,:128] vrhadd.u8 q15, q15, q9 .endif - vst1.64 {q15}, [r0,:128], r2 + vst1.8 {q15}, [r0,:128], r2 bx lr .endm .macro pixels8 rnd=1, avg=0 -1: vld1.64 {d0}, [r1], r2 - vld1.64 {d1}, [r1], r2 - vld1.64 {d2}, [r1], r2 +1: vld1.8 {d0}, [r1], r2 + vld1.8 {d1}, [r1], r2 + vld1.8 {d2}, [r1], r2 pld [r1, r2, lsl #2] - vld1.64 {d3}, [r1], r2 + vld1.8 {d3}, [r1], r2 pld [r1] pld [r1, r2] pld [r1, r2, lsl #1] .if \avg - vld1.64 {d4}, [r0,:64], r2 + vld1.8 {d4}, [r0,:64], r2 vrhadd.u8 d0, d0, d4 - vld1.64 {d5}, [r0,:64], r2 + vld1.8 {d5}, [r0,:64], r2 vrhadd.u8 d1, d1, d5 - vld1.64 {d6}, [r0,:64], r2 + vld1.8 {d6}, [r0,:64], r2 vrhadd.u8 d2, d2, d6 - vld1.64 {d7}, [r0,:64], r2 + vld1.8 {d7}, [r0,:64], r2 vrhadd.u8 d3, d3, d7 sub r0, r0, r2, lsl #2 .endif subs r3, r3, #4 - vst1.64 {d0}, [r0,:64], r2 - vst1.64 {d1}, [r0,:64], r2 - vst1.64 {d2}, [r0,:64], r2 - vst1.64 {d3}, [r0,:64], r2 + vst1.8 {d0}, [r0,:64], r2 + vst1.8 {d1}, [r0,:64], r2 + vst1.8 {d2}, [r0,:64], r2 + vst1.8 {d3}, [r0,:64], r2 bne 1b bx lr .endm .macro pixels8_x2 rnd=1, avg=0 -1: vld1.64 {q0}, [r1], r2 +1: vld1.8 {q0}, [r1], r2 vext.8 d1, d0, d1, #1 - vld1.64 {q1}, [r1], r2 + vld1.8 {q1}, [r1], r2 vext.8 d3, d2, d3, #1 pld [r1] pld [r1, r2] @@ -255,21 +255,21 @@ NRND vadd.u16 q0, q0, q13 vrhadd.u8 q0, q0, q2 sub r0, r0, r2 .endif - vst1.64 {d0}, [r0,:64], r2 - vst1.64 {d1}, [r0,:64], r2 + vst1.8 {d0}, [r0,:64], r2 + vst1.8 {d1}, [r0,:64], r2 bne 1b bx lr .endm .macro pixels8_y2 rnd=1, avg=0 sub r3, r3, #2 - vld1.64 {d0}, [r1], r2 - vld1.64 {d1}, [r1], r2 + vld1.8 {d0}, [r1], r2 + vld1.8 {d1}, [r1], r2 1: subs r3, r3, #2 avg d4, d0, d1 - vld1.64 {d0}, [r1], r2 + vld1.8 {d0}, [r1], r2 avg d5, d0, d1 - vld1.64 {d1}, [r1], r2 + vld1.8 {d1}, [r1], r2 pld [r1] pld [r1, r2] .if \avg 
@@ -278,12 +278,12 @@ NRND vadd.u16 q0, q0, q13 vrhadd.u8 q2, q2, q1 sub r0, r0, r2 .endif - vst1.64 {d4}, [r0,:64], r2 - vst1.64 {d5}, [r0,:64], r2 + vst1.8 {d4}, [r0,:64], r2 + vst1.8 {d5}, [r0,:64], r2 bne 1b avg d4, d0, d1 - vld1.64 {d0}, [r1], r2 + vld1.8 {d0}, [r1], r2 avg d5, d0, d1 .if \avg vld1.8 {d2}, [r0,:64], r2 @@ -291,16 +291,16 @@ NRND vadd.u16 q0, q0, q13 vrhadd.u8 q2, q2, q1 sub r0, r0, r2 .endif - vst1.64 {d4}, [r0,:64], r2 - vst1.64 {d5}, [r0,:64], r2 + vst1.8 {d4}, [r0,:64], r2 + vst1.8 {d5}, [r0,:64], r2 bx lr .endm .macro pixels8_xy2 rnd=1, avg=0 sub r3, r3, #2 - vld1.64 {q0}, [r1], r2 - vld1.64 {q1}, [r1], r2 + vld1.8 {q0}, [r1], r2 + vld1.8 {q1}, [r1], r2 NRND vmov.i16 q11, #1 pld [r1] pld [r1, r2] @@ -309,14 +309,14 @@ NRND vmov.i16 q11, #1 vaddl.u8 q8, d0, d4 vaddl.u8 q9, d2, d6 1: subs r3, r3, #2 - vld1.64 {q0}, [r1], r2 + vld1.8 {q0}, [r1], r2 pld [r1] vadd.u16 q10, q8, q9 vext.8 d4, d0, d1, #1 NRND vadd.u16 q10, q10, q11 vaddl.u8 q8, d0, d4 shrn d5, q10, #2 - vld1.64 {q1}, [r1], r2 + vld1.8 {q1}, [r1], r2 vadd.u16 q10, q8, q9 pld [r1, r2] .if \avg @@ -324,7 +324,7 @@ NRND vadd.u16 q10, q10, q11 vrhadd.u8 d5, d5, d7 .endif NRND vadd.u16 q10, q10, q11 - vst1.64 {d5}, [r0,:64], r2 + vst1.8 {d5}, [r0,:64], r2 shrn d7, q10, #2 .if \avg vld1.8 {d5}, [r0,:64] @@ -332,10 +332,10 @@ NRND vadd.u16 q10, q10, q11 .endif vext.8 d6, d2, d3, #1 vaddl.u8 q9, d2, d6 - vst1.64 {d7}, [r0,:64], r2 + vst1.8 {d7}, [r0,:64], r2 bgt 1b - vld1.64 {q0}, [r1], r2 + vld1.8 {q0}, [r1], r2 vadd.u16 q10, q8, q9 vext.8 d4, d0, d1, #1 NRND vadd.u16 q10, q10, q11 @@ -347,13 +347,13 @@ NRND vadd.u16 q10, q10, q11 vrhadd.u8 d5, d5, d7 .endif NRND vadd.u16 q10, q10, q11 - vst1.64 {d5}, [r0,:64], r2 + vst1.8 {d5}, [r0,:64], r2 shrn d7, q10, #2 .if \avg vld1.8 {d5}, [r0,:64] vrhadd.u8 d7, d7, d5 .endif - vst1.64 {d7}, [r0,:64], r2 + vst1.8 {d7}, [r0,:64], r2 bx lr .endm 
@@ -429,147 +429,147 @@ endfunc pixfunc2 avg_, pixels8_xy2, avg=1 function ff_put_pixels_clamped_neon, export=1 - vld1.64 {d16-d19}, [r0,:128]! + vld1.16 {d16-d19}, [r0,:128]! vqmovun.s16 d0, q8 - vld1.64 {d20-d23}, [r0,:128]! + vld1.16 {d20-d23}, [r0,:128]! vqmovun.s16 d1, q9 - vld1.64 {d24-d27}, [r0,:128]! + vld1.16 {d24-d27}, [r0,:128]! vqmovun.s16 d2, q10 - vld1.64 {d28-d31}, [r0,:128]! + vld1.16 {d28-d31}, [r0,:128]! vqmovun.s16 d3, q11 - vst1.64 {d0}, [r1,:64], r2 + vst1.8 {d0}, [r1,:64], r2 vqmovun.s16 d4, q12 - vst1.64 {d1}, [r1,:64], r2 + vst1.8 {d1}, [r1,:64], r2 vqmovun.s16 d5, q13 - vst1.64 {d2}, [r1,:64], r2 + vst1.8 {d2}, [r1,:64], r2 vqmovun.s16 d6, q14 - vst1.64 {d3}, [r1,:64], r2 + vst1.8 {d3}, [r1,:64], r2 vqmovun.s16 d7, q15 - vst1.64 {d4}, [r1,:64], r2 - vst1.64 {d5}, [r1,:64], r2 - vst1.64 {d6}, [r1,:64], r2 - vst1.64 {d7}, [r1,:64], r2 + vst1.8 {d4}, [r1,:64], r2 + vst1.8 {d5}, [r1,:64], r2 + vst1.8 {d6}, [r1,:64], r2 + vst1.8 {d7}, [r1,:64], r2 bx lr endfunc function ff_put_signed_pixels_clamped_neon, export=1 vmov.u8 d31, #128 - vld1.64 {d16-d17}, [r0,:128]! + vld1.16 {d16-d17}, [r0,:128]! vqmovn.s16 d0, q8 - vld1.64 {d18-d19}, [r0,:128]! + vld1.16 {d18-d19}, [r0,:128]! vqmovn.s16 d1, q9 - vld1.64 {d16-d17}, [r0,:128]! + vld1.16 {d16-d17}, [r0,:128]! vqmovn.s16 d2, q8 - vld1.64 {d18-d19}, [r0,:128]! + vld1.16 {d18-d19}, [r0,:128]! vadd.u8 d0, d0, d31 - vld1.64 {d20-d21}, [r0,:128]! + vld1.16 {d20-d21}, [r0,:128]! vadd.u8 d1, d1, d31 - vld1.64 {d22-d23}, [r0,:128]! + vld1.16 {d22-d23}, [r0,:128]! vadd.u8 d2, d2, d31 - vst1.64 {d0}, [r1,:64], r2 + vst1.8 {d0}, [r1,:64], r2 vqmovn.s16 d3, q9 - vst1.64 {d1}, [r1,:64], r2 + vst1.8 {d1}, [r1,:64], r2 vqmovn.s16 d4, q10 - vst1.64 {d2}, [r1,:64], r2 + vst1.8 {d2}, [r1,:64], r2 vqmovn.s16 d5, q11 - vld1.64 {d24-d25}, [r0,:128]! + vld1.16 {d24-d25}, [r0,:128]! vadd.u8 d3, d3, d31 - vld1.64 {d26-d27}, [r0,:128]! + vld1.16 {d26-d27}, [r0,:128]! 
vadd.u8 d4, d4, d31 vadd.u8 d5, d5, d31 - vst1.64 {d3}, [r1,:64], r2 + vst1.8 {d3}, [r1,:64], r2 vqmovn.s16 d6, q12 - vst1.64 {d4}, [r1,:64], r2 + vst1.8 {d4}, [r1,:64], r2 vqmovn.s16 d7, q13 - vst1.64 {d5}, [r1,:64], r2 + vst1.8 {d5}, [r1,:64], r2 vadd.u8 d6, d6, d31 vadd.u8 d7, d7, d31 - vst1.64 {d6}, [r1,:64], r2 - vst1.64 {d7}, [r1,:64], r2 + vst1.8 {d6}, [r1,:64], r2 + vst1.8 {d7}, [r1,:64], r2 bx lr endfunc function ff_add_pixels_clamped_neon, export=1 mov r3, r1 - vld1.64 {d16}, [r1,:64], r2 - vld1.64 {d0-d1}, [r0,:128]! + vld1.8 {d16}, [r1,:64], r2 + vld1.16 {d0-d1}, [r0,:128]! vaddw.u8 q0, q0, d16 - vld1.64 {d17}, [r1,:64], r2 - vld1.64 {d2-d3}, [r0,:128]! + vld1.8 {d17}, [r1,:64], r2 + vld1.16 {d2-d3}, [r0,:128]! vqmovun.s16 d0, q0 - vld1.64 {d18}, [r1,:64], r2 + vld1.8 {d18}, [r1,:64], r2 vaddw.u8 q1, q1, d17 - vld1.64 {d4-d5}, [r0,:128]! + vld1.16 {d4-d5}, [r0,:128]! vaddw.u8 q2, q2, d18 - vst1.64 {d0}, [r3,:64], r2 + vst1.8 {d0}, [r3,:64], r2 vqmovun.s16 d2, q1 - vld1.64 {d19}, [r1,:64], r2 - vld1.64 {d6-d7}, [r0,:128]! + vld1.8 {d19}, [r1,:64], r2 + vld1.16 {d6-d7}, [r0,:128]! vaddw.u8 q3, q3, d19 vqmovun.s16 d4, q2 - vst1.64 {d2}, [r3,:64], r2 - vld1.64 {d16}, [r1,:64], r2 + vst1.8 {d2}, [r3,:64], r2 + vld1.8 {d16}, [r1,:64], r2 vqmovun.s16 d6, q3 - vld1.64 {d0-d1}, [r0,:128]! + vld1.16 {d0-d1}, [r0,:128]! vaddw.u8 q0, q0, d16 - vst1.64 {d4}, [r3,:64], r2 - vld1.64 {d17}, [r1,:64], r2 - vld1.64 {d2-d3}, [r0,:128]! + vst1.8 {d4}, [r3,:64], r2 + vld1.8 {d17}, [r1,:64], r2 + vld1.16 {d2-d3}, [r0,:128]! vaddw.u8 q1, q1, d17 - vst1.64 {d6}, [r3,:64], r2 + vst1.8 {d6}, [r3,:64], r2 vqmovun.s16 d0, q0 - vld1.64 {d18}, [r1,:64], r2 - vld1.64 {d4-d5}, [r0,:128]! + vld1.8 {d18}, [r1,:64], r2 + vld1.16 {d4-d5}, [r0,:128]! vaddw.u8 q2, q2, d18 - vst1.64 {d0}, [r3,:64], r2 + vst1.8 {d0}, [r3,:64], r2 vqmovun.s16 d2, q1 - vld1.64 {d19}, [r1,:64], r2 + vld1.8 {d19}, [r1,:64], r2 vqmovun.s16 d4, q2 - vld1.64 {d6-d7}, [r0,:128]! + vld1.16 {d6-d7}, [r0,:128]! 
vaddw.u8 q3, q3, d19 - vst1.64 {d2}, [r3,:64], r2 + vst1.8 {d2}, [r3,:64], r2 vqmovun.s16 d6, q3 - vst1.64 {d4}, [r3,:64], r2 - vst1.64 {d6}, [r3,:64], r2 + vst1.8 {d4}, [r3,:64], r2 + vst1.8 {d6}, [r3,:64], r2 bx lr endfunc function ff_vector_fmul_neon, export=1 subs r3, r3, #8 - vld1.64 {d0-d3}, [r1,:128]! - vld1.64 {d4-d7}, [r2,:128]! + vld1.32 {d0-d3}, [r1,:128]! + vld1.32 {d4-d7}, [r2,:128]! vmul.f32 q8, q0, q2 vmul.f32 q9, q1, q3 beq 3f bics ip, r3, #15 beq 2f 1: subs ip, ip, #16 - vld1.64 {d0-d1}, [r1,:128]! - vld1.64 {d4-d5}, [r2,:128]! + vld1.32 {d0-d1}, [r1,:128]! + vld1.32 {d4-d5}, [r2,:128]! vmul.f32 q10, q0, q2 - vld1.64 {d2-d3}, [r1,:128]! - vld1.64 {d6-d7}, [r2,:128]! + vld1.32 {d2-d3}, [r1,:128]! + vld1.32 {d6-d7}, [r2,:128]! vmul.f32 q11, q1, q3 - vst1.64 {d16-d19},[r0,:128]! - vld1.64 {d0-d1}, [r1,:128]! - vld1.64 {d4-d5}, [r2,:128]! + vst1.32 {d16-d19},[r0,:128]! + vld1.32 {d0-d1}, [r1,:128]! + vld1.32 {d4-d5}, [r2,:128]! vmul.f32 q8, q0, q2 - vld1.64 {d2-d3}, [r1,:128]! - vld1.64 {d6-d7}, [r2,:128]! + vld1.32 {d2-d3}, [r1,:128]! + vld1.32 {d6-d7}, [r2,:128]! vmul.f32 q9, q1, q3 - vst1.64 {d20-d23},[r0,:128]! + vst1.32 {d20-d23},[r0,:128]! bne 1b ands r3, r3, #15 beq 3f -2: vld1.64 {d0-d1}, [r1,:128]! - vld1.64 {d4-d5}, [r2,:128]! - vst1.64 {d16-d17},[r0,:128]! +2: vld1.32 {d0-d1}, [r1,:128]! + vld1.32 {d4-d5}, [r2,:128]! + vst1.32 {d16-d17},[r0,:128]! vmul.f32 q8, q0, q2 - vld1.64 {d2-d3}, [r1,:128]! - vld1.64 {d6-d7}, [r2,:128]! - vst1.64 {d18-d19},[r0,:128]! + vld1.32 {d2-d3}, [r1,:128]! + vld1.32 {d6-d7}, [r2,:128]! + vst1.32 {d18-d19},[r0,:128]! vmul.f32 q9, q1, q3 -3: vst1.64 {d16-d19},[r0,:128]! +3: vst1.32 {d16-d19},[r0,:128]! bx lr endfunc 
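Review bot: in the @@ -429,147 hunk the size specifier now differs by operand (vld1.16 for the block read through r0 in the *_pixels_clamped functions, vld1.8/vst1.8 for the pixel rows, vld1.32/vst1.32 in ff_vector_fmul_neon), but nothing in the source states which element type each pointer carries. A one-line comment per function naming the element width of each argument, matching the vqmovun.s16/vqmovn.s16, vaddw.u8 and vmul.f32 instructions that consume the data, would keep a later edit from reintroducing a mismatched specifier.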
@@ -582,10 +582,10 @@ function ff_vector_fmul_window_neon, export=1 add r4, r3, r5, lsl #3 add ip, r0, r5, lsl #3 mov r5, #-16 - vld1.64 {d0,d1}, [r1,:128]! - vld1.64 {d2,d3}, [r2,:128], r5 - vld1.64 {d4,d5}, [r3,:128]! - vld1.64 {d6,d7}, [r4,:128], r5 + vld1.32 {d0,d1}, [r1,:128]! + vld1.32 {d2,d3}, [r2,:128], r5 + vld1.32 {d4,d5}, [r3,:128]! + vld1.32 {d6,d7}, [r4,:128], r5 1: subs lr, lr, #4 vmul.f32 d22, d0, d4 vrev64.32 q3, q3 @@ -595,19 +595,19 @@ function ff_vector_fmul_window_neon, export=1 vmul.f32 d21, d1, d6 beq 2f vmla.f32 d22, d3, d7 - vld1.64 {d0,d1}, [r1,:128]! + vld1.32 {d0,d1}, [r1,:128]! vmla.f32 d23, d2, d6 - vld1.64 {d18,d19},[r2,:128], r5 + vld1.32 {d18,d19},[r2,:128], r5 vmls.f32 d20, d3, d4 - vld1.64 {d24,d25},[r3,:128]! + vld1.32 {d24,d25},[r3,:128]! vmls.f32 d21, d2, d5 - vld1.64 {d6,d7}, [r4,:128], r5 + vld1.32 {d6,d7}, [r4,:128], r5 vmov q1, q9 vrev64.32 q11, q11 vmov q2, q12 vswp d22, d23 - vst1.64 {d20,d21},[r0,:128]! - vst1.64 {d22,d23},[ip,:128], r5 + vst1.32 {d20,d21},[r0,:128]! + vst1.32 {d22,d23},[ip,:128], r5 b 1b 2: vmla.f32 d22, d3, d7 vmla.f32 d23, d2, d6 @@ -615,8 +615,8 @@ function ff_vector_fmul_window_neon, export=1 vmls.f32 d21, d2, d5 vrev64.32 q11, q11 vswp d22, d23 - vst1.64 {d20,d21},[r0,:128]! - vst1.64 {d22,d23},[ip,:128], r5 + vst1.32 {d20,d21},[r0,:128]! + vst1.32 {d22,d23},[ip,:128], r5 pop {r4,r5,pc} endfunc From 57c36de7265761dd94fb6bb4a9180011f796128f Mon Sep 17 00:00:00 2001 From: Aaron Colwell Date: Sun, 18 Mar 2012 20:03:00 -0700 Subject: [PATCH 904/991] vp8: avoid race condition on segment map. This change avoids accessing the segment map of the previous frame if segmentation is not enabled for the current frame. The caller of decode_mb_mode() only calls ff_thread_await_progress() on the reference segmentation index array if segmentation is enabled, so Chromium's TSAN will report a race when accessing this data while segmentation is not enabled. 
Signed-off-by: Ronald S. Bultje (cherry picked from commit 30011bf20109eef1a0f9ee949b19f9998ad88663) Signed-off-by: Diego Biurrun --- libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a16f5ca1ee..0b6d818e69 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -642,7 +642,7 @@ void decode_mb_mode(VP8Context *s, VP8Macroblock *mb, int mb_x, int mb_y, uint8_ if (s->segmentation.update_map) *segment = vp8_rac_get_tree(c, vp8_segmentid_tree, s->prob->segmentid); - else + else if (s->segmentation.enabled) *segment = ref ? *ref : *segment; s->segment = *segment; From 90a2359fef5325f90aec0eca51b145d90ca3df7d Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 25 Sep 2012 19:01:10 +0200 Subject: [PATCH 905/991] nutdec: Remove unused and broken debug function stub (cherry picked from commit 83655442fa6dbf7578d108ce479f98a14ebb3e3c) Signed-off-by: Diego Biurrun Conflicts: libavformat/nutdec.c --- libavformat/nutdec.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 9cec89e622..d7a304809d 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -81,16 +81,8 @@ static inline int64_t get_s_trace(AVIOContext *bc, char *file, char *func, int l av_log(NULL, AV_LOG_DEBUG, "get_s %5"PRId64" / %"PRIX64" in %s %s:%d\n", v, v, file, func, line); return v; } - -static inline uint64_t get_vb_trace(AVIOContext *bc, char *file, char *func, int line){ - uint64_t v= get_vb(bc); - - av_log(NULL, AV_LOG_DEBUG, "get_vb %5"PRId64" / %"PRIX64" in %s %s:%d\n", v, v, file, func, line); - return v; -} #define ffio_read_varlen(bc) get_v_trace(bc, __FILE__, __PRETTY_FUNCTION__, __LINE__) #define get_s(bc) get_s_trace(bc, __FILE__, __PRETTY_FUNCTION__, __LINE__) -#define get_vb(bc) get_vb_trace(bc, __FILE__, __PRETTY_FUNCTION__, __LINE__) #endif static int get_packetheader(NUTContext *nut, AVIOContext *bc, int calculate_checksum, uint64_t startcode) 
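Review bot: in the libavcodec/vp8.c hunk (decode_mb_mode), once the branch becomes "else if (s->segmentation.enabled)", a frame with neither update_map nor segmentation enabled falls through without writing *segment, and the following "s->segment = *segment;" consumes whatever the caller left there. The hunk does not show where that byte is initialised, so either add a final else that stores an explicit value or add a comment naming the caller that guarantees it.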
From 233d1b4861e252cbc4571840e7f264e1db151c13 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 25 Sep 2012 19:05:26 +0200 Subject: [PATCH 906/991] h264_refs: Fix debug tprintf argument types (cherry picked from commit 6c5b0517e00fc22753c5cc0751cba186dd71ed36) Signed-off-by: Diego Biurrun --- libavcodec/h264_refs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index dd4bd62206..c599d617bc 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -154,11 +154,11 @@ int ff_h264_fill_default_ref_list(H264Context *h){ } #ifdef TRACE for (i=0; iref_count[0]; i++) { - tprintf(h->s.avctx, "List0: %s fn:%d 0x%p\n", (h->default_ref_list[0][i].long_ref ? "LT" : "ST"), h->default_ref_list[0][i].pic_id, h->default_ref_list[0][i].data[0]); + tprintf(h->s.avctx, "List0: %s fn:%d 0x%p\n", (h->default_ref_list[0][i].long_ref ? "LT" : "ST"), h->default_ref_list[0][i].pic_id, h->default_ref_list[0][i].f.data[0]); } if(h->slice_type_nos==AV_PICTURE_TYPE_B){ for (i=0; iref_count[1]; i++) { - tprintf(h->s.avctx, "List1: %s fn:%d 0x%p\n", (h->default_ref_list[1][i].long_ref ? "LT" : "ST"), h->default_ref_list[1][i].pic_id, h->default_ref_list[1][i].data[0]); + tprintf(h->s.avctx, "List1: %s fn:%d 0x%p\n", (h->default_ref_list[1][i].long_ref ? "LT" : "ST"), h->default_ref_list[1][i].pic_id, h->default_ref_list[1][i].f.data[0]); } } #endif From ce57531a8894d69e3da085c7c6cba45b1f133b35 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 11 Sep 2012 22:11:25 +0200 Subject: [PATCH 907/991] swscale: Remove two bogus asserts (cherry picked from commit b9141aa346b736adffd27e1a98bd12aa7b628a8f) Signed-off-by: Diego Biurrun Conflicts: libswscale/swscale.c --- libswscale/swscale.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 1d0ea1b730..1b9130ce18 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c 
@@ -2644,8 +2644,6 @@ static int swScale(SwsContext *c, const uint8_t* src[], } } } else { - assert(lumSrcPtr + vLumFilterSize - 1 < lumPixBuf + vLumBufSize*2); - assert(chrUSrcPtr + vChrFilterSize - 1 < chrUPixBuf + vChrBufSize*2); if (c->yuv2packed1 && vLumFilterSize == 1 && vChrFilterSize == 2) { //unscaled RGB int chrAlpha = vChrFilter[2 * dstY + 1]; yuv2packed1(c, *lumSrcPtr, chrUSrcPtr, chrVSrcPtr, From 9858a723cbcb206287fd0232d74c6a0991eecdc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Aug 2012 21:53:32 +0200 Subject: [PATCH 908/991] elbg: Fix an assert MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It seems the condition was flipped from what was intended. Signed-off-by: Martin Storsjö (cherry picked from commit 2c340596cab981ac842aff7da89d298025c99304) Signed-off-by: Diego Biurrun --- libavcodec/elbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/elbg.c b/libavcodec/elbg.c index 030c3a68c4..36ed9c21c2 100644 --- a/libavcodec/elbg.c +++ b/libavcodec/elbg.c @@ -110,7 +110,7 @@ static int get_high_utility_cell(elbg_data *elbg) while (elbg->utility_inc[i] < r) i++; - assert(!elbg->cells[i]); + assert(elbg->cells[i]); return i; } From d1c490448cbe3f7715773c673e92139a7192326f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Aug 2012 16:49:49 +0200 Subject: [PATCH 909/991] mpegvideo: remove last_picture_ptr / h264 assert. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This assert is no longer true since h264 error concealment needs last_picture_ptr to be set. Signed-off-by: Martin Storsjö (cherry picked from commit 91672504a403556f63492093b892574234f21dd7) Signed-off-by: Diego Biurrun Conflicts: libavcodec/mpegvideo.c --- libavcodec/mpegvideo.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index f3e2c12911..b867be2bf6 100644 --- a/libavcodec/mpegvideo.c 
+++ b/libavcodec/mpegvideo.c @@ -1166,9 +1166,6 @@ int MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) Picture *pic; s->mb_skipped = 0; - assert(s->last_picture_ptr == NULL || s->out_format != FMT_H264 || - s->codec_id == CODEC_ID_SVQ3); - /* mark & release old frames */ if (s->out_format != FMT_H264 || s->codec_id == CODEC_ID_SVQ3) { if (s->pict_type != AV_PICTURE_TYPE_B && s->last_picture_ptr && From 372f742dd18911dc5c6552b1bb2e2ca235c5ee47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 4 Sep 2012 14:45:00 +0300 Subject: [PATCH 910/991] parser: Don't use pc as context for av_dlog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ParserContext class doesn't have an AVClass, required for using it as a logging class. Signed-off-by: Martin Storsjö (cherry picked from commit 6d65496990dcac551f60668c2418a50a3111c86c) Signed-off-by: Diego Biurrun --- libavcodec/parser.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 1bb5f8ced6..59fec407d2 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -222,9 +222,9 @@ void av_parser_close(AVCodecParserContext *s) int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_size) { if(pc->overread){ - av_dlog(pc, "overread %d, state:%X next:%d index:%d o_index:%d\n", + av_dlog(NULL, "overread %d, state:%X next:%d index:%d o_index:%d\n", pc->overread, pc->state, next, pc->index, pc->overread_index); - av_dlog(pc, "%X %X %X %X\n", (*buf)[0], (*buf)[1], (*buf)[2], (*buf)[3]); + av_dlog(NULL, "%X %X %X %X\n", (*buf)[0], (*buf)[1], (*buf)[2], (*buf)[3]); } /* Copy overread bytes from last frame into buffer. */ 
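Review bot: in the first ff_combine_frame() hunk of libavcodec/parser.c, the second av_dlog() call reads (*buf)[0] through (*buf)[3] and nothing in the hunk consults *buf_size first, so a build with av_dlog compiled in can read past a buffer shorter than four bytes. Since the line is being touched anyway, guard it with a *buf_size >= 4 check. Passing NULL also drops any log context, so if callers have an AVClass-carrying pointer available it would be better to pass that through than to log anonymously.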
@@ -276,9 +276,9 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s } if(pc->overread){ - av_dlog(pc, "overread %d, state:%X next:%d index:%d o_index:%d\n", + av_dlog(NULL, "overread %d, state:%X next:%d index:%d o_index:%d\n", pc->overread, pc->state, next, pc->index, pc->overread_index); - av_dlog(pc, "%X %X %X %X\n", (*buf)[0], (*buf)[1],(*buf)[2],(*buf)[3]); + av_dlog(NULL, "%X %X %X %X\n", (*buf)[0], (*buf)[1],(*buf)[2],(*buf)[3]); } return 0; From ec0df23765bd41846f66e4a4fb694779b432fc62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Aug 2012 00:18:59 +0200 Subject: [PATCH 911/991] h264: Remove an assert on current_picture_ptr being null MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It is possible in various error paths as well as gap handling that this has already been allocated. It is not clear why that would be a problem with the current code, thus disable the assert to avoid a common assert failure when asserts are enabled. Signed-off-by: Martin Storsjö (cherry picked from commit 5e997688f8801bb89c773f368237627d957fa520) Signed-off-by: Diego Biurrun --- libavcodec/h264.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index c4853253e5..c53799dfec 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3109,7 +3109,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ } else { /* Frame or first field in a potentially complementary pair */ - assert(!s0->current_picture_ptr); s0->first_field = FIELD_PICTURE; } From 3eed35addb461c42471e0367bb6cd68d8ffd3aec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Aug 2012 16:28:13 +0200 Subject: [PATCH 912/991] svq1enc: Set picture_structure correctly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes assert failures when running in debug mode. 
Signed-off-by: Martin Storsjö (cherry picked from commit 2d7d91f06d6a1d243dc74c96d3389ee237a3b906) Signed-off-by: Diego Biurrun --- libavcodec/svq1enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 82b828b6dd..d90346e7e2 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -486,6 +486,7 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) s->avctx= avctx; s->m.avctx= avctx; + s->m.picture_structure = PICT_FRAME; s->m.me.temp = s->m.me.scratchpad= av_mallocz((avctx->width+64)*2*16*2*sizeof(uint8_t)); s->m.me.map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); From 2deac60a387409dcbc7b37a8c30de89c7aeb58ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Sep 2012 14:02:30 +0300 Subject: [PATCH 913/991] adpcmenc: Calculate the IMA_QT predictor without overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, the value given to put_bits was 10 bits long for positive predictors, even though 9 bits were to be written. The extra bit could in some cases overwrite existing bits in the bitstream writer cache. This fixes a failed assert in put_bits.h, when running a version built with -DDEBUG. The fate test result gets slightly improved, thanks to getting rid of the overwritten bits in the bitstream writer cache. Signed-off-by: Martin Storsjö (cherry picked from commit aa264da5bf6a3d82a47abba4cfcfa629dd1f3daa) Signed-off-by: Diego Biurrun Conflicts: tests/ref/fate/acodec-adpcm-ima_qt --- libavcodec/adpcmenc.c | 2 +- tests/ref/acodec/adpcm_ima_qt | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index 9697f829d2..c88a5da894 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c 
@@ -550,7 +550,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, init_put_bits(&pb, dst, buf_size * 8); for (ch = 0; ch < avctx->channels; ch++) { - put_bits(&pb, 9, (c->status[ch].prev_sample + 0x10000) >> 7); + put_bits(&pb, 9, (c->status[ch].prev_sample & 0xFFFF) >> 7); put_bits(&pb, 7, c->status[ch].step_index); if (avctx->trellis > 0) { uint8_t buf[64]; diff --git a/tests/ref/acodec/adpcm_ima_qt b/tests/ref/acodec/adpcm_ima_qt index c1db43f1aa..a50c30a27c 100644 --- a/tests/ref/acodec/adpcm_ima_qt +++ b/tests/ref/acodec/adpcm_ima_qt @@ -1,4 +1,4 @@ -057d27978b35888776512e4e9669a63b *./tests/data/acodec/adpcm_qt.aiff +23cbae1182e150ebf28e0abfb9cba127 *./tests/data/acodec/adpcm_qt.aiff 281252 ./tests/data/acodec/adpcm_qt.aiff -169c40435c68d50112c9c61fc67e446d *./tests/data/adpcm_ima_qt.acodec.out.wav -stddev: 918.61 PSNR: 37.07 MAXDIFF:34029 bytes: 1058560/ 1058400 +b0fafd002c38fb70acaddfda1a31ed61 *./tests/data/adpcm_ima_qt.acodec.out.wav +stddev: 904.76 PSNR: 37.20 MAXDIFF:34029 bytes: 1058560/ 1058400 From 554fd5cd630073b8273aa044a6bdfd6f608209e9 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 20 Aug 2014 10:50:33 -0700 Subject: [PATCH 914/991] ffmpeg: Clarify wording of ffmpeg --> avconv deprecation message --- ffmpeg.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index f61de33a33..1069c3eff8 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
@@ -4376,9 +4376,11 @@ int main(int argc, char **argv) show_banner(); - av_log(NULL, AV_LOG_WARNING, "This program is not developed anymore and is only " - "provided for compatibility. Use avconv instead " - "(see Changelog for the list of incompatible changes).\n"); + av_log(NULL, AV_LOG_WARNING, + "The ffmpeg program is only provided for script compatibility and will be removed\n" + "in a future release. It has been deprecated in the Libav project to allow for\n" + "incompatible command line syntax improvements in its replacement called avconv\n" + "(see Changelog for details). Please use avconv instead.\n"); /* parse options */ parse_options(NULL, argc, argv, options, opt_output_file); From f661006f235fa58bc756610cdc76c662ac0fab5f Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 18:38:15 +0200 Subject: [PATCH 915/991] doc: Fix syntax and logical errors in avconv stream combination example Bug-Id: 661 CC: libav-stable@libav.org (cherry picked from commit 775a0b04f0cf8102fe322b2ee03fe1a0633dea04) Signed-off-by: Diego Biurrun --- doc/avconv.texi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/avconv.texi b/doc/avconv.texi index 0a83326379..aed16ced4e 100644 --- a/doc/avconv.texi +++ b/doc/avconv.texi @@ -1021,11 +1021,11 @@ only formats accepting a normal integer are suitable. You can put many streams of the same type in the output: @example -avconv -i test1.avi -i test2.avi -map 0.3 -map 0.2 -map 0.1 -map 0.0 -c copy test12.nut +avconv -i test1.avi -i test2.avi -map 1:1 -map 1:0 -map 0:1 -map 0:0 -c copy -y test12.nut @end example -The resulting output file @file{test12.avi} will contain first four streams from -the input file in reverse order. +The resulting output file @file{test12.nut} will contain the first four streams +from the input files in reverse order. @end itemize @c man end EXAMPLES From e9e7646379f985d4bbeb02779fb969b8d5cad728 Mon Sep 17 00:00:00 2001 
From: Diego Biurrun Date: Wed, 10 Sep 2014 12:42:12 -0700 Subject: [PATCH 916/991] Update Changelog for v0.8.15 --- Changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Changelog b/Changelog index cb0565c304..bc21035e4e 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,12 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.15: + +- avcodec: Introduce ff_get_buffer +- configure: Check for -Werror parameters on clang +- lavf: Fix leftovers from the ff_get_buffer patch + version 0.8.14: - vp3: Copy all 3 frames for thread updates (CVE-2011-3934) From 992da6b76c6119292bb7e96b66a937a032997804 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 12:43:08 -0700 Subject: [PATCH 917/991] Prepare for 0.8.16 release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 7d87d9947c..ac7dffa069 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.15 +0.8.16 From c6af9e944ebeb336f6520f59afaebb62392fb026 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 12:46:05 -0700 Subject: [PATCH 918/991] Update Changelog for v0.8.16 --- Changelog | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Changelog b/Changelog index bc21035e4e..f9740c1276 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,26 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.16: + +- avcodec: Add more missing #includes for ff_get_buffer() +- ffv1dec: check that global parameters do not change in version 0/1 +- arm: dsputil: fix overreads in put/avg_pixels functions +- arm: dsputil: prettify some conditional instructions in put_pixels macros +- arm/neon: dsputil: use correct size specifiers on vld1/vst1 +- vp8: avoid race condition on segment map. +- nutdec: Remove unused and broken debug function stub +- h264_refs: Fix debug tprintf argument types +- swscale: Remove two bogus asserts +- elbg: Fix an assert +- mpegvideo: remove last_picture_ptr / h264 assert. +- parser: Don't use pc as context for av_dlog +- h264: Remove an assert on current_picture_ptr being null +- svq1enc: Set picture_structure correctly +- adpcmenc: Calculate the IMA_QT predictor without overflow +- ffmpeg: Clarify wording of ffmpeg --> avconv deprecation message +- doc: Fix syntax and logical errors in avconv stream combination example + version 0.8.15: - avcodec: Introduce ff_get_buffer From 8637f4edeee1a6bd18bc90740fafadd3e1b412aa Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 19 Jun 2012 22:55:26 +0200 Subject: [PATCH 919/991] x86: Add CPU flag for the i686 cmov instruction (cherry picked from commit 65345a5a30a0e866b6944c0e6184be3feca04335) Signed-off-by: Diego Biurrun Conflicts: libavutil/cpu.c libavutil/cpu.h --- doc/APIchanges | 3 +++ libavutil/avutil.h | 2 +- libavutil/cpu.c | 1 + libavutil/cpu.h | 1 + libavutil/x86/cpu.c | 2 ++ 5 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index 0b9cdac9b0..a9524ccf6a 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -13,6 +13,9 @@ libavutil: 2011-04-18 API changes, most recent first: +2014-09-16 - xxxxxxx - lavu 51.22.3 - cpu.h + Add AV_CPU_FLAG_CMOV. + 2012-03-04 - 7f3f855 - lavu 51.22.1 - error.h Add AVERROR_UNKNOWN diff --git a/libavutil/avutil.h b/libavutil/avutil.h index 605be62384..0d305389bc 100644 --- a/libavutil/avutil.h +++ b/libavutil/avutil.h @@ -155,7 +155,7 @@ #define LIBAVUTIL_VERSION_MAJOR 51 #define LIBAVUTIL_VERSION_MINOR 22 -#define LIBAVUTIL_VERSION_MICRO 2 +#define LIBAVUTIL_VERSION_MICRO 3 #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \ LIBAVUTIL_VERSION_MINOR, \ diff --git a/libavutil/cpu.c b/libavutil/cpu.c index 25895d6d5d..60d0e14981 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -64,6 +64,7 @@ static const struct { { AV_CPU_FLAG_FMA4, "fma4" }, { AV_CPU_FLAG_3DNOW, "3dnow" }, { AV_CPU_FLAG_3DNOWEXT, "3dnowext" }, + { AV_CPU_FLAG_CMOV, "cmov" }, #endif { 0 } }; diff --git a/libavutil/cpu.h b/libavutil/cpu.h index df7bf4421a..e53558033f 100644 --- a/libavutil/cpu.h +++ b/libavutil/cpu.h @@ -41,6 +41,7 @@ #define AV_CPU_FLAG_XOP 0x0400 ///< Bulldozer XOP functions #define AV_CPU_FLAG_FMA4 0x0800 ///< Bulldozer FMA4 functions #define AV_CPU_FLAG_IWMMXT 0x0100 ///< XScale IWMMXT +#define AV_CPU_FLAG_CMOV 0x1000 ///< i686 cmov #define AV_CPU_FLAG_ALTIVEC 0x0001 ///< standard /** diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 2424fe4516..b87d3a3a92 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -83,6 +83,8 @@ int ff_get_cpu_flags_x86(void) cpuid(1, eax, ebx, ecx, std_caps); family = ((eax>>8)&0xf) + ((eax>>20)&0xff); model = ((eax>>4)&0xf) + ((eax>>12)&0xf0); + if (std_caps & (1 << 15)) + rval |= AV_CPU_FLAG_CMOV; if (std_caps & (1<<23)) rval |= AV_CPU_FLAG_MMX; if (std_caps & (1<<25)) From 893b353362bc220280efd8d14c4878a1cafe18a8 Mon Sep 17 00:00:00 2001 
From: Diego Biurrun Date: Tue, 19 Jun 2012 12:55:10 +0200 Subject: [PATCH 920/991] x86: Only use optimizations with cmov if the CPU supports the instruction Also fill in missing hash for AV_CPU_FLAG_CMOV addition in APIChanges. (cherry picked from commit fe07c9c6b5a870b8f2ffcfac649228b4d76e9505) Signed-off-by: Diego Biurrun Conflicts: libavcodec/x86/dsputil_mmx.c --- doc/APIchanges | 2 +- libavcodec/x86/dsputil_mmx.c | 3 ++- libavcodec/x86/h264_intrapred_init.c | 3 ++- libavcodec/x86/h264dsp_mmx.c | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index a9524ccf6a..7c95af2430 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,7 +13,7 @@ libavutil: 2011-04-18 API changes, most recent first: -2014-09-16 - xxxxxxx - lavu 51.22.3 - cpu.h +2014-09-16 - 8637f4e - lavu 51.22.3 - cpu.h Add AV_CPU_FLAG_CMOV. 2012-03-04 - 7f3f855 - lavu 51.22.1 - error.h diff --git a/libavcodec/x86/dsputil_mmx.c b/libavcodec/x86/dsputil_mmx.c index e34b95b0da..81472bb726 100644 --- a/libavcodec/x86/dsputil_mmx.c +++ b/libavcodec/x86/dsputil_mmx.c @@ -2683,7 +2683,8 @@ void dsputil_init_mmx(DSPContext* c, AVCodecContext *avctx) c->add_hfyu_median_prediction = ff_add_hfyu_median_prediction_mmx2; #endif #if HAVE_7REGS - if (HAVE_AMD3DNOW && (mm_flags & AV_CPU_FLAG_3DNOW)) + if (HAVE_AMD3DNOW && (mm_flags & AV_CPU_FLAG_3DNOW) && + (mm_flags & AV_CPU_FLAG_CMOV)) c->add_hfyu_median_prediction = add_hfyu_median_prediction_cmov; #endif diff --git a/libavcodec/x86/h264_intrapred_init.c b/libavcodec/x86/h264_intrapred_init.c index 223dbde2ae..70a4c1e00b 100644 --- a/libavcodec/x86/h264_intrapred_init.c +++ b/libavcodec/x86/h264_intrapred_init.c 
@@ -188,7 +188,8 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_mmx; if (codec_id == CODEC_ID_SVQ3) { - h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_mmx; + if (mm_flags & AV_CPU_FLAG_CMOV) + h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_mmx; } else if (codec_id == CODEC_ID_RV40) { h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_rv40_mmx; } else { diff --git a/libavcodec/x86/h264dsp_mmx.c b/libavcodec/x86/h264dsp_mmx.c index f5ae4dc055..19b3a4b44c 100644 --- a/libavcodec/x86/h264dsp_mmx.c +++ b/libavcodec/x86/h264dsp_mmx.c @@ -361,7 +361,8 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, const int chrom if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_mmx; c->h264_idct_add16intra = ff_h264_idct_add16intra_8_mmx; - c->h264_luma_dc_dequant_idct= ff_h264_luma_dc_dequant_idct_mmx; + if (mm_flags & AV_CPU_FLAG_CMOV) + c->h264_luma_dc_dequant_idct = ff_h264_luma_dc_dequant_idct_mmx; if (mm_flags & AV_CPU_FLAG_MMX2) { c->h264_idct_dc_add = ff_h264_idct_dc_add_8_mmx2; From b989bb7adee0f3286dcaa63c5cd0753eac45f6be Mon Sep 17 00:00:00 2001 From: Katerina Barone-Adesi Date: Tue, 16 Sep 2014 01:40:24 +0200 Subject: [PATCH 921/991] apetag: Fix APE tag size check The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. (cherry picked from commit 56ac2cbd0464e0146e62c91843e2b1f5e0908504) Signed-off-by: Diego Biurrun Conflicts: libavformat/apetag.c --- libavformat/apetag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 2390bfaad3..41ba054d69 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c 
@@ -51,8 +51,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } value = av_malloc(size+1); if (!value) return AVERROR(ENOMEM); From 22103315c2a1cb2de336750c50cf6bf7c109220c Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 16 Sep 2014 03:28:45 -0700 Subject: [PATCH 922/991] Add some bug references to the changelog --- Changelog | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Changelog b/Changelog index f9740c1276..eb2a98381b 100644 --- a/Changelog +++ b/Changelog @@ -4,7 +4,7 @@ releases are sorted from youngest to oldest. version 0.8.16: - avcodec: Add more missing #includes for ff_get_buffer() -- ffv1dec: check that global parameters do not change in version 0/1 +- ffv1dec: check that global parameters do not change in version 0/1 (CVE-2013-7020) - arm: dsputil: fix overreads in put/avg_pixels functions - arm: dsputil: prettify some conditional instructions in put_pixels macros - arm/neon: dsputil: use correct size specifiers on vld1/vst1 @@ -19,11 +19,11 @@ version 0.8.16: - svq1enc: Set picture_structure correctly - adpcmenc: Calculate the IMA_QT predictor without overflow - ffmpeg: Clarify wording of ffmpeg --> avconv deprecation message -- doc: Fix syntax and logical errors in avconv stream combination example +- doc: Fix syntax and logical errors in avconv stream combination example (libav/661) version 0.8.15: -- avcodec: Introduce ff_get_buffer +- avcodec: Introduce ff_get_buffer (CVE-2011-3935) - configure: Check for -Werror parameters on clang - lavf: Fix leftovers from the ff_get_buffer patch 
@@ -222,7 +222,7 @@ version 0.8.9: - 8bps: Bound-check the input buffer - rtmp: Do not misuse memcmp - rtmp: rename data_size to size -- lavc: set the default rc_initial_buffer_occupancy +- lavc: set the default rc_initial_buffer_occupancy (libav/222, ubuntu/1023408) - 4xm: Reject not a multiple of 16 dimension - 4xm: do not overread the prestream buffer - 4xm: validate the buffer size before parsing it From 0ceb2dffb6ba082a8abcc57c53a14b2512f0aa48 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 12 Aug 2014 14:39:10 +0000 Subject: [PATCH 923/991] mov: avoid a memleak when multiple stss boxes are present CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe) Signed-off-by: Anton Khirnov (cherry picked from commit 577f1feb3fd1e51fd14af7ce6d79d468faa3b929) Signed-off-by: Anton Khirnov (cherry picked from commit 931f5b235112f1c2a09dead36f0a228061d23942) Signed-off-by: Anton Khirnov (cherry picked from commit 93f919d0b4c4341ccee366c98ac9af813f8fe622) Signed-off-by: Anton Khirnov --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index d59a66e798..a1de6526a0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1523,6 +1523,7 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; if (entries >= UINT_MAX / sizeof(int)) return AVERROR_INVALIDDATA; + av_freep(&sc->keyframes); sc->keyframes = av_malloc(entries * sizeof(int)); if (!sc->keyframes) return AVERROR(ENOMEM); From 954aafaa961c32c655ad38fb622e8cbe249ebd5a Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 924/991] jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. CC: libav-stable@libav.org Bug-ID: CVE-2014-8542 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 88626e5af8d006e67189bf10b96b982502a7e8ad) Signed-off-by: Anton Khirnov (cherry picked from commit 55788572ea7b89cdd77bab1cf4bf06d14ead34f5) Signed-off-by: Anton Khirnov (cherry picked from commit 8f238dd9bdd9eba569fcaa564a07fbdd89412a14) Signed-off-by: Anton Khirnov Conflicts: libavcodec/jvdec.c (cherry picked from commit 50cb695bf124b0bd4d9e2b3c1bfdd08b35b14438) Signed-off-by: Anton Khirnov Conflicts: libavcodec/jvdec.c --- libavcodec/jvdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index f2c97526c0..cc05688652 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -42,6 +42,14 @@ static av_cold int decode_init(AVCodecContext *avctx) JvContext *s = avctx->priv_data; avctx->pix_fmt = PIX_FMT_PAL8; dsputil_init(&s->dsp, avctx); + + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + return 0; } From fc159ba88ea2dd1fa11e4ab6af8b574fc80db454 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 925/991] mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. CC: libav-stable@libav.org Bug-ID: CVE-2014-8543 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28) Signed-off-by: Anton Khirnov (cherry picked from commit 69a930b988ff4f88ae27e4fc24ff6ed116840b5e) 
Signed-off-by: Anton Khirnov (cherry picked from commit 3f10a779b465fd22d3aec1b744ca8544bc2da970) Signed-off-by: Anton Khirnov Conflicts: libavcodec/mmvideo.c (cherry picked from commit 03dba25a4001495226651068232b4c6b1e75fd02) Signed-off-by: Anton Khirnov --- libavcodec/mmvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 660cebc58f..269813214c 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -60,6 +60,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame.reference = 1; return 0; From a331e11906b196c9a00f5ffbc45d80fcd7fe8423 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 926/991] smc: fix the bounds check Fixes invalid writes when there are more blocks in a run than total remaining blocks. CC: libav-stable@libav.org Bug-ID: CVE-2014-8548 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit d423dd72be451462c6fb1cbbe313bed0194001ab) Signed-off-by: Anton Khirnov (cherry picked from commit 58dc526ebf722d33bf09275c1241674e0e6b9ef1) Signed-off-by: Anton Khirnov (cherry picked from commit f249e9889155599ee3ad0172832d38f68b0c625d) Signed-off-by: Anton Khirnov (cherry picked from commit 306ee95088243fefa2dfcb5c355d439db75e2d2a) Signed-off-by: Anton Khirnov --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 2bd3176f8e..257d5dae5f 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c 
@@ -69,7 +69,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From 9ae3cd6e7271a3d6b8cd92a4d35ebb16d2e03f1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 927/991] gifdec: refactor interleave end handling Fixes invalid writes with very small image heights. CC: libav-stable@libav.org Bug-ID: CVE-2014-8547 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 0b39ac6f54505a538c21fe49a626de94c518c903) Signed-off-by: Anton Khirnov (cherry picked from commit eac49477aa95cf727d87d2741ee8e60be59d394b) Signed-off-by: Anton Khirnov (cherry picked from commit 92888e9ed4ea4e761ae953bbe28c85cc658abc8f) Signed-off-by: Anton Khirnov (cherry picked from commit 02de44073a8e116ea177b53081219d32ef135ad8) Signed-off-by: Anton Khirnov --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 9bac254c59..4b30e50894 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -125,26 +125,21 @@ static int gif_read_image(GifState *s) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From 51dd54c51aaca909893c9f90a4119e96ff71ffdf Mon Sep 17 00:00:00 2001 
From: Xiaohan Wang Date: Thu, 6 Nov 2014 12:59:54 -0800 Subject: [PATCH 928/991] matroskadec: Fix read-after-free in matroska_read_seek() In matroska_read_seek(), |tracks| is assigned at the begining of the function. However, functions like matroska_parse_cues() could reallocate the tracks and invalidate |tracks|. This assigns |tracks| only before using it, so that it will not get invalidated elsewhere. Bug-Id: chromium/427266 --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 922b2580be..4dd82d214a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1974,7 +1974,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { MatroskaDemuxContext *matroska = s->priv_data; - MatroskaTrack *tracks = matroska->tracks.elem; + MatroskaTrack *tracks = NULL; AVStream *st = s->streams[stream_index]; int i, index, index_sub, index_min; @@ -2003,6 +2003,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, return 0; index_min = index; + tracks = matroska->tracks.elem; for (i=0; i < matroska->tracks.nb_elem; i++) { tracks[i].audio.pkt_cnt = 0; tracks[i].audio.sub_packet_cnt = 0; From d6deed7916f7f52dbfc88e2fc2c43e3cfb8ee74b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Jan 2013 04:20:24 +0100 Subject: [PATCH 929/991] h264_cabac: Break infinite loops MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes out of array reads and/or infinite loops. 30 is the maximum number of bits that can be read into coeff_abs below. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Martin Storsjö --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 2ee4bc01a8..7f86de58d3 100644 
--- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1719,7 +1719,7 @@ decode_cabac_residual_internal(H264Context *h, DCTELEM *block, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while( get_cabac_bypass( CC ) ) { \ + while (get_cabac_bypass(CC) && j < 30) { \ j++; \ } \ \ From aace8b184c867875e2715b2af23fa98886f90427 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 11:29:56 -0400 Subject: [PATCH 930/991] Prepare for 0.8.17 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index ac7dffa069..9bba175d1c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.16 +0.8.17 From 8b1f8fb26bfe6a4cd9f72b962b45643fa331dbe1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 11:32:09 -0400 Subject: [PATCH 931/991] Update Changelog for 0.8.17 Release --- Changelog | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog b/Changelog index eb2a98381b..81cee04626 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,19 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.8.17: + +- h264_cabac: Break infinite loops +- matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266) +- gifdec: refactor interleave end handling (CVE-2014-8547) +- smc: fix the bounds check (CVE-2014-8548) +- mmvideo: check frame dimensions (CVE-2014-8543) +- jvdec: check frame dimensions (CVE-2014-8542) +- mov: avoid a memleak when multiple stss boxes are present +- apetag: Fix APE tag size check +- x86: Only use optimizations with cmov if the CPU supports the instruction +- x86: Add CPU flag for the i686 cmov instruction + version 0.8.16: - avcodec: Add more missing #includes for ff_get_buffer() From 905988fe1a8accbc1ab93120aa4cd29252b81cce Mon Sep 17 00:00:00 2001 
From: Federico Tomassetti Date: Wed, 18 Feb 2015 12:11:44 +0000 Subject: [PATCH 932/991] eamad: check for out of bounds read Bug-Id: CID 1257500 CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/eamad.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 0d109828a0..8c3f357f6f 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -138,6 +138,11 @@ static inline void decode_block_intra(MadContext * t, DCTELEM * block) break; } else if (level != 0) { i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return; + } j = scantable[i]; level = (level*quant_matrix[j]) >> 4; level = (level-1)|1; @@ -152,6 +157,11 @@ static inline void decode_block_intra(MadContext * t, DCTELEM * block) run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6); i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return; + } j = scantable[i]; if (level < 0) { level = -level; @@ -163,10 +173,6 @@ static inline void decode_block_intra(MadContext * t, DCTELEM * block) level = (level-1)|1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return; - } block[j] = level; } From 82776caf7993221719eefbe576f851c7e52dfef9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 16:52:26 +0100 Subject: [PATCH 933/991] rmenc: limit packet size The chunk size is limited to UINT16_MAX (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov Signed-off-by: Vittorio Giovara --- libavformat/rmenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 0312d161c7..94be94a1c2 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -44,6 +44,10 @@ typedef struct { /* in ms */ #define BUFFER_DURATION 0 +/* the header needs at most 7 + 4 + 12 B */ +#define MAX_HEADER_SIZE (7 + 4 + 12) +/* UINT16_MAX is the maximal chunk size */ +#define MAX_PACKET_SIZE (UINT16_MAX - MAX_HEADER_SIZE) static void put_str(AVIOContext *s, const char *tag) @@ -387,6 +391,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + if (size > MAX_PACKET_SIZE) { + av_log_missing_feature(s, "Muxing packets larger than 64 kB", 0); + return AVERROR(ENOSYS); + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); From ec5b2f6a385959048f780b4e7d3d259dc1fa8421 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 7 Mar 2015 22:06:59 +0100 Subject: [PATCH 934/991] tiff: Check that there is no aliasing in pixel format selection Fixes possible issues with unexpected bpp/bppcount values. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-8544 (cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186) Signed-off-by: Luca Barbato (cherry picked from commit eb9041403d820634c45ed4ee98570246a252507a) Signed-off-by: Reinhard Tartler (cherry picked from commit 62b0462e5fa78901380ca229ddb6a7625efd61a2) Signed-off-by: Reinhard Tartler --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c0b611f631..20f2a47f22 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -218,6 +218,14 @@ static int init_image(TiffContext *s) int i, ret; uint32_t *pal; + // make sure there is no aliasing in the following switch + if (s->bpp >= 100 || s->bppcount >= 10) { + av_log(s->avctx, AV_LOG_ERROR, + "Unsupported image parameters: bpp=%d, bppcount=%d\n", + s->bpp, s->bppcount); + return AVERROR_INVALIDDATA; + } + switch (s->bpp * 10 + s->bppcount) { case 11: s->avctx->pix_fmt = PIX_FMT_MONOBLACK; From 76435f5e40854567252756ea7f788958dd2cc04c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 22:34:43 -0400 Subject: [PATCH 935/991] doc: More changelog updates for v0.8.17 --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 81cee04626..ed35b61ddb 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,9 @@ releases are sorted from youngest to oldest. version 0.8.17: +- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544) +- rmenc: limit packet size +- eamad: check for out of bounds read (CID/1257500) - h264_cabac: Break infinite loops - matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266) - gifdec: refactor interleave end handling (CVE-2014-8547) From 335ec616cc38ee6206a3acebd46d01aad73d721b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Mar 2015 17:36:14 +0000 Subject: [PATCH 936/991] utvideodec: Handle slice_height being zero Fixes out of array accesses. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-9604 Signed-off-by: Vittorio Giovara Signed-off-by: Luca Barbato (cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d) (cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded) Signed-off-by: Reinhard Tartler (cherry picked from commit e032e647dd79e7748145792dfee0358eccb1982e) 
Signed-off-by: Reinhard Tartler (cherry picked from commit 789f433bc6376e6e45d41ae491007d482fa1df85) Conflicts: libavcodec/utvideodec.c --- libavcodec/utvideo.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideo.c b/libavcodec/utvideo.c index fdce255002..b889ae9c42 100644 --- a/libavcodec/utvideo.c +++ b/libavcodec/utvideo.c @@ -246,6 +246,8 @@ static void restore_median(uint8_t *src, int step, int stride, for (slice = 0; slice < slices; slice++) { slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; @@ -301,6 +303,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From 0e810255596070e2c503c5da9001f7087f71de6e Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Mon, 9 Mar 2015 22:11:14 -0400 Subject: [PATCH 937/991] doc: More changelog updates for v0.8.17 --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index ed35b61ddb..ecbb6ef3e4 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,7 @@ releases are sorted from youngest to oldest. version 0.8.17: +- utvideodec: Handle slice_height being zero (CVE-2014-9604) - tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544) - rmenc: limit packet size - eamad: check for out of bounds read (CID/1257500) From 7248e735599bad765e1ef39c3ea9a6d469d74049 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 22 Aug 2014 01:15:57 +0200 Subject: [PATCH 938/991] avcodec: fix aac/ac3 parser bitstream buffer size Buffers containing copies of the AAC and AC3 header bits were not padded before parsing, violating init_get_bits() buffer padding requirement, leading to potential buffer read overflows. This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer for parsing the header in each of aac_parser.c and ac3_parser.c. Based on patch by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db) Signed-off-by: Michael Niedermayer --- libavcodec/aac_parser.c | 2 +- libavcodec/ac3_parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c index a8ef2f35dd..a6c9ad1352 100644 --- a/libavcodec/aac_parser.c +++ b/libavcodec/aac_parser.c @@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info, int size; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp; tmp.u64 = av_be2ne64(state); diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 83cc4e0e36..773f4c289f 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info, int err; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp = { av_be2ne64(state) }; AC3HeaderInfo hdr; GetBitContext gbc; From ced4e9fdbba79f752cdace41be8627fe798cde7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 16:39:39 +0200 Subject: [PATCH 939/991] avformat/m4vdec: Check for non startcode 00 00 00 sequences in probe Fixes miss detection of PCM as m4v Fixes Ticket 3928 Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1835c52a4be2e4e996f83c91a8d5a147b01100) 
Signed-off-by: Michael Niedermayer --- libavformat/m4vdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/m4vdec.c b/libavformat/m4vdec.c index 88f838022e..67d6ef4a47 100644 --- a/libavformat/m4vdec.c +++ b/libavformat/m4vdec.c @@ -33,13 +33,15 @@ static int mpeg4video_probe(AVProbeData *probe_packet) for(i=0; ibuf_size; i++){ temp_buffer = (temp_buffer<<8) + probe_packet->buf[i]; - if ((temp_buffer & 0xffffff00) != 0x100) + if (temp_buffer & 0xfffffe00) + continue; + if (temp_buffer < 2) continue; if (temp_buffer == VOP_START_CODE) VOP++; else if (temp_buffer == VISUAL_OBJECT_START_CODE) VISO++; - else if (temp_buffer < 0x120) VO++; - else if (temp_buffer < 0x130) VOL++; + else if (temp_buffer >= 0x100 && temp_buffer < 0x120) VO++; + else if (temp_buffer >= 0x120 && temp_buffer < 0x130) VOL++; else if ( !(0x1AF < temp_buffer && temp_buffer < 0x1B7) && !(0x1B9 < temp_buffer && temp_buffer < 0x1C4)) res++; } From 348b87b9bd510dd550b0bc0971a37e35ac87de9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Sep 2014 20:34:44 +0200 Subject: [PATCH 940/991] avcodec/ac3enc_template: fix out of array read Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d85ebea3f3b68ebccfe308fa839fc30fa634e4de) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc_template.c b/libavcodec/ac3enc_template.c index 60472550d1..b6b9e4011d 100644 --- a/libavcodec/ac3enc_template.c +++ b/libavcodec/ac3enc_template.c 
@@ -261,7 +261,7 @@ static void apply_channel_coupling(AC3EncodeContext *s) energy_cpl = energy[blk][CPL_CH][bnd]; energy_ch = energy[blk][ch][bnd]; blk1 = blk+1; - while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) { + while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) { if (s->blocks[blk1].cpl_in_use) { energy_cpl += energy[blk1][CPL_CH][bnd]; energy_ch += energy[blk1][ch][bnd]; From ef803afa769be24fedb5f46c9bcce5cc30903a25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 21 Sep 2014 09:58:10 +0100 Subject: [PATCH 941/991] configure: add noexecstack to linker options if supported. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit b7082d953fda93f7841ffffe7d15a6c3cd15bdee) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 23a5174212..520631f36e 100755 --- a/configure +++ b/configure @@ -2988,6 +2988,7 @@ if enabled asm; then fi check_ldflags -Wl,--as-needed +check_ldflags -Wl,-z,noexecstack if check_func dlopen; then ldl= From 1704a7b67dce9acacee9ebd381b8f5b63a9bc486 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Oct 2014 23:17:21 +0200 Subject: [PATCH 942/991] avcodec/jpeglsdec: Check run value more completely in ls_decode_line() previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index b95a15126e..28fa5940d2 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -208,6 +208,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void * x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; From bb6a8a0509d5fcc93aff6e3c62135ed5f6f9cb25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 01:50:27 +0200 Subject: [PATCH 943/991] avcodec/mjpegdec: check bits per pixel for changes similar to dimensions Fixes out of array accesses Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 94371a404c663c3dae3d542fa43951567ab67f82) Conflicts: libavcodec/mjpegdec.c Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9aee5956c1..d0520a3c2a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -216,21 +216,21 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id; + int len, nb_components, i, width, height, bits, pix_fmt_id; s->cur_scan = 0; s->upscale_h = s->upscale_v = 0; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly - if (s->bits != 8 && !s->lossless) { + if (bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; } @@ -262,7 +262,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n"); return -1; @@ -306,11 +306,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ /* XXX: also check h_count and v_count */ - if (width != s->width || height != s->height) { + if ( width != s->width || height != s->height + || bits != s->bits + ) { av_freep(&s->qscale_table); s->width = width; s->height = height; + s->bits = bits; s->interlaced = 0; /* test interlaced mode */ From bd3a28e8b65cd1bbe550e03bc7647831d4ea3d18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 04:30:58 +0200 Subject: [PATCH 944/991] avcodec/utils: Add case for jv to avcodec_align_dimensions2() Fixes out of array accesses Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 105654e376a736d243aef4a1d121abebce912e6b) Conflicts: libavcodec/utils.c --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6ecdfebbe2..7cfb96d537 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -222,6 +222,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align=4; h_align=4; } + if (s->codec_id == CODEC_ID_JV) { + w_align = 8; + h_align = 8; + } break; case PIX_FMT_BGR24: if((s->codec_id == CODEC_ID_MSZH) || (s->codec_id == CODEC_ID_ZLIB)){ From 19d0c9e9934b6460e1c6d815c9cf31653fcddcfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 14:45:04 +0200 Subject: [PATCH 945/991] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks Fixes out of array access Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) Conflicts: libavcodec/mmvideo.c Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 21d6669327..b480533128 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -114,7 +114,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (color) { memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length); } x+= run_length; From 7c1150bf05cd4f3c216fbe3441894a567a18f2ee Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Oct 2014 16:08:32 +0200 Subject: [PATCH 946/991] avcodec/tiff: more completely check bpp/bppcount Fixes pixel format selection Fixes out of array accesses Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5) Conflicts: libavcodec/tiff.c (cherry picked from commit e9125e74897135d690cf44f6e6d39e80dcd07803) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 00ff8d3e39..930da9ff3e 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -386,11 +386,11 @@ static int tiff_decode_tag(TiffContext *s) s->height = value; break; case TIFF_BPP: - s->bppcount = count; - if(count > 4){ - av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", s->bpp, count); + if(count > 4U){ + av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); return -1; } + s->bppcount = count; if(count == 1) s->bpp = value; else{ switch(type){ @@ -407,6 +407,13 @@ static int tiff_decode_tag(TiffContext *s) s->bpp = -1; } } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { From 7238c744de4254973d3b04550c5764fd6bfc8267 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:35:58 +0200 Subject: [PATCH 947/991] avcodec/pngdec: Check bits per pixel before setting monoblack pixel format Fixes out of array accesses Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1edef54035..80631f7b51 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -486,7 +486,7 @@ static int decode_frame(AVCodecContext *avctx, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = PIX_FMT_PAL8; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { From 677da723005e0a40e4ab88cec7c001fbfc65955a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:54:21 +0200 Subject: [PATCH 948/991] avcodec/pngdec: Calculate MPNG bytewidth more defensively Signed-off-by: Michael Niedermayer (cherry picked from commit e830902934a29df05c7af65aef2a480b15f572c4) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 80631f7b51..15b48c372c 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -650,9 +650,10 @@ static int decode_frame(AVCodecContext *avctx, int i, j; uint8_t *pd = s->current_picture->data[0]; uint8_t *pd_last = s->last_picture->data[0]; + int ls = FFMIN(av_image_get_linesize(s->current_picture->format, s->width, 0), s->width * s->bpp); for(j=0; j < s->height; j++) { - for(i=0; i < s->width * s->bpp; i++) { + for(i=0; i < ls; i++) { pd[i] += pd_last[i]; } pd += s->image_linesize; From e0ed766f2a4d6395e9633d350f39a175b9e9adc3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Oct 2014 21:08:52 +0200 Subject: [PATCH 949/991] avcodec/qpeg: fix off by 1 error in MV bounds check Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index d85d967a16..ac4f9a85d8 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -171,7 +171,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); From 27d82d83741b317f90472c961ef81f38bdc86a9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 04:29:40 +0200 Subject: [PATCH 950/991] avformat/mpegts: Check desc_len / get8() return code Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 8cd81d6d47..96400a9564 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -1632,7 +1632,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", From 017226fdf9eb6e3985e87f6218d012f7b6fe99e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 15:26:42 +0100 Subject: [PATCH 951/991] avcodec/dxa: check dimensions Fixes out of array access Fixes: asan_heap-oob_11222fb_21_020.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90) Conflicts: libavcodec/dxa.c Signed-off-by: Michael Niedermayer --- libavcodec/dxa.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 20f5464e8a..a5bf1a051c 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -301,6 +301,11 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = PIX_FMT_PAL8; + if (avctx->width%4 || avctx->height%4) { + av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + avcodec_get_frame_defaults(&c->pic); avcodec_get_frame_defaults(&c->prev); From d327f673f934b95eefefd4944161d273d5ddfb44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 00:57:07 +0100 Subject: [PATCH 952/991] avcodec/dnxhddec: treat pix_fmt like width/height Fixes out of array accesses Fixes: asan_heap-oob_22c9a39_16_015.mxf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3c0e0bf6f53df0977f3878d4f5cec99dff8de9e) Conflicts: libavcodec/dnxhddec.c Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index ac912c368f..800f99a62c 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -38,6 +38,7 @@ typedef struct DNXHDContext { GetBitContext gb; int cid; ///< compression id unsigned int width, height; + enum PixelFormat pix_fmt; unsigned int mb_width, mb_height; uint32_t mb_scan_index[68]; /* max for 1080p */ int cur_field; ///< current interlaced field @@ -129,7 +130,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height); if (buf[0x21] & 0x40) { - ctx->avctx->pix_fmt = PIX_FMT_YUV422P10; + ctx->pix_fmt = PIX_FMT_YUV422P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { dsputil_init(&ctx->dsp, ctx->avctx); @@ -137,7 +138,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si ctx->decode_dct_block = dnxhd_decode_dct_block_10; } } else { - ctx->avctx->pix_fmt = PIX_FMT_YUV422P; + ctx->pix_fmt = PIX_FMT_YUV422P; ctx->avctx->bits_per_raw_sample = 8; if (ctx->bit_depth != 8) { dsputil_init(&ctx->dsp, ctx->avctx); @@ -380,9 +381,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, avctx->width, avctx->height, ctx->width, ctx->height); first_field = 1; } + if (avctx->pix_fmt != PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) { + av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n", + av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt)); + first_field = 1; + } if (av_image_check_size(ctx->width, ctx->height, 0, avctx)) return -1; + avctx->pix_fmt = ctx->pix_fmt; avcodec_set_dimensions(avctx, ctx->width, ctx->height); if (first_field) { From 3296e30d372d8ed0ada4b5fc010d2b0fc6b37e97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Nov 2014 01:55:40 +0100 Subject: [PATCH 953/991] avcodec/h264_slice: Clear table pointers to avoid stale pointers Might fix Ticket3889 
Signed-off-by: Michael Niedermayer (cherry picked from commit 547fce95858ef83f8c25ae347e3ae3b8ba437fd9) Conflicts: libavcodec/h264_slice.c Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e726fd8019..988e8195b2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1224,6 +1224,19 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); + + h->intra4x4_pred_mode= NULL; + h->non_zero_count = NULL; + h->slice_table_base = NULL; + h->slice_table = NULL; + h->cbp_table = NULL; + h->chroma_pred_mode_table = NULL; + memset(h->mvd_table, 0, sizeof(h->mvd_table)); + h->direct_table = NULL; + h->list_counts = NULL; + h->mb2b_xy = NULL; + h->mb2br_xy = NULL; + if (ff_h264_alloc_tables(h) < 0) { av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n"); return AVERROR(ENOMEM); From ec640e10b24923d59c0d981b7b5f7e5ab3eb8ea0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 23:07:50 +0100 Subject: [PATCH 954/991] avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization Fixes out of array read Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 3a32dffacd..b40b02000a 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c 
@@ -416,6 +416,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; From aebfcf7d6258760af42e84ab146f592fbfb6395c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 13:53:06 +0100 Subject: [PATCH 955/991] avcodec/mjpegdec: Fix context fields becoming inconsistent Fixes out of array access Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 32d3acac727f3f4a6489ca129a5ea4ccdfcb34a5) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d0520a3c2a..84bc9aa33d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1376,6 +1376,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RL32("LJIF")) { + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); 
@@ -1385,17 +1387,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknwon always 0? */ switch (get_bits(&s->gb, 8)) { case 1: - s->rgb = 1; - s->pegasus_rct = 0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb = 1; - s->pegasus_rct = 1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n"); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } From 0b5d644839c5aa5af1ff6bd857007c9ff9fbbc00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 15:45:47 +0100 Subject: [PATCH 956/991] avcodec/pngdec: Check IHDR/IDAT order Fixes out of array access Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 15b48c372c..ceae67e7c3 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -437,6 +437,12 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if(av_image_check_size(s->width, s->height, 0, avctx)){ From a5c43d7c87b5a2da5696f4ef5f7c0194a5e26aa8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:01:18 +0100 Subject: [PATCH 957/991] avformat/rmdec: Check codec_data_size Fixes infinite loop Fixes Ticket4154 
Signed-off-by: Michael Niedermayer (cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index dfd229e93e..5fe853974d 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -305,6 +305,9 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, int64_t codec_pos; int ret; + if (codec_data_size < 0) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From 5a1061b4ad41609039ac0bcc7d127bb1ad1cd29d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:21:56 +0100 Subject: [PATCH 958/991] swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output Fixes Ticket4151 Signed-off-by: Michael Niedermayer (cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 3bca43c42e..9e28f4bcb1 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1959,6 +1959,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; + if (width >= 16) #if COMPILE_TEMPLATE_SSE2 __asm__( "xor %%"REG_a", %%"REG_a" \n\t" From 39a6977354de23d313d027b9f604b0a5da0f55d7 Mon Sep 17 00:00:00 2001 
From: wm4 Date: Sat, 6 Dec 2014 16:53:30 +0100 Subject: [PATCH 959/991] avformat/matroskadec: fix handling of recursive SeekHead elements When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 484f8c1975..65aecb0b84 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1229,13 +1229,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; 
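Review bot: the snapshot `nb_elem = seekhead_list->nb_elem` in `matroska_execute_seekhead()` bounds the loop, but nothing in this hunk stops two of the original entries from pointing at the same element, a case the commit message itself leaves open. Consider recording the positions or IDs already parsed so each target is read at most once. The new comment would also be more useful if it said that parsing an entry can append to `matroska->seekhead`, since that is the reason `seekhead` is re-read from `seekhead_list->elem` on every iteration.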
From adf2f2166e7e713e5702bc58e97866060578c2d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 960/991] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index d8074780df..3a360a0694 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -229,6 +229,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && offset1 >= 0 && offset1 <= (s->buf_end - s->buffer)) { From 87ec3c615689e3d8bce36f1a168d908c7502b867 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 961/991] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Conflicts: libavcodec/vmdav.c --- libavcodec/vmdav.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 1e5f2caab8..2b491ad86a 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -319,8 +319,12 @@ static void vmd_decode(VmdVideoContext *s) len = rle_unpack(gb.buffer, &dp[ofs], len, bytestream2_get_bytes_left(&gb), frame_width - ofs); - else + else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return; bytestream2_get_buffer(&gb, &dp[ofs], len); + } bytestream2_skip(&gb, len); } else { /* interframe pixel copy */ 
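Review bot: in the new `else { ... }` block of `vmd_decode()` the failed bounds check just does `return;`, so an oversized or truncated literal run ends decoding silently and leaves a partly written frame. Because the function is `void` the caller cannot tell the difference; an `av_log()` at error level at this point, or a change to return `AVERROR_INVALIDDATA`, would make the rejection visible. Also worth confirming: the unchanged `bytestream2_skip(&gb, len);` after the if/else still runs for this branch, although `bytestream2_get_buffer()` has already consumed `len` bytes from `gb`.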
From 1d1cc267e6e7e846894fe58e5d63988ef4b77b8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 22:21:21 +0100 Subject: [PATCH 962/991] swscale: increase yuv2rgb table headroom Fixes out of array access Fixes: case2_bad_read_yuv2rgbx32.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 3def1b63e6..b2f844ff8c 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -34,7 +34,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 256 #define FAST_BGR2YV12 // use 7-bit instead of 15-bit coefficients From cd4827dfd43a46bfa751c3521cd1f32be7d5a472 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 03:14:21 +0100 Subject: [PATCH 963/991] avcodec/indeo3: use signed variables to avoid underflow Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 67859e57d2..3deffb007d 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary 
@@ -886,7 +886,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; From 87a716991d842650b43e084c30a4fbd176fa74ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 18:57:27 +0100 Subject: [PATCH 964/991] avcodec/indeo3: ensure offsets are non negative Signed-off-by: Michael Niedermayer (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 3deffb007d..3e9fa6ea40 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -972,7 +972,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); From ce219702c3469e16fd1c70fc750a59b71ae8c8d5 Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 5 Jan 2015 04:45:26 +0100 Subject: [PATCH 965/991] avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) 
Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index f4b54396d9..1890cdd4e6 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -94,6 +94,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -336,10 +339,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) From 766c1cbeb4a10589f9a31370dcc38cf788b92e8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 04:29:10 +0100 Subject: [PATCH 966/991] avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5fbd6217ad..3fcfa79703 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -245,7 +245,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); From b3242c0f2293e2fac8c80c3bfb444d6d20f29bb2 Mon Sep 17 00:00:00 2001 From: Johan Andersson Date: Sat, 3 Jan 2015 17:31:36 +0100 Subject: [PATCH 967/991] cmdutils: update copyright year to 2015. (cherry picked from commit 3e160652219ff4da433f5672ae1e5f4956abb815) Conflicts: cmdutils.c --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index bba6f8c0b0..c76ae518f0 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -56,7 +56,7 @@ struct SwsContext *sws_opts; AVDictionary *format_opts, *codec_opts; -const int this_year = 2014; +const int this_year = 2015; static FILE *report_file; From 00cde0cddc569ccd34f05ae188d47e006f16aafc Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 7 Jan 2015 23:57:50 +0100 Subject: [PATCH 968/991] avcodec/dvdsubdec: error on bitmaps with size 0 Attempting to decode them could lead to invalid writes with some fuzzed samples. Signed-off-by: Michael Niedermayer (cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 1890cdd4e6..c09c6be55a 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -97,6 +97,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, if (start >= buf_size) return -1; + if (w <= 0 || h <= 0) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); From c78ed1fb5d3338634cdd79b1b8edf246a4ab7177 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 17 Jan 2015 01:56:03 +0100 Subject: [PATCH 969/991] avcodec/flac_parser: fix handling EOF if no headers are found Fixes assertion failure Fixes Ticket4269 Signed-off-by: Michael Niedermayer (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index ae7edaa052..6be2df3f20 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -646,7 +646,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static int flac_parse_init(AVCodecParserContext *c) From c00fd60ab34506c2f4f5b6e704604f25962af129 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:19:25 +0100 Subject: [PATCH 970/991] avformat/utils: Fix number suffixes in tb_unreliable() Signed-off-by: Michael Niedermayer (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Conflicts: libavformat/utils.c (cherry picked from commit e651a2f88c219e74c9851563e74100f7652a6005) --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 48fe249b14..836f0ec436 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2382,8 +2382,8 @@ static int get_std_framerate(int i){ * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c){ - if( c->time_base.den >= 101L*c->time_base.num - || c->time_base.den < 5L*c->time_base.num + if( c->time_base.den >= 101LL*c->time_base.num + || c->time_base.den < 5LL*c->time_base.num /* || c->codec_tag == AV_RL32("DIVX") || c->codec_tag == AV_RL32("XVID")*/ || c->codec_id == CODEC_ID_MPEG2VIDEO 
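Review bot: in `tb_unreliable()` the `LL` suffix leaves the required width implicit in the literal; an explicit `(int64_t)` cast on `c->time_base.num` in both comparisons would state it directly and survive a later edit of the constants. The commit message should also say why the change is needed: `long` is only 32 bits wide on some targets, so `101L*c->time_base.num` could overflow there before the comparison with `c->time_base.den`.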
From 1d73ad25dcb26b7eb1cdd48ee5acf29cea402fee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:13 +0100 Subject: [PATCH 971/991] avformat/smacker: Fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index e948c22f01..20530814d3 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -303,7 +303,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; - if (!size || size + 4L > frame_size) { + if (!size || size + 4LL > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); return AVERROR_INVALIDDATA; } From 376533e0cd86e40a8d452b4a040560ab4758241d Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:12 +0100 Subject: [PATCH 972/991] avformat/mpc8: fix hang with fuzzed file This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index a3fc1be894..b448c1b8ca 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -214,6 +214,10 @@ static int mpc8_read_header(AVFormatContext *s, AVFormatParameters *ap) while(!url_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); 
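Review bot: the `size < 0` test in `mpc8_read_header()` sits after `mpc8_get_chunk_header(pb, &tag, &size)` has returned, so every other caller of that helper needs its own copy, and the commit message notes that other code in this demuxer already repeats the check. Having `mpc8_get_chunk_header()` report the invalid length itself would keep the validation in one place. The hunk also only rejects negative values; if `size` can exceed what is left in the file, an upper bound belongs next to this check before `mpc8_handle_chunk()` is called.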
From e83c03aaf1477b9985c80669f824ef0534002a4e Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:11 +0100 Subject: [PATCH 973/991] avformat/mpc8: fix broken pointer math MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger Signed-off-by: Michael Niedermayer (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Conflicts: libavformat/mpc8.c (cherry picked from commit 49dd89f9027f3def12e170bb7d986d37812eedba) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index b448c1b8ca..6499fca79e 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -89,7 +89,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_MAX / 4 - 1; //seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) From d0a925ba2e7c299da93956a61b6a95a8c909e0f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 14:47:41 +0100 Subject: [PATCH 974/991] avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 6499fca79e..01fdcec2a6 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -55,7 +55,7 @@ typedef struct { static inline int64_t bs_get_v(uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; 
@@ -106,7 +106,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; From 5c0413aa85f75cd9b9beffd984947560a080d914 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:13:18 +0100 Subject: [PATCH 975/991] avcodec/mjpegdec: Check escape sequence validity Fixes assertion failure Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 84bc9aa33d..694a46009a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1573,6 +1573,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, put_bits(&pb, 8, x); if (x == 0xFF) { x = src[b++]; + if (x & 0x80) { + av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); + x &= 0x7f; + } put_bits(&pb, 7, x); bit_count--; } From a16669f1e226e15c5e970e2ab48b2c54ed7ee77a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:48:30 +0100 Subject: [PATCH 976/991] avcodec/mjpegdec: Check number of components for JPEG-LS Fixes out of array accesses Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 694a46009a..e2706f2550 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -418,9 +418,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) } if (s->ls) { s->upscale_h = s->upscale_v = 0; - if (s->nb_components > 1) + if (s->nb_components == 3) { s->avctx->pix_fmt = PIX_FMT_RGB24; - else if (s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->bits <= 8) s->avctx->pix_fmt = PIX_FMT_GRAY8; else s->avctx->pix_fmt = PIX_FMT_GRAY16; From 3b90117a1f9a29dfe9588ad5de8c3f4b9640cc38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 03:45:21 +0100 Subject: [PATCH 977/991] avformat/thp: Check av_get_packet() for failure not only for partial output Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 75f7941ff8..bed3f599c2 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -179,6 +179,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); From 20d95a8ad32bac435e894c036c587c259f52512c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 04:11:56 +0100 Subject: [PATCH 978/991] avcodec/h264_ps: More completely check the bit depths Fixes out of array read Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4) Conflicts: libavcodec/h264_ps.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4d4ff22bc1..52a4c902bf 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -365,7 +365,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; - if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 12 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 12 || + sps->bit_depth_luma != sps->bit_depth_chroma) { av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; From 4640184c76f2da094dcbec54321d55b96153cb70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Feb 2015 03:33:53 +0100 Subject: [PATCH 979/991] avcodec/mjpegdec: Skip blocks which are outside the visible area Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 0bb0716d9c0699895abcef2d3954c1d6e4157cb2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e2706f2550..655bc8e798 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -1029,12 +1029,17 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; if (!s->progressive) { - if (copy_mb) - mjpeg_copy_block(ptr, reference_data[c] + block_offset, - linesize[c], s->avctx->lowres); - else { + if (copy_mb) { + if (ptr) + mjpeg_copy_block(ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); + } else { s->dsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], @@ -1043,7 +1048,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, "error y=%d x=%d\n", mb_y, mb_x); return -1; } - s->dsp.idct_put(ptr, linesize[c], s->block); + if (ptr) { + s->dsp.idct_put(ptr, linesize[c], s->block); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + From 3d023f4343d6e68009313d7ef0d239edb09c4a96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:14:56 +0100 Subject: [PATCH 980/991] avformat/gxf: Use 64bit for res to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer (cherry picked from commit f8be605800b801e59ea49657a560287883ebfc8a) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index e773ba7775..fc8df84fc6 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -531,7 +531,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; 
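Review bot: In mjpeg_decode_scan() (patch 979) `ptr` can now be NULL for blocks outside the visible area, and the hunk guards the two uses in the non-progressive path (mjpeg_copy_block() and idct_put()), but the progressive branch that begins at the trailing `} else {` is not part of the change. Please confirm that branch never dereferences `ptr`, or add the same `if (ptr)` guard there. The new bounds test also compares every component `c` against `s->width` and `s->height`; if the chroma planes are subsampled they are smaller than that, so the limit may be too permissive for `data[c]` when `c` is a chroma plane.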
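Review bot: gxf_seek() is still declared `static int`, so widening `res` to `int64_t` (patch 980) only helps as long as the value is tested before it is narrowed again. If any path returns `res` directly, a large 64-bit result is truncated to int on return and can change sign. Suggest checking `res < 0` while it is still 64-bit and returning a plain error code or 0 from there.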
From 7232fc75e14072784fe0c480cd68c4abeb8cc328 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:48:38 +0100 Subject: [PATCH 981/991] avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop Averaging over 2 pixels doesn't work correctly for the last pixel, because the rest of the buffer is not initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 5a665d0592..c029e9e6bf 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -55,9 +55,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } From 07a9a43d5c1f6c4abcaba38d1e398aea6ad23802 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 03:12:22 +0100 Subject: [PATCH 982/991] avcodec/snowdec: Fix ref value check Fixes integer overflow and out of array read. Fixes: signal_sigsegv_24169e6_3445_cov_3778346427_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4cbf940212079a34753c7f4d6c6b5a43586d30) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index dc5bea4ac6..5768160766 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -154,7 +154,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int l = left->color[0]; int cb= left->color[1]; int cr= left->color[2]; - int ref = 0; + unsigned ref = 0; int ref_context= av_log2(2*left->ref) + av_log2(2*top->ref); int mx_context= av_log2(2*FFABS(left->mx - top->mx)) + 0*av_log2(2*FFABS(tr->mx - top->mx)); int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); From 0c1f8a784db9d60f30f838153f03e325437ec844 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Feb 2015 12:29:10 +0100 Subject: [PATCH 983/991] avcodec/zmbv: Check len before reading in decode_frame() Fixes out of array read Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5c7781e63d6519192ada59c1e36bcecc92791d) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 38ab7253f1..1ac7274016 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -416,11 +416,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac } /* parse header */ + if (len < 1) + return AVERROR_INVALIDDATA; c->flags = buf[0]; buf++; len--; if (c->flags & ZMBV_KEYFRAME) { void *decode_intra = NULL; c->decode_intra= NULL; + + if (len < 6) + return AVERROR_INVALIDDATA; hi_ver = buf[0]; lo_ver = buf[1]; c->comp = buf[2]; From c89645c3ef4b975aac0b25a5a8c1707a2567d7da Mon Sep 17 00:00:00 2001 
From: Dyami Caliri Date: Thu, 26 Feb 2015 10:17:01 -0800 Subject: [PATCH 984/991] Fix buffer_size argument to init_put_bits() in multiple encoders. Several encoders were multiplying the buffer size by 8, in order to get a bit size. However, the buffer_size argument is for the byte size of the buffer. We had experienced crashes encoding prores (Anatoliy) at size 4096x4096. (cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef) Conflicts: libavcodec/proresenc_kostya.c Conflicts: libavcodec/faxcompr.c libavcodec/s302menc.c Conflicts: libavcodec/adpcmenc.c --- libavcodec/aacenc.c | 2 +- libavcodec/adpcmenc.c | 4 ++-- libavcodec/faxcompr.c | 2 +- libavcodec/flashsv2enc.c | 2 +- libavcodec/flashsvenc.c | 2 +- libavcodec/nellymoserenc.c | 2 +- libavcodec/proresenc.c | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 2ff6f9cc04..d66dcfd150 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -164,7 +164,7 @@ static void put_audio_specific_config(AVCodecContext *avctx) PutBitContext pb; AACEncContext *s = avctx->priv_data; - init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8); + init_put_bits(&pb, avctx->extradata, avctx->extradata_size); put_bits(&pb, 5, 2); //object type - AAC-LC put_bits(&pb, 4, s->samplerate_index); //sample rate index put_bits(&pb, 4, s->channels); diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index 1b3d1bcd01..73da9272ec 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c @@ -551,7 +551,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, { int ch, i; PutBitContext pb; - init_put_bits(&pb, dst, buf_size * 8); + init_put_bits(&pb, dst, buf_size); for (ch = 0; ch < avctx->channels; ch++) { put_bits(&pb, 9, (c->status[ch].prev_sample & 0xFFFF) >> 7); 
@@ -582,7 +582,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, { int i; PutBitContext pb; - init_put_bits(&pb, dst, buf_size * 8); + init_put_bits(&pb, dst, buf_size); n = avctx->frame_size - 1; diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index d358940690..01c8c61ae1 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -243,7 +243,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs) PutBitContext pb; int run, mode = ~0, pix_left = width, run_idx = 0; - init_put_bits(&pb, dst, size*8); + init_put_bits(&pb, dst, size); while(pix_left > 0){ run = runs[run_idx++]; mode = ~mode; diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 6466be7858..dd477d420d 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -270,7 +270,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size) if (buf_size < 5) return -1; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (s->block_width >> 4) - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index 7e21e7d534..8ed92a6381 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -130,7 +130,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf, int buf_pos, res; int pred_blocks = 0; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, block_width / 16 - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index 725270c9fa..54820ad315 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -288,7 +288,7 @@ static void encode_block(NellyMoserEncodeContext *s, unsigned char *output, int apply_mdct(s); - init_put_bits(&pb, output, output_size * 8); + init_put_bits(&pb, output, output_size); i = 0; for (band = 0; band < NELLY_BANDS; band++) { 
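Review bot: In encode_block() in nellymoserenc.c, as at the other call sites touched by this patch, init_put_bits() now receives the real byte size, but in the visible lines only write_header() in flashsv2enc.c checks the buffer size (`if (buf_size < 5)`) before writing. With the old value the writer believed it had eight times the space, so it is worth confirming that each of these encoders fails cleanly when the output no longer fits rather than relying on the caller to have sized the buffer. The oversized argument is also spelled three ways across the hunks (`* 8`, `*8` and `buf_size << 3` in proresenc.c), so a search for remaining instances should cover the shift form as well.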
diff --git a/libavcodec/proresenc.c b/libavcodec/proresenc.c index 09678a002f..26afe5914f 100644 --- a/libavcodec/proresenc.c +++ b/libavcodec/proresenc.c @@ -302,7 +302,7 @@ static int encode_slice_plane(AVCodecContext *avctx, int mb_count, } blocks_per_slice = mb_count << (2 - chroma); - init_put_bits(&pb, buf, buf_size << 3); + init_put_bits(&pb, buf, buf_size); encode_dc_coeffs(&pb, blocks, blocks_per_slice, qmat); encode_ac_coeffs(avctx, &pb, blocks, blocks_per_slice, qmat); From f92e8cccf5813dd62b7c4a2bea072badc7a250cb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 25 Feb 2015 22:55:44 +0100 Subject: [PATCH 985/991] avformat/adxdec: check avctx->channels for invalid values This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0) Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index ab11d832d8..021042c608 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -41,6 +41,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *avctx = s->streams[0]->codec; int ret, size; + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + size = BLOCK_SIZE * avctx->channels; pkt->pos = avio_tell(s->pb); From 6739df26a62049ae579fa2a31c2552315eb640da Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:38:50 +0100 Subject: [PATCH 986/991] avformat/bit: check that pkt->size is 10 in write_packet Ohter packet sizes are not supported by this muxer. This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc) 
Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bit.c b/libavformat/bit.c index 1249ea1aee..f346cf4df0 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -132,6 +132,9 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) GetBitContext gb; int i; + if (pkt->size != 10) + return AVERROR(EINVAL); + avio_wl16(pb, SYNC_WORD); avio_wl16(pb, 8 * 10); From 7f99fae1ec2903366ecc529d84d2542daa5f3c57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 14:30:34 +0100 Subject: [PATCH 987/991] avcodec/utils: Align YUV411 by as much as the other YUV variants Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash2.avi Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12) Conflicts: libavcodec/utils.c --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7cfb96d537..a35da92106 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -202,8 +202,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, break; case PIX_FMT_YUV411P: case PIX_FMT_UYYVYY411: - w_align=32; - h_align=8; + w_align = 32; + h_align = 16 * 2; break; case PIX_FMT_YUV410P: if(s->codec_id == CODEC_ID_SVQ1){ From 25e2ef355d8a5f2bb093811cee0aac19cc4889f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 23:27:43 +0100 Subject: [PATCH 988/991] avcodec/tiff: move bpp check to after "end:" This ensures that all current and future code-pathes get bpp checked Signed-off-by: Michael Niedermayer (cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 930da9ff3e..d6e2295564 100644 
--- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -407,13 +407,6 @@ static int tiff_decode_tag(TiffContext *s) s->bpp = -1; } } - if (s->bpp > 64U) { - av_log(s->avctx, AV_LOG_ERROR, - "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); - s->bpp = 0; - return AVERROR_INVALIDDATA; - } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { @@ -556,6 +549,13 @@ static int tiff_decode_tag(TiffContext *s) default: av_log(s->avctx, AV_LOG_DEBUG, "Unknown or unsupported tag %d/0X%0X\n", tag, tag); } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } From fcabfc5590fec6b1a8dcd19e08ff0fb3f9467a56 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 989/991] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index a3c99870a0..4b008781bd 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -943,6 +943,8 @@ static int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); From d6541bdbd7e2eba005600c7d7cb71b27ac963367 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 12 Mar 2015 18:06:09 +0100 Subject: [PATCH 990/991] Update for 0.10.16 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doxyfile b/Doxyfile index 2ba74334b0..712e9ddcda 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.10.15 +PROJECT_NUMBER = 0.10.16 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/RELEASE b/RELEASE index ba788384c3..55a6d615b6 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.10.15 +0.10.16 diff --git a/VERSION b/VERSION index ba788384c3..55a6d615b6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.10.15 +0.10.16 From 79bc4798b7bb31d213c0d97ab1c858c6be35113e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 991/991] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 7a04209493..c3187d13c5 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ and related discussions. Project Leader ============== -Michael Niedermayer final design decisions
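Review bot: The MAINTAINERS hunk (patch 991) removes the entry under "Project Leader" but leaves the heading and its `==============` underline in place. If no other entry follows, the section is now empty; suggest removing the heading as well or adding a line that states the role is vacant.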
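Review bot: In adx_read_packet() (libavformat/adxdec.c, patch 985) the new check rejects `avctx->channels <= 0` but sets no upper limit, and the next statement is `size = BLOCK_SIZE * avctx->channels` with `size` declared as int. A very large channel count can overflow that multiplication. Suggest rejecting `avctx->channels > INT_MAX / BLOCK_SIZE` in the same condition.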
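Review bot: In tiff_decode_tag() (libavcodec/tiff.c, patch 988) the `s->bpp > 64U` check now runs after the switch for every tag, but its message still prints `count` as "%d components". Outside the case it was moved from, `count` belongs to whichever tag was just parsed, so the log line can report an unrelated number. Suggest printing only `s->bpp` there. The subject line says the check moves to after "end:", while the hunk shows no such label at the new location; the commit message or the placement should be reconciled.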