From 1fd8eb4d4f02d50cdb2457d25c7d6a2ba1624536 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Feb 2016 22:29:44 +0100 Subject: [PATCH 001/942] Basic updates for 3.0 Signed-off-by: Michael Niedermayer --- Changelog | 3 --- RELEASE | 2 +- RELEASE_NOTES | 15 +++++++++++++++ doc/Doxyfile | 2 +- 4 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 RELEASE_NOTES diff --git a/Changelog b/Changelog index 90964f0ae9..67a625e1d0 100644 --- a/Changelog +++ b/Changelog @@ -1,9 +1,6 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : - - version 3.0: - Common Encryption (CENC) MP4 encoding and decoding support - DXV decoding diff --git a/RELEASE b/RELEASE index 847967f1eb..9f55b2ccb5 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.8.git +3.0 diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..861dc04a13 --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌─────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 3.0 "Einstein" │ + └─────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 3.0 "Einstein", about 5 + months after the release of FFmpeg 2.8. + + A complete Changelog is available at the root of the project, and the + complete Git history on http://source.ffmpeg.org. + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. diff --git a/doc/Doxyfile b/doc/Doxyfile index 1ad9f3041f..07b4d1fe01 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 3.0 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 380980e0d2b3e877452d52fca937c2e96c626383 Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Sun, 14 Feb 2016 21:59:50 +0000 Subject: [PATCH 002/942] Changelog: add entries for the SMPTE VC-2 decoder and encoder Signed-off-by: Rostislav Pehlivanov --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 67a625e1d0..2e1cd36f5f 100644 --- a/Changelog +++ b/Changelog @@ -67,6 +67,8 @@ version 3.0: - streamselect video and astreamselect audio filter - swaprect filter - metadata video and ametadata audio filter +- SMPTE VC-2 HQ profile support for the Dirac decoder +- SMPTE VC-2 native encoder supporting the HQ profile version 2.8: From 1e8a75fae479c75514f1923a4d697dc07f87ca26 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 7 Feb 2016 00:29:43 -0300 Subject: [PATCH 003/942] x86: add some more helper macros to check for slow cpuflags Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 73a4589d4b0d97cbd6f8bf8be18b78151b657898) --- libavutil/cpu_internal.h | 11 +++++++---- libavutil/x86/cpu.h | 4 ++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavutil/cpu_internal.h b/libavutil/cpu_internal.h index 2105298843..6c352abe1b 100644 --- a/libavutil/cpu_internal.h +++ b/libavutil/cpu_internal.h 
@@ -24,13 +24,16 @@ #define CPUEXT_SUFFIX(flags, suffix, cpuext) \ (HAVE_ ## cpuext ## suffix && ((flags) & AV_CPU_FLAG_ ## cpuext)) -#define CPUEXT_SUFFIX_FAST(flags, suffix, cpuext) \ +#define CPUEXT_SUFFIX_FAST2(flags, suffix, cpuext, slow_cpuext) \ (HAVE_ ## cpuext ## suffix && ((flags) & AV_CPU_FLAG_ ## cpuext) && \ - !((flags) & AV_CPU_FLAG_ ## cpuext ## SLOW)) + !((flags) & AV_CPU_FLAG_ ## slow_cpuext ## SLOW)) -#define CPUEXT_SUFFIX_SLOW(flags, suffix, cpuext) \ +#define CPUEXT_SUFFIX_SLOW2(flags, suffix, cpuext, slow_cpuext) \ (HAVE_ ## cpuext ## suffix && ((flags) & AV_CPU_FLAG_ ## cpuext) && \ - ((flags) & AV_CPU_FLAG_ ## cpuext ## SLOW)) + ((flags) & AV_CPU_FLAG_ ## slow_cpuext ## SLOW)) + +#define CPUEXT_SUFFIX_FAST(flags, suffix, cpuext) CPUEXT_SUFFIX_FAST2(flags, suffix, cpuext, cpuext) +#define CPUEXT_SUFFIX_SLOW(flags, suffix, cpuext) CPUEXT_SUFFIX_SLOW2(flags, suffix, cpuext, cpuext) #define CPUEXT(flags, cpuext) CPUEXT_SUFFIX(flags, , cpuext) #define CPUEXT_FAST(flags, cpuext) CPUEXT_SUFFIX_FAST(flags, , cpuext) diff --git a/libavutil/x86/cpu.h b/libavutil/x86/cpu.h index dc102c6015..f171037f1c 100644 --- a/libavutil/x86/cpu.h +++ b/libavutil/x86/cpu.h 
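Review bot: The fourth argument of the new `CPUEXT_SUFFIX_FAST2`/`CPUEXT_SUFFIX_SLOW2` macros is only explained by the token paste `AV_CPU_FLAG_ ## slow_cpuext ## SLOW`, and neither this hunk nor the `EXTERNAL_FMA3_FAST`/`EXTERNAL_AVX2_FAST` definitions in the libavutil/x86/cpu.h hunk say why FMA3 and AVX2 are gated on AVX's slow flag. A comment above `CPUEXT_SUFFIX_FAST2` would carry that: `/* slow_cpuext names the extension whose _SLOW flag disqualifies cpuext; FMA3 and AVX2 presumably have no SLOW flag of their own and use AVX's. */`. Passing a name with no matching `AV_CPU_FLAG_..SLOW` is a compile error, which is worth stating so it is not mistaken for a bug.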
@@ -68,8 +68,12 @@ #define EXTERNAL_AVX_SLOW(flags) CPUEXT_SUFFIX_SLOW(flags, _EXTERNAL, AVX) #define EXTERNAL_XOP(flags) CPUEXT_SUFFIX(flags, _EXTERNAL, XOP) #define EXTERNAL_FMA3(flags) CPUEXT_SUFFIX(flags, _EXTERNAL, FMA3) +#define EXTERNAL_FMA3_FAST(flags) CPUEXT_SUFFIX_FAST2(flags, _EXTERNAL, FMA3, AVX) +#define EXTERNAL_FMA3_SLOW(flags) CPUEXT_SUFFIX_SLOW2(flags, _EXTERNAL, FMA3, AVX) #define EXTERNAL_FMA4(flags) CPUEXT_SUFFIX(flags, _EXTERNAL, FMA4) #define EXTERNAL_AVX2(flags) CPUEXT_SUFFIX(flags, _EXTERNAL, AVX2) +#define EXTERNAL_AVX2_FAST(flags) CPUEXT_SUFFIX_FAST2(flags, _EXTERNAL, AVX2, AVX) +#define EXTERNAL_AVX2_SLOW(flags) CPUEXT_SUFFIX_SLOW2(flags, _EXTERNAL, AVX2, AVX) #define EXTERNAL_AESNI(flags) CPUEXT_SUFFIX(flags, _EXTERNAL, AESNI) #define INLINE_AMD3DNOW(flags) CPUEXT_SUFFIX(flags, _INLINE, AMD3DNOW) From 4d95207938252d6683411bc2f51f05c3d02749a2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 7 Feb 2016 00:52:06 -0300 Subject: [PATCH 004/942] x86: use the new helper macros where useful Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 70d685a77f283b110e7b1ab565ff5de53f752d55) --- libavcodec/x86/hevcdsp_init.c | 11 ++++++++++- libavcodec/x86/huffyuvencdsp_mmx.c | 2 +- libavcodec/x86/jpeg2000dsp_init.c | 2 +- libavcodec/x86/mlpdsp_init.c | 2 +- libavcodec/x86/synth_filter_init.c | 2 +- libavcodec/x86/v210enc_init.c | 2 +- libavcodec/x86/vp9dsp_init.c | 2 +- libavcodec/x86/vp9dsp_init_16bpp.c | 2 +- libavcodec/x86/vp9dsp_init_16bpp_template.c | 2 +- libavutil/x86/float_dsp_init.c | 2 +- libavutil/x86/lls_init.c | 2 +- libswresample/x86/audio_convert_init.c | 2 +- libswresample/x86/resample_init.c | 2 +- 13 files changed, 22 insertions(+), 13 deletions(-) diff --git a/libavcodec/x86/hevcdsp_init.c b/libavcodec/x86/hevcdsp_init.c index 0de01637ad..09eb06d0c9 100644 --- a/libavcodec/x86/hevcdsp_init.c +++ b/libavcodec/x86/hevcdsp_init.c 
@@ -753,6 +753,10 @@ void ff_hevc_dsp_init_x86(HEVCDSPContext *c, const int bit_depth) c->transform_add[3] = ff_hevc_transform_add32_8_avx; } if (EXTERNAL_AVX2(cpu_flags)) { + c->sao_band_filter[0] = ff_hevc_sao_band_filter_8_8_avx2; + c->sao_band_filter[1] = ff_hevc_sao_band_filter_16_8_avx2; + } + if (EXTERNAL_AVX2_FAST(cpu_flags)) { c->idct_dc[2] = ff_hevc_idct16x16_dc_8_avx2; c->idct_dc[3] = ff_hevc_idct32x32_dc_8_avx2; if (ARCH_X86_64) { @@ -897,7 +901,9 @@ void ff_hevc_dsp_init_x86(HEVCDSPContext *c, const int bit_depth) SAO_BAND_INIT(10, avx); } if (EXTERNAL_AVX2(cpu_flags)) { - + c->sao_band_filter[0] = ff_hevc_sao_band_filter_8_10_avx2; + } + if (EXTERNAL_AVX2_FAST(cpu_flags)) { c->idct_dc[2] = ff_hevc_idct16x16_dc_10_avx2; c->idct_dc[3] = ff_hevc_idct32x32_dc_10_avx2; if (ARCH_X86_64) { @@ -1095,6 +1101,9 @@ void ff_hevc_dsp_init_x86(HEVCDSPContext *c, const int bit_depth) SAO_BAND_INIT(12, avx); } if (EXTERNAL_AVX2(cpu_flags)) { + c->sao_band_filter[0] = ff_hevc_sao_band_filter_8_12_avx2; + } + if (EXTERNAL_AVX2_FAST(cpu_flags)) { c->idct_dc[2] = ff_hevc_idct16x16_dc_12_avx2; c->idct_dc[3] = ff_hevc_idct32x32_dc_12_avx2; diff --git a/libavcodec/x86/huffyuvencdsp_mmx.c b/libavcodec/x86/huffyuvencdsp_mmx.c index 0ba4358165..9767b212da 100644 --- a/libavcodec/x86/huffyuvencdsp_mmx.c +++ b/libavcodec/x86/huffyuvencdsp_mmx.c @@ -98,7 +98,7 @@ av_cold void ff_huffyuvencdsp_init_x86(HuffYUVEncDSPContext *c) c->diff_bytes = ff_diff_bytes_sse2; } - if (EXTERNAL_AVX2(cpu_flags)) { + if (EXTERNAL_AVX2_FAST(cpu_flags)) { c->diff_bytes = ff_diff_bytes_avx2; } } diff --git a/libavcodec/x86/jpeg2000dsp_init.c b/libavcodec/x86/jpeg2000dsp_init.c index 0dbd2db7f5..baa81383ea 100644 --- a/libavcodec/x86/jpeg2000dsp_init.c +++ b/libavcodec/x86/jpeg2000dsp_init.c 
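Review bot: The three hevcdsp_init.c hunks deliberately split the AVX2 assignments into an `EXTERNAL_AVX2` group (`sao_band_filter`) and an `EXTERNAL_AVX2_FAST` group (`idct_dc`), but nothing at the split says why one function is worth running on AVXSLOW CPUs and the other is not. A one-line comment at each `if (EXTERNAL_AVX2_FAST(cpu_flags)) {`, e.g. `/* sao_band_filter: any AVX2; idct_dc and below: fast AVX2 only */`, would stop a later cleanup from merging the two blocks back. The 8-bit hunk registers `sao_band_filter[0]` and `[1]` while the 10- and 12-bit hunks register only `[0]`; whether `16_10`/`16_12` AVX2 variants exist is not visible here, so that asymmetry is worth a confirming comment as well. ff_hevc_dsp_init_x86 starts and ends outside the hunks.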
@@ -44,7 +44,7 @@ av_cold void ff_jpeg2000dsp_init_x86(Jpeg2000DSPContext *c) c->mct_decode[FF_DWT97] = ff_ict_float_avx; } - if (EXTERNAL_AVX2(cpu_flags)) { + if (EXTERNAL_AVX2_FAST(cpu_flags)) { c->mct_decode[FF_DWT53] = ff_rct_int_avx2; } } diff --git a/libavcodec/x86/mlpdsp_init.c b/libavcodec/x86/mlpdsp_init.c index e9d9b1bf18..7f5e6b11d5 100644 --- a/libavcodec/x86/mlpdsp_init.c +++ b/libavcodec/x86/mlpdsp_init.c @@ -199,6 +199,6 @@ av_cold void ff_mlpdsp_init_x86(MLPDSPContext *c) #endif if (ARCH_X86_64 && EXTERNAL_SSE4(cpu_flags)) c->mlp_rematrix_channel = ff_mlp_rematrix_channel_sse4; - if (ARCH_X86_64 && EXTERNAL_AVX2(cpu_flags) && cpu_flags & AV_CPU_FLAG_BMI2) + if (ARCH_X86_64 && EXTERNAL_AVX2_FAST(cpu_flags) && cpu_flags & AV_CPU_FLAG_BMI2) c->mlp_rematrix_channel = ff_mlp_rematrix_channel_avx2_bmi2; } diff --git a/libavcodec/x86/synth_filter_init.c b/libavcodec/x86/synth_filter_init.c index 0649ea20a6..9ef00cdb0a 100644 --- a/libavcodec/x86/synth_filter_init.c +++ b/libavcodec/x86/synth_filter_init.c @@ -67,7 +67,7 @@ av_cold void ff_synth_filter_init_x86(SynthFilterContext *s) if (EXTERNAL_AVX_FAST(cpu_flags)) { s->synth_filter_float = synth_filter_avx; } - if (EXTERNAL_FMA3(cpu_flags) && !(cpu_flags & AV_CPU_FLAG_AVXSLOW)) { + if (EXTERNAL_FMA3_FAST(cpu_flags)) { s->synth_filter_float = synth_filter_fma3; } #endif /* HAVE_YASM */ diff --git a/libavcodec/x86/v210enc_init.c b/libavcodec/x86/v210enc_init.c index ee48e80538..8abb152c4f 100644 --- a/libavcodec/x86/v210enc_init.c +++ b/libavcodec/x86/v210enc_init.c @@ -45,7 +45,7 @@ av_cold void ff_v210enc_init_x86(V210EncContext *s) if (EXTERNAL_AVX(cpu_flags)) s->pack_line_8 = ff_v210_planar_pack_8_avx; - if (EXTERNAL_AVX2(cpu_flags)) { + if (EXTERNAL_AVX2_FAST(cpu_flags)) { s->pack_line_8 = ff_v210_planar_pack_8_avx2; s->pack_line_10 = ff_v210_planar_pack_10_avx2; s->sample_factor = 2; diff --git a/libavcodec/x86/vp9dsp_init.c b/libavcodec/x86/vp9dsp_init.c index 8efb18c89f..469a661717 100644 
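Review bot: In the mlpdsp_init.c hunk, `ARCH_X86_64 && EXTERNAL_AVX2_FAST(cpu_flags) && cpu_flags & AV_CPU_FLAG_BMI2` mixes `&&` with a bare `&`; it parses as intended because `&` binds tighter, but that is the kind of precedence a reader has to stop and verify, and the rest of the file brackets such tests. `if (ARCH_X86_64 && EXTERNAL_AVX2_FAST(cpu_flags) && (cpu_flags & AV_CPU_FLAG_BMI2))` makes the grouping explicit. The remaining hunks on this line are straight replacements of `EXTERNAL_AVX2`/`EXTERNAL_FMA3 && !AVXSLOW` with the new macros and are equivalent given the definitions in cpu_internal.h.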
--- a/libavcodec/x86/vp9dsp_init.c +++ b/libavcodec/x86/vp9dsp_init.c @@ -377,7 +377,7 @@ av_cold void ff_vp9dsp_init_x86(VP9DSPContext *dsp, int bpp, int bitexact) init_ipred(32, avx, v, VERT); } - if (EXTERNAL_AVX2(cpu_flags)) { + if (EXTERNAL_AVX2_FAST(cpu_flags)) { init_fpel_func(1, 1, 32, avg, _8, avx2); init_fpel_func(0, 1, 64, avg, _8, avx2); if (ARCH_X86_64) { diff --git a/libavcodec/x86/vp9dsp_init_16bpp.c b/libavcodec/x86/vp9dsp_init_16bpp.c index 4ceb4d4b49..eb67499c96 100644 --- a/libavcodec/x86/vp9dsp_init_16bpp.c +++ b/libavcodec/x86/vp9dsp_init_16bpp.c @@ -129,7 +129,7 @@ av_cold void ff_vp9dsp_init_16bpp_x86(VP9DSPContext *dsp) init_ipred_funcs(hd, HOR_DOWN, 16, avx); } - if (EXTERNAL_AVX2(cpu_flags)) { + if (EXTERNAL_AVX2_FAST(cpu_flags)) { init_fpel_func(2, 1, 32, avg, _16, avx2); init_fpel_func(1, 1, 64, avg, _16, avx2); init_fpel_func(0, 1, 128, avg, _16, avx2); diff --git a/libavcodec/x86/vp9dsp_init_16bpp_template.c b/libavcodec/x86/vp9dsp_init_16bpp_template.c index 90cdcc9ace..4840b2844e 100644 --- a/libavcodec/x86/vp9dsp_init_16bpp_template.c +++ b/libavcodec/x86/vp9dsp_init_16bpp_template.c @@ -225,7 +225,7 @@ av_cold void INIT_FUNC(VP9DSPContext *dsp, int bitexact) init_lpf_funcs(BPC, avx); } - if (EXTERNAL_AVX2(cpu_flags)) { + if (EXTERNAL_AVX2_FAST(cpu_flags)) { #if HAVE_AVX2_EXTERNAL init_subpel3_32_64(0, put, BPC, avx2); init_subpel3_32_64(1, avg, BPC, avx2); diff --git a/libavutil/x86/float_dsp_init.c b/libavutil/x86/float_dsp_init.c index f211f2396b..c836a78e1b 100644 --- a/libavutil/x86/float_dsp_init.c +++ b/libavutil/x86/float_dsp_init.c 
@@ -92,7 +92,7 @@ av_cold void ff_float_dsp_init_x86(AVFloatDSPContext *fdsp) fdsp->vector_fmul_add = ff_vector_fmul_add_avx; fdsp->vector_fmul_reverse = ff_vector_fmul_reverse_avx; } - if (EXTERNAL_FMA3(cpu_flags) && !(cpu_flags & AV_CPU_FLAG_AVXSLOW)) { + if (EXTERNAL_FMA3_FAST(cpu_flags)) { fdsp->vector_fmac_scalar = ff_vector_fmac_scalar_fma3; fdsp->vector_fmul_add = ff_vector_fmul_add_fma3; } diff --git a/libavutil/x86/lls_init.c b/libavutil/x86/lls_init.c index 9f0d862b0e..1c5dca42dc 100644 --- a/libavutil/x86/lls_init.c +++ b/libavutil/x86/lls_init.c @@ -39,7 +39,7 @@ av_cold void ff_init_lls_x86(LLSModel *m) if (EXTERNAL_AVX_FAST(cpu_flags)) { m->update_lls = ff_update_lls_avx; } - if (EXTERNAL_FMA3(cpu_flags) && !(cpu_flags & AV_CPU_FLAG_AVXSLOW)) { + if (EXTERNAL_FMA3_FAST(cpu_flags)) { m->update_lls = ff_update_lls_fma3; } } diff --git a/libswresample/x86/audio_convert_init.c b/libswresample/x86/audio_convert_init.c index 5e5e91d142..bb89cf604b 100644 --- a/libswresample/x86/audio_convert_init.c +++ b/libswresample/x86/audio_convert_init.c @@ -174,7 +174,7 @@ MULTI_CAPS_FUNC(SSE2, sse2) ac->simd_f = ff_pack_8ch_float_to_int32_a_avx; } } - if(EXTERNAL_AVX2(mm_flags)) { + if(EXTERNAL_AVX2_FAST(mm_flags)) { if( out_fmt == AV_SAMPLE_FMT_S32 && in_fmt == AV_SAMPLE_FMT_FLT || out_fmt == AV_SAMPLE_FMT_S32P && in_fmt == AV_SAMPLE_FMT_FLTP) ac->simd_f = ff_float_to_int32_a_avx2; } diff --git a/libswresample/x86/resample_init.c b/libswresample/x86/resample_init.c index bc444cfb8b..9d7d5cf89e 100644 --- a/libswresample/x86/resample_init.c +++ b/libswresample/x86/resample_init.c @@ -71,7 +71,7 @@ av_cold void swri_resample_dsp_x86_init(ResampleContext *c) c->dsp.resample = c->linear ? ff_resample_linear_float_avx : ff_resample_common_float_avx; } - if (EXTERNAL_FMA3(mm_flags) && !(mm_flags & AV_CPU_FLAG_AVXSLOW)) { + if (EXTERNAL_FMA3_FAST(mm_flags)) { c->dsp.resample = c->linear ? ff_resample_linear_float_fma3 : ff_resample_common_float_fma3; } 
From bd0497b28bc2fac669a6a528579ecf66c817ffc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2016 03:10:09 +0100 Subject: [PATCH 005/942] avcodec/cfhd: Temporary disable frame threading until related bugs have been fixed Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 5c15d9bb04..d6d831b6cf 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -756,6 +756,6 @@ AVCodec ff_cfhd_decoder = { .init = cfhd_decode_init, .close = cfhd_close_decoder, .decode = cfhd_decode, - .capabilities = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_FRAME_THREADS, + .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; From c40983a6f631d22fede713d535bb9c31d5c9740c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2016 03:40:32 +0100 Subject: [PATCH 006/942] fate/source-check.sh: Use "git show" instead of git --version to test for git This fixes fate with non git source trees Signed-off-by: Michael Niedermayer (cherry picked from commit 295de3efc53efa3945c3116b5a910b1464632358) Signed-off-by: Michael Niedermayer --- tests/fate/source-check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/source-check.sh b/tests/fate/source-check.sh index 33affae24d..ac2878d9f7 100755 --- a/tests/fate/source-check.sh +++ b/tests/fate/source-check.sh @@ -2,7 +2,7 @@ cd "$1"/.. -git --version > /dev/null || { cat tests/ref/fate/source ; exit 0; } +git show > /dev/null 2> /dev/null || { cat tests/ref/fate/source ; exit 0; } echo Files without standard license headers: git grep -L -E "This file is part of FFmpeg|This file is part of libswresample|"\ From 0aa2fbddb19035cd715130bc9b7c643e240ed74e Mon Sep 17 00:00:00 2001 
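Review bot: Dropping `AV_CODEC_CAP_FRAME_THREADS` from `.capabilities` leaves no trace in the source of why frame threading is off, so a reader of ff_cfhd_decoder sees a decoder that simply looks non-threadable although the commit message calls this temporary. A comment on the changed line keeps that intent with the code: `.capabilities = AV_CODEC_CAP_DR1, /* FRAME_THREADS disabled until the related threading bugs are fixed */`. `FF_CODEC_CAP_INIT_THREADSAFE` on the next line is unchanged, which looks intended since it concerns init only.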
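Review bot: `git show` succeeds inside any enclosing repository, not only in an FFmpeg checkout, so a source tarball unpacked below some other git working tree would pass the new probe and the `git grep -L` on the following lines would then run in that repository's context instead of printing the reference output. If that layout matters for the FATE hosts this targets, comparing `git rev-parse --show-toplevel` against the current directory would tie the probe to this tree; otherwise the assumption deserves a comment on the changed line, `# assumes the tree is an FFmpeg checkout or not inside any git repository`. The two redirections can also be the single `> /dev/null 2>&1`.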
From: Rostislav Pehlivanov Date: Mon, 15 Feb 2016 12:08:11 +0000 Subject: [PATCH 007/942] vc2enc: fix use of uninitialized variables in the rate control system Fixes: CID1352550 Fixes: CID1352549 Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 7cdea450c67d24a3503a0eb64f491f58e474973f) --- libavcodec/vc2enc.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 5472609efd..f42b10ffef 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -658,7 +658,8 @@ static int rate_control(AVCodecContext *avctx, void *arg) VC2EncContext *s = slice_dat->ctx; const int sx = slice_dat->x; const int sy = slice_dat->y; - int quant_buf[2], bits_buf[2], quant = s->q_start, range = s->q_start/3; + int bits_last = INT_MAX, quant_buf[2] = {-1, -1}; + int quant = s->q_start, range = s->q_start/3; const int64_t top = slice_dat->bits_ceil; const double percent = s->tolerance; const double bottom = top - top*(percent/100.0f); @@ -670,14 +671,13 @@ static int rate_control(AVCodecContext *avctx, void *arg) bits = count_hq_slice(s, sx, sy, quant); range = av_clip(range/2, 1, s->q_ceil); if (quant_buf[1] == quant) { - quant = bits_buf[0] < bits ? quant_buf[0] : quant; - bits = bits_buf[0] < bits ? bits_buf[0] : bits; + quant = bits_last < bits ? quant_buf[0] : quant; + bits = bits_last < bits ? bits_last : bits; break; } quant_buf[1] = quant_buf[0]; quant_buf[0] = quant; - bits_buf[1] = bits_buf[0]; - bits_buf[0] = bits; + bits_last = bits; } slice_dat->quant_idx = av_clip(quant, 0, s->q_ceil); slice_dat->bytes = FFALIGN((bits >> 3), s->size_scaler) + 4 + s->prefix_bytes; From 449ff0e3fd477539dc7b003e1453842de62ba163 Mon Sep 17 00:00:00 2001 
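Review bot: The `quant_buf[2] = {-1, -1}` sentinel in the first hunk relies on `quant` never being -1 inside the loop; otherwise the `quant_buf[1] == quant` test in the second hunk fires spuriously and the search stops early. `quant` starts at `s->q_start` and is clipped to `0..s->q_ceil` only after the loop, and the loop header and the update of `quant` are outside the hunks, so whether it can go negative is not visible here. If it can, clipping inside the loop or using `INT_MIN` as the sentinel would be safer; in any case a comment on the declaration, `/* -1: no quantizer tried yet; bits_last: bit count of the previous try */`, would make the protocol explicit. rate_control starts before the first hunk.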
From: Carl Eugen Hoyos Date: Tue, 23 Feb 2016 15:50:28 +0100 Subject: [PATCH 008/942] postproc: fix unaligned access Based on 59074310 by Andreas Cadhalpun. Fixes ticket #5259. (cherry picked from commit 2aa21eec1adcb3737be59f0eab7081c5a790faa9) --- libpostproc/postprocess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 3b86f93980..1dc719cf93 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -973,7 +973,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; + AV_WN32(c->stdQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F); } for(i<<=2; istdQPTable[i] = QP_store[i]>>1; From b80083a5c17a60ce4edf56fd6bb19b5f439f001a Mon Sep 17 00:00:00 2001 From: Oliver Collyer Date: Sat, 20 Feb 2016 09:33:49 +0200 Subject: [PATCH 009/942] ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from being set correctly which was breaking ffserver streaming. I discovered that ffserver streaming was broken (it seems like it has been since 20th November) and I opened a ticket for this (https://trac.ffmpeg.org/ticket/5250 ). I spent yesterday learning git bisect (with the kind help of cehoyos) to painstakingly track down the cause. This was made more difficult due to the presence of a segfault in ffserver during the period where the bug was introduced so I first had to identify when and how that was fixed and then retrospectively apply that fix again for each step of the second git bisect to find the actual bug. Anyway, the fruits of my labour are the innocent looking patch below to correct a couple of typos and define a valid range for two variables. 
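Review bot: `AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F` relies on `>>` binding tighter than `&`; that is correct but the removed line had the parentheses, and this is exactly the precedence most readers stop to check. `AV_WN32(c->stdQPTable + (i<<2), (AV_RN32(QP_store + (i<<2)) >> 1) & 0x7F7F7F7F);` keeps the grouping explicit. The switch to `AV_RN32`/`AV_WN32` is the right fix, since the QP table pointer is supplied by the caller with no alignment guarantee. The loop that follows in pp_postprocess appears garbled in this copy of the patch (`for(i<<=2; istdQPTable[i]` has lost its condition), which is an artifact of the page, not of the commit.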
Signed-off-by: Michael Niedermayer (cherry picked from commit a2f8beef2dfaee573f7c4a607afaa9e83fc2c1e0) --- ffserver.c | 4 ++-- libavformat/ffmdec.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ffserver.c b/ffserver.c index bc7dbee760..374af99cc7 100644 --- a/ffserver.c +++ b/ffserver.c @@ -373,8 +373,8 @@ static void ffm_set_write_index(AVFormatContext *s, int64_t pos, int64_t file_size) { av_opt_set_int(s, "server_attached", 1, AV_OPT_SEARCH_CHILDREN); - av_opt_set_int(s, "write_index", pos, AV_OPT_SEARCH_CHILDREN); - av_opt_set_int(s, "file_size", file_size, AV_OPT_SEARCH_CHILDREN); + av_opt_set_int(s, "ffm_write_index", pos, AV_OPT_SEARCH_CHILDREN); + av_opt_set_int(s, "ffm_file_size", file_size, AV_OPT_SEARCH_CHILDREN); } static char *ctime1(char *buf2, size_t buf_size) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 41c518f3c7..257319bd06 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -775,8 +775,8 @@ static int ffm_probe(AVProbeData *p) static const AVOption options[] = { {"server_attached", NULL, offsetof(FFMContext, server_attached), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, AV_OPT_FLAG_EXPORT }, - {"ffm_write_index", NULL, offsetof(FFMContext, write_index), AV_OPT_TYPE_INT64, {.i64 = 0}, 0, 1, AV_OPT_FLAG_EXPORT }, - {"ffm_file_size", NULL, offsetof(FFMContext, file_size), AV_OPT_TYPE_INT64, {.i64 = 0}, 0, 1, AV_OPT_FLAG_EXPORT }, + {"ffm_write_index", NULL, offsetof(FFMContext, write_index), AV_OPT_TYPE_INT64, {.i64 = 0}, 0, INT64_MAX, AV_OPT_FLAG_EXPORT }, + {"ffm_file_size", NULL, offsetof(FFMContext, file_size), AV_OPT_TYPE_INT64, {.i64 = 0}, 0, INT64_MAX, AV_OPT_FLAG_EXPORT }, { NULL }, }; From eb46065f4a0855f5ace61b92ea4d3aa1a70603ae Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 2 Mar 2016 11:20:07 +0100 Subject: [PATCH 010/942] doc/utils: fix typo for min() description Signed-off-by: Paul B Mahol (cherry picked from commit bdf474bcff29f5b40fe14f6fa1dbe10e69c73ab7) 
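Review bot: The fix depends on string literals in two files agreeing (`"ffm_write_index"`, `"ffm_file_size"` in `ffm_set_write_index` and in the `options[]` table of ffmdec.c), which is exactly what drifted to cause the bug, and nothing in these hunks prevents a recurrence. Defining the option names once in a header both files include and using that macro in both places would turn a mismatch into a compile error. The two `av_opt_set_int` calls in `ffm_set_write_index` still ignore their return value, so a future mismatch would again be silent; logging a non-zero result with `av_log` at warning level would at least surface it. The `INT64_MAX` upper bound looks right for byte positions and sizes, and the old `0, 1` range is what rejected every real value.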
Signed-off-by: Timothy Gu --- doc/utils.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/utils.texi b/doc/utils.texi index 756c609072..7aea460609 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -869,7 +869,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}. From 9da31a03738f1456020ac164f8982b4367d18536 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 14 Mar 2016 16:33:57 +0100 Subject: [PATCH 011/942] lavf/http: Add httpproxy to the default protocol whitelist. (cherry picked from commit 58fa694978735e30f433f8ede6c7f808b9409919) --- libavformat/http.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index d1b91e23d6..3dad2ef9fb 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1522,7 +1522,7 @@ URLProtocol ff_http_protocol = { .priv_data_size = sizeof(HTTPContext), .priv_data_class = &http_context_class, .flags = URL_PROTOCOL_FLAG_NETWORK, - .default_whitelist = "http,https,tls,rtp,tcp,udp,crypto" + .default_whitelist = "http,https,tls,rtp,tcp,udp,crypto,httpproxy" }; #endif /* CONFIG_HTTP_PROTOCOL */ @@ -1541,7 +1541,7 @@ URLProtocol ff_https_protocol = { .priv_data_size = sizeof(HTTPContext), .priv_data_class = &https_context_class, .flags = URL_PROTOCOL_FLAG_NETWORK, - .default_whitelist = "http,https,tls,rtp,tcp,udp,crypto" + .default_whitelist = "http,https,tls,rtp,tcp,udp,crypto,httpproxy" }; #endif /* CONFIG_HTTPS_PROTOCOL */ From ee7c347935c02507b9a447f0e3d0869927f4c7de Mon Sep 17 00:00:00 2001 
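Review bot: `.default_whitelist` is the list of nested protocols the http/https handlers may open on the caller's behalf, so adding `httpproxy` widens a security-relevant default and should be recorded in the protocol documentation and the Changelog, not only in the commit title; the hunks also do not say why the proxy protocol is now needed. The same literal now appears in both `ff_http_protocol` and `ff_https_protocol`; a single `#define HTTP_DEFAULT_WHITELIST "http,https,tls,rtp,tcp,udp,crypto,httpproxy"` used by both would keep the two from drifting. Both structs continue outside the hunks.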
From: Hendrik Leppkes Date: Wed, 16 Mar 2016 15:23:28 +0100 Subject: [PATCH 012/942] configure: check for SEC_I_CONTEXT_EXPIRED before enabling SChannel Fixes build on mingw32, which lacks this constant. --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 2148f11044..475c087a84 100755 --- a/configure +++ b/configure @@ -5659,7 +5659,7 @@ disabled securetransport || { check_func SecIdentityCreate "-Wl,-framework,CoreF enable securetransport; } disabled schannel || { check_func_headers "windows.h Security.h" InitializeSecurityContext -DSECURITY_WIN32 -lSecur32 && - enable schannel && add_extralibs -lSecur32; } + check_cpp_condition winerror.h "defined(SEC_I_CONTEXT_EXPIRED)" && enable schannel && add_extralibs -lSecur32; } makeinfo --version > /dev/null 2>&1 && enable makeinfo || disable makeinfo enabled makeinfo \ From 20d89a3a32716d0e485e74d43fc202c5a9f18ec8 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 17 Mar 2016 00:50:08 -0300 Subject: [PATCH 013/942] libwebpenc_animencoder: zero initialize the WebPAnimEncoderOptions struct This zeroes the WebPAnimEncoderOptions.verbose field, silencing library info messages printed to stderr. Reviewed-by: James Zern Signed-off-by: James Almer (cherry picked from commit 626b6b769ced6d3e55d2661985ab2a1cb89f481e) --- libavcodec/libwebpenc_animencoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libwebpenc_animencoder.c b/libavcodec/libwebpenc_animencoder.c index d7437a9a57..35c456adef 100644 --- a/libavcodec/libwebpenc_animencoder.c +++ b/libavcodec/libwebpenc_animencoder.c 
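Review bot: The added `check_cpp_condition winerror.h "defined(SEC_I_CONTEXT_EXPIRED)"` carries no comment, so a reader of configure cannot tell why SChannel needs that particular constant; the commit message (mingw32 lacks it) is the only record. A comment on the line above keeps it: `# mingw32 lacks SEC_I_CONTEXT_EXPIRED, which the SChannel code appears to need`. As far as this hunk shows, a failed check drops the TLS backend without a message; if that is not wanted for an explicit --enable-schannel, a warning or `die` in that branch would make the missing symbol visible at configure time rather than at first https use.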
@@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx) int ret = ff_libwebp_encode_init_common(avctx); if (!ret) { LibWebPAnimContext *s = avctx->priv_data; - WebPAnimEncoderOptions enc_options; + WebPAnimEncoderOptions enc_options = { 0 }; WebPAnimEncoderOptionsInit(&enc_options); // TODO(urvang): Expose some options on command-line perhaps. s->enc = WebPAnimEncoderNew(avctx->width, avctx->height, &enc_options); From 373bc77a356ad7e2cd51bd316c03750ad131c8fb Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 17 Mar 2016 01:01:02 -0300 Subject: [PATCH 014/942] libwebpenc_animencoder: print library messages in verbose log levels Reviewed-by: James Zern Signed-off-by: James Almer (cherry picked from commit f875ba48739f59691661393eed1f7cc2371c93f1) --- libavcodec/libwebpenc_animencoder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libwebpenc_animencoder.c b/libavcodec/libwebpenc_animencoder.c index 35c456adef..61ecae8a8a 100644 --- a/libavcodec/libwebpenc_animencoder.c +++ b/libavcodec/libwebpenc_animencoder.c @@ -43,6 +43,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx) LibWebPAnimContext *s = avctx->priv_data; WebPAnimEncoderOptions enc_options = { 0 }; WebPAnimEncoderOptionsInit(&enc_options); + enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE; // TODO(urvang): Expose some options on command-line perhaps. s->enc = WebPAnimEncoderNew(avctx->width, avctx->height, &enc_options); if (!s->enc) From 9e4d297ba74c3cc75cf4b2070b1339a7cf5a05ea Mon Sep 17 00:00:00 2001 From: KO Myung-Hun Date: Mon, 15 Feb 2016 13:16:23 +0900 Subject: [PATCH 015/942] MAINTAINERS: add myself as an OS/2 maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 346ec917646c18fc9e26bddf04bfa8f8f1e2e18f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index e57150da90..0705a6999f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
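Review bot: `WebPAnimEncoderOptionsInit(&enc_options)` is still called without checking its result; if I recall the libwebp API correctly it returns 0 on an ABI-version mismatch, in which case `enc_options` keeps only the zero initializer this hunk adds and `WebPAnimEncoderNew` receives a struct the library may reject or misread. `if (!WebPAnimEncoderOptionsInit(&enc_options)) return AVERROR_EXTERNAL;` (or whatever error convention `ret` in this function follows) would make that failure explicit. The zero initialization itself is a sound belt-and-braces change, since the library call is the real initializer.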
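Review bot: `enc_options.verbose` makes libwebp print its own messages directly to stderr (as the previous commit's message notes), bypassing `av_log` and therefore the application's log callback, so the `av_log_get_level() >= AV_LOG_VERBOSE` gate decides only whether they appear, not where. That is worth a comment on the added line, `// libwebp writes these straight to stderr, not through av_log`, so nobody later expects them in the log callback. If the library offers a message hook, routing through `av_log` would be the better fix, but that is not visible from here; libwebp_anim_encode_init continues outside the hunk.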
@@ -564,6 +564,7 @@ Windows ICL Matthew Oliver ADI/Blackfin DSP Marc Hoffman Sparc Roman Shaposhnik x86 Michael Niedermayer +OS/2 KO Myung-Hun Releases From c3e7a7ef3f8527d1e2e90e937be26b933c9ff24a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 04:15:29 +0100 Subject: [PATCH 016/942] swscale/x86/output: Move code into yuv2planeX_mainloop Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit d07f6e5f1c36be675e0900edba3e40a32f05f0f4) Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 141 +++++++++++++++++++------------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9ea4af9535..9570969cea 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm 
@@ -54,75 +54,7 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- - -%macro yuv2planeX_fn 3 - -%if ARCH_X86_32 -%define cntr_reg fltsizeq -%define movsx mov -%else -%define cntr_reg r7 -%define movsx movsxd -%endif - -cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset -%if %1 == 8 || %1 == 9 || %1 == 10 - pxor m6, m6 -%endif ; %1 == 8/9/10 - -%if %1 == 8 -%if ARCH_X86_32 -%assign pad 0x2c - (stack_offset & 15) - SUB rsp, pad -%define m_dith m7 -%else ; x86-64 -%define m_dith m9 -%endif ; x86-32 - - ; create registers holding dither - movq m_dith, [ditherq] ; dither - test offsetd, offsetd - jz .no_rot -%if mmsize == 16 - punpcklqdq m_dith, m_dith -%endif ; mmsize == 16 - PALIGNR m_dith, m_dith, 3, m0 -.no_rot: -%if mmsize == 16 - punpcklbw m_dith, m6 -%if ARCH_X86_64 - punpcklwd m8, m_dith, m6 - pslld m8, 12 -%else ; x86-32 - punpcklwd m5, m_dith, m6 - pslld m5, 12 -%endif ; x86-32/64 - punpckhwd m_dith, m6 - pslld m_dith, 12 -%if ARCH_X86_32 - mova [rsp+ 0], m5 - mova [rsp+16], m_dith -%endif -%else ; mmsize == 8 - punpcklbw m5, m_dith, m6 - punpckhbw m_dith, m6 - punpcklwd m4, m5, m6 - punpckhwd m5, m6 - punpcklwd m3, m_dith, m6 - punpckhwd m_dith, m6 - pslld m4, 12 - pslld m5, 12 - pslld m3, 12 - pslld m_dith, 12 - mova [rsp+ 0], m4 - mova [rsp+ 8], m5 - mova [rsp+16], m3 - mova [rsp+24], m_dith -%endif ; mmsize == 8/16 -%endif ; %1 == 8 - - xor r5, r5 - +%macro yuv2planeX_mainloop 1 .pixelloop: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers 
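Review bot: `yuv2planeX_mainloop` is now a separate macro, but its body still depends on `cntr_reg` and `movsx` being `%define`d, on `srcq`/`dstq`/`fltsizem` from the `cglobal` line, and on `r5` having been zeroed as the pixel counter, all of which `yuv2planeX_fn` sets up just before the invocation in the second hunk. A comment above `%macro yuv2planeX_mainloop 1` stating that contract, e.g. `; only valid inside yuv2planeX_fn after the dither setup; expects r5 == 0 and cntr_reg/movsx defined`, would document what the move hides. Nothing else in the extracted loop looks changed, which is what a pure move should be.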
@@ -233,6 +165,77 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset %assign %%i %%i+2 %endrep jg .pixelloop +%endmacro + +%macro yuv2planeX_fn 3 + +%if ARCH_X86_32 +%define cntr_reg fltsizeq +%define movsx mov +%else +%define cntr_reg r7 +%define movsx movsxd +%endif + +cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset +%if %1 == 8 || %1 == 9 || %1 == 10 + pxor m6, m6 +%endif ; %1 == 8/9/10 + +%if %1 == 8 +%if ARCH_X86_32 +%assign pad 0x2c - (stack_offset & 15) + SUB rsp, pad +%define m_dith m7 +%else ; x86-64 +%define m_dith m9 +%endif ; x86-32 + + ; create registers holding dither + movq m_dith, [ditherq] ; dither + test offsetd, offsetd + jz .no_rot +%if mmsize == 16 + punpcklqdq m_dith, m_dith +%endif ; mmsize == 16 + PALIGNR m_dith, m_dith, 3, m0 +.no_rot: +%if mmsize == 16 + punpcklbw m_dith, m6 +%if ARCH_X86_64 + punpcklwd m8, m_dith, m6 + pslld m8, 12 +%else ; x86-32 + punpcklwd m5, m_dith, m6 + pslld m5, 12 +%endif ; x86-32/64 + punpckhwd m_dith, m6 + pslld m_dith, 12 +%if ARCH_X86_32 + mova [rsp+ 0], m5 + mova [rsp+16], m_dith +%endif +%else ; mmsize == 8 + punpcklbw m5, m_dith, m6 + punpckhbw m_dith, m6 + punpcklwd m4, m5, m6 + punpckhwd m5, m6 + punpcklwd m3, m_dith, m6 + punpckhwd m_dith, m6 + pslld m4, 12 + pslld m5, 12 + pslld m3, 12 + pslld m_dith, 12 + mova [rsp+ 0], m4 + mova [rsp+ 8], m5 + mova [rsp+16], m3 + mova [rsp+24], m_dith +%endif ; mmsize == 8/16 +%endif ; %1 == 8 + + xor r5, r5 + +yuv2planeX_mainloop %1 %if %1 == 8 %if ARCH_X86_32 From be5acd6cb1f3437377512bf5683c4998267395e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 00:14:56 +0100 Subject: [PATCH 017/942] swscale/x86/output: Fix yuv2planeX_16* with unaligned destination Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit f6492a2ea8df80be0ed9591aee4019cef0e36e99) 
Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9570969cea..133817cb71 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -54,8 +54,8 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- -%macro yuv2planeX_mainloop 1 -.pixelloop: +%macro yuv2planeX_mainloop 2 +.pixelloop_%2: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers ; 8 pixels but we can only handle 2 pixels per register, and thus 4 @@ -82,7 +82,7 @@ SECTION .text mova m2, m1 %endif ; %1 == 8/9/10/16 movsx cntr_reg, fltsizem -.filterloop_ %+ %%i: +.filterloop_%2_ %+ %%i: ; input pixels mov r6, [srcq+gprsize*cntr_reg-2*gprsize] %if %1 == 16 @@ -129,7 +129,7 @@ SECTION .text %endif ; %1 == 8/9/10/16 sub cntr_reg, 2 - jg .filterloop_ %+ %%i + jg .filterloop_%2_ %+ %%i %if %1 == 16 psrad m2, 31 - %1 @@ -156,7 +156,7 @@ SECTION .text %endif ; mmxext/sse2/sse4/avx pminsw m2, [yuv2yuvX_%1_upper] %endif ; %1 == 9/10/16 - mova [dstq+r5*2], m2 + mov%2 [dstq+r5*2], m2 %endif ; %1 == 8/9/10/16 add r5, mmsize/2 @@ -164,7 +164,7 @@ SECTION .text %assign %%i %%i+2 %endrep - jg .pixelloop + jg .pixelloop_%2 %endmacro %macro yuv2planeX_fn 3 @@ -235,7 +235,16 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset xor r5, r5 -yuv2planeX_mainloop %1 +%if mmsize == 8 || %1 == 8 + yuv2planeX_mainloop %1, a +%else ; mmsize == 16 + test dstq, 15 + jnz .unaligned + yuv2planeX_mainloop %1, a + REP_RET +.unaligned: + yuv2planeX_mainloop %1, u +%endif ; mmsize == 8/16 %if %1 == 8 %if ARCH_X86_32 From c4765a41b956f15b855746a8fe91309e087431f4 Mon Sep 17 00:00:00 2001 
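Review bot: The `REP_RET` after the aligned `yuv2planeX_mainloop %1, a` returns from the middle of the function, skipping whatever follows the `%endif`; that is only correct because the `%else` branch is taken solely when `%1 != 8`, so the `%1 == 8` epilogue (presumably the matching `ADD rsp, pad` for the x86-32 `SUB rsp, pad` in the setup) never applies there, and it assumes the tail for other depths is just the return. The two `%if` conditions are far enough apart that the coupling deserves a comment next to the `REP_RET`, e.g. `; early return is safe: %1 != 8 here, so no rsp pad to undo`. `test dstq, 15` checks only the initial pointer, which suffices because every store is at `[dstq+r5*2]` with `r5` advancing by `mmsize/2`, keeping each store a multiple of mmsize from dstq; yuv2planeX_fn continues outside the hunk.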
From: Michael Niedermayer Date: Fri, 19 Feb 2016 01:31:16 +0100 Subject: [PATCH 018/942] avcodec/h264: Execute error concealment before marking the frame as done. Fixes race condition causing artifacts Fixes Ticket4122 Signed-off-by: Michael Niedermayer (cherry picked from commit 98a0053d0f90e3309dc1038b1bae3a48bbd9067c) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 41 +++++++++++++++++++++++++++++++++++++++ libavcodec/h264_picture.c | 41 --------------------------------------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index fe8d44e3bd..f1399b886a 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -1678,6 +1678,47 @@ again: ret = 0; end: + +#if CONFIG_ERROR_RESILIENCE + sl = h->slice_ctx; + /* + * FIXME: Error handling code does not seem to support interlaced + * when slices span multiple rows + * The ff_er_add_slice calls don't work right for bottom + * fields; they cause massive erroneous error concealing + * Error marking covers both fields (top and bottom). + * This causes a mismatched s->error_count + * and a bad error table. Further, the error count goes to + * INT_MAX when called for bottom field, because mb_y is + * past end by one (callers fault) and resync_mb_y != 0 + * causes problems for the first MB line, too. + */ + if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new && h->enable_er) { + int use_last_pic = h->last_pic_for_ec.f->buf[0] && !sl->ref_count[0]; + + ff_h264_set_erpic(&sl->er.cur_pic, h->cur_pic_ptr); + + if (use_last_pic) { + ff_h264_set_erpic(&sl->er.last_pic, &h->last_pic_for_ec); + sl->ref_list[0][0].parent = &h->last_pic_for_ec; + memcpy(sl->ref_list[0][0].data, h->last_pic_for_ec.f->data, sizeof(sl->ref_list[0][0].data)); + memcpy(sl->ref_list[0][0].linesize, h->last_pic_for_ec.f->linesize, sizeof(sl->ref_list[0][0].linesize)); + sl->ref_list[0][0].reference = h->last_pic_for_ec.reference; + } else if (sl->ref_count[0]) { + ff_h264_set_erpic(&sl->er.last_pic, sl->ref_list[0][0].parent); + } else + ff_h264_set_erpic(&sl->er.last_pic, NULL); + + if (sl->ref_count[1]) + ff_h264_set_erpic(&sl->er.next_pic, sl->ref_list[1][0].parent); + + sl->er.ref_count = sl->ref_count[0]; + + ff_er_frame_end(&sl->er); + if (use_last_pic) + memset(&sl->ref_list[0][0], 0, sizeof(sl->ref_list[0][0])); + } +#endif /* CONFIG_ERROR_RESILIENCE */ /* clean up */ if (h->cur_pic_ptr && !h->droppable) { ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, diff --git a/libavcodec/h264_picture.c b/libavcodec/h264_picture.c index 731d780e67..c4b17c03c9 100644 --- a/libavcodec/h264_picture.c +++ b/libavcodec/h264_picture.c 
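Review bot: The relocated error-concealment block sits after the `end:` label with no comment saying why it must run before the `ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, ...)` call just below it, which is the entire reason for the move; a line such as `/* conceal errors before the frame is reported complete, otherwise other threads can read unconcealed data */` above `#if CONFIG_ERROR_RESILIENCE` would keep the ordering from being undone by a later cleanup. `sl = h->slice_ctx;` replaces the `av_assert0(sl == h->slice_ctx)` that guarded the old location in `ff_h264_field_end`, so the block now rebinds a variable of the enclosing function (which starts outside the hunk); if `sl` is used after `end:` for anything else that is a behaviour change worth checking. The condition `h->current_slice && !h->sps.new && h->enable_er` is trusted to imply a valid `h->cur_pic_ptr`, while the cleanup directly below checks `h->cur_pic_ptr` explicitly; `ff_h264_set_erpic` is deliberately passed `NULL` elsewhere in the block so it presumably tolerates a null picture, but the asymmetry deserves either a comment or an explicit `h->cur_pic_ptr &&` in the condition.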
@@ -186,47 +186,6 @@ int ff_h264_field_end(H264Context *h, H264SliceContext *sl, int in_setup) ff_vdpau_h264_picture_complete(h); #endif -#if CONFIG_ERROR_RESILIENCE - av_assert0(sl == h->slice_ctx); - /* - * FIXME: Error handling code does not seem to support interlaced - * when slices span multiple rows - * The ff_er_add_slice calls don't work right for bottom - * fields; they cause massive erroneous error concealing - * Error marking covers both fields (top and bottom). - * This causes a mismatched s->error_count - * and a bad error table. Further, the error count goes to - * INT_MAX when called for bottom field, because mb_y is - * past end by one (callers fault) and resync_mb_y != 0 - * causes problems for the first MB line, too. - */ - if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new && h->enable_er) { - int use_last_pic = h->last_pic_for_ec.f->buf[0] && !sl->ref_count[0]; - - ff_h264_set_erpic(&sl->er.cur_pic, h->cur_pic_ptr); - - if (use_last_pic) { - ff_h264_set_erpic(&sl->er.last_pic, &h->last_pic_for_ec); - sl->ref_list[0][0].parent = &h->last_pic_for_ec; - memcpy(sl->ref_list[0][0].data, h->last_pic_for_ec.f->data, sizeof(sl->ref_list[0][0].data)); - memcpy(sl->ref_list[0][0].linesize, h->last_pic_for_ec.f->linesize, sizeof(sl->ref_list[0][0].linesize)); - sl->ref_list[0][0].reference = h->last_pic_for_ec.reference; - } else if (sl->ref_count[0]) { - ff_h264_set_erpic(&sl->er.last_pic, sl->ref_list[0][0].parent); - } else - ff_h264_set_erpic(&sl->er.last_pic, NULL); - - if (sl->ref_count[1]) - ff_h264_set_erpic(&sl->er.next_pic, sl->ref_list[1][0].parent); - - sl->er.ref_count = sl->ref_count[0]; - - ff_er_frame_end(&sl->er); - if (use_last_pic) - memset(&sl->ref_list[0][0], 0, sizeof(sl->ref_list[0][0])); - } -#endif /* CONFIG_ERROR_RESILIENCE */ - if (!in_setup && !h->droppable) ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, h->picture_structure == PICT_BOTTOM_FIELD); 
From bd79dbfa2b8f3c9c183c39dc35cada90500dac97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Feb 2016 03:31:34 +0100 Subject: [PATCH 019/942] avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats Signed-off-by: Michael Niedermayer (cherry picked from commit 1ec7a703806049265991723a8826bd61555edef4) Signed-off-by: Michael Niedermayer --- libavutil/pixdesc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index 58833cfb8e..dd7de7ee25 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -2275,6 +2275,7 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum AVPixelFormat pix_fmt) #define FF_COLOR_GRAY 1 /**< gray color space */ #define FF_COLOR_YUV 2 /**< YUV color space. 16 <= Y <= 235, 16 <= U, V <= 240 */ #define FF_COLOR_YUV_JPEG 3 /**< YUV color space. 0 <= Y <= 255, 0 <= U, V <= 255 */ +#define FF_COLOR_XYZ 4 #define pixdesc_has_alpha(pixdesc) \ ((pixdesc)->nb_components == 2 || (pixdesc)->nb_components == 4 || (pixdesc)->flags & AV_PIX_FMT_FLAG_PAL) @@ -2290,6 +2291,9 @@ static int get_color_type(const AVPixFmtDescriptor *desc) { if(desc->name && !strncmp(desc->name, "yuvj", 4)) return FF_COLOR_YUV_JPEG; + if(desc->name && !strncmp(desc->name, "xyz", 3)) + return FF_COLOR_XYZ; + if(desc->flags & AV_PIX_FMT_FLAG_RGB) return FF_COLOR_RGB; From ca5c6394461eec5dda1fea6d82dda2e891c44ab1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:14:03 +0100 Subject: [PATCH 020/942] swscale/input: Fix GBRAP16 input Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit df36257a53561a51af969a6ea6319dd2579509b9) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libswscale/input.c b/libswscale/input.c index 1df84a9865..ac76aee7f7 100644 --- a/libswscale/input.c +++ b/libswscale/input.c 
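Review bot: `#define FF_COLOR_XYZ 4` is the only entry in the list without the `/**< ... */` description its siblings carry; `#define FF_COLOR_XYZ 4 /**< CIE XYZ color space */` keeps the block consistent. In `get_color_type` the new `strncmp(desc->name, "xyz", 3)` test is placed before the `AV_PIX_FMT_FLAG_RGB` check, and that order is load-bearing if the xyz formats are flagged RGB in this file's descriptor table (they appear to be, but the table is outside the hunk); a comment such as `/* must precede the RGB flag test: xyz formats carry AV_PIX_FMT_FLAG_RGB */` records the dependency. Classifying by name prefix is more brittle than a descriptor flag, but it matches the existing `yuvj` check, so it is at least consistent with the surrounding code.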
@@ -885,6 +885,19 @@ static av_always_inline void planar_rgb16_to_y(uint8_t *_dst, const uint8_t *_sr } } +static av_always_inline void planar_rgb16_to_a(uint8_t *_dst, const uint8_t *_src[4], + int width, int bpc, int is_be, int32_t *rgb2yuv) +{ + int i; + const uint16_t **src = (const uint16_t **)_src; + uint16_t *dst = (uint16_t *)_dst; + int shift = bpc < 16 ? bpc : 14; + + for (i = 0; i < width; i++) { + dst[i] = rdpx(src[3] + i) << (14 - shift); + } +} + static av_always_inline void planar_rgb16_to_uv(uint8_t *_dstU, uint8_t *_dstV, const uint8_t *_src[4], int width, int bpc, int is_be, int32_t *rgb2yuv) @@ -913,6 +926,11 @@ static void planar_rgb##nbits##endian_name##_to_y(uint8_t *dst, const uint8_t *s { \ planar_rgb16_to_y(dst, src, w, nbits, endian, rgb2yuv); \ } \ +static void planar_rgb##nbits##endian_name##_to_a(uint8_t *dst, const uint8_t *src[4], \ + int w, int32_t *rgb2yuv) \ +{ \ + planar_rgb16_to_a(dst, src, w, nbits, endian, rgb2yuv); \ +} \ static void planar_rgb##nbits##endian_name##_to_uv(uint8_t *dstU, uint8_t *dstV, \ const uint8_t *src[4], int w, int32_t *rgb2yuv) \ { \ @@ -1248,6 +1266,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14le_to_y; break; case AV_PIX_FMT_GBRAP16LE: + c->readAlpPlanar = planar_rgb16le_to_a; case AV_PIX_FMT_GBRP16LE: c->readLumPlanar = planar_rgb16le_to_y; break; @@ -1264,6 +1283,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14be_to_y; break; case AV_PIX_FMT_GBRAP16BE: + c->readAlpPlanar = planar_rgb16be_to_a; case AV_PIX_FMT_GBRP16BE: c->readLumPlanar = planar_rgb16be_to_y; break; From fb8676eb1cdd3891b266a1150e52138cf4496cc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:48:11 +0100 Subject: [PATCH 021/942] swscale/utils: Fix chrSrcHSubSample for GBRAP16 Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit 67e5bd0c501f7568fc8d93284d0f7eb40663ab06) 
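Review bot: In `ff_sws_init_input_funcs` the new `c->readAlpPlanar = planar_rgb16le_to_a;` under `case AV_PIX_FMT_GBRAP16LE:` falls through into `case AV_PIX_FMT_GBRP16LE:` without a marker, and the BE hunk does the same; add `/* fallthrough */` after each assignment so readers and -Wimplicit-fallthrough do not take it for a missing `break`. In `planar_rgb16_to_a`, `int shift = bpc < 16 ? bpc : 14;` followed by `<< (14 - shift)` means 16-bit alpha passes through unscaled while lower depths are promoted to 14 bits; that mirrors `planar_rgb16_to_y` above it, but a comment saying so (`/* 16-bit stays 16-bit, lower depths are scaled to 14-bit, matching planar_rgb16_to_y */`) would stop someone "fixing" the apparent inconsistency. `rgb2yuv` is unused in `planar_rgb16_to_a` and is presumably only there so the generator macro can call all three helpers with one signature, which could be noted on the parameter.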
Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index ef4241ac37..0beb7538cb 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1354,6 +1354,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcFormat != AV_PIX_FMT_GBRP12BE && srcFormat != AV_PIX_FMT_GBRP12LE && srcFormat != AV_PIX_FMT_GBRP14BE && srcFormat != AV_PIX_FMT_GBRP14LE && srcFormat != AV_PIX_FMT_GBRP16BE && srcFormat != AV_PIX_FMT_GBRP16LE && + srcFormat != AV_PIX_FMT_GBRAP16BE && srcFormat != AV_PIX_FMT_GBRAP16LE && ((dstW >> c->chrDstHSubSample) <= (srcW >> 1) || (flags & SWS_FAST_BILINEAR))) c->chrSrcHSubSample = 1; From 0d7343f8ddf69950de5ce53d203f5d3394256dc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Feb 2016 18:10:23 +0100 Subject: [PATCH 022/942] avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg Fixes: ebd58db6-dc86-11e5-91c2-59daeddf50c7.jpg Signed-off-by: Michael Niedermayer (cherry picked from commit c6f4720b8664e6e22eb5b3da6bb48ed5b113f746) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 69c9cf3626..bce5496fca 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -1381,12 +1381,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, return AVERROR_INVALIDDATA; } - if (!Al) { - // s->coefs_finished is a bitmask for coefficients coded - // ss and se are parameters telling start and end coefficients - s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss); - last_scan = !~s->coefs_finished[c]; - } + // s->coefs_finished is a bitmask for coefficients coded + // ss and se are parameters telling start and end coefficients + s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss); + last_scan = !Al && !~s->coefs_finished[c]; if (s->interlaced && s->bottom_field) data += linesize >> 1; From bf8f2fae2ad8498496e21de82299c5d777b03d04 Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Thu, 18 Feb 2016 12:57:37 -0600 Subject: [PATCH 023/942] lavf/mov: fix sidx with edit lists (cherry picked from commit 3617e69d50dd9dd07b5011dfb9477a9d1a630354) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 149e3b4a0e..c5e0a1eb17 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3609,7 +3609,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) } av_log(c->fc, AV_LOG_DEBUG, "calculated into dts %"PRId64"\n", dts); } else { - dts = frag->time; + dts = frag->time - sc->time_offset; av_log(c->fc, AV_LOG_DEBUG, "found frag time %"PRId64 ", using it for dts\n", dts); } From 3b179b630253466b325b44fd6355a4c8d3548b62 Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Mon, 22 Feb 2016 18:34:01 -0600 Subject: [PATCH 024/942] lavf/mov: downgrade sidx errors to non-fatal warnings; fixes trac #5216 (cherry picked from commit 22dbc1caaf13e4bb17c9e0164a5b1ccaf490e428) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c5e0a1eb17..0408ad164f 100644 --- a/libavformat/mov.c 
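Review bot: The change lets refinement scans (`Al != 0`) contribute to `s->coefs_finished[c]` while keeping the `!Al` condition only on `last_scan`, but the retained comment still describes the mask purely in terms of `ss`/`se` and says nothing about why successive-approximation passes now count; a line such as `// refinement scans also mark their band, so a band whose final pass has Al != 0 still completes` (presumably what the sample named in the subject exercises) would explain the asymmetry between the two statements. Nothing in the hunk bounds `ss`/`se`: `(2ULL << se)` with `se == 63` wraps to 0 and the subtraction still yields the right mask, but `se > 63` is undefined behaviour, so the range check that presumably precedes the `return AVERROR_INVALIDDATA;` at the top of the hunk is what keeps this sound and could be referenced in the comment.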
+++ b/libavformat/mov.c @@ -3666,7 +3666,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) version = avio_r8(pb); if (version > 1) { avpriv_request_sample(c->fc, "sidx version %u", version); - return AVERROR_PATCHWELCOME; + return 0; } avio_rb24(pb); // flags @@ -3679,8 +3679,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } if (!st) { - av_log(c->fc, AV_LOG_ERROR, "could not find corresponding track id %d\n", track_id); - return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_WARNING, "could not find corresponding track id %d\n", track_id); + return 0; } sc = st->priv_data; From b4be953c559699986c63c68e2c2e9e927201d4c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Mar 2016 14:09:23 +0100 Subject: [PATCH 025/942] avformat/cache: Fix memleak of tree entries Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 554f6e930ce05a4c5449efcaae36bdafe2d9de74) Signed-off-by: Michael Niedermayer --- libavformat/cache.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/cache.c b/libavformat/cache.c index 8e8b9e8412..8aed37eb2d 100644 --- a/libavformat/cache.c +++ b/libavformat/cache.c @@ -283,6 +283,12 @@ resolve_eof: return ret; } +static int enu_free(void *opaque, void *elem) +{ + av_free(elem); + return 0; +} + static int cache_close(URLContext *h) { Context *c= h->priv_data; @@ -292,6 +298,7 @@ static int cache_close(URLContext *h) close(c->fd); ffurl_close(c->inner); + av_tree_enumerate(c->root, NULL, NULL, enu_free); av_tree_destroy(c->root); return 0; From 27a61302b792f765e7893f63853fc887c7bc2cf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Mar 2016 21:58:16 +0100 Subject: [PATCH 026/942] fate/aac: Increase fuzz from of fate-aac-pns-encode from 72 to 74 for Loongson Signed-off-by: Michael Niedermayer (cherry picked from commit c78a7267175a3d1e07b88be42f949f95124925e3) 
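Review bot: Both `return 0;` exits added to `mov_read_sidx` leave `pb` positioned partway through the atom (after the version byte, or after the track-id search), so correct parsing of what follows now depends on the caller skipping the remainder of the `sidx` box; that is presumably what the generic atom reader does for every handler, but it is outside the hunk and a comment such as `/* ignore this sidx; the caller skips to the end of the atom */` at each early return would make the assumption visible. Downgrading a malformed or unsupported index from fatal to a warning is a reasonable robustness choice for an optional box, but the `AV_LOG_WARNING` message could also say that seeking through this index will be unavailable, which is the user-visible consequence.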
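Review bot: `enu_free` releases every element with `av_free` before `av_tree_destroy(c->root)` frees the nodes, and that order is the whole point, yet neither line carries a comment; `/* av_tree_destroy frees only the nodes, the entry payloads are ours to free first */` above the `av_tree_enumerate` call would keep the two lines from being reordered or the enumerate call dropped again. `enu_free` ignores `opaque` and always returns 0, which fits the enumerate-callback contract, but it assumes every element was allocated with the `av_malloc` family; that appears to match how entries are inserted elsewhere in this file, though that code is outside the hunk.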
Signed-off-by: Michael Niedermayer --- tests/fate/aac.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/aac.mak b/tests/fate/aac.mak index 8d1e30368b..324b05d4f5 100644 --- a/tests/fate/aac.mak +++ b/tests/fate/aac.mak @@ -175,7 +175,7 @@ fate-aac-pns-encode: REF = $(SAMPLES)/audio-reference/luckynight_2ch_44kHz_s16.w fate-aac-pns-encode: CMP_SHIFT = -4096 fate-aac-pns-encode: CMP_TARGET = 616 fate-aac-pns-encode: SIZE_TOLERANCE = 3560 -fate-aac-pns-encode: FUZZ = 72 +fate-aac-pns-encode: FUZZ = 74 FATE_AAC_ENCODE += fate-aac-tns-encode fate-aac-tns-encode: CMD = enc_dec_pcm adts wav s16le $(TARGET_SAMPLES)/audio-reference/luckynight_2ch_44kHz_s16.wav -c:a aac -aac_tns 1 -aac_is 0 -aac_pns 0 -aac_ms 0 -b:a 128k -cutoff 22050 -fflags +bitexact -flags +bitexact From da6ccfe18ebbe7af41ba07edd64b6d1b8650ced2 Mon Sep 17 00:00:00 2001 From: foo86 Date: Wed, 2 Mar 2016 22:31:10 +0300 Subject: [PATCH 027/942] avcodec/dca: clear X96 channels if nothing was decoded The first X96 channel set can have more channels than core, causing X96 decoding to be skipped. Clear the number of decoded X96 channels to zero in this rudimentary case. Signed-off-by: Michael Niedermayer (cherry picked from commit db44b599805fdd96940cf2e5a336f872648bbda1) Signed-off-by: Michael Niedermayer --- libavcodec/dca_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca_core.c b/libavcodec/dca_core.c index 48a8f618f7..d9f1a4ca76 100644 --- a/libavcodec/dca_core.c +++ b/libavcodec/dca_core.c @@ -1760,6 +1760,7 @@ static int parse_x96_frame_exss(DCACoreDecoder *s) return ret; // Channel set data + s->x96_nchannels = 0; for (i = 0, x96_base_ch = 0; i < x96_nchsets; i++) { header_pos = get_bits_count(&s->gb); From 56c4dca5ae7831a972fda57596c8fee8fa2b0451 Mon Sep 17 00:00:00 2001 
From: Boris Nagels Date: Sun, 6 Mar 2016 16:31:36 +0100 Subject: [PATCH 028/942] avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT RTCP synchronization packet was broken since commit in ffmpeg version > 2.8.3 (commit: e04b039b1528f4c7df5c2b93865651bfea168a19) Since this commit (2e814d0329aded98c811d0502839618f08642685) "rtpenc: Simplify code by introducing a macro for rescaling NTP timestamps", NTP_TO_RTP_FORMAT uses av_rescale_rnd() function to add the data to the packet. This causes an overflow in the av_rescale_rnd() function and it will return INT64_MIN. Causing the NTP stamp in the RTCP packet to have an invalid value. Github: Closes #182 Reverting commit '2e814d0329aded98c811d0502839618f08642685' solves the problem. (cherry picked from commit 1109ed7973c7fd1e7001898adc4976590d862122) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index 31569d60b7..00b69f5765 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c @@ -271,7 +271,8 @@ static void rtcp_send_sr(AVFormatContext *s1, int64_t ntp_time, int bye) avio_w8(s1->pb, RTCP_SR); avio_wb16(s1->pb, 6); /* length in words - 1 */ avio_wb32(s1->pb, s->ssrc); - avio_wb64(s1->pb, NTP_TO_RTP_FORMAT(ntp_time)); + avio_wb32(s1->pb, ntp_time / 1000000); + avio_wb32(s1->pb, ((ntp_time % 1000000) << 32) / 1000000); avio_wb32(s1->pb, rtp_ts); avio_wb32(s1->pb, s->packet_count); avio_wb32(s1->pb, s->octet_count); From 756f4b586ae758f11d4b115e5b4595cdef1d3af3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Mar 2016 02:42:10 +0100 Subject: [PATCH 029/942] avformat/utils: fix dts from pts code in compute_pkt_fields() during ascending delay Signed-off-by: Michael Niedermayer (cherry picked from commit de1de4932419d0fb49c9c23f62e68cdbe90d0ee3) 
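Review bot: `((ntp_time % 1000000) << 32) / 1000000` left-shifts a signed `int64_t`; if `ntp_time` were ever negative the remainder is negative and shifting it is undefined behaviour, and even for positive input the expression reads as an overflow hazard until one notices the remainder is below 2^20. `avio_wb32(s1->pb, ((uint64_t)(ntp_time % 1000000) << 32) / 1000000);` makes the arithmetic unsigned and self-evidently in range. The replaced `NTP_TO_RTP_FORMAT` overflowed because `av_rescale_rnd` scaled the full 64-bit timestamp by 2^32 before dividing, so a short comment on why the two fields are now computed by hand (`/* seconds, then fraction scaled to 2^32; rescaling the whole value overflows */`) would stop the macro from being reintroduced. Truncating `ntp_time / 1000000` to 32 bits is the NTP wire format, not a defect.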
Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- tests/ref/fate/mkv | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 129a49d699..3aa5beb6b1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1186,12 +1186,13 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, } } - if (pkt->pts != AV_NOPTS_VALUE && delay <= MAX_REORDER_DELAY && has_decode_delay_been_guessed(st)) { + if (pkt->pts != AV_NOPTS_VALUE && delay <= MAX_REORDER_DELAY) { st->pts_buffer[0] = pkt->pts; for (i = 0; ipts_buffer[i] > st->pts_buffer[i + 1]; i++) FFSWAP(int64_t, st->pts_buffer[i], st->pts_buffer[i + 1]); - pkt->dts = select_from_pts_buffer(st, st->pts_buffer, pkt->dts); + if(has_decode_delay_been_guessed(st)) + pkt->dts = select_from_pts_buffer(st, st->pts_buffer, pkt->dts); } // We skipped it above so we try here. if (!onein_oneout) diff --git a/tests/ref/fate/mkv b/tests/ref/fate/mkv index aea378a881..765798cbfe 100644 --- a/tests/ref/fate/mkv +++ b/tests/ref/fate/mkv @@ -25,9 +25,9 @@ 1, 264, 264, 21, 609, 0xc0dc255c 1, 285, 285, 21, 619, 0x9ac52dd1 0, 292, 292, 41, 16751, 0xf293ab46, F=0x0 -0, 292, 417, 41, 22029, 0x3696462b, F=0x0 1, 306, 306, 21, 574, 0xf6410d4d 1, 327, 327, 22, 565, 0xfd561191 +0, 334, 417, 41, 22029, 0x3696462b, F=0x0 1, 350, 350, 21, 713, 0x48425147 1, 371, 371, 21, 537, 0x09bbf515 0, 375, 375, 41, 5044, 0xa0344ae6, F=0x0 From 64f2b48be062f885b9bdc9573c9bdb5ba009d905 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jan 2016 22:13:14 +0100 Subject: [PATCH 030/942] avformat/concatdec: set safe mode to enabled instead of auto This is safer, as a selected demuxer could still mean that it was auto-detected by a user application Reviewed-previously-by: Nicolas George Reviewed-previously-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 689211d5727231c3fe92762d224dbadebdbf4e30) 
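Review bot: The new line `if(has_decode_delay_been_guessed(st))` is written `if(` while every other conditional in the hunk uses `if (`; `if (has_decode_delay_been_guessed(st))` keeps the file's spacing. The restructuring means `st->pts_buffer` is now kept sorted even before the decode delay is known, which is the fix, but nothing at the site says so; a comment such as `/* maintain the pts buffer while the delay is still being guessed, so dts can be derived as soon as it is known */` would document the intent. The inner sort loop's condition is printed as `ipts_buffer[i]` in this rendering, which looks like extraction damage rather than source but is worth checking against the actual file; the enclosing `compute_pkt_fields` starts before the hunk.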
Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 6 ++++-- libavformat/concatdec.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 6b5f8bba15..3947bf640f 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -104,7 +104,7 @@ All subsequent file-related directives apply to that file. @item @code{ffconcat version 1.0} Identify the script type and version. It also sets the @option{safe} option -to 1 if it was to its default -1. +to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must appears exactly as is (no extra space or byte-order-mark) on the very first @@ -192,7 +192,9 @@ component. If set to 0, any file name is accepted. -The default is -1, it is equivalent to 1 if the format was automatically +The default is 1. + +-1 is equivalent to 1 if the format was automatically probed and 0 otherwise. @item auto_convert diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index d226e1504e..de7b89a28f 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -710,7 +710,7 @@ static int concat_seek(AVFormatContext *avf, int stream, static const AVOption options[] = { { "safe", "enable safe mode", - OFFSET(safe), AV_OPT_TYPE_BOOL, {.i64 = -1}, -1, 1, DEC }, + OFFSET(safe), AV_OPT_TYPE_BOOL, {.i64 = 1}, -1, 1, DEC }, { "auto_convert", "automatically convert bitstream format", OFFSET(auto_convert), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, DEC }, { "segment_time_metadata", "output file segment start time and duration as packet metadata", From 934bc32accaefd764a2a815c19462c6fbe5d1f79 Mon Sep 17 00:00:00 2001 
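Review bot: The default of `safe` moves from `-1` to `1` but the option's help string stays `"enable safe mode"`, which does not tell a user what the mode restricts; given the texi text in the same commit, something like `"enable safe mode (restrict which file names a script may reference)"` would carry the meaning into `-h` output. The option still admits `-1`, and the updated texi now describes that value only after the default, so the automatic behaviour remains reachable for callers that set it explicitly; a brief `/* -1 keeps the old probe-dependent behaviour for callers that opt in */` next to the range would make that intentional rather than a leftover.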
From: Martin Cracauer Date: Tue, 1 Dec 2015 17:59:36 -0500 Subject: [PATCH 031/942] avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing Trying to make heads and tails out of DTS 6.1 I can across this typo. I also noticed that this wiki page is incorrect or misleading, the channel order for 6.1 given does not match the source code. At the least it should be clarified that the layout given does not apply to DTS. https://trac.ffmpeg.org/wiki/AudioChannelManipulation Signed-off-by: Michael Niedermayer (cherry picked from commit 73d1398f0c4ce2de16790f46e05a79242137d153) Signed-off-by: Michael Niedermayer --- libavutil/channel_layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 601c7e677c..26c87c96a8 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -94,7 +94,7 @@ static const struct { { "6.0(front)", 6, AV_CH_LAYOUT_6POINT0_FRONT }, { "hexagonal", 6, AV_CH_LAYOUT_HEXAGONAL }, { "6.1", 7, AV_CH_LAYOUT_6POINT1 }, - { "6.1", 7, AV_CH_LAYOUT_6POINT1_BACK }, + { "6.1(back)", 7, AV_CH_LAYOUT_6POINT1_BACK }, { "6.1(front)", 7, AV_CH_LAYOUT_6POINT1_FRONT }, { "7.0", 7, AV_CH_LAYOUT_7POINT0 }, { "7.0(front)", 7, AV_CH_LAYOUT_7POINT0_FRONT }, From c8977ec6e9b07ffaddcff9b1b93fe2178b3a6078 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 15:18:53 +0100 Subject: [PATCH 032/942] avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool This should theoretically improve the randomness slightly Signed-off-by: Michael Niedermayer (cherry picked from commit 2540d884f3fd7cfac503e048112098967be2569a) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 205a636f92..0821550bc8 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c 
@@ -97,8 +97,13 @@ static uint32_t get_generic_seed(void) last_t = t; } - if(TEST) + if(TEST) { buffer[0] = buffer[1] = 0; + } else { +#ifdef AV_READ_TIME + buffer[111] += AV_READ_TIME(); +#endif + } av_sha_init(sha, 160); av_sha_update(sha, (const uint8_t *)buffer, sizeof(buffer)); From e1589367128af24c0556603c7feb44a7653e3cfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Mar 2016 00:29:59 +0100 Subject: [PATCH 033/942] avformat/hlsenc: Fix passing options, regression since bc9a5965c815cf7fd998d8ce14a18b8e861dd9ce Signed-off-by: Michael Niedermayer (cherry picked from commit b2ab3398f59ed18a565063584f961ff84484d699) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 7ab7cbb9ab..85a0907e67 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -396,7 +396,7 @@ static int hls_window(AVFormatContext *s, int last) set_http_options(&options, hls); snprintf(temp_filename, sizeof(temp_filename), use_rename ? "%s.tmp" : "%s", s->filename); - if ((ret = s->io_open(s, &out, temp_filename, AVIO_FLAG_WRITE, NULL)) < 0) + if ((ret = s->io_open(s, &out, temp_filename, AVIO_FLAG_WRITE, &options)) < 0) goto fail; for (en = hls->segments; en; en = en->next) { From b0e836466f2abcafb766aa244f887702bba04e09 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:18 -0500 Subject: [PATCH 034/942] indeo2data: K&R formatting cosmetics Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit d4066a702407352a0648af882c34ea81a404fa2b) (cherry picked from commit 522ab0b9a92962edda7156a91a494a1e2b8a7f64) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2data.h | 208 ++++++++++++++++++++-------------------- 1 file changed, 104 insertions(+), 104 deletions(-) diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 0d6d82f22c..8fd664c6ab 100644 --- a/libavcodec/indeo2data.h 
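Review bot: `buffer[111] += AV_READ_TIME();` uses an unexplained slot index and silently truncates the cycle counter to the element type of `buffer` (its declaration is outside the hunk); a comment such as `/* fold the loop's cycle count into a slot the timing loop does not overwrite; keeping only the low bits is intentional */` — assuming slot 111 is indeed untouched by the loop above, which should be confirmed — would make both choices reviewable. The counter is only an extra term on top of the timing samples, so it should be documented as a small mixing improvement rather than a new entropy source; the commit message already says "slightly", and the comment should say the same so nobody treats it as sufficient on its own. Keeping the `TEST` branch on the zeroing path preserves deterministic output for the self-test, which is correct.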
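Review bot: Passing `&options` to `s->io_open` means the opener consumes and may rewrite the dictionary, so the `goto fail` on the same line must reach an `av_dict_free(&options)` for the error path to stay leak-free; that cleanup, if present, is outside the hunk and worth confirming. A short comment on the call, `/* options are consumed by the opener; freed on every path below */`, would record the ownership the regression fix restores.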
+++ b/libavcodec/indeo2data.h 
@@ -27,115 +27,115 @@ #define IR2_CODES 143 static const uint16_t ir2_codes[IR2_CODES][2] = { #ifdef BITSTREAM_READER_LE -{0x0000, 3}, {0x0004, 3}, {0x0006, 3}, {0x0001, 5}, -{0x0009, 5}, {0x0019, 5}, {0x000D, 5}, {0x001D, 5}, -{0x0023, 6}, {0x0013, 6}, {0x0033, 6}, {0x000B, 6}, -{0x002B, 6}, {0x001B, 6}, {0x0007, 8}, {0x0087, 8}, -{0x0027, 8}, {0x00A7, 8}, {0x0067, 8}, {0x00E7, 8}, -{0x0097, 8}, {0x0057, 8}, {0x0037, 8}, {0x00B7, 8}, -{0x00F7, 8}, {0x000F, 9}, {0x008F, 9}, {0x018F, 9}, -{0x014F, 9}, {0x00CF, 9}, {0x002F, 9}, {0x012F, 9}, -{0x01AF, 9}, {0x006F, 9}, {0x00EF, 9}, {0x01EF, 9}, -{0x001F, 10}, {0x021F, 10}, {0x011F, 10}, {0x031F, 10}, -{0x009F, 10}, {0x029F, 10}, {0x019F, 10}, {0x039F, 10}, -{0x005F, 10}, {0x025F, 10}, {0x015F, 10}, {0x035F, 10}, -{0x00DF, 10}, {0x02DF, 10}, {0x01DF, 10}, {0x03DF, 10}, -{0x003F, 13}, {0x103F, 13}, {0x083F, 13}, {0x183F, 13}, -{0x043F, 13}, {0x143F, 13}, {0x0C3F, 13}, {0x1C3F, 13}, -{0x023F, 13}, {0x123F, 13}, {0x0A3F, 13}, {0x1A3F, 13}, -{0x063F, 13}, {0x163F, 13}, {0x0E3F, 13}, {0x1E3F, 13}, -{0x013F, 13}, {0x113F, 13}, {0x093F, 13}, {0x193F, 13}, -{0x053F, 13}, {0x153F, 13}, {0x0D3F, 13}, {0x1D3F, 13}, -{0x033F, 13}, {0x133F, 13}, {0x0B3F, 13}, {0x1B3F, 13}, -{0x073F, 13}, {0x173F, 13}, {0x0F3F, 13}, {0x1F3F, 13}, -{0x00BF, 13}, {0x10BF, 13}, {0x08BF, 13}, {0x18BF, 13}, -{0x04BF, 13}, {0x14BF, 13}, {0x0CBF, 13}, {0x1CBF, 13}, -{0x02BF, 13}, {0x12BF, 13}, {0x0ABF, 13}, {0x1ABF, 13}, -{0x06BF, 13}, {0x16BF, 13}, {0x0EBF, 13}, {0x1EBF, 13}, -{0x01BF, 13}, {0x11BF, 13}, {0x09BF, 13}, {0x19BF, 13}, -{0x05BF, 13}, {0x15BF, 13}, {0x0DBF, 13}, {0x1DBF, 13}, -{0x03BF, 13}, {0x13BF, 13}, {0x0BBF, 13}, {0x1BBF, 13}, -{0x07BF, 13}, {0x17BF, 13}, {0x0FBF, 13}, {0x1FBF, 13}, -{0x007F, 14}, {0x207F, 14}, {0x107F, 14}, {0x307F, 14}, -{0x087F, 14}, {0x287F, 14}, {0x187F, 14}, {0x387F, 14}, -{0x047F, 14}, {0x247F, 14}, {0x147F, 14}, {0x0002, 3}, -{0x0011, 5}, {0x0005, 5}, {0x0015, 5}, {0x0003, 6}, -{0x003B, 6}, {0x0047, 8}, {0x00C7, 
8}, {0x0017, 8}, -{0x00D7, 8}, {0x0077, 8}, {0x010F, 9}, {0x004F, 9}, -{0x01CF, 9}, {0x00AF, 9}, {0x016F, 9}, + { 0x0000, 3 }, { 0x0004, 3 }, { 0x0006, 3 }, { 0x0001, 5 }, + { 0x0009, 5 }, { 0x0019, 5 }, { 0x000D, 5 }, { 0x001D, 5 }, + { 0x0023, 6 }, { 0x0013, 6 }, { 0x0033, 6 }, { 0x000B, 6 }, + { 0x002B, 6 }, { 0x001B, 6 }, { 0x0007, 8 }, { 0x0087, 8 }, + { 0x0027, 8 }, { 0x00A7, 8 }, { 0x0067, 8 }, { 0x00E7, 8 }, + { 0x0097, 8 }, { 0x0057, 8 }, { 0x0037, 8 }, { 0x00B7, 8 }, + { 0x00F7, 8 }, { 0x000F, 9 }, { 0x008F, 9 }, { 0x018F, 9 }, + { 0x014F, 9 }, { 0x00CF, 9 }, { 0x002F, 9 }, { 0x012F, 9 }, + { 0x01AF, 9 }, { 0x006F, 9 }, { 0x00EF, 9 }, { 0x01EF, 9 }, + { 0x001F, 10 }, { 0x021F, 10 }, { 0x011F, 10 }, { 0x031F, 10 }, + { 0x009F, 10 }, { 0x029F, 10 }, { 0x019F, 10 }, { 0x039F, 10 }, + { 0x005F, 10 }, { 0x025F, 10 }, { 0x015F, 10 }, { 0x035F, 10 }, + { 0x00DF, 10 }, { 0x02DF, 10 }, { 0x01DF, 10 }, { 0x03DF, 10 }, + { 0x003F, 13 }, { 0x103F, 13 }, { 0x083F, 13 }, { 0x183F, 13 }, + { 0x043F, 13 }, { 0x143F, 13 }, { 0x0C3F, 13 }, { 0x1C3F, 13 }, + { 0x023F, 13 }, { 0x123F, 13 }, { 0x0A3F, 13 }, { 0x1A3F, 13 }, + { 0x063F, 13 }, { 0x163F, 13 }, { 0x0E3F, 13 }, { 0x1E3F, 13 }, + { 0x013F, 13 }, { 0x113F, 13 }, { 0x093F, 13 }, { 0x193F, 13 }, + { 0x053F, 13 }, { 0x153F, 13 }, { 0x0D3F, 13 }, { 0x1D3F, 13 }, + { 0x033F, 13 }, { 0x133F, 13 }, { 0x0B3F, 13 }, { 0x1B3F, 13 }, + { 0x073F, 13 }, { 0x173F, 13 }, { 0x0F3F, 13 }, { 0x1F3F, 13 }, + { 0x00BF, 13 }, { 0x10BF, 13 }, { 0x08BF, 13 }, { 0x18BF, 13 }, + { 0x04BF, 13 }, { 0x14BF, 13 }, { 0x0CBF, 13 }, { 0x1CBF, 13 }, + { 0x02BF, 13 }, { 0x12BF, 13 }, { 0x0ABF, 13 }, { 0x1ABF, 13 }, + { 0x06BF, 13 }, { 0x16BF, 13 }, { 0x0EBF, 13 }, { 0x1EBF, 13 }, + { 0x01BF, 13 }, { 0x11BF, 13 }, { 0x09BF, 13 }, { 0x19BF, 13 }, + { 0x05BF, 13 }, { 0x15BF, 13 }, { 0x0DBF, 13 }, { 0x1DBF, 13 }, + { 0x03BF, 13 }, { 0x13BF, 13 }, { 0x0BBF, 13 }, { 0x1BBF, 13 }, + { 0x07BF, 13 }, { 0x17BF, 13 }, { 0x0FBF, 13 }, { 0x1FBF, 13 }, + { 0x007F, 
14 }, { 0x207F, 14 }, { 0x107F, 14 }, { 0x307F, 14 }, + { 0x087F, 14 }, { 0x287F, 14 }, { 0x187F, 14 }, { 0x387F, 14 }, + { 0x047F, 14 }, { 0x247F, 14 }, { 0x147F, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0005, 5 }, { 0x0015, 5 }, { 0x0003, 6 }, + { 0x003B, 6 }, { 0x0047, 8 }, { 0x00C7, 8 }, { 0x0017, 8 }, + { 0x00D7, 8 }, { 0x0077, 8 }, { 0x010F, 9 }, { 0x004F, 9 }, + { 0x01CF, 9 }, { 0x00AF, 9 }, { 0x016F, 9 }, #else - {0x0000, 3}, {0x0001, 3}, {0x0003, 3}, {0x0010, 5}, - {0x0012, 5}, {0x0013, 5}, {0x0016, 5}, {0x0017, 5}, - {0x0031, 6}, {0x0032, 6}, {0x0033, 6}, {0x0034, 6}, - {0x0035, 6}, {0x0036, 6}, {0x00E0, 8}, {0x00E1, 8}, - {0x00E4, 8}, {0x00E5, 8}, {0x00E6, 8}, {0x00E7, 8}, - {0x00E9, 8}, {0x00EA, 8}, {0x00EC, 8}, {0x00ED, 8}, - {0x00EF, 8}, {0x01E0, 9}, {0x01E2, 9}, {0x01E3, 9}, - {0x01E5, 9}, {0x01E6, 9}, {0x01E8, 9}, {0x01E9, 9}, - {0x01EB, 9}, {0x01EC, 9}, {0x01EE, 9}, {0x01EF, 9}, - {0x03E0, 10}, {0x03E1, 10}, {0x03E2, 10}, {0x03E3, 10}, - {0x03E4, 10}, {0x03E5, 10}, {0x03E6, 10}, {0x03E7, 10}, - {0x03E8, 10}, {0x03E9, 10}, {0x03EA, 10}, {0x03EB, 10}, - {0x03EC, 10}, {0x03ED, 10}, {0x03EE, 10}, {0x03EF, 10}, - {0x1F80, 13}, {0x1F81, 13}, {0x1F82, 13}, {0x1F83, 13}, - {0x1F84, 13}, {0x1F85, 13}, {0x1F86, 13}, {0x1F87, 13}, - {0x1F88, 13}, {0x1F89, 13}, {0x1F8A, 13}, {0x1F8B, 13}, - {0x1F8C, 13}, {0x1F8D, 13}, {0x1F8E, 13}, {0x1F8F, 13}, - {0x1F90, 13}, {0x1F91, 13}, {0x1F92, 13}, {0x1F93, 13}, - {0x1F94, 13}, {0x1F95, 13}, {0x1F96, 13}, {0x1F97, 13}, - {0x1F98, 13}, {0x1F99, 13}, {0x1F9A, 13}, {0x1F9B, 13}, - {0x1F9C, 13}, {0x1F9D, 13}, {0x1F9E, 13}, {0x1F9F, 13}, - {0x1FA0, 13}, {0x1FA1, 13}, {0x1FA2, 13}, {0x1FA3, 13}, - {0x1FA4, 13}, {0x1FA5, 13}, {0x1FA6, 13}, {0x1FA7, 13}, - {0x1FA8, 13}, {0x1FA9, 13}, {0x1FAA, 13}, {0x1FAB, 13}, - {0x1FAC, 13}, {0x1FAD, 13}, {0x1FAE, 13}, {0x1FAF, 13}, - {0x1FB0, 13}, {0x1FB1, 13}, {0x1FB2, 13}, {0x1FB3, 13}, - {0x1FB4, 13}, {0x1FB5, 13}, {0x1FB6, 13}, {0x1FB7, 13}, - {0x1FB8, 13}, {0x1FB9, 13}, {0x1FBA, 13}, 
{0x1FBB, 13}, - {0x1FBC, 13}, {0x1FBD, 13}, {0x1FBE, 13}, {0x1FBF, 13}, - {0x3F80, 14}, {0x3F81, 14}, {0x3F82, 14}, {0x3F83, 14}, - {0x3F84, 14}, {0x3F85, 14}, {0x3F86, 14}, {0x3F87, 14}, - {0x3F88, 14}, {0x3F89, 14}, {0x3F8A, 14}, {0x0002, 3}, - {0x0011, 5}, {0x0014, 5}, {0x0015, 5}, {0x0030, 6}, - {0x0037, 6}, {0x00E2, 8}, {0x00E3, 8}, {0x00E8, 8}, - {0x00EB, 8}, {0x00EE, 8}, {0x01E1, 9}, {0x01E4, 9}, - {0x01E7, 9}, {0x01EA, 9}, {0x01ED, 9} + { 0x0000, 3 }, { 0x0001, 3 }, { 0x0003, 3 }, { 0x0010, 5 }, + { 0x0012, 5 }, { 0x0013, 5 }, { 0x0016, 5 }, { 0x0017, 5 }, + { 0x0031, 6 }, { 0x0032, 6 }, { 0x0033, 6 }, { 0x0034, 6 }, + { 0x0035, 6 }, { 0x0036, 6 }, { 0x00E0, 8 }, { 0x00E1, 8 }, + { 0x00E4, 8 }, { 0x00E5, 8 }, { 0x00E6, 8 }, { 0x00E7, 8 }, + { 0x00E9, 8 }, { 0x00EA, 8 }, { 0x00EC, 8 }, { 0x00ED, 8 }, + { 0x00EF, 8 }, { 0x01E0, 9 }, { 0x01E2, 9 }, { 0x01E3, 9 }, + { 0x01E5, 9 }, { 0x01E6, 9 }, { 0x01E8, 9 }, { 0x01E9, 9 }, + { 0x01EB, 9 }, { 0x01EC, 9 }, { 0x01EE, 9 }, { 0x01EF, 9 }, + { 0x03E0, 10 }, { 0x03E1, 10 }, { 0x03E2, 10 }, { 0x03E3, 10 }, + { 0x03E4, 10 }, { 0x03E5, 10 }, { 0x03E6, 10 }, { 0x03E7, 10 }, + { 0x03E8, 10 }, { 0x03E9, 10 }, { 0x03EA, 10 }, { 0x03EB, 10 }, + { 0x03EC, 10 }, { 0x03ED, 10 }, { 0x03EE, 10 }, { 0x03EF, 10 }, + { 0x1F80, 13 }, { 0x1F81, 13 }, { 0x1F82, 13 }, { 0x1F83, 13 }, + { 0x1F84, 13 }, { 0x1F85, 13 }, { 0x1F86, 13 }, { 0x1F87, 13 }, + { 0x1F88, 13 }, { 0x1F89, 13 }, { 0x1F8A, 13 }, { 0x1F8B, 13 }, + { 0x1F8C, 13 }, { 0x1F8D, 13 }, { 0x1F8E, 13 }, { 0x1F8F, 13 }, + { 0x1F90, 13 }, { 0x1F91, 13 }, { 0x1F92, 13 }, { 0x1F93, 13 }, + { 0x1F94, 13 }, { 0x1F95, 13 }, { 0x1F96, 13 }, { 0x1F97, 13 }, + { 0x1F98, 13 }, { 0x1F99, 13 }, { 0x1F9A, 13 }, { 0x1F9B, 13 }, + { 0x1F9C, 13 }, { 0x1F9D, 13 }, { 0x1F9E, 13 }, { 0x1F9F, 13 }, + { 0x1FA0, 13 }, { 0x1FA1, 13 }, { 0x1FA2, 13 }, { 0x1FA3, 13 }, + { 0x1FA4, 13 }, { 0x1FA5, 13 }, { 0x1FA6, 13 }, { 0x1FA7, 13 }, + { 0x1FA8, 13 }, { 0x1FA9, 13 }, { 0x1FAA, 13 }, { 0x1FAB, 13 }, + { 
0x1FAC, 13 }, { 0x1FAD, 13 }, { 0x1FAE, 13 }, { 0x1FAF, 13 }, + { 0x1FB0, 13 }, { 0x1FB1, 13 }, { 0x1FB2, 13 }, { 0x1FB3, 13 }, + { 0x1FB4, 13 }, { 0x1FB5, 13 }, { 0x1FB6, 13 }, { 0x1FB7, 13 }, + { 0x1FB8, 13 }, { 0x1FB9, 13 }, { 0x1FBA, 13 }, { 0x1FBB, 13 }, + { 0x1FBC, 13 }, { 0x1FBD, 13 }, { 0x1FBE, 13 }, { 0x1FBF, 13 }, + { 0x3F80, 14 }, { 0x3F81, 14 }, { 0x3F82, 14 }, { 0x3F83, 14 }, + { 0x3F84, 14 }, { 0x3F85, 14 }, { 0x3F86, 14 }, { 0x3F87, 14 }, + { 0x3F88, 14 }, { 0x3F89, 14 }, { 0x3F8A, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0014, 5 }, { 0x0015, 5 }, { 0x0030, 6 }, + { 0x0037, 6 }, { 0x00E2, 8 }, { 0x00E3, 8 }, { 0x00E8, 8 }, + { 0x00EB, 8 }, { 0x00EE, 8 }, { 0x01E1, 9 }, { 0x01E4, 9 }, + { 0x01E7, 9 }, { 0x01EA, 9 }, { 0x01ED, 9 }, #endif }; static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 
0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80 + 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 
0x80, 0x80, }; #endif /* AVCODEC_INDEO2DATA_H */ From 53fffc9fc4f212ec0f1c560622ab007d3a65ddfe Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:19 -0500 Subject: [PATCH 035/942] indeo2: Fix banding artefacts Rename luma table to delta table and change how it is used. CC: libav-stable@libav.org Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit f8c34f4b8d62afad3f63cf3d9617d73735bef8c1) (cherry picked from commit 73f3c8f73edf0a69502233b2c50fa9e7104f99ec) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 15 ++-- libavcodec/indeo2data.h | 162 ++++++++++++++++++++++++++++++++-------- 2 files changed, 138 insertions(+), 39 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 3424e00b38..17f236761d 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -146,6 +146,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p = s->picture; int start, ret; + int ltab, ctab; if ((ret = ff_reget_buffer(avctx, p)) < 0) return ret; 
@@ -168,34 +169,36 @@ static int ir2_decode_frame(AVCodecContext *avctx, if ((ret = init_get_bits8(&s->gb, buf + start, buf_size - start)) < 0) return ret; + ltab = buf[0x22] & 3; + ctab = buf[0x22] >> 2; if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } else { /* interframe */ if ((ret = ir2_decode_plane_inter(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 8fd664c6ab..e05c91ff58 100644 --- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h 
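Review bot: `ctab = buf[0x22] >> 2;` can take any value 0..63 if `buf` is the packet's byte data, yet it is used directly as the row index of `ir2_delta_table`, which the indeo2data.h hunk declares as `[4][256]`, so any packet with bits 4–7 of byte 0x22 set makes all six `ir2_delta_table[ctab]` lookups read well past the end of the table. Unlike `ltab`, which is masked with `& 3`, nothing bounds `ctab`; add `if (ctab > 3) { av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); return AVERROR_INVALIDDATA; }` right after the assignment (masking instead would silently decode with the wrong table). Whether `buf_size > 0x22` is guaranteed before `buf[0x22]` is read depends on the start-offset check earlier in ir2_decode_frame, which is outside this hunk and worth re-checking. ir2_decode_frame continues past the end of the hunk.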
@@ -103,39 +103,135 @@ static const uint16_t ir2_codes[IR2_CODES][2] = { #endif }; -static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, +static const uint8_t ir2_delta_table[4][256] = { + { 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 
0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, }, + { 0x80, 0x80, 0x85, 0x85, 0x7B, 0x7B, 0x7E, 0x87, + 0x82, 0x79, 0x87, 0x7E, 0x79, 0x82, 0x8F, 0x8F, + 0x71, 0x71, 0x84, 0x8F, 0x7C, 0x71, 0x8F, 0x84, + 0x71, 0x7C, 0x75, 0x8B, 0x8B, 0x75, 0x8B, 0x75, + 0x75, 0x8B, 0x8E, 0x9A, 0x72, 0x66, 0x9A, 0x8E, + 0x66, 0x72, 0x7B, 0x93, 0x85, 0x6D, 0x93, 0x7B, + 0x6D, 0x85, 0x9B, 0x9B, 0x65, 0x65, 0x82, 0x9D, + 0x7E, 0x63, 0x9D, 0x82, 0x63, 0x7E, 0x9B, 0xA8, + 0x65, 0x58, 0xA8, 0x9B, 0x58, 0x65, 0xA9, 0xA9, + 0x57, 0x57, 0x8D, 0xAA, 0x73, 0x56, 0xAA, 0x8D, + 0x56, 0x73, 0x6E, 0x99, 0x92, 0x67, 0x99, 0x6E, + 0x67, 0x92, 0x76, 0xA2, 0x8A, 0x5E, 0xA2, 0x76, + 0x5E, 
0x8A, 0x7F, 0xAF, 0x81, 0x51, 0xAF, 0x7F, + 0x51, 0x81, 0xAB, 0xBA, 0x55, 0x46, 0xBA, 0xAB, + 0x46, 0x55, 0x9A, 0xBB, 0x66, 0x45, 0xBB, 0x9A, + 0x45, 0x66, 0xBB, 0xBB, 0x45, 0x45, 0x60, 0xA0, + 0xA0, 0x60, 0xA0, 0x60, 0x60, 0xA0, 0x8B, 0xBE, + 0x75, 0x42, 0xBE, 0x8B, 0x42, 0x75, 0x66, 0xAA, + 0x9A, 0x56, 0xAA, 0x66, 0x56, 0x9A, 0x70, 0xB5, + 0x90, 0x4B, 0xB5, 0x70, 0x4B, 0x90, 0xBE, 0xCF, + 0x42, 0x31, 0xCF, 0xBE, 0x31, 0x42, 0xAB, 0xD0, + 0x55, 0x30, 0xD0, 0xAB, 0x30, 0x55, 0xD1, 0xD1, + 0x2F, 0x2F, 0x9A, 0xD3, 0x66, 0x2D, 0xD3, 0x9A, + 0x2D, 0x66, 0x7B, 0xC5, 0x85, 0x3B, 0xC5, 0x7B, + 0x3B, 0x85, 0x54, 0xB4, 0xAC, 0x4C, 0xB4, 0x54, + 0x4C, 0xAC, 0x5E, 0xBE, 0xA2, 0x42, 0xBE, 0x5E, + 0x42, 0xA2, 0x87, 0xD8, 0x79, 0x28, 0xD8, 0x87, + 0x28, 0x79, 0xC0, 0xE8, 0x40, 0x18, 0xE8, 0xC0, + 0x18, 0x40, 0xD5, 0xE8, 0x2B, 0x18, 0xE8, 0xD5, + 0x18, 0x2B, 0xAB, 0xE9, 0x55, 0x17, 0xE9, 0xAB, + 0x17, 0x55, 0x68, 0xCD, 0x98, 0x33, 0xCD, 0x68, + 0x33, 0x98, 0xEA, 0xEA, 0x16, 0x16, 0x80, 0x80, }, + { 0x80, 0x80, 0x86, 0x86, 0x7A, 0x7A, 0x7E, 0x88, + 0x82, 0x78, 0x88, 0x7E, 0x78, 0x82, 0x92, 0x92, + 0x6E, 0x6E, 0x85, 0x92, 0x7B, 0x6E, 0x92, 0x85, + 0x6E, 0x7B, 0x73, 0x8D, 0x8D, 0x73, 0x8D, 0x73, + 0x73, 0x8D, 0x91, 0x9E, 0x6F, 0x62, 0x9E, 0x91, + 0x62, 0x6F, 0x79, 0x97, 0x87, 0x69, 0x97, 0x79, + 0x69, 0x87, 0xA0, 0xA0, 0x60, 0x60, 0x83, 0xA2, + 0x7D, 0x5E, 0xA2, 0x83, 0x5E, 0x7D, 0xA0, 0xB0, + 0x60, 0x50, 0xB0, 0xA0, 0x50, 0x60, 0xB1, 0xB1, + 0x4F, 0x4F, 0x8F, 0xB2, 0x71, 0x4E, 0xB2, 0x8F, + 0x4E, 0x71, 0x6B, 0x9E, 0x95, 0x62, 0x9E, 0x6B, + 0x62, 0x95, 0x74, 0xA9, 0x8C, 0x57, 0xA9, 0x74, + 0x57, 0x8C, 0x7F, 0xB8, 0x81, 0x48, 0xB8, 0x7F, + 0x48, 0x81, 0xB4, 0xC5, 0x4C, 0x3B, 0xC5, 0xB4, + 0x3B, 0x4C, 0x9F, 0xC6, 0x61, 0x3A, 0xC6, 0x9F, + 0x3A, 0x61, 0xC6, 0xC6, 0x3A, 0x3A, 0x59, 0xA7, + 0xA7, 0x59, 0xA7, 0x59, 0x59, 0xA7, 0x8D, 0xCA, + 0x73, 0x36, 0xCA, 0x8D, 0x36, 0x73, 0x61, 0xB2, + 0x9F, 0x4E, 0xB2, 0x61, 0x4E, 0x9F, 0x6D, 0xBF, + 0x93, 0x41, 0xBF, 0x6D, 0x41, 0x93, 0xCA, 0xDF, + 
0x36, 0x21, 0xDF, 0xCA, 0x21, 0x36, 0xB3, 0xDF, + 0x4D, 0x21, 0xDF, 0xB3, 0x21, 0x4D, 0xE1, 0xE1, + 0x1F, 0x1F, 0x9F, 0xE3, 0x61, 0x1D, 0xE3, 0x9F, + 0x1D, 0x61, 0x7A, 0xD3, 0x86, 0x2D, 0xD3, 0x7A, + 0x2D, 0x86, 0x4C, 0xBE, 0xB4, 0x42, 0xBE, 0x4C, + 0x42, 0xB4, 0x57, 0xCA, 0xA9, 0x36, 0xCA, 0x57, + 0x36, 0xA9, 0x88, 0xE9, 0x78, 0x17, 0xE9, 0x88, + 0x17, 0x78, 0xCC, 0xFB, 0x34, 0x05, 0xFB, 0xCC, + 0x05, 0x34, 0xE6, 0xFB, 0x1A, 0x05, 0xFB, 0xE6, + 0x05, 0x1A, 0xB4, 0xFD, 0x4C, 0x03, 0xFD, 0xB4, + 0x03, 0x4C, 0x63, 0xDC, 0x9D, 0x24, 0xDC, 0x63, + 0x24, 0x9D, 0xFE, 0xFE, 0x02, 0x02, 0x80, 0x80, }, + { 0x80, 0x80, 0x87, 0x87, 0x79, 0x79, 0x7E, 0x89, + 0x82, 0x77, 0x89, 0x7E, 0x77, 0x82, 0x95, 0x95, + 0x6B, 0x6B, 0x86, 0x96, 0x7A, 0x6A, 0x96, 0x86, + 0x6A, 0x7A, 0x70, 0x90, 0x90, 0x70, 0x90, 0x70, + 0x70, 0x90, 0x94, 0xA4, 0x6C, 0x5C, 0xA4, 0x94, + 0x5C, 0x6C, 0x78, 0x9B, 0x88, 0x65, 0x9B, 0x78, + 0x65, 0x88, 0xA6, 0xA6, 0x5A, 0x5A, 0x83, 0xA9, + 0x7D, 0x57, 0xA9, 0x83, 0x57, 0x7D, 0xA6, 0xB9, + 0x5A, 0x47, 0xB9, 0xA6, 0x47, 0x5A, 0xBA, 0xBA, + 0x46, 0x46, 0x92, 0xBC, 0x6E, 0x44, 0xBC, 0x92, + 0x44, 0x6E, 0x67, 0xA3, 0x99, 0x5D, 0xA3, 0x67, + 0x5D, 0x99, 0x72, 0xB0, 0x8E, 0x50, 0xB0, 0x72, + 0x50, 0x8E, 0x7F, 0xC3, 0x81, 0x3D, 0xC3, 0x7F, + 0x3D, 0x81, 0xBE, 0xD2, 0x42, 0x2E, 0xD2, 0xBE, + 0x2E, 0x42, 0xA5, 0xD4, 0x5B, 0x2C, 0xD4, 0xA5, + 0x2C, 0x5B, 0xD4, 0xD4, 0x2C, 0x2C, 0x52, 0xAE, + 0xAE, 0x52, 0xAE, 0x52, 0x52, 0xAE, 0x8F, 0xD8, + 0x71, 0x28, 0xD8, 0x8F, 0x28, 0x71, 0x5B, 0xBB, + 0xA5, 0x45, 0xBB, 0x5B, 0x45, 0xA5, 0x69, 0xCB, + 0x97, 0x35, 0xCB, 0x69, 0x35, 0x97, 0xD8, 0xF0, + 0x28, 0x10, 0xF0, 0xD8, 0x10, 0x28, 0xBD, 0xF1, + 0x43, 0x0F, 0xF1, 0xBD, 0x0F, 0x43, 0xF3, 0xF3, + 0x0D, 0x0D, 0xA5, 0xF6, 0x5B, 0x0A, 0xF6, 0xA5, + 0x0A, 0x5B, 0x78, 0xE2, 0x88, 0x1E, 0xE2, 0x78, + 0x1E, 0x88, 0x42, 0xC9, 0xBE, 0x37, 0xC9, 0x42, + 0x37, 0xBE, 0x4F, 0xD8, 0xB1, 0x28, 0xD8, 0x4F, + 0x28, 0xB1, 0x8A, 0xFD, 0x76, 0x03, 0xFD, 0x8A, + 0x03, 0x76, 0xDB, 0xFF, 0x25, 0x01, 0xFF, 
0xDB, + 0x01, 0x25, 0xF9, 0xFF, 0x07, 0x01, 0xFF, 0xF9, + 0x01, 0x07, 0xBE, 0xFF, 0x42, 0x01, 0xFF, 0xBE, + 0x01, 0x42, 0x5E, 0xED, 0xA2, 0x13, 0xED, 0x5E, + 0x13, 0xA2, 0xFF, 0xFF, 0x01, 0x01, 0x80, 0x80, }, }; #endif /* AVCODEC_INDEO2DATA_H */ From bf80b1d88d3909611782b2c7ffa3b131a1e4cb01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Mar 2016 19:40:32 +0100 Subject: [PATCH 036/942] avcodec/resample: Remove disabled and faulty code Fixes Ticket5345 Signed-off-by: Michael Niedermayer (cherry picked from commit 50ef7361cb5f78c94da2323f3bae86c6bbd618c8) Signed-off-by: Michael Niedermayer --- libavcodec/resample.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index 0f5ee84942..4c5eb9f10e 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -291,12 +291,6 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl short *output_bak = NULL; int lenout; - if (s->input_channels == s->output_channels && s->ratio == 1.0 && 0) { - /* nothing to do */ - memcpy(output, input, nb_samples * s->input_channels * sizeof(short)); - return nb_samples; - } - if (s->sample_fmt[0] != AV_SAMPLE_FMT_S16) { int istride[1] = { s->sample_size[0] }; int ostride[1] = { 2 }; From d6adcab84280f1cb35ad25e22c6acd5b01c50c08 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Thu, 17 Mar 2016 13:41:02 +0000 Subject: [PATCH 037/942] lavc/hevc: Allow arbitrary garbage in bytestream as long as at least one NAL unit is found. Signed-off-by: Michael Niedermayer (cherry picked from commit fbec157ea08f61063847bbe0dba28525e6283ff5) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_parse.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_parse.c b/libavcodec/hevc_parse.c index 63ed84a8de..d557cc7f04 100644 --- a/libavcodec/hevc_parse.c +++ b/libavcodec/hevc_parse.c 
@@ -232,8 +232,14 @@ int ff_hevc_split_packet(HEVCContext *s, HEVCPacket *pkt, const uint8_t *buf, in ++buf; --length; if (length < 4) { - av_log(avctx, AV_LOG_ERROR, "No start code is found.\n"); - return AVERROR_INVALIDDATA; + if (pkt->nb_nals > 0) { + // No more start codes: we discarded some irrelevant + // bytes at the end of the packet. + return 0; + } else { + av_log(avctx, AV_LOG_ERROR, "No start code is found.\n"); + return AVERROR_INVALIDDATA; + } } } From 50a639a62aa3fdef8a8a701e500acaf61a25c6ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2016 15:41:30 +0100 Subject: [PATCH 038/942] avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored Fixes Ticket5244 Signed-off-by: Michael Niedermayer (cherry picked from commit 068026b0f7845e0f1850094d974f60d181480d64) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc_common.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 099d817d5f..7a6fe7468f 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -122,6 +122,16 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) uint8_t *ptr; if (avctx->sample_aspect_ratio.num > 0 && avctx->sample_aspect_ratio.den > 0) { + AVRational sar = avctx->sample_aspect_ratio; + + if (sar.num > 65535 || sar.den > 65535) { + if (!av_reduce(&sar.num, &sar.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 65535)) + av_log(avctx, AV_LOG_WARNING, + "Cannot store exact aspect ratio %d:%d\n", + avctx->sample_aspect_ratio.num, + avctx->sample_aspect_ratio.den); + } + /* JFIF header */ put_marker(p, APP0); put_bits(p, 16, 16); 
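Review bot: The new early `return 0` in ff_hevc_split_packet discards the remaining `length` trailing bytes without any trace, so a stream that is systematically padded or truncated mid-NAL becomes indistinguishable from a clean one; a debug-level message would keep that visible, e.g. `av_log(avctx, AV_LOG_DEBUG, "Discarding %d trailing bytes without a start code\n", length);` before the return (assuming `length` is an int, as the truncated signature suggests). The `else` after an unconditional `return` is also unnecessary; the error branch can stay at the outer level, matching the original shape. The enclosing loop and function extend beyond the hunk.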
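Review bot: `av_reduce(..., 65535)` keeps both terms within 16 bits, so the later `put_bits(p, 16, sar.num)` / `put_bits(p, 16, sar.den)` cannot overflow, but for an extreme ratio it can return a zero term (as far as I recall a ratio below roughly 1/131070 is approximated as 0:1), and nothing in the hunk guards against writing a zero density into the JFIF APP0 segment. A cheap fallback after the reduce, `if (sar.num <= 0 || sar.den <= 0) sar = (AVRational){ 1, 1 };`, keeps the header usable (1:1 is the conventional default aspect in JFIF). Whether T.871 formally forbids a zero Xdensity/Ydensity I'd want confirmed, but readers that divide by these values will misbehave either way, and the "Cannot store exact aspect ratio" warning understates that case.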
@@ -131,8 +141,8 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) * released revision. */ put_bits(p, 16, 0x0102); put_bits(p, 8, 0); /* units type: 0 - aspect ratio */ - put_bits(p, 16, avctx->sample_aspect_ratio.num); - put_bits(p, 16, avctx->sample_aspect_ratio.den); + put_bits(p, 16, sar.num); + put_bits(p, 16, sar.den); put_bits(p, 8, 0); /* thumbnail width */ put_bits(p, 8, 0); /* thumbnail height */ } From 0fae52d7e37a11dada1d26e1f4827c3ccc601311 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2016 18:37:53 +0100 Subject: [PATCH 039/942] avformat/file: Add crypto to default whitelist Fixes Ticket5287 Signed-off-by: Michael Niedermayer (cherry picked from commit efa98cdc2ff17a2f3b0ceb69e22864fd5bc433db) Signed-off-by: Michael Niedermayer --- libavformat/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/file.c b/libavformat/file.c index 595ba3607e..544647f5e6 100644 --- a/libavformat/file.c +++ b/libavformat/file.c @@ -349,7 +349,7 @@ URLProtocol ff_file_protocol = { .url_open_dir = file_open_dir, .url_read_dir = file_read_dir, .url_close_dir = file_close_dir, - .default_whitelist = "file" + .default_whitelist = "file,crypto" }; #endif /* CONFIG_FILE_PROTOCOL */ @@ -388,7 +388,7 @@ URLProtocol ff_pipe_protocol = { .url_check = file_check, .priv_data_size = sizeof(FileContext), .priv_data_class = &pipe_class, - .default_whitelist = "none" + .default_whitelist = "crypto" }; #endif /* CONFIG_PIPE_PROTOCOL */ From e15a48d35afae9308dab9f9c06f801e8310e8928 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2016 02:52:03 +0100 Subject: [PATCH 040/942] avformat/mpegtsenc: Keep track of the program for each service Simplifies code Signed-off-by: Michael Niedermayer (cherry picked from commit 50d017a28171177b89c367194ec8d02f963e7e9e) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) 
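Review bot: Both hunks widen a default nested-protocol whitelist without a comment recording why, and on the pipe protocol `none` → `crypto` means data arriving on a pipe can now trigger a nested `crypto:` open where previously it could trigger none; a one-line comment at each site would help the next audit, e.g. `/* crypto: needed so encrypted segments referenced from a local or piped playlist can be opened (ticket 5287) */`, worded to match what the ticket actually covers. Whether the URL nested inside `crypto:` is itself constrained by this same whitelist is decided in crypto.c, which this patch does not touch, so that should be confirmed before treating `crypto` as a safe-by-construction addition.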
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 765672067a..360c1372d1 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -56,6 +56,7 @@ typedef struct MpegTSService { int pcr_pid; int pcr_packet_count; int pcr_packet_period; + AVProgram *program; } MpegTSService; // service_type values as defined in ETSI 300 468 @@ -275,15 +276,12 @@ static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL, 0); if (s->nb_programs) { - int j, k, found = 0; + int k, found = 0; + AVProgram *program = service->program; - for (j = 0; j < s->nb_programs; j++) - if (s->programs[j]->id == service->sid) { - for (k = 0; k < s->programs[j]->nb_stream_indexes; k++) - if (s->programs[j]->stream_index[k] == i) { - found = 1; - break; - } + for (k = 0; k < program->nb_stream_indexes; k++) + if (program->stream_index[k] == i) { + found = 1; break; } @@ -784,6 +782,7 @@ static int mpegts_init(AVFormatContext *s) service->pmt.write_packet = section_write_packet; service->pmt.opaque = s; service->pmt.cc = 15; + service->program = program; } } From 6e5648ad42b7fd5f13d90648a8fc49fbbcdb9187 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2016 02:58:52 +0100 Subject: [PATCH 041/942] avformat/mpegtsenc: Fix used service Signed-off-by: Michael Niedermayer (cherry picked from commit 26811fd9468dc484402faca3ca33cacb2e58c53e) Conflicts: libavformat/version.h --- libavformat/mpegtsenc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 360c1372d1..6bf5461b64 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -806,6 +806,7 @@ static int mpegts_init(AVFormatContext *s) /* assign pids to each stream */ for (i = 0; i < s->nb_streams; i++) { + AVProgram *program; st = s->streams[i]; ts_st = av_mallocz(sizeof(MpegTSWriteStream)); 
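Review bot: `AVProgram *program = service->program;` in mpegts_write_pmt is dereferenced unconditionally by the new loop, whereas the removed code tolerated a service whose `sid` matched no program (`found` simply stayed 0). That is only safe if every MpegTSService created while `s->nb_programs` is non-zero has `program` assigned by the mpegts_init hunk, which I cannot fully confirm from this patch; an `av_assert0(program);` or a NULL check right after the assignment would make the invariant explicit instead of leaving a NULL dereference on the muxer's write path. The enclosing loop over streams continues outside the hunk.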
@@ -823,6 +824,17 @@ static int mpegts_init(AVFormatContext *s) ret = AVERROR(ENOMEM); goto fail; } + + program = av_find_program_from_stream(s, NULL, i); + if (program) { + for (j = 0; j < ts->nb_services; j++) { + if (ts->services[j]->program == program) { + service = ts->services[j]; + break; + } + } + } + ts_st->service = service; /* MPEG pid values < 16 are reserved. Applications which set st->id in * this range are assigned a calculated pid. */ From daa6dc0a3b398f7bc36af683cb2f6d7ba186e015 Mon Sep 17 00:00:00 2001 From: Ico Doornekamp Date: Thu, 24 Mar 2016 14:31:38 +0100 Subject: [PATCH 042/942] avformat/rtpdec_jpeg: fix low contrast image on low quality setting Original mail and my own followup on ffmpeg-user earlier today: I have a device sending out a MJPEG/RTP stream on a low quality setting. Decoding and displaying the video with libavformat results in a washed out, low contrast, greyish image. Playing the same stream with VLC results in proper color representation. Screenshots for comparison: http://zevv.nl/div/libav/shot-ffplay.jpg http://zevv.nl/div/libav/shot-vlc.jpg A pcap capture of a few seconds of video and SDP file for playing the stream are available at http://zevv.nl/div/libav/mjpeg.pcap http://zevv.nl/div/libav/mjpeg.sdp I believe the problem might be in the calculation of the quantization tables in the function create_default_qtables(), the attached patch solves the issue for me. The problem is that the argument 'q' is of the type uint8_t. According to the JPEG standard, if 1 <= q <= 50, the scale factor 'S' should be 5000 / Q. Because the create_default_qtables() reuses the variable 'q' to store the result of this calculation, for small values of q < 19, q wil subsequently overflow and give wrong results in the calculated quantization tables. The patch below uses a new variable 'S' (same name as in RFC2435) with the proper range to store the result of the division. 
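Review bot: When `av_find_program_from_stream()` returns NULL, or no service's `program` matches, `ts_st->service = service;` stores whatever `service` already held — for the second and later streams that is the previous stream's service rather than a deliberate default, since nothing in the hunk resets it per iteration (the declaration of `service` is outside the hunk). If the intended fallback is the initially selected service, capture it before the loop, e.g. `MpegTSService *default_service = service;`, and start each iteration with `service = default_service;`; otherwise a comment stating that the carry-over is intentional would stop the next reader from filing the same question. mpegts_init continues beyond the hunk.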
Signed-off-by: Michael Niedermayer (cherry picked from commit e3e6a2cff4af9542455d416faec4584d5e823d5d) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_jpeg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpdec_jpeg.c b/libavformat/rtpdec_jpeg.c index f3a2060523..397b5cf56c 100644 --- a/libavformat/rtpdec_jpeg.c +++ b/libavformat/rtpdec_jpeg.c @@ -193,16 +193,17 @@ static void create_default_qtables(uint8_t *qtables, uint8_t q) { int factor = q; int i; + uint16_t S; factor = av_clip(q, 1, 99); if (q < 50) - q = 5000 / factor; + S = 5000 / factor; else - q = 200 - factor * 2; + S = 200 - factor * 2; for (i = 0; i < 128; i++) { - int val = (default_quantizers[i] * q + 50) / 100; + int val = (default_quantizers[i] * S + 50) / 100; /* Limit the quantizers to 1 <= q <= 255. */ val = av_clip(val, 1, 255); From 2d0e415482caa0bac1728f23efedad975314ac28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Mar 2016 20:55:30 +0100 Subject: [PATCH 043/942] avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set Reviewed-by: maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 0cd9ff4e3aa23318a855c21d60b1c9035b2b99d2) Signed-off-by: Michael Niedermayer --- libavcodec/libutvideodec.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/libutvideodec.cpp b/libavcodec/libutvideodec.cpp index 7c60f4fb83..a456735d3c 100644 --- a/libavcodec/libutvideodec.cpp +++ b/libavcodec/libutvideodec.cpp 
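Review bot: `int factor = q;` is a dead store, immediately overwritten by `factor = av_clip(q, 1, 99);`, and the branch then tests the unclipped `q` while the division uses the clipped `factor`; the outcome is the same for every uint8_t value (0 and 100..255 land on the same side of 50 either way), but `if (factor < 50)` reads as intended and removes the need to reason about it. Declaring `S` as `uint16_t` next to `int factor` is also an odd choice — 5000 fits, but plain `int S;` avoids the promotion dance in `default_quantizers[i] * S + 50` and matches the surrounding code. The fix itself, not reusing the 8-bit `q` for the scale factor, is correct.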
@@ -222,9 +222,19 @@ static int utvideo_decode_frame(AVCodecContext *avctx, void *data, pic->data[0] = utv->buffer + utv->buf_size + pic->linesize[0]; break; } + pic->width = w; + pic->height = h; + pic->format = avctx->pix_fmt; + + if (avctx->refcounted_frames) { + int ret = av_frame_ref((AVFrame*)data, pic); + if (ret < 0) + return ret; + } else { + av_frame_move_ref((AVFrame*)data, pic); + } *got_frame = 1; - av_frame_move_ref((AVFrame*)data, pic); return avpkt->size; } From 526c7b21865f8547fb425eeeb093f0765f1f9918 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Mar 2016 22:37:41 +0100 Subject: [PATCH 044/942] Update for 3.0.1 Signed-off-by: Michael Niedermayer --- Changelog | 40 ++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 2e1cd36f5f..fe379b756e 100644 --- a/Changelog +++ b/Changelog 
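Review bot: The refcounted branch relies on `av_frame_ref()` falling back to a full copy because `pic` carries no AVBufferRef (its `data[0]` points into `utv->buffer`, as the context line above shows), which is exactly why `width`, `height` and `format` must now be filled in first — that dependency deserves a comment, e.g. `/* pic is not refcounted (data points into utv->buffer), so av_frame_ref() copies it; width/height/format must be set for that copy to succeed */`. It is also worth noting in the same comment that on `av_frame_ref()` failure nothing needs unwinding, since `pic` still refers to the decoder-owned buffer and `*got_frame` stays 0. utvideo_decode_frame begins outside the hunk.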
@@ -1,6 +1,46 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.1: +avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set +avformat/rtpdec_jpeg: fix low contrast image on low quality setting +avformat/mpegtsenc: Fix used service +avformat/mpegtsenc: Keep track of the program for each service +avformat/file: Add crypto to default whitelist +avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored +lavc/hevc: Allow arbitrary garbage in bytestream as long as at least one NAL unit is found. +avcodec/resample: Remove disabled and faulty code +indeo2: Fix banding artefacts +indeo2data: K&R formatting cosmetics +avformat/hlsenc: Fix passing options, regression since bc9a5965c815cf7fd998d8ce14a18b8e861dd9ce +avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool +avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing +avformat/concatdec: set safe mode to enabled instead of auto +avformat/utils: fix dts from pts code in compute_pkt_fields() during ascending delay +avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT +avcodec/dca: clear X96 channels if nothing was decoded +fate/aac: Increase fuzz from of fate-aac-pns-encode from 72 to 74 for Loongson +avformat/cache: Fix memleak of tree entries +lavf/mov: downgrade sidx errors to non-fatal warnings; fixes trac #5216 +lavf/mov: fix sidx with edit lists +avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg +swscale/utils: Fix chrSrcHSubSample for GBRAP16 +swscale/input: Fix GBRAP16 input +avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats +avcodec/h264: Execute error concealment before marking the frame as done. 
+swscale/x86/output: Fix yuv2planeX_16* with unaligned destination +swscale/x86/output: Move code into yuv2planeX_mainloop +MAINTAINERS: add myself as an OS/2 maintainer +libwebpenc_animencoder: print library messages in verbose log levels +libwebpenc_animencoder: zero initialize the WebPAnimEncoderOptions struct +configure: check for SEC_I_CONTEXT_EXPIRED before enabling SChannel +lavf/http: Add httpproxy to the default protocol whitelist. +doc/utils: fix typo for min() description +ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from being set correctly which was breaking ffserver streaming. +postproc: fix unaligned access +vc2enc: fix use of uninitialized variables in the rate control system + + version 3.0: - Common Encryption (CENC) MP4 encoding and decoding support - DXV decoding diff --git a/RELEASE b/RELEASE index 9f55b2ccb5..cb2b00e4f7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0 +3.0.1 From 7c2576e15d3265ff8205923049fc371a3d229d06 Mon Sep 17 00:00:00 2001 
From: Ganesh Ajjanagadde Date: Mon, 29 Feb 2016 22:16:16 -0500 Subject: [PATCH 045/942] lavc/aacenc_utils: replace sqrtf(Q*sqrtf(Q)) by precomputed value It makes no sense whatsoever to do this at each function call; we already have a table for this. Yields a 2x improvement in find_min_book (x86-64, Haswell+GCC): ffmpeg -i sin.flac -acodec aac -y sin.aac find_min_book old 605 decicycles in find_min_book, 8388453 runs, 155 skips.9x 606 decicycles in find_min_book,16776912 runs, 304 skips.9x 607 decicycles in find_min_book,33553819 runs, 613 skips.2x 607 decicycles in find_min_book,67107668 runs, 1196 skips.3x 607 decicycles in find_min_book,134215360 runs, 2368 skips3x new 359 decicycles in find_min_book, 8388552 runs, 56 skips.3x 360 decicycles in find_min_book,16777112 runs, 104 skips.1x 361 decicycles in find_min_book,33554218 runs, 214 skips.4x 361 decicycles in find_min_book,67108381 runs, 483 skips.5x 361 decicycles in find_min_book,134216725 runs, 1003 skips5x and more importantly a non-negligible speedup (~ 8%) to overall AAC encoding: old: ffmpeg -i sin.flac -acodec aac -strict -2 -y sin_new.aac 6.82s user 0.03s system 104% cpu 6.565 total new: ffmpeg -i sin.flac -acodec aac -strict -2 -y sin_old.aac 6.24s user 0.03s system 104% cpu 5.993 total This also improves accuracy of the expression by ~ 2 ulp in some cases. Reviewed-by: Derek Buitenhuis Reviewed-by: Rostislav Pehlivanov Signed-off-by: Ganesh Ajjanagadde (cherry picked from commit bd9c58756a50b52e495b748d6ea6b0aafe397c25) --- libavcodec/aacenc_utils.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/aacenc_utils.h b/libavcodec/aacenc_utils.h index cb5bc8da12..c2a2c2ec68 100644 --- a/libavcodec/aacenc_utils.h +++ b/libavcodec/aacenc_utils.h 
@@ -90,8 +90,7 @@ static inline float find_max_val(int group_len, int swb_size, const float *scale
 static inline int find_min_book(float maxval, int sf)
 {
- float Q = ff_aac_pow2sf_tab[POW_SF2_ZERO - sf + SCALE_ONE_POS - SCALE_DIV_512];
- float Q34 = sqrtf(Q * sqrtf(Q));
+ float Q34 = ff_aac_pow34sf_tab[POW_SF2_ZERO - sf + SCALE_ONE_POS - SCALE_DIV_512];
 int qmaxval, cb;
 qmaxval = maxval * Q34 + C_QUANT;
 if (qmaxval >= (FF_ARRAY_ELEMS(aac_maxval_cb)))
From 1cbe4ff2acdd1f166ac7ac912c1b00da9fbf0dd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Tue, 1 Mar 2016 22:53:18 +0100
Subject: [PATCH 046/942] aacenc: avoid double in quantize_bands.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
I cannot see any point whatsoever to use double here instead of float, the results are likely identical in all cases.. Using float allows for much more efficient use of SIMD.
Signed-off-by: Reimar Döffinger
(cherry picked from commit 0a04c2885f02f7db6b410b6d43d120e5eb48dc18)
---
 libavcodec/aacenc_utils.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/libavcodec/aacenc_utils.h b/libavcodec/aacenc_utils.h
index c2a2c2ec68..b9bd6bf449 100644
--- a/libavcodec/aacenc_utils.h
+++ b/libavcodec/aacenc_utils.h
@@ -66,10 +66,9 @@ static inline void quantize_bands(int *out, const float *in, const float *scaled
 const float rounding)
 {
 int i;
- double qc;
 for (i = 0; i < size; i++) {
- qc = scaled[i] * Q34;
- out[i] = (int)FFMIN(qc + rounding, (double)maxval);
+ float qc = scaled[i] * Q34;
+ out[i] = (int)FFMIN(qc + rounding, (float)maxval);
 if (is_signed && in[i] < 0.0f) {
 out[i] = -out[i];
 }
From b176ab0556914a734932e934a5e904dad091ad71 Mon Sep 17 00:00:00 2001
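Review bot: The new lookup indexes ff_aac_pow34sf_tab with the exact expression that used to index ff_aac_pow2sf_tab, and nothing in the hunk shows that the two tables have the same length or cover the same range of sf, so the bound that made the old lookup safe has to be known to hold for the new table as well. A one-line comment at the lookup, `/* ff_aac_pow34sf_tab is indexed exactly like ff_aac_pow2sf_tab: same sf range, same length */`, would record that invariant where the next reader will look for it. The checks on qmaxval below are unchanged by this hunk and find_min_book ends outside it.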
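Review bot: Switching the clamp to `(float)maxval` is only exact while maxval stays below 2^24; above that the conversion rounds and FFMIN can return a value that truncates to something other than maxval, whereas the double form was exact for any int. The hunk does not show the range of maxval, so if it is a small quantiser bound this is moot, but a comment stating that, `/* maxval is small enough that (float)maxval is exact */`, would justify the narrowing. quantize_bands starts outside the hunk.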
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Sun, 6 Mar 2016 21:25:11 +0100
Subject: [PATCH 047/942] aacenc_utils: Use temporary variable.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This ensures gcc does not create unnecessary loads or stores and possibly even does not vectorize the negation. Speeds up mp3 to aac transcoding with default settings by 10% when using "gcc (Debian 5.3.1-10) 5.3.1 20160224".
Signed-off-by: Reimar Döffinger
(cherry picked from commit b60dfae7af65c4c7d255ef599352f2c54964303d)
---
 libavcodec/aacenc_utils.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aacenc_utils.h b/libavcodec/aacenc_utils.h
index b9bd6bf449..41a62961e1 100644
--- a/libavcodec/aacenc_utils.h
+++ b/libavcodec/aacenc_utils.h
@@ -68,10 +68,11 @@ static inline void quantize_bands(int *out, const float *in, const float *scaled
 int i;
 for (i = 0; i < size; i++) {
 float qc = scaled[i] * Q34;
- out[i] = (int)FFMIN(qc + rounding, (float)maxval);
+ int tmp = (int)FFMIN(qc + rounding, (float)maxval);
 if (is_signed && in[i] < 0.0f) {
- out[i] = -out[i];
+ tmp = -tmp;
 }
+ out[i] = tmp;
 }
 }
From f281cb4ea93dc4c27ce93870eafffbe490b25247 Mon Sep 17 00:00:00 2001
From: Ganesh Ajjanagadde Date: Mon, 7 Mar 2016 21:16:29 -0500 Subject: [PATCH 048/942] lavc/aacenc_utils: replace powf(x,y) by expf(logf(x), y) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is ~2x faster for y not an integer on Haswell+GCC, and should generally be faster due to the fact that anyway powf essentially does this under the hood. Made an inline function in lavu/internal.h for this purpose. Note that there are some accuracy differences, that should generally be negligible. In particular, FATE still passes on this platform. Results in ~ 7% speedup in aac encoding with -march=native, Haswell+GCC. before: ffmpeg -i sin.flac -acodec aac -y sin_new.aac 6.05s user 0.06s system 104% cpu 5.821 total after: ffmpeg -i sin.flac -acodec aac -y sin_new.aac 5.67s user 0.03s system 105% cpu 5.416 total This is also faster than an alternative approach that pulls in powf, gets rid of the crufty NaN checks and other special cases, exploits knowledge about the intervals, etc. This of course does not exclude smarter approaches; just suggests that there would need to be significant work on this front of lower utility than searches for hotspots elsewhere. Reviewed-by: Reimar Döffinger Reviewed-by: Ronald S. Bultje Signed-off-by: Ganesh Ajjanagadde (cherry picked from commit bccc81dfa08e6561df6ed37860e3a08f7d983825) --- libavcodec/aacenc_utils.h | 6 +++++- libavutil/internal.h | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacenc_utils.h b/libavcodec/aacenc_utils.h index 41a62961e1..07f733746b 100644 --- a/libavcodec/aacenc_utils.h +++ b/libavcodec/aacenc_utils.h @@ -28,6 +28,7 @@ #ifndef AVCODEC_AACENC_UTILS_H #define AVCODEC_AACENC_UTILS_H +#include "libavutil/internal.h" #include "aac.h" #include "aacenctab.h" #include "aactab.h" 
@@ -122,7 +123,10 @@ static inline float find_form_factor(int group_len, int swb_size, float thresh, if (s >= ethresh) { nzl += 1.0f; } else { - nzl += powf(s / ethresh, nzslope); + if (nzslope == 2.f) + nzl += (s / ethresh) * (s / ethresh); + else + nzl += ff_fast_powf(s / ethresh, nzslope); } } if (e2 > thresh) { diff --git a/libavutil/internal.h b/libavutil/internal.h index c4bcf37ab8..44f8c1ee47 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -313,6 +313,22 @@ static av_always_inline float ff_exp10f(float x) return exp2f(M_LOG2_10 * x); } +/** + * Compute x^y for floating point x, y. Note: this function is faster than the + * libm variant due to mainly 2 reasons: + * 1. It does not handle any edge cases. In particular, this is only guaranteed + * to work correctly for x > 0. + * 2. It is not as accurate as a standard nearly "correctly rounded" libm variant. + * @param x base + * @param y exponent + * @return x^y + */ +static av_always_inline float ff_fast_powf(float x, float y) +{ + return expf(logf(x) * y); +} + + /** * A wrapper for open() setting O_CLOEXEC. */ From 6cb5bbc66024572a5310717c03ce3227ec8f4c2c Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Mon, 28 Mar 2016 16:59:14 +0100 Subject: [PATCH 049/942] Changelog: update for 3.0.1's aacenc optimizations Signed-off-by: Rostislav Pehlivanov --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index fe379b756e..ce0728563a 100644 --- a/Changelog +++ b/Changelog @@ -39,6 +39,7 @@ doc/utils: fix typo for min() description ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from being set correctly which was breaking ffserver streaming. postproc: fix unaligned access vc2enc: fix use of uninitialized variables in the rate control system +aacenc: optimize encoding speed version 3.0: From f01919b57af0ff99820b6e8285d6fe546d3ed938 Mon Sep 17 00:00:00 2001 
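Review bot: ff_fast_powf is documented as only guaranteed for x > 0, but the call site in find_form_factor passes s / ethresh, and if s can be 0 there (the function starts outside the hunk, so I cannot tell) logf(0) is -inf, which expf turns into 0 for a positive nzslope but into NaN when nzslope is 0, where powf(0, 0) returned 1. If s == 0 or nzslope == 0 are reachable, guard the fast path at the call site, e.g. `else if (s > 0.0f)` before the ff_fast_powf line, with a comment naming the reason. The doc comment on ff_fast_powf in the internal.h hunk would also benefit from spelling out the x == 0 and y == 0 behaviour rather than just "does not handle any edge cases", so other callers know exactly what they give up.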
From: Rostislav Pehlivanov
Date: Fri, 26 Feb 2016 12:21:36 +0000
Subject: [PATCH 050/942] vc2enc: correctly zero out coefficient array padding
Credit for figuring this out goes to James Darnley.
Signed-off-by: Rostislav Pehlivanov
(cherry picked from commit 3ef10406e19663a78791ed1b38178fb00d4c7d88)
---
 libavcodec/vc2enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c
index f42b10ffef..bf3f3a980d 100644
--- a/libavcodec/vc2enc.c
+++ b/libavcodec/vc2enc.c
@@ -867,7 +867,7 @@ static int dwt_plane(AVCodecContext *avctx, void *arg)
 }
 }
- memset(buf, 0, (p->coef_stride*p->dwt_height - p->height*p->width)*sizeof(dwtcoef));
+ memset(buf, 0, p->coef_stride * (p->dwt_height - p->height) * sizeof(dwtcoef));
 for (level = s->wavelet_depth-1; level >= 0; level--) {
 const SubBand *b = &p->band[level][0];
From 3d9ebfd27264d0d2f5a379d76375d267fc98d616 Mon Sep 17 00:00:00 2001
From: Rostislav Pehlivanov
Date: Mon, 28 Mar 2016 17:04:23 +0100
Subject: [PATCH 051/942] Changelog: update for 3.0.1's vc2enc fixes
Signed-off-by: Rostislav Pehlivanov
---
 Changelog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index ce0728563a..c0ac96b6bc 100644
--- a/Changelog
+++ b/Changelog
@@ -38,7 +38,7 @@ lavf/http: Add httpproxy to the default protocol whitelist.
 doc/utils: fix typo for min() description
 ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from being set correctly which was breaking ffserver streaming.
 postproc: fix unaligned access
-vc2enc: fix use of uninitialized variables in the rate control system
+vc2enc: fix use of uninitialized variables in the rate control system, correctly zero out coefficient array padding
 aacenc: optimize encoding speed
From 7b1e020fc5edbc09774d6fe7857d47d29f157a13 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Mon, 28 Mar 2016 21:34:08 -0300
Subject: [PATCH 052/942] avformat/svag: fix division by zero
Fixes ticket #5386
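Review bot: The new memset size clears only the rows from p->height up to p->dwt_height, whereas the old expression also covered the trailing columns between p->width and p->coef_stride inside the first p->height rows; that is correct only if the loop above (dwt_plane starts outside the hunk) already writes or clears those columns and buf points at row p->height when this line runs. A comment stating that precondition, `/* rows [0, height) are fully written above, stride padding included; zero the remaining dwt_height - height rows */`, would make the size expression self-evident and keep a future edit to the loop from silently breaking it.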
Signed-off-by: James Almer
(cherry picked from commit d5a3578350a3901a26df39df196bb085760ec46f)
---
 libavformat/svag.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/svag.c b/libavformat/svag.c
index ab7f36c81a..08fc06b1ba 100644
--- a/libavformat/svag.c
+++ b/libavformat/svag.c
@@ -48,7 +48,7 @@ static int svag_read_header(AVFormatContext *s)
 if (st->codec->sample_rate <= 0)
 return AVERROR_INVALIDDATA;
 st->codec->channels = avio_rl32(s->pb);
- if (st->codec->channels <= 0)
+ if (st->codec->channels <= 0 || st->codec->channels > 8)
 return AVERROR_INVALIDDATA;
 st->duration = size / (16 * st->codec->channels) * 28;
 align = avio_rl32(s->pb);
From 26d29f0c3dc200bbbf066f55a90738398b6013be Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 25 Mar 2016 15:29:26 +0100
Subject: [PATCH 053/942] avcodec/h264_slice: Check PPS more extensively when its not copied
Fixes Ticket5371
Fixes null pointer dereference
Signed-off-by: Michael Niedermayer
(cherry picked from commit c50be7a52bc1e8e18a0059e489743ec12a43f257)
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_slice.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 2131338a7b..0b3e0406f2 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1282,9 +1282,13 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl)
 if (first_slice) {
 h->pps = *h->pps_buffers[pps_id];
- } else if (h->setup_finished && h->dequant_coeff_pps != pps_id) {
- av_log(h->avctx, AV_LOG_ERROR, "PPS changed between slices\n");
- return AVERROR_INVALIDDATA;
+ } else {
+ if (h->pps.sps_id != pps->sps_id ||
+ h->pps.transform_8x8_mode != pps->transform_8x8_mode ||
+ (h->setup_finished && h->dequant_coeff_pps != pps_id)) {
+ av_log(h->avctx, AV_LOG_ERROR, "PPS changed between slices\n");
+ return AVERROR_INVALIDDATA;
+ }
 }
 if (pps->sps_id != h->sps.sps_id ||
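Review bot: The new upper bound of 8 on st->codec->channels is what keeps `16 * st->codec->channels` two lines below from overflowing or wrapping to zero, which is the division by zero this commit fixes, yet the constant 8 is unexplained in the hunk. A comment on the check, `/* bound channels: the duration computation below divides by 16 * channels */`, or a named constant for the container's channel limit, would tie the value to its reason. The type of size in that expression is not visible here, so whether the division itself can still overflow is not something this hunk shows.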
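Review bot: The non-first-slice branch now compares only sps_id and transform_8x8_mode between h->pps and the slice's PPS, so a PPS that differs in any other field still passes and decoding continues with the copied h->pps; whether that is safe depends on which fields the rest of ff_h264_decode_slice_header reads from h->pps versus pps, and the function starts and ends outside the hunk. A comment naming why exactly these two fields are compared, `/* these are the fields consulted before setup finishes; everything else still comes from h->pps */` or whatever the actual reason is, would document the choice and tell the next maintainer whether a new PPS field needs adding here. Where pps is assigned is also outside the hunk.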
From 00b54d4625b088b40b3547d55b6c990f3c8fd6c9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 28 Mar 2016 04:01:08 +0200
Subject: [PATCH 054/942] avcodec/diracdec: check bitstream size related fields for overflows
Fixes segfault
Fixes Ticket5333
Regression since bfc8a4dabe5a0154b31128b59dca575010176441
Signed-off-by: Michael Niedermayer
(cherry picked from commit 8f2a1990c06df73cf58401c8ba193711eb8947e7)
Signed-off-by: Michael Niedermayer
---
 libavcodec/diracdec.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index e530a05de3..05c79005eb 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -173,7 +173,7 @@ typedef struct DiracContext {
 struct {
 unsigned prefix_bytes;
- unsigned size_scaler;
+ uint64_t size_scaler;
 } highquality;
 struct {
@@ -826,9 +826,15 @@ static int decode_hq_slice(AVCodecContext *avctx, void *arg)
 /* Luma + 2 Chroma planes */
 for (i = 0; i < 3; i++) {
- int length = s->highquality.size_scaler * get_bits(gb, 8);
- int bits_left = 8 * length;
- int bits_end = get_bits_count(gb) + bits_left;
+ int64_t length = s->highquality.size_scaler * get_bits(gb, 8);
+ int64_t bits_left = 8 * length;
+ int64_t bits_end = get_bits_count(gb) + bits_left;
+
+ if (bits_end >= INT_MAX) {
+ av_log(s->avctx, AV_LOG_ERROR, "end too far away\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 for (level = 0; level < s->wavelet_depth; level++) {
 for (orientation = !!level; orientation < 4; orientation++) {
 decode_subband(s, gb, quants[level][orientation], slice->slice_x, slice->slice_y, bits_end,
@@ -848,7 +854,8 @@ static int decode_hq_slice(AVCodecContext *avctx, void *arg)
 static int decode_lowdelay(DiracContext *s)
 {
 AVCodecContext *avctx = s->avctx;
- int slice_x, slice_y, bytes = 0, bufsize;
+ int slice_x, slice_y, bufsize;
+ int64_t bytes = 0;
 const uint8_t *buf;
 DiracSlice *slices;
 int slice_num = 0;
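Review bot: size_scaler is widened to uint64_t and then multiplied by the 8-bit length in decode_hq_slice and by buf[bytes] in decode_lowdelay, with the overflow caught only afterwards by the `>= INT_MAX` comparisons on bits_end and bytes; the value itself is never bounded where it is parsed in dirac_unpack_idwt_params (the last hunk of this patch bounds only prefix_bytes). Rejecting an oversized size_scaler at parse time next to the prefix_bytes check, `if (s->highquality.size_scaler > INT_MAX / (8 * 255)) return AVERROR_INVALIDDATA;` with the same av_log pattern, would make the int64_t arithmetic at both use sites obviously non-wrapping instead of relying on each caller to re-check. Note that `bits_end >= INT_MAX` only guards the int range, not the real bit length of gb, so an in-range but past-the-buffer bits_end is presumably caught inside decode_subband, which is outside the hunk.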
@@ -872,6 +879,11 @@ static int decode_lowdelay(DiracContext *s)
 if (bytes <= bufsize/8)
 bytes += buf[bytes] * s->highquality.size_scaler + 1;
 }
+ if (bytes >= INT_MAX) {
+ av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+ av_free(slices);
+ return AVERROR_INVALIDDATA;
+ }
 slices[slice_num].bytes = bytes;
 slices[slice_num].slice_x = slice_x;
@@ -1151,6 +1163,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
 } else if (s->hq_picture) {
 s->highquality.prefix_bytes = svq3_get_ue_golomb(gb);
 s->highquality.size_scaler = svq3_get_ue_golomb(gb);
+ if (s->highquality.prefix_bytes >= INT_MAX / 8) {
+ av_log(s->avctx,AV_LOG_ERROR,"too many prefix bytes\n");
+ return AVERROR_INVALIDDATA;
+ }
 }
 /* [DIRAC_STD] 11.3.5 Quantisation matrices (low-delay syntax). quant_matrix() */
From 9b1b674ebefd804192c9fcee2457d4e670683e75 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 29 Mar 2016 03:53:36 +0200
Subject: [PATCH 055/942] Changelog: update
Signed-off-by: Michael Niedermayer
---
 Changelog | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Changelog b/Changelog
index c0ac96b6bc..7556ada9dd 100644
--- a/Changelog
+++ b/Changelog
@@ -40,6 +40,8 @@ ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from b
 postproc: fix unaligned access
 vc2enc: fix use of uninitialized variables in the rate control system, correctly zero out coefficient array padding
 aacenc: optimize encoding speed
+avcodec/diracdec: check bitstream size related fields for overflows
+avcodec/h264_slice: Check PPS more extensively when its not copied
 version 3.0:
From fda00aa7749326f02a6ca0a7d9bd9bcda1054071 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 29 Mar 2016 04:25:48 +0200
Subject: [PATCH 056/942] doc/Doxyfile: update for 3.0.1
Signed-off-by: Michael Niedermayer
---
 doc/Doxyfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 07b4d1fe01..c001ef792a 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0 +PROJECT_NUMBER = 3.0.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 5d79566ab3ddfc6fc46cc2fe7f3b894b4c384f3e Mon Sep 17 00:00:00 2001 From: Aaron Boxer Date: Thu, 31 Mar 2016 16:02:14 -0400 Subject: [PATCH 057/942] avcodec/j2kenc: Add attribution to OpenJPEG project: http://ghostscript.com/~tor/gs-browse/gs/openjpeg/libopenjpeg/t1.c Signed-off-by: Michael Niedermayer (cherry picked from commit b6b4b0a65e02495edf9d7e5b23bef99a92921147) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 2cd837d8be..c8d3861732 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c 
@@ -17,8 +17,46 @@ * You should have received a copy of the GNU Lesser General Public * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + * ********************************************************************************************************************** + * + * + * + * This source code incorporates work covered by the following copyright and + * permission notice: + * + * Copyright (c) 2002-2007, Communications and Remote Sensing Laboratory, Universite catholique de Louvain (UCL), Belgium + * Copyright (c) 2002-2007, Professor Benoit Macq + * Copyright (c) 2001-2003, David Janssens + * Copyright (c) 2002-2003, Yannick Verschueren + * Copyright (c) 2003-2007, Francois-Olivier Devaux and Antonin Descampe + * Copyright (c) 2005, Herve Drolon, FreeImage Team + * Copyright (c) 2007, Callum Lerwick + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. */ + /** * JPEG2000 image encoder * @file From 47f0d80ee01b1ae5f3ab68ef697681d9a1327b00 Mon Sep 17 00:00:00 2001 From: Marios Titas Date: Sat, 2 Apr 2016 21:11:44 +0300 Subject: [PATCH 058/942] avfilter/src_movie: fix how we check for overflows with seek_point Currently, if the movie source filter is used and a seek_point is specified on a file that has a negative start time, ffmpeg will fail. An easy way to reproduce this is as follows: $ ffmpeg -vsync passthrough -filter_complex 'color=d=10,setpts=PTS-1/TB' test.mp4 $ ffmpeg -filter_complex 'movie=filename=test.mp4:seek_point=2' -f null - The problem is caused by checking for int64_t overflow the wrong way. In general, to check whether a + b overflows, it is not enough to do: a > INT64_MAX - b because b might be negative; the correct way is: b > 0 && > a > INT64_MAX - b Signed-off-by: Michael Niedermayer (cherry picked from commit c1f9734f977f59bc0034096afbe8e43e40d93a5d) Signed-off-by: Michael Niedermayer --- libavfilter/src_movie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 82d2bcda10..eab24589dc 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c 
@@ -240,7 +240,7 @@ static av_cold int movie_common_init(AVFilterContext *ctx)
 timestamp = movie->seek_point;
 // add the stream start time, should it exist
 if (movie->format_ctx->start_time != AV_NOPTS_VALUE) {
- if (timestamp > INT64_MAX - movie->format_ctx->start_time) {
+ if (timestamp > 0 && movie->format_ctx->start_time > INT64_MAX - timestamp) {
 av_log(ctx, AV_LOG_ERROR,
 "%s: seek value overflow with start_time:%"PRId64" seek_point:%"PRId64"\n",
 movie->file_name, movie->format_ctx->start_time, movie->seek_point);
From 6103a8453fadf53f87fe4198db41cb6a5a7420dc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 4 Apr 2016 22:45:14 +0200
Subject: [PATCH 059/942] Changelog: Make formating consistent
Signed-off-by: Michael Niedermayer
---
 Changelog | 80 +++++++++++++++++++++++++++----------------------------
 1 file changed, 40 insertions(+), 40 deletions(-)
diff --git a/Changelog b/Changelog
index 7556ada9dd..8776e0d9bd 100644
--- a/Changelog
+++ b/Changelog
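Review bot: The new condition only catches the positive direction of the overflow; with timestamp < 0 and a sufficiently negative start_time the addition can go below INT64_MIN and the check stays silent. If seek_point can be negative (its parsing is outside the hunk, so this is an assumption) the symmetric case should be covered too, `if ((timestamp > 0 && movie->format_ctx->start_time > INT64_MAX - timestamp) || (timestamp < 0 && movie->format_ctx->start_time < INT64_MIN - timestamp)) {`, and a one-line comment saying the check covers both signs. movie_common_init starts and ends outside the hunk.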
@@ -2,46 +2,46 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.1: -avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set -avformat/rtpdec_jpeg: fix low contrast image on low quality setting -avformat/mpegtsenc: Fix used service -avformat/mpegtsenc: Keep track of the program for each service -avformat/file: Add crypto to default whitelist -avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored -lavc/hevc: Allow arbitrary garbage in bytestream as long as at least one NAL unit is found. -avcodec/resample: Remove disabled and faulty code -indeo2: Fix banding artefacts -indeo2data: K&R formatting cosmetics -avformat/hlsenc: Fix passing options, regression since bc9a5965c815cf7fd998d8ce14a18b8e861dd9ce -avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool -avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing -avformat/concatdec: set safe mode to enabled instead of auto -avformat/utils: fix dts from pts code in compute_pkt_fields() during ascending delay -avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT -avcodec/dca: clear X96 channels if nothing was decoded -fate/aac: Increase fuzz from of fate-aac-pns-encode from 72 to 74 for Loongson -avformat/cache: Fix memleak of tree entries -lavf/mov: downgrade sidx errors to non-fatal warnings; fixes trac #5216 -lavf/mov: fix sidx with edit lists -avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg -swscale/utils: Fix chrSrcHSubSample for GBRAP16 -swscale/input: Fix GBRAP16 input -avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats -avcodec/h264: Execute error concealment before marking the frame as done. 
-swscale/x86/output: Fix yuv2planeX_16* with unaligned destination -swscale/x86/output: Move code into yuv2planeX_mainloop -MAINTAINERS: add myself as an OS/2 maintainer -libwebpenc_animencoder: print library messages in verbose log levels -libwebpenc_animencoder: zero initialize the WebPAnimEncoderOptions struct -configure: check for SEC_I_CONTEXT_EXPIRED before enabling SChannel -lavf/http: Add httpproxy to the default protocol whitelist. -doc/utils: fix typo for min() description -ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from being set correctly which was breaking ffserver streaming. -postproc: fix unaligned access -vc2enc: fix use of uninitialized variables in the rate control system, correctly zero out coefficient array padding -aacenc: optimize encoding speed -avcodec/diracdec: check bitstream size related fields for overflows -avcodec/h264_slice: Check PPS more extensively when its not copied +- avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set +- avformat/rtpdec_jpeg: fix low contrast image on low quality setting +- avformat/mpegtsenc: Fix used service +- avformat/mpegtsenc: Keep track of the program for each service +- avformat/file: Add crypto to default whitelist +- avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored +- lavc/hevc: Allow arbitrary garbage in bytestream as long as at least one NAL unit is found. 
+- avcodec/resample: Remove disabled and faulty code +- indeo2: Fix banding artefacts +- indeo2data: K&R formatting cosmetics +- avformat/hlsenc: Fix passing options, regression since bc9a5965c815cf7fd998d8ce14a18b8e861dd9ce +- avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool +- avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing +- avformat/concatdec: set safe mode to enabled instead of auto +- avformat/utils: fix dts from pts code in compute_pkt_fields() during ascending delay +- avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT +- avcodec/dca: clear X96 channels if nothing was decoded +- fate/aac: Increase fuzz from of fate-aac-pns-encode from 72 to 74 for Loongson +- avformat/cache: Fix memleak of tree entries +- lavf/mov: downgrade sidx errors to non-fatal warnings; fixes trac #5216 +- lavf/mov: fix sidx with edit lists +- avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg +- swscale/utils: Fix chrSrcHSubSample for GBRAP16 +- swscale/input: Fix GBRAP16 input +- avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats +- avcodec/h264: Execute error concealment before marking the frame as done. +- swscale/x86/output: Fix yuv2planeX_16* with unaligned destination +- swscale/x86/output: Move code into yuv2planeX_mainloop +- MAINTAINERS: add myself as an OS/2 maintainer +- libwebpenc_animencoder: print library messages in verbose log levels +- libwebpenc_animencoder: zero initialize the WebPAnimEncoderOptions struct +- configure: check for SEC_I_CONTEXT_EXPIRED before enabling SChannel +- lavf/http: Add httpproxy to the default protocol whitelist. +- doc/utils: fix typo for min() description +- ffserver&ffm: Fixed issues preventing ffserver write_index and files_size from being set correctly which was breaking ffserver streaming. 
+- postproc: fix unaligned access +- vc2enc: fix use of uninitialized variables in the rate control system, correctly zero out coefficient array padding +- aacenc: optimize encoding speed +- avcodec/diracdec: check bitstream size related fields for overflows +- avcodec/h264_slice: Check PPS more extensively when its not copied version 3.0: From 325d0b64d5a43925adb81daa3a86a25dbb7d58fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Apr 2016 00:47:10 +0200 Subject: [PATCH 060/942] avcodec/pngdec: Fix alpha detection with skip_frame Fixes Ticket4816 Signed-off-by: Michael Niedermayer (cherry picked from commit d433623fba2b273491ff7dda401648e7d07e19fe) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 61857d0e5c..24318fbeaf 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1136,6 +1136,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, case MKTAG('p', 'H', 'Y', 's'): case MKTAG('t', 'E', 'X', 't'): case MKTAG('I', 'D', 'A', 'T'): + case MKTAG('t', 'R', 'N', 'S'): break; default: goto skip_tag; From 14fdebc4ffcbaa202fe4568234fcb26752b416ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Apr 2016 15:10:31 +0200 Subject: [PATCH 061/942] avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case Fixes Ticket 5438 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e26bdd59bf559d00c7e60c53fff292de10139ff) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9493dc32d..7ab32a0b00 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c 
@@ -63,7 +63,7 @@ restart:
 continue;
 }
 bpc->pc.frame_start_found++;
- bpc->remaining_size = bpc->fsize + i - 17;
+ bpc->remaining_size = bpc->fsize + FFMAX(i - 17, 0);
 if (bpc->pc.index + i > 17) {
 next = i - 17;
From 76573c5239fb7d293cc350807f02cc3e91bff18d Mon Sep 17 00:00:00 2001
From: Ivan
Date: Tue, 12 Apr 2016 16:32:04 -0400
Subject: [PATCH 062/942] avcodec/h264: Fix for H.264 configuration parsing
Sometimes video fails to decode if H.264 configuration changes mid stream. The reason is that configuration parser assumes that nal_ref_idc is equal to 11b while actually some codecs but 01b there. The H.264 spec is somewhat vague about this but it looks like it allows any non-zero nal_ref_idc for sps/pps.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 3a727606c474d3d0b9efa3c900294a84bdb5e331)
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index f1399b886a..88768af733 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1781,7 +1781,7 @@ static int is_extra(const uint8_t *buf, int buf_size)
 const uint8_t *p= buf+6;
 while(cnt--){
 int nalsize= AV_RB16(p) + 2;
- if(nalsize > buf_size - (p-buf) || p[2]!=0x67)
+ if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 7)
 return 0;
 p += nalsize;
 }
@@ -1790,7 +1790,7 @@ static int is_extra(const uint8_t *buf, int buf_size)
 return 0;
 while(cnt--){
 int nalsize= AV_RB16(p) + 2;
- if(nalsize > buf_size - (p-buf) || p[2]!=0x68)
+ if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 8)
 return 0;
 p += nalsize;
 }
From 264c9fe6aada7ee6c4f0d94e624d84c58097db92 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 20 Apr 2016 22:38:26 +0200
Subject: [PATCH 063/942] avcodec/avpacket: Fix off by 5 error
Fixes out of array read
Fixes: mozilla bug 1266129
Found-by: Tyson Smith
Tested-by: Tyson Smith
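Review bot: `FFMAX(i - 17, 0)` clamps the offset without saying why a negative i - 17 is expected here, while the `next = i - 17` two lines below stays unclamped behind a different condition, so the two asymmetric treatments read as if one of them were a mistake. If the negative case is the header having started in the previous packet (the surrounding parser loop starts outside the hunk, so this is inferred), a comment on the clamp, `/* i < 17: the header began in a previous packet; those bytes are not part of remaining_size */`, would make the intent clear. The type of bpc->fsize is not visible, so whether fsize + i itself can overflow is not something this hunk shows.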
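Review bot: The mask 0x9F keeps the forbidden_zero_bit and nal_unit_type but also accepts nal_ref_idc == 0, while the commit message says the spec allows any non-zero nal_ref_idc for SPS/PPS; if zero is meant to be rejected the check needs a further term, `if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 7 || !(p[2] & 0x60))`, and the same applies to the PPS loop in the second hunk with 8. Either way a comment naming the bit fields, `/* forbidden_zero_bit == 0, any nal_ref_idc, nal_unit_type == 7 (SPS) */`, would replace the magic 0x9F, and the literal 7 and 8 deserve the file's NAL type constants if it has them. is_extra's prologue is outside both hunks.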
Signed-off-by: Michael Niedermayer
(cherry picked from commit 9f36ea57ae6eefb42432220feab0350494f4144c)
Signed-off-by: Michael Niedermayer
---
 libavcodec/avpacket.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index 4901d361b1..b2079f61a1 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -401,10 +401,12 @@ int av_packet_split_side_data(AVPacket *pkt){
 p = pkt->data + pkt->size - 8 - 5;
 for (i=1; ; i++){
 size = AV_RB32(p);
- if (size>INT_MAX || p - pkt->data < size)
+ if (size>INT_MAX - 5 || p - pkt->data < size)
 return 0;
 if (p[4]&128)
 break;
+ if (p - pkt->data < size + 5)
+ return 0;
 p-= size+5;
 }
@@ -415,7 +417,7 @@ int av_packet_split_side_data(AVPacket *pkt){
 p= pkt->data + pkt->size - 8 - 5;
 for (i=0; ; i++){
 size= AV_RB32(p);
- av_assert0(size<=INT_MAX && p - pkt->data >= size);
+ av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size);
 pkt->side_data[i].data = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
 pkt->side_data[i].size = size;
 pkt->side_data[i].type = p[4]&127;
From 6fdd122b11e57582655ae9d7735c2c7f45a36cb7 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Tue, 12 Apr 2016 10:51:30 +0200
Subject: [PATCH 064/942] avcodec/apedec: fix decoding of stereo files with one channel full of silence
Signed-off-by: Paul B Mahol
(cherry picked from commit 9149e9c0baaec122bc3da925d6068dffa60b5427)
Signed-off-by: Michael Niedermayer
---
 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index bed9a96984..de9d71ca40 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
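Review bot: The counting loop now checks `p - pkt->data < size + 5` before stepping `p -= size+5`, but the second loop's av_assert0 was only updated for the `INT_MAX - 5` half; if that loop steps p by the same size + 5 (its tail is outside the hunk) it relies on the first loop having validated the identical walk, and that dependency should be written down. A comment at the assertion, `/* every step was validated by the counting loop above, including the 5 trailing header bytes */`, ties the two loops together for the next reader. The type of size is not visible here; if it is unsigned, the `p - pkt->data < size` comparisons convert the pointer difference to unsigned, which is worth confirming alongside the signed `INT_MAX - 5` bound.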
@@ -1372,7 +1372,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; - if (ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) { + if ((ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) == APE_FRAMECODE_STEREO_SILENCE) { /* We are pure silence, so we're done. */ av_log(ctx->avctx, AV_LOG_DEBUG, "pure silence stereo\n"); return; From 7626fb6cbf5f4755c3f7591e99ca475dfadf4c7c Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 20 Apr 2016 22:45:05 +0200 Subject: [PATCH 065/942] avcodec/takdec: add code that got somehow lost in process of REing Signed-off-by: Paul B Mahol (cherry picked from commit 38797a8033d061ade58b30b8ac86da222fe42a84) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index d057e0a1cb..001086bc74 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -227,6 +227,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a3 = coeffs[2]; int a4 = a3 + a1; int a5 = a4 + a2; + coeffs[2] = a5; coeffs += 3; for (i = 0; i < length - 3; i++) { a3 += *coeffs; From 512c064cd9e064fccd5809bc0928822a7324373d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Apr 2016 12:07:37 +0200 Subject: [PATCH 066/942] avformat/mux: Check that deinit is set before calling it Fixes null pointer dereference Signed-off-by: Michael Niedermayer (cherry picked from commit c84ba07db4abd123b2ad93784e312a24d9341553) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mux.c b/libavformat/mux.c index 789c811cd8..f14bfd52d5 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -400,7 +400,8 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (s->oformat->init && (ret = s->oformat->init(s)) < 0) { - s->oformat->deinit(s); + if (s->oformat->deinit) + s->oformat->deinit(s); goto fail; } 
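Review bot: The change from `&` to `== APE_FRAMECODE_STEREO_SILENCE` only makes sense if that constant is a multi-bit mask (both channels flagged silent), which the hunk does not show, and the old form is exactly what a future cleanup would revert to. Please pin the intent with a comment above the condition, e.g. `/* STEREO_SILENCE is both channel bits; a frame with only one silent channel must still be decoded */`, or test the two per-channel flags separately if they exist. ape_unpack_stereo continues beyond the hunk.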
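Review bot: `coeffs[2] = a5;` is reinstated with no explanation beyond the commit title, and a line that was lost once during reverse engineering can be lost again by a reader who only sees the `coeffs += 3` right after it. A short comment would protect it, e.g. `/* third coefficient is the running sum a3 + a1 + a2; write it back before the pointer advances */`, which is what the visible arithmetic computes. decode_lpc starts before this hunk.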
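Review bot: The guard `if (s->oformat->deinit)` fixes the null call, but the surviving behaviour — calling deinit after init() has already failed — still requires every muxer's deinit to cope with a half-initialized private context, and nothing states that contract. A comment at the call site would make the requirement explicit, e.g. `/* init() failed: deinit must tolerate a partially initialized context */`, and ideally the documentation of the deinit callback would say the same. The surrounding function continues outside the hunk, so I cannot see whether the `fail:` label frees anything that deinit also frees.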
From f2e9e4757f7d02ff84018138577b2321e123b6a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Apr 2016 12:30:20 +0200 Subject: [PATCH 067/942] avfilter/vf_drawtext: Check return code of load_glyph() Fixes segfault Fixes Ticket5347 Signed-off-by: Michael Niedermayer (cherry picked from commit 2e67a99fbc6b99315925de40fc6fa7161576be10) Signed-off-by: Michael Niedermayer --- libavfilter/vf_drawtext.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 1ef3ecb31f..65c2c58b6f 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -1222,7 +1222,9 @@ static int draw_text(AVFilterContext *ctx, AVFrame *frame, dummy.code = code; glyph = av_tree_find(s->glyphs, &dummy, glyph_cmp, NULL); if (!glyph) { - load_glyph(ctx, &glyph, code); + ret = load_glyph(ctx, &glyph, code); + if (ret < 0) + return ret; } y_min = FFMIN(glyph->bbox.yMin, y_min); From 4c896d6bd47870aee4684515747f4f7f927bebc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Apr 2016 04:08:21 +0200 Subject: [PATCH 068/942] avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 Fixes Ticket5319 Signed-off-by: Michael Niedermayer (cherry picked from commit 9ac154d1facd4756db6918f866dccf3e3ffb698c) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 5d5330c4aa..f82f3974ef 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
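Review bot: Propagating the `load_glyph` error turns a crash into a hard failure of the whole frame, which for text coming from an untrusted subtitle or metadata source means one unrenderable code point now stops the filter graph; whether that is preferable to substituting a fallback glyph is a design choice the commit does not record. If failing is intended, a comment on the `if (ret < 0)` branch saying so, e.g. `/* a glyph we cannot load is fatal for the frame; no fallback glyph is drawn */`, would keep the question from being reopened. draw_text starts before this hunk and I cannot see whether partially laid-out state needs unwinding on this early return.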
@@ -895,11 +895,13 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) ff_eac3_default_spx_band_struct, &s->num_spx_bands, s->spx_band_sizes); - } else { - for (ch = 1; ch <= fbw_channels; ch++) { - s->channel_uses_spx[ch] = 0; - s->first_spx_coords[ch] = 1; - } + } + } + if (!s->eac3 || !s->spx_in_use) { + s->spx_in_use = 0; + for (ch = 1; ch <= fbw_channels; ch++) { + s->channel_uses_spx[ch] = 0; + s->first_spx_coords[ch] = 1; } } From 666754c665713d02750fa8b882627602e589ebce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Sun, 24 Apr 2016 17:30:56 +0300 Subject: [PATCH 069/942] pgssubdec: fix subpicture output colorspace and range Functionality used before didn't widen the values from limited to full range. Additionally, now the decoder uses BT.709 where it should be used according to the video resolution. Default for not yet set colorimetry is BT.709 due to most observed HDMV content being HD. BT.709 coefficients were gathered from the first two parts of BT.709 to BT.2020 conversion guide in ARIB STD-B62 (Pt. 1, Chapter 6.2.2). They were additionally confirmed by manually calculating values. Fixes #4637 (cherry picked from commit 9779b6262471d553c1ed811ff7312564e39d8adf) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 10 ++++++++-- libavutil/colorspace.h | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 07a2a78629..133d08bfa7 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c 
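Review bot: The reset block `if (!s->eac3 || !s->spx_in_use)` now runs for every plain AC-3 block rather than only in the else branch of the E-AC-3 SPX parse, and the reason — SPX state left behind by a preceding E-AC-3 frame must not survive a switch back to AC-3 — appears only as a ticket number in the commit message. Add that rationale as a comment on the condition, e.g. `/* clear SPX state whenever it is not in use: a stream may switch from E-AC-3 (with SPX) to AC-3 mid-stream */`, so the apparently redundant `s->spx_in_use = 0` is not removed later. decode_audio_block continues outside the hunk.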
@@ -354,8 +354,14 @@ static int parse_palette_segment(AVCodecContext *avctx, cb = bytestream_get_byte(&buf); alpha = bytestream_get_byte(&buf); - YUV_TO_RGB1(cb, cr); - YUV_TO_RGB2(r, g, b, y); + /* Default to BT.709 colorimetry. In case of <= 576 height use BT.601 */ + if (avctx->height <= 0 || avctx->height > 576) { + YUV_TO_RGB1_CCIR_BT709(cb, cr); + } else { + YUV_TO_RGB1_CCIR(cb, cr); + } + + YUV_TO_RGB2_CCIR(r, g, b, y); ff_dlog(avctx, "Color %d := (%d,%d,%d,%d)\n", color_id, r, g, b, alpha); diff --git a/libavutil/colorspace.h b/libavutil/colorspace.h index 826ffd52c4..7d3f7110c9 100644 --- a/libavutil/colorspace.h +++ b/libavutil/colorspace.h @@ -41,6 +41,16 @@ b_add = FIX(1.77200*255.0/224.0) * cb + ONE_HALF;\ } +#define YUV_TO_RGB1_CCIR_BT709(cb1, cr1)\ +{\ + cb = (cb1) - 128;\ + cr = (cr1) - 128;\ + r_add = FIX(1.5747*255.0/224.0) * cr + ONE_HALF;\ + g_add = - FIX(0.1873*255.0/224.0) * cb - FIX(0.4682*255.0/224.0) * cr + \ + ONE_HALF;\ + b_add = FIX(1.8556*255.0/224.0) * cb + ONE_HALF;\ +} + #define YUV_TO_RGB2_CCIR(r, g, b, y1)\ {\ y = ((y1) - 16) * FIX(255.0/219.0);\ From a5638dbfbafd9162a201692b4b76981180c87d34 Mon Sep 17 00:00:00 2001 From: Vicente Olivert Riera Date: Tue, 26 Apr 2016 12:17:14 +0530 Subject: [PATCH 070/942] mips: add support for R6 Note:- backporting commit ad16eff64ba78d8dc98a8324640025c7cb2857f3 from head Understanding the mips32r6 and mips64r6 ISAs in the configure script is not enough. In order to have full support for MIPS R6 in FFmpeg we need to be able to build it, and for that we need to make sure we don't use incompatible assembler code which makes the build fail. Ifdefing the offending code is sufficient to fix the problem. Signed-off-by: Vicente Olivert Riera 
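Review bot: The coefficient choice in parse_palette_segment is driven purely by `avctx->height <= 0 || avctx->height > 576`, a resolution heuristic that ignores any colorimetry the container or caller may already have supplied; if the codec context's colorspace field is populated for this decoder it should be consulted first, with the height rule kept only as the fallback. At minimum the threshold deserves a named constant with a comment stating that 576 is the assumed SD/HD boundary, and the new `YUV_TO_RGB1_CCIR_BT709` macro in colorspace.h should document that it assigns the caller's `cb`, `cr`, `r_add`, `g_add` and `b_add` variables rather than taking them as arguments. The enclosing function starts before this hunk.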
Signed-off-by: Michael Niedermayer --- libavcodec/mips/aaccoder_mips.c | 4 ++++ libavcodec/mips/aacdec_mips.h | 2 ++ libavcodec/mips/aacpsdsp_mips.c | 4 ++++ libavcodec/mips/aacpsy_mips.h | 2 ++ libavcodec/mips/aacsbr_mips.c | 4 ++++ libavcodec/mips/aacsbr_mips.h | 2 ++ libavcodec/mips/ac3dsp_mips.c | 6 +++++- libavcodec/mips/acelp_filters_mips.c | 4 ++++ libavcodec/mips/acelp_vectors_mips.c | 4 ++++ libavcodec/mips/amrwbdec_mips.c | 2 ++ libavcodec/mips/amrwbdec_mips.h | 2 ++ libavcodec/mips/celp_filters_mips.c | 4 ++++ libavcodec/mips/celp_math_mips.c | 4 ++++ libavcodec/mips/compute_antialias_float.h | 2 ++ libavcodec/mips/fft_mips.c | 4 ++++ libavcodec/mips/iirfilter_mips.c | 4 ++++ libavcodec/mips/lsp_mips.h | 2 ++ libavcodec/mips/mpegaudiodsp_mips_fixed.c | 10 ++++++++++ libavcodec/mips/mpegaudiodsp_mips_float.c | 10 ++++++++++ libavcodec/mips/sbrdsp_mips.c | 4 ++++ libavutil/mips/float_dsp_mips.c | 4 ++++ 21 files changed, 83 insertions(+), 1 deletion(-) diff --git a/libavcodec/mips/aaccoder_mips.c b/libavcodec/mips/aaccoder_mips.c index 8fbdfd230a..d690c8c24a 100644 --- a/libavcodec/mips/aaccoder_mips.c +++ b/libavcodec/mips/aaccoder_mips.c @@ -66,6 +66,7 @@ #include "libavcodec/aacenc_utils.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 typedef struct BandCodingPath { int prev_idx; float cost; @@ -2477,10 +2478,12 @@ static void search_for_ms_mips(AACEncContext *s, ChannelElement *cpe) #include "libavcodec/aaccoder_trellis.h" +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ void ff_aac_coder_init_mips(AACEncContext *c) { #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 AACCoefficientsEncoder *e = c->coder; int option = c->options.coder; @@ -2494,5 +2497,6 @@ void ff_aac_coder_init_mips(AACEncContext *c) { #if HAVE_MIPSFPU e->search_for_ms = search_for_ms_mips; #endif /* HAVE_MIPSFPU */ +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ } 
diff --git a/libavcodec/mips/aacdec_mips.h b/libavcodec/mips/aacdec_mips.h index c4f6438570..758266fc16 100644 --- a/libavcodec/mips/aacdec_mips.h +++ b/libavcodec/mips/aacdec_mips.h @@ -61,6 +61,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM && HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static inline float *VMUL2_mips(float *dst, const float *v, unsigned idx, const float *scale) { @@ -246,6 +247,7 @@ static inline float *VMUL4S_mips(float *dst, const float *v, unsigned idx, #define VMUL4 VMUL4_mips #define VMUL2S VMUL2S_mips #define VMUL4S VMUL4S_mips +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM && HAVE_MIPSFPU */ #endif /* AVCODEC_MIPS_AACDEC_MIPS_H */ diff --git a/libavcodec/mips/aacpsdsp_mips.c b/libavcodec/mips/aacpsdsp_mips.c index 695f9ef3c6..83fdc2f9db 100644 --- a/libavcodec/mips/aacpsdsp_mips.c +++ b/libavcodec/mips/aacpsdsp_mips.c @@ -188,6 +188,7 @@ static void ps_hybrid_synthesis_deint_mips(float out[2][38][64], } #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void ps_add_squares_mips(float *dst, const float (*src)[2], int n) { int i; @@ -442,6 +443,7 @@ static void ps_stereo_interpolate_mips(float (*l)[2], float (*r)[2], : "memory" ); } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ @@ -451,10 +453,12 @@ void ff_psdsp_init_mips(PSDSPContext *s) s->hybrid_analysis_ileave = ps_hybrid_analysis_ileave_mips; s->hybrid_synthesis_deint = ps_hybrid_synthesis_deint_mips; #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 s->add_squares = ps_add_squares_mips; s->mul_pair_single = ps_mul_pair_single_mips; s->decorrelate = ps_decorrelate_mips; s->stereo_interpolate[0] = ps_stereo_interpolate_mips; +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ } diff --git a/libavcodec/mips/aacpsy_mips.h b/libavcodec/mips/aacpsy_mips.h index 42ff442a59..a1fe5ccea9 100644 
--- a/libavcodec/mips/aacpsy_mips.h +++ b/libavcodec/mips/aacpsy_mips.h @@ -59,6 +59,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM && HAVE_MIPSFPU && ( PSY_LAME_FIR_LEN == 21 ) +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void calc_thr_3gpp_mips(const FFPsyWindowInfo *wi, const int num_bands, AacPsyChannel *pch, const uint8_t *band_sizes, const float *coefs, const int cutoff) @@ -232,5 +233,6 @@ static void psy_hp_filter_mips(const float *firbuf, float *hpfsmpl, const float #define calc_thr_3gpp calc_thr_3gpp_mips #define psy_hp_filter psy_hp_filter_mips +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM && HAVE_MIPSFPU */ #endif /* AVCODEC_MIPS_AACPSY_MIPS_H */ diff --git a/libavcodec/mips/aacsbr_mips.c b/libavcodec/mips/aacsbr_mips.c index e478290e47..56aa4e8682 100644 --- a/libavcodec/mips/aacsbr_mips.c +++ b/libavcodec/mips/aacsbr_mips.c @@ -311,6 +311,7 @@ static int sbr_x_gen_mips(SpectralBandReplication *sbr, float X[2][38][64], } #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void sbr_hf_assemble_mips(float Y1[38][64][2], const float X_high[64][40][2], SpectralBandReplication *sbr, SBRData *ch_data, @@ -603,6 +604,7 @@ static void sbr_hf_inverse_filter_mips(SBRDSPContext *dsp, } } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ @@ -612,8 +614,10 @@ void ff_aacsbr_func_ptr_init_mips(AACSBRContext *c) c->sbr_lf_gen = sbr_lf_gen_mips; c->sbr_x_gen = sbr_x_gen_mips; #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 c->sbr_hf_inverse_filter = sbr_hf_inverse_filter_mips; c->sbr_hf_assemble = sbr_hf_assemble_mips; +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ } diff --git a/libavcodec/mips/aacsbr_mips.h b/libavcodec/mips/aacsbr_mips.h index 13e55d26ea..4461e763ed 100644 --- a/libavcodec/mips/aacsbr_mips.h +++ b/libavcodec/mips/aacsbr_mips.h 
@@ -150,6 +150,7 @@ static void sbr_qmf_analysis_mips(AVFloatDSPContext *fdsp, FFTContext *mdct, } #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void sbr_qmf_synthesis_mips(FFTContext *mdct, SBRDSPContext *sbrdsp, AVFloatDSPContext *fdsp, float *out, float X[2][38][64], @@ -488,6 +489,7 @@ static void sbr_qmf_synthesis_mips(FFTContext *mdct, #define sbr_qmf_analysis sbr_qmf_analysis_mips #define sbr_qmf_synthesis sbr_qmf_synthesis_mips +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ diff --git a/libavcodec/mips/ac3dsp_mips.c b/libavcodec/mips/ac3dsp_mips.c index da4919f6eb..f9aaf15639 100644 --- a/libavcodec/mips/ac3dsp_mips.c +++ b/libavcodec/mips/ac3dsp_mips.c @@ -201,6 +201,7 @@ static void ac3_update_bap_counts_mips(uint16_t mant_cnt[16], uint8_t *bap, #endif #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void float_to_fixed24_mips(int32_t *dst, const float *src, unsigned int len) { const float scale = 1 << 24; @@ -395,7 +396,8 @@ static void ac3_downmix_mips(float **samples, float (*matrix)[2], :"memory" ); } -#endif +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ +#endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ void ff_ac3dsp_init_mips(AC3DSPContext *c, int bit_exact) { @@ -405,9 +407,11 @@ void ff_ac3dsp_init_mips(AC3DSPContext *c, int bit_exact) { c->update_bap_counts = ac3_update_bap_counts_mips; #endif #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 c->float_to_fixed24 = float_to_fixed24_mips; c->downmix = ac3_downmix_mips; #endif #endif +#endif } diff --git a/libavcodec/mips/acelp_filters_mips.c b/libavcodec/mips/acelp_filters_mips.c index ba789abe3f..478db855b2 100644 --- a/libavcodec/mips/acelp_filters_mips.c +++ b/libavcodec/mips/acelp_filters_mips.c 
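Review bot: The ff_ac3dsp_init_mips hunk ends with three bare `#endif` lines, whereas the definition hunk just above in the same file labels them (`#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */`, `#endif /* HAVE_MIPSFPU */`); with nested architecture, FPU and inline-asm guards, the unlabelled form is where the next misplaced `#endif` will hide. Please add the trailing comments here for consistency, and the same applies to the other init functions touched by this commit that close with unlabelled `#endif` pairs.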
@@ -57,6 +57,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void ff_acelp_interpolatef_mips(float *out, const float *in, const float *filter_coeffs, int precision, int frac_pos, int filter_length, int length) @@ -206,12 +207,15 @@ static void ff_acelp_apply_order_2_transfer_function_mips(float *out, const floa "$f12", "$f13", "$f14", "$f15", "$f16", "memory" ); } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ void ff_acelp_filter_init_mips(ACELPFContext *c) { #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 c->acelp_interpolatef = ff_acelp_interpolatef_mips; c->acelp_apply_order_2_transfer_function = ff_acelp_apply_order_2_transfer_function_mips; #endif +#endif } diff --git a/libavcodec/mips/acelp_vectors_mips.c b/libavcodec/mips/acelp_vectors_mips.c index ad9434866e..0ab2b6a87b 100644 --- a/libavcodec/mips/acelp_vectors_mips.c +++ b/libavcodec/mips/acelp_vectors_mips.c @@ -57,6 +57,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void ff_weighted_vector_sumf_mips( float *out, const float *in_a, const float *in_b, float weight_coeff_a, float weight_coeff_b, int length) @@ -92,11 +93,14 @@ static void ff_weighted_vector_sumf_mips( : "$f0", "$f1", "$f2", "$f3", "$f4", "$f5", "memory" ); } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ void ff_acelp_vectors_init_mips(ACELPVContext *c) { #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 c->weighted_vector_sumf = ff_weighted_vector_sumf_mips; #endif +#endif } diff --git a/libavcodec/mips/amrwbdec_mips.c b/libavcodec/mips/amrwbdec_mips.c index e933b8a6c5..5dc054361b 100644 --- a/libavcodec/mips/amrwbdec_mips.c +++ b/libavcodec/mips/amrwbdec_mips.c 
@@ -54,6 +54,7 @@ #include "amrwbdec_mips.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 void ff_hb_fir_filter_mips(float *out, const float fir_coef[HB_FIR_SIZE + 1], float mem[HB_FIR_SIZE], const float *in) { @@ -184,4 +185,5 @@ void ff_hb_fir_filter_mips(float *out, const float fir_coef[HB_FIR_SIZE + 1], } memcpy(mem, data + AMRWB_SFR_SIZE_16k, HB_FIR_SIZE * sizeof(float)); } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ diff --git a/libavcodec/mips/amrwbdec_mips.h b/libavcodec/mips/amrwbdec_mips.h index ec46f95224..a9f66fef94 100644 --- a/libavcodec/mips/amrwbdec_mips.h +++ b/libavcodec/mips/amrwbdec_mips.h @@ -54,9 +54,11 @@ #include "config.h" #if HAVE_MIPSFPU && HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 void ff_hb_fir_filter_mips(float *out, const float fir_coef[], float mem[], const float *in); #define hb_fir_filter ff_hb_fir_filter_mips #endif +#endif #endif /* AVCODEC_MIPS_AMRWBDEC_MIPS_H */ diff --git a/libavcodec/mips/celp_filters_mips.c b/libavcodec/mips/celp_filters_mips.c index 88ac45841d..926f1cb334 100644 --- a/libavcodec/mips/celp_filters_mips.c +++ b/libavcodec/mips/celp_filters_mips.c @@ -58,6 +58,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void ff_celp_lp_synthesis_filterf_mips(float *out, const float *filter_coeffs, const float* in, int buffer_length, @@ -278,12 +279,15 @@ static void ff_celp_lp_zero_synthesis_filterf_mips(float *out, out[n] = sum_out1; } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ void ff_celp_filter_init_mips(CELPFContext *c) { #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 c->celp_lp_synthesis_filterf = ff_celp_lp_synthesis_filterf_mips; c->celp_lp_zero_synthesis_filterf = ff_celp_lp_zero_synthesis_filterf_mips; #endif +#endif } diff --git a/libavcodec/mips/celp_math_mips.c b/libavcodec/mips/celp_math_mips.c index 008dd80308..ce711bd63c 100644 
--- a/libavcodec/mips/celp_math_mips.c +++ b/libavcodec/mips/celp_math_mips.c @@ -56,6 +56,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static float ff_dot_productf_mips(const float* a, const float* b, int length) { @@ -80,11 +81,14 @@ static float ff_dot_productf_mips(const float* a, const float* b, ); return sum; } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ void ff_celp_math_init_mips(CELPMContext *c) { #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 c->dot_productf = ff_dot_productf_mips; #endif +#endif } diff --git a/libavcodec/mips/compute_antialias_float.h b/libavcodec/mips/compute_antialias_float.h index f6cf46508b..e2b4f29f4a 100644 --- a/libavcodec/mips/compute_antialias_float.h +++ b/libavcodec/mips/compute_antialias_float.h @@ -58,6 +58,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void compute_antialias_mips_float(MPADecodeContext *s, GranuleDef *g) { @@ -179,6 +180,7 @@ static void compute_antialias_mips_float(MPADecodeContext *s, ); } #define compute_antialias compute_antialias_mips_float +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ #endif /* AVCODEC_MIPS_COMPUTE_ANTIALIAS_FLOAT_H */ diff --git a/libavcodec/mips/fft_mips.c b/libavcodec/mips/fft_mips.c index cf008c6561..3cb1a4c162 100644 --- a/libavcodec/mips/fft_mips.c +++ b/libavcodec/mips/fft_mips.c @@ -57,6 +57,7 @@ */ #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void ff_fft_calc_mips(FFTContext *s, FFTComplex *z) { int nbits, i, n, num_transforms, offset, step; @@ -494,6 +495,7 @@ static void ff_imdct_calc_mips(FFTContext *s, FFTSample *output, const FFTSample output[n-k-4] = output[n2+k+3]; } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ av_cold void ff_fft_init_mips(FFTContext *s) 
@@ -504,10 +506,12 @@ av_cold void ff_fft_init_mips(FFTContext *s) ff_init_ff_cos_tabs(16); #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 s->fft_calc = ff_fft_calc_mips; #if CONFIG_MDCT s->imdct_calc = ff_imdct_calc_mips; s->imdct_half = ff_imdct_half_mips; #endif #endif +#endif } diff --git a/libavcodec/mips/iirfilter_mips.c b/libavcodec/mips/iirfilter_mips.c index a5646cde8b..87db9ffe55 100644 --- a/libavcodec/mips/iirfilter_mips.c +++ b/libavcodec/mips/iirfilter_mips.c @@ -55,6 +55,7 @@ #include "libavcodec/iirfilter.h" #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 typedef struct FFIIRFilterCoeffs { int order; float gain; @@ -195,10 +196,13 @@ static void ff_iir_filter_flt_mips(const struct FFIIRFilterCoeffs *c, } } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ void ff_iir_filter_init_mips(FFIIRFilterContext *f) { #if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 f->filter_flt = ff_iir_filter_flt_mips; +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM */ } diff --git a/libavcodec/mips/lsp_mips.h b/libavcodec/mips/lsp_mips.h index 1e899bcd7c..6219c5aa40 100644 --- a/libavcodec/mips/lsp_mips.h +++ b/libavcodec/mips/lsp_mips.h @@ -55,6 +55,7 @@ #define AVCODEC_MIPS_LSP_MIPS_H #if HAVE_MIPSFPU && HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 #include "libavutil/mips/asmdefs.h" static av_always_inline void ff_lsp2polyf_mips(const double *lsp, double *f, int lp_half_order) @@ -107,5 +108,6 @@ static av_always_inline void ff_lsp2polyf_mips(const double *lsp, double *f, int } } #define ff_lsp2polyf ff_lsp2polyf_mips +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU && HAVE_INLINE_ASM */ #endif /* AVCODEC_MIPS_LSP_MIPS_H */ diff --git a/libavcodec/mips/mpegaudiodsp_mips_fixed.c b/libavcodec/mips/mpegaudiodsp_mips_fixed.c index 92d260b85f..ed8c89089e 100644 --- a/libavcodec/mips/mpegaudiodsp_mips_fixed.c +++ b/libavcodec/mips/mpegaudiodsp_mips_fixed.c 
@@ -57,6 +57,9 @@ #include "libavutil/mips/asmdefs.h" #include "libavcodec/mpegaudiodsp.h" +#if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 + static void ff_mpadsp_apply_window_mips_fixed(int32_t *synth_buf, int32_t *window, int *dither_state, int16_t *samples, int incr) { @@ -901,8 +904,15 @@ static void ff_imdct36_blocks_mips_fixed(int *out, int *buf, int *in, } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ +#endif /* HAVE_INLINE_ASM */ + void ff_mpadsp_init_mipsdsp(MPADSPContext *s) { +#if HAVE_INLINE_ASM +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 s->apply_window_fixed = ff_mpadsp_apply_window_mips_fixed; s->imdct36_blocks_fixed = ff_imdct36_blocks_mips_fixed; +#endif +#endif } diff --git a/libavcodec/mips/mpegaudiodsp_mips_float.c b/libavcodec/mips/mpegaudiodsp_mips_float.c index bd36894d31..270838ebf1 100644 --- a/libavcodec/mips/mpegaudiodsp_mips_float.c +++ b/libavcodec/mips/mpegaudiodsp_mips_float.c @@ -58,6 +58,9 @@ #include "libavutil/mips/asmdefs.h" #include "libavcodec/mpegaudiodsp.h" +#if HAVE_INLINE_ASM && HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 + static void ff_mpadsp_apply_window_mips_float(float *synth_buf, float *window, int *dither_state, float *samples, int incr) { @@ -1243,9 +1246,16 @@ static void ff_imdct36_blocks_mips_float(float *out, float *buf, float *in, } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ +#endif /* HAVE_INLINE_ASM && HAVE_MIPSFPU */ + void ff_mpadsp_init_mipsfpu(MPADSPContext *s) { +#if HAVE_INLINE_ASM && HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 s->apply_window_float = ff_mpadsp_apply_window_mips_float; s->imdct36_blocks_float = ff_imdct36_blocks_mips_float; s->dct32_float = ff_dct32_mips_float; +#endif +#endif } diff --git a/libavcodec/mips/sbrdsp_mips.c b/libavcodec/mips/sbrdsp_mips.c index c203095548..1b0a10608d 100644 --- a/libavcodec/mips/sbrdsp_mips.c +++ b/libavcodec/mips/sbrdsp_mips.c 
@@ -166,6 +166,7 @@ static void sbr_qmf_post_shuffle_mips(float W[32][2], const float *z) } #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void sbr_sum64x5_mips(float *z) { int k; @@ -882,6 +883,7 @@ static void sbr_hf_apply_noise_3_mips(float (*Y)[2], const float *s_m, phi_sign = -phi_sign; } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ @@ -891,6 +893,7 @@ void ff_sbrdsp_init_mips(SBRDSPContext *s) s->qmf_pre_shuffle = sbr_qmf_pre_shuffle_mips; s->qmf_post_shuffle = sbr_qmf_post_shuffle_mips; #if HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 s->sum64x5 = sbr_sum64x5_mips; s->sum_square = sbr_sum_square_mips; s->qmf_deint_bfly = sbr_qmf_deint_bfly_mips; @@ -902,6 +905,7 @@ void ff_sbrdsp_init_mips(SBRDSPContext *s) s->hf_apply_noise[1] = sbr_hf_apply_noise_1_mips; s->hf_apply_noise[2] = sbr_hf_apply_noise_2_mips; s->hf_apply_noise[3] = sbr_hf_apply_noise_3_mips; +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_MIPSFPU */ #endif /* HAVE_INLINE_ASM */ } diff --git a/libavutil/mips/float_dsp_mips.c b/libavutil/mips/float_dsp_mips.c index b3a812ceeb..0943d6f343 100644 --- a/libavutil/mips/float_dsp_mips.c +++ b/libavutil/mips/float_dsp_mips.c @@ -56,6 +56,7 @@ #include "libavutil/mips/asmdefs.h" #if HAVE_INLINE_ASM && HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 static void vector_fmul_mips(float *dst, const float *src0, const float *src1, int len) { 
@@ -339,14 +340,17 @@ static void vector_fmul_reverse_mips(float *dst, const float *src0, const float ); } } +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM && HAVE_MIPSFPU */ void ff_float_dsp_init_mips(AVFloatDSPContext *fdsp) { #if HAVE_INLINE_ASM && HAVE_MIPSFPU +#if !HAVE_MIPS32R6 && !HAVE_MIPS64R6 fdsp->vector_fmul = vector_fmul_mips; fdsp->vector_fmul_scalar = vector_fmul_scalar_mips; fdsp->vector_fmul_window = vector_fmul_window_mips; fdsp->butterflies_float = butterflies_float_mips; fdsp->vector_fmul_reverse = vector_fmul_reverse_mips; +#endif /* !HAVE_MIPS32R6 && !HAVE_MIPS64R6 */ #endif /* HAVE_INLINE_ASM && HAVE_MIPSFPU */ } From 83eaaae0057fc471a621a2c1bf1e95e4ab27484f Mon Sep 17 00:00:00 2001 From: Shivraj Patil Date: Tue, 26 Apr 2016 12:17:15 +0530 Subject: [PATCH 071/942] configure: build fix for P5600 with mips code restructuring Note:- backporting commit 15ef98afd10b3696d29fb6d19606ba03a9dd47ad from head Signed-off-by: Shivraj Patil Signed-off-by: Michael Niedermayer --- configure | 252 ++++++++++++++++++++++++++---------------------------- 1 file changed, 120 insertions(+), 132 deletions(-) diff --git a/configure b/configure index 475c087a84..9103e8560e 100755 --- a/configure +++ b/configure @@ -913,6 +913,25 @@ void foo(void){ __asm__ volatile($code); } EOF } +check_inline_asm_flags(){ + log check_inline_asm_flags "$@" + name="$1" + code="$2" + flags='' + shift 2 + while [ "$1" != "" ]; do + append flags $1 + shift + done; + disable $name + cat > $TMPC < Date: Tue, 26 Apr 2016 19:17:19 +0200 Subject: [PATCH 072/942] avcodec/ttaenc: Reallocate packet if its too small Fixes assertion failure Fixes Ticket5394 Signed-off-by: Michael Niedermayer (cherry picked from commit 005c61c6b8982f977e415aa69d2d2b42e6b7f3f2) Signed-off-by: Michael Niedermayer --- libavcodec/ttaenc.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index 0df1fcb6aa..2f1c8db556 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -114,9 +114,12 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { TTAEncContext *s = avctx->priv_data; PutBitContext pb; - int ret, i, out_bytes, cur_chan = 0, res = 0, samples = 0; + int ret, i, out_bytes, cur_chan, res, samples; + int64_t pkt_size = frame->nb_samples * 2LL * avctx->channels * s->bps; - if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * avctx->channels * s->bps, 0)) < 0) +pkt_alloc: + cur_chan = 0, res = 0, samples = 0; + if ((ret = ff_alloc_packet2(avctx, avpkt, pkt_size, 0)) < 0) return ret; init_put_bits(&pb, avpkt->data, avpkt->size); @@ -174,6 +177,14 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, rice->k1++; unary = 1 + (outval >> k); + if (unary + 100LL > put_bits_left(&pb)) { + if (pkt_size < INT_MAX/2) { + pkt_size *= 2; + av_packet_unref(avpkt); + goto pkt_alloc; + } else + return AVERROR(ENOMEM); + } do { if (unary > 31) { put_bits(&pb, 31, 0x7FFFFFFF); From ad559492dc75e7e6d74c48889eb6b90918a39126 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2016 01:40:54 +0200 Subject: [PATCH 073/942] update for 3.0.2 Signed-off-by: Michael Niedermayer --- Changelog | 19 +++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 8776e0d9bd..5cb30a0701 100644 --- a/Changelog +++ b/Changelog 
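Review bot: The `goto pkt_alloc` retry restarts encoding from the top, but the hunk only resets `cur_chan`, `res` and `samples`, while adaptive Rice state is visibly mutated before the check (`rice->k1++`); if the per-channel predictor, filter and Rice state is re-initialised after the label in the part of the function not shown here the restart is sound, otherwise the second pass encodes with advanced state and the decoder will desync. Either way a comment at the label, e.g. `/* retry: every per-channel coder state must be reset below, the first attempt may have advanced it */`, would record the invariant the retry depends on. The `unary + 100LL` slack and the `INT_MAX/2` ceiling are also magic numbers worth a word each: the former presumably covers the longest run this loop emits, the latter keeps `pkt_size * 2` inside int before it reaches ff_alloc_packet2.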
@@ -1,6 +1,25 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+
+version 3.0.2:
+- avcodec/ttaenc: Reallocate packet if its too small
+- configure: build fix for P5600 with mips code restructuring
+- mips: add support for R6
+- pgssubdec: fix subpicture output colorspace and range
+- avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3
+- avfilter/vf_drawtext: Check return code of load_glyph()
+- avformat/mux: Check that deinit is set before calling it
+- avcodec/takdec: add code that got somehow lost in process of REing
+- avcodec/apedec: fix decoding of stereo files with one channel full of silence
+- avcodec/avpacket: Fix off by 5 error
+- avcodec/h264: Fix for H.264 configuration parsing
+- avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case
+- avcodec/pngdec: Fix alpha detection with skip_frame
+- Changelog: Make formating consistent
+- avfilter/src_movie: fix how we check for overflows with seek_point
+- avcodec/j2kenc: Add attribution to OpenJPEG project:
+
 version 3.0.1:
 - avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set
 - avformat/rtpdec_jpeg: fix low contrast image on low quality setting
diff --git a/RELEASE b/RELEASE
index cb2b00e4f7..b502146930 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.0.1
+3.0.2
diff --git a/doc/Doxyfile b/doc/Doxyfile
index c001ef792a..845d8dc010 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER = 3.0.1
+PROJECT_NUMBER = 3.0.2
 
 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
From c66f4d1ae64dffaf456d05cbdade02054446f499 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Thu, 28 Apr 2016 03:03:39 +0200 Subject: [PATCH 074/942] Changelog: Fix minor formating inconsistency Signed-off-by: Michael Niedermayer --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 5cb30a0701..248f8b50a8 100644 --- a/Changelog +++ b/Changelog @@ -20,6 +20,7 @@ version 3.0.2: - avfilter/src_movie: fix how we check for overflows with seek_point - avcodec/j2kenc: Add attribution to OpenJPEG project: + version 3.0.1: - avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set - avformat/rtpdec_jpeg: fix low contrast image on low quality setting From e675926a4fa6720925bbe708fadeb19eff3e5dd5 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 1 May 2016 15:39:13 +0200 Subject: [PATCH 075/942] lavf/mpegts: Return small probe score for very short transport streams. Fixes Debian bug 823098. (cherry picked from commit 88a849c714c17ad80d411f68e6575dfa1c8e8358) --- libavformat/mpegts.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 22874e6f83..87a21f0d56 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2441,7 +2441,7 @@ static int mpegts_probe(AVProbeData *p) #define CHECK_COUNT 10 #define CHECK_BLOCK 100 - if (check_count < CHECK_COUNT) + if (!check_count) return 0; for (i = 0; i 6) return AVPROBE_SCORE_MAX + sumscore - CHECK_COUNT; - else if (maxscore > 6) return AVPROBE_SCORE_MAX/2 + sumscore - CHECK_COUNT; - else + if (check_count >= CHECK_COUNT && sumscore > 6) { + return AVPROBE_SCORE_MAX + sumscore - CHECK_COUNT; + } else if (check_count >= CHECK_COUNT && maxscore > 6) { + return AVPROBE_SCORE_MAX/2 + sumscore - CHECK_COUNT; + } else if (sumscore > 6) { + return 2; + } else { return 0; + } } /* return the 90kHz PCR and the extension for the 27MHz PCR. return From 08c21bcb5dfd609167327a7900be6292fd0e51c1 Mon Sep 17 00:00:00 2001 
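Review bot: The new `return 2;` branch in mpegts_probe is a bare magic score with no comment; the neighbouring scores are expressed through AVPROBE_SCORE_MAX, and a reader cannot tell why a short stream earns exactly 2. I would write `/* fewer than CHECK_COUNT packets: too little data for a confident match, so return a minimal non-zero score and let the format win only if nothing else claims the input */` above it. The two `check_count >= CHECK_COUNT` tests could also be hoisted into one outer `if`, leaving only the sumscore/maxscore distinction inside. The hunk as rendered here appears truncated around the `for` loop, so the branch ordering is inferred from the visible lines, and mpegts_probe continues outside the hunk.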
From: foo86
Date: Mon, 2 May 2016 23:44:47 +0300
Subject: [PATCH 076/942] avcodec/dca: fix sync word search error condition
This didn't actually check if sync word was found and always errored out with "-err_detect explode" option enabled.
Signed-off-by: Michael Niedermayer
(cherry picked from commit ce2f9fdb0a92956aedfa2c564d1374a2f1eebfbd)
---
 libavcodec/dca_core.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/libavcodec/dca_core.c b/libavcodec/dca_core.c
index d9f1a4ca76..19496e944b 100644
--- a/libavcodec/dca_core.c
+++ b/libavcodec/dca_core.c
@@ -1900,9 +1900,10 @@ static int parse_optional_info(DCACoreDecoder *s)
             }
         }
 
-        if (s->avctx->err_recognition & AV_EF_EXPLODE) {
+        if (!s->xch_pos) {
             av_log(s->avctx, AV_LOG_ERROR, "XCH sync word not found\n");
-            return AVERROR_INVALIDDATA;
+            if (s->avctx->err_recognition & AV_EF_EXPLODE)
+                return AVERROR_INVALIDDATA;
         }
         break;
 
@@ -1922,9 +1923,10 @@ static int parse_optional_info(DCACoreDecoder *s)
             }
         }
 
-        if (s->avctx->err_recognition & AV_EF_EXPLODE) {
+        if (!s->x96_pos) {
             av_log(s->avctx, AV_LOG_ERROR, "X96 sync word not found\n");
-            return AVERROR_INVALIDDATA;
+            if (s->avctx->err_recognition & AV_EF_EXPLODE)
+                return AVERROR_INVALIDDATA;
         }
         break;
 
@@ -1947,9 +1949,10 @@ static int parse_optional_info(DCACoreDecoder *s)
             }
         }
 
-        if (s->avctx->err_recognition & AV_EF_EXPLODE) {
+        if (!s->xxch_pos) {
             av_log(s->avctx, AV_LOG_ERROR, "XXCH sync word not found\n");
-            return AVERROR_INVALIDDATA;
+            if (s->avctx->err_recognition & AV_EF_EXPLODE)
+                return AVERROR_INVALIDDATA;
         }
         break;
     }
From 8dce66d33d4182232abc763063bf49dfcce11a94 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Tue, 10 May 2016 22:07:19 -0300
Subject: [PATCH 077/942] avcodec/rscc: check input buffer size for deflate mode
Fixes overreads.
Reviewed-by: Michael Niedermayer
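Review bot: The three hunks repeat the same five-line shape for XCH, X96 and XXCH: test the `*_pos` field, log "... sync word not found", then return AVERROR_INVALIDDATA only under AV_EF_EXPLODE. A small static helper taking the extension name, which logs and returns `AVERROR_INVALIDDATA` when `s->avctx->err_recognition & AV_EF_EXPLODE` is set and 0 otherwise, would leave one place to change the policy; each site would shrink to a one-line call guarded by its `!s->xch_pos` / `!s->x96_pos` / `!s->xxch_pos` test (same remark for the second and third hunk). Without explode the code now falls through to `break` with the extension position left unset, which is presumably what the callers expect; a one-line `/* extension skipped; core decoding continues without it */` after the `if` would make that explicit. parse_optional_info continues on both sides of each hunk.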
Signed-off-by: James Almer
(cherry picked from commit b2244fa0a624f7e38893d58265e9c039bed2e4de)
---
 libavcodec/rscc.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
index a2f7a0dc7c..0c3e81845d 100644
--- a/libavcodec/rscc.c
+++ b/libavcodec/rscc.c
@@ -223,6 +223,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
     ff_dlog(avctx, "pixel_size %d packed_size %d.\n", pixel_size, packed_size);
 
+    if (packed_size < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid tile size %d\n", packed_size);
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
+
     /* Get pixels buffer, it may be deflated or just raw */
     if (pixel_size == packed_size) {
         if (bytestream2_get_bytes_left(gbc) < pixel_size) {
@@ -233,6 +239,11 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
         pixels = gbc->buffer;
     } else {
         uLongf len = ctx->inflated_size;
+        if (bytestream2_get_bytes_left(gbc) < packed_size) {
+            av_log(avctx, AV_LOG_ERROR, "Insufficient input for %d\n", packed_size);
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size);
         if (ret) {
             av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret);
From 68dcb46205c79002bff4daf01b81641423776eda Mon Sep 17 00:00:00 2001
From: James Almer
Date: Sat, 14 May 2016 23:02:52 -0300
Subject: [PATCH 078/942] doc/general: update supported DCA extensions
---
 doc/general.texi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/general.texi b/doc/general.texi
index 59ea4f44d9..df16c3e97f 100644
--- a/doc/general.texi
+++ b/doc/general.texi
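Review bot: The new guard rejects a negative packed_size but says nothing about pixel_size, which is logged beside it on the ff_dlog line just above and so presumably comes from the same bitstream; a negative pixel_size that differs from packed_size skips the raw-path `bytestream2_get_bytes_left(gbc) < pixel_size` check and reaches the deflate branch unvalidated. Unless pixel_size is bounded earlier in rscc_decode_frame (not visible here), `if (packed_size < 0 || pixel_size < 0)` with a message naming both would close that gap. The second hunk's `"Insufficient input for %d\n"` reads as a bare number in the log; `"Insufficient input for packed tile size %d\n"` tells the user which field was short. rscc_decode_frame continues outside both hunks.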
@@ -950,7 +950,7 @@ following image formats are supported:
 @item COOK @tab @tab X
     @tab All versions except 5.1 are supported.
 @item DCA (DTS Coherent Acoustics) @tab X @tab X
-    @tab supported extensions: XCh, XLL (partially)
+    @tab supported extensions: XCh, XXCH, X96, XBR, XLL
 @item DPCM id RoQ @tab X @tab X
     @tab Used in Quake III, Jedi Knight 2 and other computer games.
 @item DPCM Interplay @tab @tab X
From 2fc7e5c1b553d9644ef003c15f89c17487824603 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 28 Apr 2016 22:50:48 +0200
Subject: [PATCH 079/942] avformat/ffmdec: Check pix_fmt
Fixes crash
Fixes Ticket5412
Signed-off-by: Michael Niedermayer
(cherry picked from commit 78baa450d9939957f52d5187beb95d763d2f1f18)
Signed-off-by: Michael Niedermayer
---
 libavformat/ffmdec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index 257319bd06..83929fe8c3 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -27,6 +27,7 @@
 #include "libavutil/opt.h"
 #include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
+#include "libavutil/pixdesc.h"
 #include "avformat.h"
 #include "internal.h"
 #include "ffm.h"
@@ -377,6 +378,11 @@ static int ffm2_read_header(AVFormatContext *s)
             codec->height = avio_rb16(pb);
             codec->gop_size = avio_rb16(pb);
             codec->pix_fmt = avio_rb32(pb);
+            if (!av_pix_fmt_desc_get(codec->pix_fmt)) {
+                av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt);
+                codec->pix_fmt = AV_PIX_FMT_NONE;
+                goto fail;
+            }
             codec->qmin = avio_r8(pb);
             codec->qmax = avio_r8(pb);
             codec->max_qdiff = avio_r8(pb);
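Review bot: The pix_fmt validation block added to ffm2_read_header here is duplicated verbatim in ffm_read_header in the next hunk; a small static helper, say `static int ffm_check_pix_fmt(AVFormatContext *s, AVCodecContext *codec)` that does the `av_pix_fmt_desc_get` lookup, logs, resets the field and returns an error, would keep the two readers from drifting. The reset to AV_PIX_FMT_NONE before `goto fail` is the part a reader cannot infer and deserves a comment; `/* do not leave an out-of-range value behind for the fail path or later code to index with */` is my reading — confirm against what `fail:` does. Both hunks sit inside functions that continue outside the diff.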
@@ -569,6 +575,11 @@ static int ffm_read_header(AVFormatContext *s)
             codec->height = avio_rb16(pb);
             codec->gop_size = avio_rb16(pb);
             codec->pix_fmt = avio_rb32(pb);
+            if (!av_pix_fmt_desc_get(codec->pix_fmt)) {
+                av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt);
+                codec->pix_fmt = AV_PIX_FMT_NONE;
+                goto fail;
+            }
             codec->qmin = avio_r8(pb);
             codec->qmax = avio_r8(pb);
             codec->max_qdiff = avio_r8(pb);
From 9491f47035bfdf2d0c457ad0333cc59c790f6b7c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 2 May 2016 22:00:55 +0200
Subject: [PATCH 080/942] avformat/options_table: Add missing identifier for very strict compliance
Fixes Ticket5443
Signed-off-by: Michael Niedermayer
(cherry picked from commit 11db7eee9b001d6992c34b65ee7b0d64f6f5c758)
Signed-off-by: Michael Niedermayer
---
 libavformat/options_table.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavformat/options_table.h b/libavformat/options_table.h
index 8926fe5734..e84e54a5b1 100644
--- a/libavformat/options_table.h
+++ b/libavformat/options_table.h
@@ -87,6 +87,7 @@ static const AVOption avformat_options[] = {
 {"max_interleave_delta", "maximum buffering duration for interleaving", OFFSET(max_interleave_delta), AV_OPT_TYPE_INT64, { .i64 = 10000000 }, 0, INT64_MAX, E },
 {"f_strict", "how strictly to follow the standards (deprecated; use strict, save via avconv)", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"},
 {"strict", "how strictly to follow the standards", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"},
+{"very", "strictly conform to a older more strict version of the spec or reference software", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_VERY_STRICT }, INT_MIN, INT_MAX, D|E, "strict"},
 {"strict", "strictly conform to all the things in the spec no matter what the consequences", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_STRICT }, INT_MIN, INT_MAX, D|E, "strict"},
 {"normal", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_NORMAL }, INT_MIN, INT_MAX, D|E, "strict"},
 {"unofficial", "allow unofficial extensions", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_UNOFFICIAL }, INT_MIN, INT_MAX, D|E, "strict"},
From ef2b8416d95647c39634ddb2dcf2aa1bcbe9292a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 2 May 2016 12:45:14 +0200
Subject: [PATCH 081/942] avcodec/mjpegdec: Do not try to detect last scan but apply idct after all scans for progressive jpeg
Fixes: IMG-20160418-WA0002.jpg
Signed-off-by: Michael Niedermayer
(cherry picked from commit deaf58abf236e09fc9b97db29f1edd064e4b5ad4)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mjpegdec.c | 52 ++++++++++++++++++++++++++++++-------------
 1 file changed, 37 insertions(+), 15 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index bce5496fca..4bde42f784 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
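Review bot: The help text of the new `very` constant has a grammar slip that surfaces in the option help output: `"strictly conform to a older more strict version of the spec or reference software"` should read `"strictly conform to an older, more strict version of the spec or reference software"`. Otherwise the entry matches the neighbouring `strict`/`normal`/`unofficial` constants in shape, flags and unit name.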
@@ -1369,11 +1369,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
     int mb_x, mb_y;
     int EOBRUN = 0;
     int c = s->comp_index[0];
-    uint8_t *data = s->picture_ptr->data[c];
-    int linesize = s->linesize[c];
-    int last_scan = 0;
     int16_t *quant_matrix = s->quant_matrixes[s->quant_sindex[0]];
-    int bytes_per_pixel = 1 + (s->bits > 8);
 
     av_assert0(ss>=0 && Ah>=0 && Al>=0);
     if (se < ss || se > 63) {
@@ -1384,15 +1380,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
 
     // s->coefs_finished is a bitmask for coefficients coded
     // ss and se are parameters telling start and end coefficients
     s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss);
-    last_scan = !Al && !~s->coefs_finished[c];
-
-    if (s->interlaced && s->bottom_field)
-        data += linesize >> 1;
 
     s->restart_count = 0;
     for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
-        uint8_t *ptr = data + (mb_y * linesize * 8 >> s->avctx->lowres);
         int block_idx = mb_y * s->block_stride[c];
         int16_t (*block)[64] = &s->blocks[c][block_idx];
         uint8_t *last_nnz = &s->last_nnz[c][block_idx];
@@ -1413,12 +1404,6 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
                 return AVERROR_INVALIDDATA;
             }
 
-            if (last_scan) {
-                s->idsp.idct_put(ptr, linesize, *block);
-                if (s->bits & 7)
-                    shift_output(s, ptr, linesize);
-                ptr += bytes_per_pixel*8 >> s->avctx->lowres;
-            }
             if (handle_rstn(s, 0))
                 EOBRUN = 0;
         }
@@ -1426,6 +1411,41 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
     return 0;
 }
 
+static void mjpeg_idct_scan_progressive_ac(MJpegDecodeContext *s)
+{
+    int mb_x, mb_y;
+    int c;
+    const int bytes_per_pixel = 1 + (s->bits > 8);
+    const int block_size = s->lossless ? 1 : 8;
+
+    for (c = 0; c < s->nb_components; c++) {
+        uint8_t *data = s->picture_ptr->data[c];
+        int linesize = s->linesize[c];
+        int h = s->h_max / s->h_count[c];
+        int v = s->v_max / s->v_count[c];
+        int mb_width = (s->width + h * block_size - 1) / (h * block_size);
+        int mb_height = (s->height + v * block_size - 1) / (v * block_size);
+
+        if (~s->coefs_finished[c])
+            av_log(s->avctx, AV_LOG_WARNING, "component %d is incomplete\n", c);
+
+        if (s->interlaced && s->bottom_field)
+            data += linesize >> 1;
+
+        for (mb_y = 0; mb_y < mb_height; mb_y++) {
+            uint8_t *ptr = data + (mb_y * linesize * 8 >> s->avctx->lowres);
+            int block_idx = mb_y * s->block_stride[c];
+            int16_t (*block)[64] = &s->blocks[c][block_idx];
+            for (mb_x = 0; mb_x < mb_width; mb_x++, block++) {
+                s->idsp.idct_put(ptr, linesize, *block);
+                if (s->bits & 7)
+                    shift_output(s, ptr, linesize);
+                ptr += bytes_per_pixel*8 >> s->avctx->lowres;
+            }
+        }
+    }
+}
+
 int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
                         int mb_bitmask_size, const AVFrame *reference)
 {
@@ -2162,6 +2182,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         break;
     case EOI:
 eoi_parser:
+        if (avctx->skip_frame != AVDISCARD_ALL && s->progressive && s->cur_scan && s->got_picture)
+            mjpeg_idct_scan_progressive_ac(s);
         s->cur_scan = 0;
         if (!s->got_picture) {
             av_log(avctx, AV_LOG_WARNING,
From 46360e36d928d0856ce818adbec9d9545c4c5559 Mon Sep 17 00:00:00 2001
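Review bot: mjpeg_idct_scan_progressive_ac has no header comment, and the block_size/8 inconsistency inside it is exactly what such a comment should settle: `block_size` is `s->lossless ? 1 : 8` when computing mb_width/mb_height, but the pointer arithmetic (`mb_y * linesize * 8`, `bytes_per_pixel*8`) and `idct_put` on a 64-coefficient block assume 8x8, so the lossless case either never reaches this function or would walk the picture with mismatched strides. I would add `/* Run the IDCT over every block of every component once all scans of a progressive frame are in (called from the EOI handler); incomplete components are warned about and transformed as-is. Only meaningful for the lossy 8x8 case. */` above the function and either drop the lossless arm of block_size or guard the call site with `!s->lossless` if that is the invariant. `mb_y * linesize * 8` is int arithmetic inherited from the removed code and can exceed INT_MAX for very large pictures before the shift; `(ptrdiff_t)mb_y * linesize * 8` is the cheap fix. ff_mjpeg_decode_frame continues outside the last hunk.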
From: Michael Niedermayer
Date: Tue, 10 May 2016 23:12:58 +0200
Subject: [PATCH 082/942] avformat/oggparseopus: Check that granule pos is within the supported range
Larger values would imply file durations of astronomic proportions and cause overflows
Fixes integer overflow
Fixes: usan_int64_overflow
Found-by: Thomas Guilbert
Signed-off-by: Michael Niedermayer
(cherry picked from commit 8efaee3710baa87af40556a622bf2d96a27c6425)
Signed-off-by: Michael Niedermayer
---
 libavformat/oggparseopus.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/oggparseopus.c b/libavformat/oggparseopus.c
index c8b02fab4d..584fff4538 100644
--- a/libavformat/oggparseopus.c
+++ b/libavformat/oggparseopus.c
@@ -117,6 +117,10 @@ static int opus_packet(AVFormatContext *avf, int idx)
 
     if (!os->psize)
         return AVERROR_INVALIDDATA;
+    if (os->granule > INT64_MAX - UINT32_MAX) {
+        av_log(avf, AV_LOG_ERROR, "Unsupported huge granule pos %"PRId64 "\n", os->granule);
+        return AVERROR_INVALIDDATA;
+    }
 
     if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) {
         int seg, d;
From 79181b97d477386e26bd1d4d476b33376f194c96 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 11 May 2016 00:00:52 +0200
Subject: [PATCH 083/942] avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
Fixes undefined shift
Fixes: usan_shift
Found-by: Thomas Guilbert
Signed-off-by: Michael Niedermayer
(cherry picked from commit ea791c080dd5494b3bee0c618a3f52e371b5f320)
Signed-off-by: Michael Niedermayer
---
 libavformat/utils.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 3aa5beb6b1..9fa744377c 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2833,6 +2833,9 @@ enum AVCodecID ff_codec_get_id(const AVCodecTag *tags, unsigned int tag)
 
 enum AVCodecID ff_get_pcm_codec_id(int bps, int flt, int be, int sflags)
 {
+    if (bps > 64U)
+        return AV_CODEC_ID_NONE;
+
     if (flt) {
         switch (bps) {
         case 32:
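Review bot: The bound `INT64_MAX - UINT32_MAX` in opus_packet is a bare expression; why exactly 32 bits of headroom are reserved is not stated, so a later reader cannot tell whether it may be tightened or must be widened. I would add `/* leave headroom for the per-packet duration that is added to the granule position below; anything larger overflows int64 */` above the check — that is my reading of the commit message, confirm against the arithmetic that follows, which is outside the hunk. A negative granule (the Ogg "no granule" marker) still passes the check, which is presumably intended and could be said in the same comment. opus_packet continues outside the hunk.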
From 069eea16d975643bee6a42643c9bac54f170ee9c Mon Sep 17 00:00:00 2001
From: Chris Cunningham
Date: Mon, 9 May 2016 15:27:29 -0700
Subject: [PATCH 084/942] libavformat/oggdec: Free stream private when header parsing fails.
Leaking this private structure opens up the possibility that it may be re-used when parsing later packets in the stream. This is problematic if the later packets are not the same codec type (e.g. private allocated during Vorbis parsing, but later packets are Opus and the private is assumed to be the oggopus_private type in opus_header()).
Signed-off-by: Michael Niedermayer
(cherry picked from commit 542f725964e52201000ec34e2f23229cf534ad3a)
Signed-off-by: Michael Niedermayer
---
 libavformat/oggdec.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 2d99b4af25..8f3b44c3c5 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -701,6 +701,7 @@ static int ogg_read_header(AVFormatContext *s)
         if (ogg->streams[i].header < 0) {
             av_log(s, AV_LOG_ERROR, "Header parsing failed for stream %d\n", i);
             ogg->streams[i].codec = NULL;
+            av_freep(&ogg->streams[i].private);
         } else if (os->codec && os->nb_header < os->codec->nb_header) {
             av_log(s, AV_LOG_WARNING,
                    "Headers mismatch for stream %d: "
From 7c43c48fda09cd734ad1e28ef2b8f0a2e197d4e0 Mon Sep 17 00:00:00 2001
From: Will Kelleher
Date: Thu, 7 Apr 2016 08:58:31 -0500
Subject: [PATCH 085/942] hevc: Fix memory leak related to a53_caption data
Signed-off-by: Will Kelleher
Signed-off-by: Michael Niedermayer
(cherry picked from commit 964f07f68e1cc4e2d585615e2b1a1fade269afb0)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevc.c | 2 ++
 libavcodec/hevc.h | 9 +++++++++
 libavcodec/hevc_parser.c | 2 ++
 libavcodec/hevc_sei.c | 6 ++++++
 4 files changed, 19 insertions(+)
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 203f90ab2e..0e849b81c6 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
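Review bot: `av_freep(&ogg->streams[i].private)` releases only the container; if the codec's parser registered a per-stream `cleanup` callback in its ogg_codec that frees allocations hanging off `private` (the Vorbis parser, for instance, keeps its own buffers there), those are leaked here, and because `codec` is nulled on the line above, the normal teardown can no longer reach them either. Invoking `os->codec->cleanup(s, i)` when it is non-NULL, before nulling `codec` and freeing `private`, would cover both the type confusion this commit fixes and the leak. I have inferred the callback from the ogg_codec API rather than from this hunk, so verify it exists in this tree. ogg_read_header continues outside the hunk.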
@@ -3149,6 +3149,8 @@ static av_cold int hevc_init_context(AVCodecContext *avctx)
     s->context_initialized = 1;
     s->eos = 0;
 
+    ff_hevc_reset_sei(s);
+
     return 0;
 
 fail:
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index c91f815857..5d9d35c446 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -1092,6 +1092,15 @@ int ff_hevc_split_packet(HEVCContext *s, HEVCPacket *pkt, const uint8_t *buf, in
 int ff_hevc_encode_nal_vps(HEVCVPS *vps, unsigned int id,
                            uint8_t *buf, int buf_size);
 
+/**
+ * Reset SEI values that are stored on the Context.
+ * e.g. Caption data that was extracted during NAL
+ * parsing.
+ *
+ * @param s HEVCContext.
+ */
+void ff_hevc_reset_sei(HEVCContext *s);
+
 extern const uint8_t ff_hevc_qpel_extra_before[4];
 extern const uint8_t ff_hevc_qpel_extra_after[4];
 extern const uint8_t ff_hevc_qpel_extra[4];
diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c
index 4625e6149a..d635716fb9 100644
--- a/libavcodec/hevc_parser.c
+++ b/libavcodec/hevc_parser.c
@@ -209,6 +209,8 @@ static inline int parse_nal_units(AVCodecParserContext *s, const uint8_t *buf,
     h->avctx = avctx;
 
+    ff_hevc_reset_sei(h);
+
     if (!buf_size)
         return 0;
 
diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index 40685fe5d8..f598b6393a 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -373,3 +373,9 @@ int ff_hevc_decode_nal_sei(HEVCContext *s)
     } while (more_rbsp_data(&s->HEVClc->gb));
     return 1;
 }
+
+void ff_hevc_reset_sei(HEVCContext *s)
+{
+    s->a53_caption_size = 0;
+    av_freep(&s->a53_caption);
+}
From f6586db165da1007e347bfa2822d0e183dd841a5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 15 May 2016 18:33:09 +0200
Subject: [PATCH 086/942] swresample/rematrix: Use error diffusion to avoid error in the DC component of the matrix
This fixes the sum of the integer coefficients ending up summing to a value larger than the value representing unity. This issue occurs with qN0.dts when converting to stereo
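Review bot: `ff_hevc_reset_sei` is now called from hevc_init_context and from the parser's parse_nal_units, but the diffstat shows no call from the decoder's close path; if `hevc_decode_free` does not already free `a53_caption`, a stream that ends after an SEI but before the frame that consumes it still leaks the buffer, and adding `ff_hevc_reset_sei(s);` there (and in the parser's close, if it keeps its own context) would complete the fix. The new header comment could state the contract the hevc_sei.c body actually implements: `/* Frees a53_caption and zeroes a53_caption_size; safe on a freshly zeroed context. */`. Calling it at the top of every parse_nal_units discards caption data left from the previous call before the new NAL units are inspected, which is worth a one-line comment at that call site. The callers' enclosing functions continue outside their hunks.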
Signed-off-by: Michael Niedermayer
(cherry picked from commit 7fe81bc4f8ba684626fa08f7bef46da3e8abe373)
Signed-off-by: Michael Niedermayer
---
 libswresample/rematrix.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c
index 932088ffb7..f18c9f67db 100644
--- a/libswresample/rematrix.c
+++ b/libswresample/rematrix.c
@@ -371,9 +371,15 @@ av_cold int swri_rematrix_init(SwrContext *s){
         s->native_one = av_mallocz(sizeof(int));
         if (!s->native_matrix || !s->native_one)
             return AVERROR(ENOMEM);
-        for (i = 0; i < nb_out; i++)
-            for (j = 0; j < nb_in; j++)
-                ((int*)s->native_matrix)[i * nb_in + j] = lrintf(s->matrix[i][j] * 32768);
+        for (i = 0; i < nb_out; i++) {
+            double rem = 0;
+
+            for (j = 0; j < nb_in; j++) {
+                double target = s->matrix[i][j] * 32768 + rem;
+                ((int*)s->native_matrix)[i * nb_in + j] = lrintf(target);
+                rem += target - ((int*)s->native_matrix)[i * nb_in + j];
+            }
+        }
         *((int*)s->native_one) = 32768;
         s->mix_1_1_f = (mix_1_1_func_type*)copy_s16;
         s->mix_2_1_f = (mix_2_1_func_type*)sum2_s16;
From 1cd872a7d555bd74a53bb7538bfb7c393c04e42d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 15 May 2016 21:34:37 +0200
Subject: [PATCH 087/942] swresample/rematrix: Use clipping s16 rematrixing if overflows are possible
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2f76157eb05bf63725f96167feda6b2e07501c7e)
Signed-off-by: Michael Niedermayer
---
 libswresample/rematrix.c | 19 ++++++++++++++++---
 libswresample/rematrix_template.c | 7 ++++++-
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c
index f18c9f67db..ddba0433e8 100644
--- a/libswresample/rematrix.c
+++ b/libswresample/rematrix.c
@@ -32,6 +32,9 @@
 
 #define TEMPLATE_REMATRIX_S16
 #include "rematrix_template.c"
+#define TEMPLATE_CLIP
+#include "rematrix_template.c"
+#undef TEMPLATE_CLIP
 #undef TEMPLATE_REMATRIX_S16
 
 #define TEMPLATE_REMATRIX_S32
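Review bot: `lrintf(target)` rounds a `double` through `float`: `target` is declared `double target = s->matrix[i][j] * 32768 + rem;`, so the argument is narrowed to single precision before rounding and the low fractional bits that the error-diffusion `rem` is accumulating are partly discarded at the call. `lrint(target)` keeps the computation in double end to end at no cost. The `double rem = 0;` / `rem += target - ...` lines already accumulate in double, so the mismatch is confined to that one call. swri_rematrix_init continues outside the hunk.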
@@ -367,23 +370,33 @@ av_cold int swri_rematrix_init(SwrContext *s){
         return r;
     }
     if (s->midbuf.fmt == AV_SAMPLE_FMT_S16P){
+        int maxsum = 0;
         s->native_matrix = av_calloc(nb_in * nb_out, sizeof(int));
         s->native_one = av_mallocz(sizeof(int));
         if (!s->native_matrix || !s->native_one)
             return AVERROR(ENOMEM);
         for (i = 0; i < nb_out; i++) {
             double rem = 0;
+            int sum = 0;
 
             for (j = 0; j < nb_in; j++) {
                 double target = s->matrix[i][j] * 32768 + rem;
                 ((int*)s->native_matrix)[i * nb_in + j] = lrintf(target);
                 rem += target - ((int*)s->native_matrix)[i * nb_in + j];
+                sum += FFABS(((int*)s->native_matrix)[i * nb_in + j]);
             }
+            maxsum = FFMAX(maxsum, sum);
         }
         *((int*)s->native_one) = 32768;
-        s->mix_1_1_f = (mix_1_1_func_type*)copy_s16;
-        s->mix_2_1_f = (mix_2_1_func_type*)sum2_s16;
-        s->mix_any_f = (mix_any_func_type*)get_mix_any_func_s16(s);
+        if (maxsum <= 32768) {
+            s->mix_1_1_f = (mix_1_1_func_type*)copy_s16;
+            s->mix_2_1_f = (mix_2_1_func_type*)sum2_s16;
+            s->mix_any_f = (mix_any_func_type*)get_mix_any_func_s16(s);
+        } else {
+            s->mix_1_1_f = (mix_1_1_func_type*)copy_clip_s16;
+            s->mix_2_1_f = (mix_2_1_func_type*)sum2_clip_s16;
+            s->mix_any_f = (mix_any_func_type*)get_mix_any_func_clip_s16(s);
+        }
     }else if(s->midbuf.fmt == AV_SAMPLE_FMT_FLTP){
         s->native_matrix = av_calloc(nb_in * nb_out, sizeof(float));
         s->native_one = av_mallocz(sizeof(float));
diff --git a/libswresample/rematrix_template.c b/libswresample/rematrix_template.c
index 95a3b9a8c0..add65e3155 100644
--- a/libswresample/rematrix_template.c
+++ b/libswresample/rematrix_template.c
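Review bot: The threshold `if (maxsum <= 32768)` is unexplained; 32768 is the same Q15 unity the line above stores in `native_one`, so the test means "no output row's absolute coefficients sum to more than 1.0", and that deserves to be written down. I would put `/* if any output row's |coefficients| sum above unity (32768 in Q15), a full-scale input can overflow int16 in the non-clipping kernels, so select the clipping variants */` above the `if`, and name the literal once instead of repeating it three times in this block. `sum` is accumulated in `int`, which is safe only while the matrix coefficients stay bounded; if user-supplied matrices can be large that is a separate concern outside this hunk. swri_rematrix_init continues outside the hunk.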
@@ -31,11 +31,16 @@ # define INTER double # define RENAME(x) x ## _double #elif defined(TEMPLATE_REMATRIX_S16) -# define R(x) (((x) + 16384)>>15) # define SAMPLE int16_t # define COEFF int # define INTER int +# ifdef TEMPLATE_CLIP +# define R(x) av_clip_int16(((x) + 16384)>>15) +# define RENAME(x) x ## _clip_s16 +# else +# define R(x) (((x) + 16384)>>15) # define RENAME(x) x ## _s16 +# endif #elif defined(TEMPLATE_REMATRIX_S32) # define R(x) (((x) + 16384)>>15) # define SAMPLE int32_t From d7ae13d47934b9dd90a2d37bb97043d1f77a0452 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 May 2016 05:10:21 +0200 Subject: [PATCH 088/942] swresample/resample: Fix division by 0 with tap_count=1 Signed-off-by: Michael Niedermayer (cherry picked from commit feeb3a92616310b5f79191b0ef3064712c40b7d3) Signed-off-by: Michael Niedermayer --- libswresample/resample.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index 7888e570a3..d410432658 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -203,7 +203,7 @@ static int build_filter(ResampleContext *c, void *filter, double factor, int tap case AV_SAMPLE_FMT_S16P: for(i=0;i Date: Mon, 16 May 2016 12:49:06 +0200 Subject: [PATCH 089/942] ffmpeg: Check that r_frame_rate is set before attempting to use it Avoids unexpected occurance and dependency on NaN behavior and divisions by 0 Testcase: fate-lavf-fate-avi_cram Signed-off-by: Michael Niedermayer (cherry picked from commit 6085d6b2aeef28671614f625601a23cfc922d282) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index a5ec3c3833..9352b24004 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
@@ -2893,7 +2893,8 @@ static int transcode_init(void) * overhead */ if(!strcmp(oc->oformat->name, "avi")) { - if ( copy_tb<0 && av_q2d(ist->st->r_frame_rate) >= av_q2d(ist->st->avg_frame_rate) + if ( copy_tb<0 && ist->st->r_frame_rate.num + && av_q2d(ist->st->r_frame_rate) >= av_q2d(ist->st->avg_frame_rate) && 0.5/av_q2d(ist->st->r_frame_rate) > av_q2d(ist->st->time_base) && 0.5/av_q2d(ist->st->r_frame_rate) > av_q2d(dec_ctx->time_base) && av_q2d(ist->st->time_base) < 1.0/500 && av_q2d(dec_ctx->time_base) < 1.0/500 From e5d167149d82a8ca3509a94a62989af5b24a943d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 May 2016 13:43:02 +0200 Subject: [PATCH 090/942] avformat/utils: Do not compute the bitrate from duration == 0 Fixes division by 0 in fate-acodec-ra144 Signed-off-by: Michael Niedermayer (cherry picked from commit 635b2ec5f20d6cdef1adf4907ca28f8f09abcecc) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 9fa744377c..054cada7f9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2408,7 +2408,7 @@ static void update_stream_timings(AVFormatContext *ic) if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { ic->duration = duration; } - if (ic->pb && (filesize = avio_size(ic->pb)) > 0 && ic->duration != AV_NOPTS_VALUE) { + if (ic->pb && (filesize = avio_size(ic->pb)) > 0 && ic->duration > 0) { /* compute the bitrate */ double bitrate = (double) filesize * 8.0 * AV_TIME_BASE / (double) ic->duration; From 145b18ce9a27554fdb4af5f2c122b5f44bf521b3 Mon Sep 17 00:00:00 2001 From: Chris Cunningham Date: Tue, 17 May 2016 11:28:32 -0700 Subject: [PATCH 091/942] avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id() Fixes: undefined shift. Signed-off-by: Michael Niedermayer (cherry picked from commit 2875745d354ab0ebc4af1ebaca5c5a8d26ccdc03) 
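Review bot: The added guard tests only `r_frame_rate.num`, so a stream carrying `r_frame_rate = {N, 0}` still reaches `av_q2d()`, which yields ±inf and feeds `0.5/av_q2d(...)` into the remaining comparisons; that is well-defined floating-point, but the branch decision becomes meaningless, and `avg_frame_rate` is not checked at all. A rational is only usable when both fields are set, so the check should read `ist->st->r_frame_rate.num && ist->st->r_frame_rate.den`. transcode_init continues outside this hunk.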
Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 054cada7f9..7ed21b6762 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2833,7 +2833,7 @@ enum AVCodecID ff_codec_get_id(const AVCodecTag *tags, unsigned int tag) enum AVCodecID ff_get_pcm_codec_id(int bps, int flt, int be, int sflags) { - if (bps > 64U) + if (bps <= 0 || bps > 64) return AV_CODEC_ID_NONE; if (flt) { From b11900251fff69214cb5c73b491ca14c6bc2eacb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 May 2016 23:27:54 +0200 Subject: [PATCH 092/942] avformat/avidec: Detect index with too short entries Fixes Ticket5498 Signed-off-by: Michael Niedermayer (cherry picked from commit d08f2c172fd2baab022f0118f49e5b2852a2d463) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 38598107fc..a6459a0e05 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1695,6 +1695,8 @@ static int guess_ni_flag(AVFormatContext *s) size = avio_rl32(s->pb); if (get_stream_idx(tag) == i && pos + size > st->index_entries[1].pos) last_start = INT64_MAX; + if (get_stream_idx(tag) == i && size == st->index_entries[0].size + 8) + last_start = INT64_MAX; } if (st->index_entries[0].pos > last_start) From 4d9fdca05319ec84c3052521b6693ce59fd2e0d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 May 2016 18:02:53 +0200 Subject: [PATCH 093/942] avcodec/diracdec: Fix potential integer overflow Fixes CID1361948 Signed-off-by: Michael Niedermayer (cherry picked from commit 7ecfe4dc363435c81e66dd14881dc0b0ccc73fb1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 05c79005eb..1d7bb9b98b 100644 --- a/libavcodec/diracdec.c 
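Review bot: The old test `bps > 64U` already rejected negative `bps` (a negative int converts to a huge unsigned before the comparison), so the behavioural change of this hunk is rejecting `bps == 0`, not negatives as the commit title says; a short comment would spare the next reader that analysis, e.g. `/* bps must be 1..64; 0 would lead to an undefined shift below */`. The shift that motivated the change is outside the hunk, so I cannot confirm which expression it protects.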
+++ b/libavcodec/diracdec.c @@ -903,8 +903,8 @@ static int decode_lowdelay(DiracContext *s) } else { for (slice_y = 0; bufsize > 0 && slice_y < s->num_y; slice_y++) { for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) { - bytes = (slice_num+1) * s->lowdelay.bytes.num / s->lowdelay.bytes.den - - slice_num * s->lowdelay.bytes.num / s->lowdelay.bytes.den; + bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den + - slice_num * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den; slices[slice_num].bytes = bytes; slices[slice_num].slice_x = slice_x; slices[slice_num].slice_y = slice_y; From 241f1e603f5c958a41083658ab3d494f913d146e Mon Sep 17 00:00:00 2001 From: Gregor Riepl Date: Tue, 24 May 2016 15:17:22 +0200 Subject: [PATCH 094/942] ffserver: fixed deallocation bug in build_feed_streams Signed-off-by: Gregor Riepl Signed-off-by: Michael Niedermayer (cherry picked from commit d970f7ba31246040787e5ea6eb73bb85cafb932b) Signed-off-by: Michael Niedermayer --- ffserver.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffserver.c b/ffserver.c index 374af99cc7..35e399dc55 100644 --- a/ffserver.c +++ b/ffserver.c @@ -3858,6 +3858,8 @@ drop: if (avformat_write_header(s, NULL) < 0) { http_log("Container doesn't support the required parameters\n"); avio_closep(&s->pb); + s->streams = NULL; + s->nb_streams = 0; avformat_free_context(s); goto bail; } From 69c3dfdd548f25d7bd260afbf59987e37eb60f33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 May 2016 20:40:08 +0200 Subject: [PATCH 095/942] doc/developer.texi: Add a code of conduct See: [FFmpeg-devel] [Vote] Code of Conduct Signed-off-by: Michael Niedermayer (cherry picked from commit 89e9393022373bf97d528e6e9f2601ad0b3d0fc1) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 6db93cef70..4d3a7aef94 100644 --- a/doc/developer.texi 
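Review bot: The quotient is now computed in 64 bits but is stored back into `bytes` and `slices[slice_num].bytes`, whose types are not visible here; if they are `int`, a hostile `lowdelay.bytes.num` still narrows the value and a per-slice size can come out negative or larger than `bufsize`. Clamping before the store, e.g. `if (bytes > bufsize) bytes = bufsize;` (or rejecting the frame), would bound each slice to the data actually available. I also cannot see where `lowdelay.bytes.den` is checked to be non-zero; decode_lowdelay starts and ends outside this hunk.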
+++ b/doc/developer.texi @@ -403,6 +403,35 @@ finding a new maintainer and also don't forget to update the @file{MAINTAINERS} We think our rules are not too hard. If you have comments, contact us. +@section Code of conduct + +Be friendly and respectful towards others and third parties. +Treat others the way you yourself want to be treated. + +Be considerate. Not everyone shares the same viewpoint and priorities as you do. +Different opinions and interpretations help the project. +Looking at issues from a different perspective assists development. + +Do not assume malice for things that can be attributed to incompetence. Even if +it is malice, it's rarely good to start with that as initial assumption. + +Stay friendly even if someone acts contrarily. Everyone has a bad day +once in a while. +If you yourself have a bad day or are angry then try to take a break and reply +once you are calm and without anger if you have to. + +Try to help other team members and cooperate if you can. + +The goal of software development is to create technical excellence, not for any +individual to be better and "win" against the others. Large software projects +are only possible and successful through teamwork. + +If someone struggles do not put them down. Give them a helping hand +instead and point them in the right direction. + +Finally, keep in mind the immortal words of Bill and Ted, +"Be excellent to each other." + @anchor{Submitting patches} @section Submitting patches From cc1e01d8b67f41659cb03f2500f18fe5df647ff1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 May 2016 23:51:35 +0200 Subject: [PATCH 096/942] avformat/utils: avoid overflow in update_stream_timings() with huge durations Fixes: usan_granule_overflow Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 2be3007ed55f1513bcae3d2a076e71878f48eb03) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/utils.c b/libavformat/utils.c index 7ed21b6762..fe684c352d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2370,7 +2370,7 @@ static void update_stream_timings(AVFormatContext *ic) end_time1 = av_rescale_q_rnd(st->duration, st->time_base, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); - if (end_time1 != AV_NOPTS_VALUE) { + if (end_time1 != AV_NOPTS_VALUE && start_time1 <= INT64_MAX - end_time1) { end_time1 += start_time1; end_time = FFMAX(end_time, end_time1); } From 7f864badc01f92f5861aa57dc954c07977b2f1f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 May 2016 23:51:35 +0200 Subject: [PATCH 097/942] avformat/utils: avoid overflow in compute_chapters_end() with huge durations Fixes: usan_granule_overflow Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit c1ed78a591f68f3c81eded0bfaac313937ffa3b6) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index fe684c352d..542ded76cb 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2919,7 +2919,7 @@ static void compute_chapters_end(AVFormatContext *s) unsigned int i, j; int64_t max_time = 0; - if (s->duration > 0) + if (s->duration > 0 && s->start_time < INT64_MAX - s->duration) max_time = s->duration + ((s->start_time == AV_NOPTS_VALUE) ? 0 : s->start_time); From dab82a2a7c907f0ff842f9a1ce05670cfe6715ab Mon Sep 17 00:00:00 2001 From: Thomas Guilbert Date: Fri, 27 May 2016 15:50:25 -0700 Subject: [PATCH 098/942] avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c Fixes: usan_granule_overflow constant type fix by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit 1a82d2cf8fb6a7e854e7548dfcf73c3d046b34ac) Signed-off-by: Michael Niedermayer --- libavformat/oggparseopus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
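Review bot: The new overflow guard `start_time1 <= INT64_MAX - end_time1` is itself undefined when `end_time1` is negative, because `INT64_MAX - end_time1` then overflows; `st->duration` comes from the demuxer and nothing visible in the hunk excludes a rescaled negative duration. Guard both signs, e.g. `if (end_time1 != AV_NOPTS_VALUE && end_time1 >= 0 && start_time1 <= INT64_MAX - end_time1)`, or treat negative durations as unknown. The enclosing loop of update_stream_timings is outside this hunk.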
diff --git a/libavformat/oggparseopus.c b/libavformat/oggparseopus.c index 584fff4538..8bb2a41366 100644 --- a/libavformat/oggparseopus.c +++ b/libavformat/oggparseopus.c @@ -117,7 +117,7 @@ static int opus_packet(AVFormatContext *avf, int idx) if (!os->psize) return AVERROR_INVALIDDATA; - if (os->granule > INT64_MAX - UINT32_MAX) { + if (os->granule > (1LL << 62)) { av_log(avf, AV_LOG_ERROR, "Unsupported huge granule pos %"PRId64 "\n", os->granule); return AVERROR_INVALIDDATA; } From e5942c14363180644cd7a56c9a4b8385469e8771 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 May 2016 22:01:13 +0200 Subject: [PATCH 099/942] avcodec/bmp_parser: Fix state Fixes Ticket5598 Signed-off-by: Michael Niedermayer (cherry picked from commit d0388bd32e1c84a9ef87ba6c448c7fffb6a9f259) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index 7ab32a0b00..b06e3e84ef 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -67,6 +67,8 @@ restart: if (bpc->pc.index + i > 17) { next = i - 17; + state = 0; + break; } else goto restart; } else if (bpc->pc.frame_start_found) From c6470d81939c41a146bad87816fd8f03c271468f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jun 2016 01:46:18 +0200 Subject: [PATCH 100/942] avcodec/mpegvideo: Deallocate last/next picture earlier Fixes regression with mplayers direct rendering and reduces buffer count pressure in some cases Signed-off-by: Michael Niedermayer (cherry picked from commit 39c0b22df42088cf4fb1ceb2447291c224a5c7ed) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 236987b3d4..798b517ec5 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
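Review bot: The new bound `os->granule > (1LL << 62)` rejects only huge positive values; a negative granule position from a crafted page passes it, and whatever arithmetic follows on `os->granule` (outside this hunk) is then exercised with a negative input. If negative positions are never valid for Opus, extend the check to `if (os->granule < 0 || os->granule > (1LL << 62))`. A comment saying why 2^62 replaced `INT64_MAX - UINT32_MAX` would also help, since the headroom it buys (presumably for the additions performed below) is otherwise implicit.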
@@ -1216,6 +1216,8 @@ int ff_mpv_frame_start(MpegEncContext *s, AVCodecContext *avctx) } ff_mpeg_unref_picture(s->avctx, &s->current_picture); + ff_mpeg_unref_picture(s->avctx, &s->last_picture); + ff_mpeg_unref_picture(s->avctx, &s->next_picture); /* release non reference frames */ for (i = 0; i < MAX_PICTURE_COUNT; i++) { @@ -1367,14 +1369,12 @@ int ff_mpv_frame_start(MpegEncContext *s, AVCodecContext *avctx) memset(s->next_picture.f->data, 0, sizeof(s->next_picture.f->data)); #endif if (s->last_picture_ptr) { - ff_mpeg_unref_picture(s->avctx, &s->last_picture); if (s->last_picture_ptr->f->buf[0] && (ret = ff_mpeg_ref_picture(s->avctx, &s->last_picture, s->last_picture_ptr)) < 0) return ret; } if (s->next_picture_ptr) { - ff_mpeg_unref_picture(s->avctx, &s->next_picture); if (s->next_picture_ptr->f->buf[0] && (ret = ff_mpeg_ref_picture(s->avctx, &s->next_picture, s->next_picture_ptr)) < 0) From fbdf5ca763f05bdd52c402be947bb2b2755a09c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2016 03:43:52 +0200 Subject: [PATCH 101/942] tests/checkasm/checkasm: Disable checkasm_check_pixblockdsp for ppc64be See: Ticket5508 Suggested-by: Carl Signed-off-by: Michael Niedermayer (cherry picked from commit e5d434b840404d84585456e51755e052a0fe0731) --- tests/checkasm/checkasm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/checkasm/checkasm.c b/tests/checkasm/checkasm.c index 1e73e34c76..797ecd5d19 100644 --- a/tests/checkasm/checkasm.c +++ b/tests/checkasm/checkasm.c @@ -92,7 +92,7 @@ static const struct { #if CONFIG_JPEG2000_DECODER { "jpeg2000dsp", checkasm_check_jpeg2000dsp }, #endif - #if CONFIG_PIXBLOCKDSP + #if CONFIG_PIXBLOCKDSP && !(ARCH_PPC64 && HAVE_BIGENDIAN) { "pixblockdsp", checkasm_check_pixblockdsp }, #endif #if CONFIG_V210_ENCODER From bffe1c42220f0f5622239c365df06db8bd141504 Mon Sep 17 00:00:00 2001 
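Review bot: The `#if CONFIG_PIXBLOCKDSP && !(ARCH_PPC64 && HAVE_BIGENDIAN)` condition silences a failing test without saying why, so the next person touching this table cannot tell the exclusion is a workaround for an open bug rather than a platform that lacks the DSP; add `/* FIXME: pixblockdsp checkasm fails on big-endian ppc64, see trac Ticket5508 */` above it. Disabling the check also means a genuine regression in the ppc64be pixblockdsp code would now pass CI, which is worth stating in the commit message.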
From: Timo Rothenpieler Date: Wed, 29 Jun 2016 11:15:39 +0200 Subject: [PATCH 102/942] ffplay: Fix usage of private lavfi API Reviewed-by: Michael Niedermayer (cherry picked from commit 1bd9fb6de59bb96144ece914643d2d205818168d) --- ffplay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffplay.c b/ffplay.c index 2cfdf26ee9..3df0d4dd72 100644 --- a/ffplay.c +++ b/ffplay.c @@ -2730,7 +2730,7 @@ static int stream_component_open(VideoState *is, int stream_index) goto fail; link = is->out_audio_filter->inputs[0]; sample_rate = link->sample_rate; - nb_channels = link->channels; + nb_channels = avfilter_link_get_channels(link); channel_layout = link->channel_layout; } #else From 96f5019bde0f6719133a36433fec465b8538df25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2016 17:34:37 +0200 Subject: [PATCH 103/942] avcodec/libopenjpegenc: Set numresolutions by default to a value that is not too large Fixes issues with libopenjpeg 2.1 Signed-off-by: Michael Niedermayer (cherry picked from commit e9394ca63dab3434bc8e869de019ecd86cb604ac) --- libavcodec/libopenjpegenc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index b67c320b2f..058ca363c8 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -352,6 +352,12 @@ static av_cold int libopenjpeg_encode_init(AVCodecContext *avctx) ctx->enc_params.cp_cinema = ctx->cinema_mode; #endif + if (!ctx->numresolution) { + ctx->numresolution = 6; + while (FFMIN(avctx->width, avctx->height) >> ctx->numresolution < 1) + ctx->numresolution --; + } + ctx->enc_params.mode = !!avctx->global_quality; ctx->enc_params.prog_order = ctx->prog_order; ctx->enc_params.numresolution = ctx->numresolution; 
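Review bot: The auto-selection loop `while (FFMIN(avctx->width, avctx->height) >> ctx->numresolution < 1) ctx->numresolution --;` has no lower bound: with a zero width or height the shifted value never reaches 1, `numresolution` drops below 0 and a shift by a negative count is undefined behaviour (in practice a hang or garbage). avcodec_open2 probably rejects zero dimensions for encoders before init runs, but the loop should still stop at the option's former minimum: `while (ctx->numresolution > 1 && FFMIN(avctx->width, avctx->height) >> ctx->numresolution < 1)`. libopenjpeg_encode_init continues outside this hunk.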
@@ -814,7 +820,7 @@ static const AVOption options[] = { { "rpcl", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = OPJ(RPCL) }, 0, 0, VE, "prog_order" }, { "pcrl", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = OPJ(PCRL) }, 0, 0, VE, "prog_order" }, { "cprl", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = OPJ(CPRL) }, 0, 0, VE, "prog_order" }, - { "numresolution", NULL, OFFSET(numresolution), AV_OPT_TYPE_INT, { .i64 = 6 }, 1, INT_MAX, VE }, + { "numresolution", NULL, OFFSET(numresolution), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, VE }, { "numlayers", NULL, OFFSET(numlayers), AV_OPT_TYPE_INT, { .i64 = 1 }, 1, 10, VE }, { "disto_alloc", NULL, OFFSET(disto_alloc), AV_OPT_TYPE_INT, { .i64 = 1 }, 0, 1, VE }, { "fixed_alloc", NULL, OFFSET(fixed_alloc), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE }, From 4774eb8128ea61a8b2f60e3d5950f48ebf6b8c55 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 9 Jul 2016 16:00:06 -0300 Subject: [PATCH 104/942] =?UTF-8?q?Revert=20"configure:=20Enable=20GCC=20v?= =?UTF-8?q?ectorization=20on=20=E2=89=A54.9=20on=20x86"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit cb8646af24bd8e9627cc5e1c62b049a00fe0b07b. This change has brough more issues than benefits, between compilation time failures depending on flags used and code miscompilation causing runtime crashes. See the "[PATCH 2/2] configure: Enable GCC vectorization on ≥4.9" thread in the ffmpeg-devel mailing list for the relevant discussion. (cherry picked from commit fd6dbc53855fbfc9a782095d0ffe11dd3a98905f) --- configure | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/configure b/configure index 9103e8560e..1091bdcc13 100755 --- a/configure +++ b/configure 
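Review bot: Widening the `numresolution` range to 0..INT_MAX gives 0 a special meaning (auto-select, implemented in libopenjpeg_encode_init) that the option table does not state, since its help string is still NULL; `-h encoder=libopenjpeg` will show a bare integer defaulting to 0. Replace the NULL with a help string such as `"number of resolution levels (0 = auto)"`. The option table continues outside this hunk.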
@@ -5923,11 +5923,7 @@ elif enabled ccc; then add_cflags -msg_disable nonstandcast add_cflags -msg_disable unsupieee elif enabled gcc; then - case $gcc_basever in - 4.9*) enabled x86 || check_optflags -fno-tree-vectorize ;; - 4.*) check_optflags -fno-tree-vectorize ;; - *) enabled x86 || check_optflags -fno-tree-vectorize ;; - esac + check_optflags -fno-tree-vectorize check_cflags -Werror=format-security check_cflags -Werror=implicit-function-declaration check_cflags -Werror=missing-prototypes From 21c36d83f8507a051babaaabd69c15a4ac64e676 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 12 Jul 2016 17:05:42 -0300 Subject: [PATCH 105/942] avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame Signed-off-by: James Almer (cherry picked from commit 5adfbd391847fcdaea1e9b105fae2dd90af2a733) --- libavformat/oggparsevp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index 7aed8abad3..ca13928f1e 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -82,7 +82,11 @@ static uint64_t vp8_gptopts(AVFormatContext *s, int idx, struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; - uint64_t pts = (granule >> 32); + int invcnt = !((granule >> 30) & 3); + // If page granule is that of an invisible vp8 frame, its pts will be + // that of the end of the next visible frame. We substract 1 for those + // to prevent messing up pts calculations. + uint64_t pts = (granule >> 32) - invcnt; uint32_t dist = (granule >> 3) & 0x07ffffff; if (!dist) From b62191f9c1892d922811931fddbb5d81eeac857e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 Jun 2016 06:36:31 +0200 Subject: [PATCH 106/942] librtmp: Avoid an infiniloop setting connection arguments The exit condition was missing. Signed-off-by: Timothy Gu (cherry picked from commit e85d38c20a8893cb59d7c86f74481f2497882196) 
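Review bot: `uint64_t pts = (granule >> 32) - invcnt;` wraps to UINT64_MAX when the page's upper 32 bits are zero and the frame is flagged invisible, and that value is then used as the pts base by the code that follows; a crafted Ogg/VP8 page can trigger this. Compute the base first and decrement only when it is non-zero: `uint64_t pts = granule >> 32; if (invcnt && pts) pts--;`. I cannot verify from here that bits 30–31 of the granule hold the invisible-frame count; vp8_gptopts continues outside this hunk.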
Signed-off-by: Timothy Gu --- libavformat/librtmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index bfa9a718f1..5a138adad4 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -193,6 +193,8 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) if (sep) p = sep + 1; + else + break; } } if (ctx->playpath) { From f3c1a76ffdd8283e7e0634b2daf9683047558d1e Mon Sep 17 00:00:00 2001 From: Vivekanand Date: Thu, 7 Apr 2016 16:16:23 +0530 Subject: [PATCH 107/942] avformat/allformats: Making av_register_all() thread-safe. When multiple threads tries to call av_register_all(), the first thread sets initialized to 1 and do the register process. At the same time, other thread might also call av_register_all(), which returns immediately because initialized is set to 1 (even when it has not completed registering codecs). We can avoid this problem if we set initialised to 1 while exiting from function. Github: Closes #196 (cherry picked from commit b092ee701f4d0ef2b8a4171cd38101d1ee9a1034) Conflicts: libavformat/allformats.c --- libavformat/allformats.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/allformats.c b/libavformat/allformats.c index 02bb16a71e..fb1a67797b 100644 --- a/libavformat/allformats.c +++ b/libavformat/allformats.c @@ -54,7 +54,6 @@ void av_register_all(void) if (initialized) return; - initialized = 1; avcodec_register_all(); @@ -418,4 +417,6 @@ void av_register_all(void) REGISTER_PROTOCOL(LIBRTMPTE, librtmpte); REGISTER_PROTOCOL(LIBSSH, libssh); REGISTER_PROTOCOL(LIBSMBCLIENT, libsmbclient); + + initialized = 1; } From b2a2b1a88b3e3c78e8732bceab717910bd3eba09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2016 20:49:13 +0200 Subject: [PATCH 108/942] avfilter/af_amix: dont fail if there are no samples in output_frame() Fixes Ticket5326 
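Review bot: Moving `initialized = 1;` to the end of av_register_all() does not make it thread-safe as the commit title claims: two threads that both read `initialized == 0` before either finishes will both run the whole registration, and the unsynchronised read and write of a plain `static int` remain a data race under the C11 memory model. Either serialise the body with a mutex or a once primitive (pthread_once, or whatever once-wrapper this tree provides), or reword the commit to say it only narrows the window in which a second caller returns before registration is complete. The registration calls between the two hunks are outside this view.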
Signed-off-by: Michael Niedermayer (cherry picked from commit abc957e896beb3ce33c5691b9b3701993a381852) Signed-off-by: Michael Niedermayer --- libavfilter/af_amix.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index e64e289108..3e5e7ee118 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -312,6 +312,9 @@ static int output_frame(AVFilterLink *outlink) calculate_scales(s, nb_samples); + if (nb_samples == 0) + return 0; + out_buf = ff_get_audio_buffer(outlink, nb_samples); if (!out_buf) return AVERROR(ENOMEM); From 9f1e8b4fb28f92f624bc2da431f438dfe43c7332 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:01:43 +0200 Subject: [PATCH 109/942] avcodec/bmp_parser: Fix frame_start_found in cross frame cases Fixes part of ticket 5598 Signed-off-by: Michael Niedermayer (cherry picked from commit bfe945ac3a0c328371dc4b4cc3409b7da5784cb8) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index b06e3e84ef..c9fe153de1 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -91,7 +91,10 @@ flush: if (ff_combine_frame(&bpc->pc, next, &buf, &buf_size) < 0) return buf_size; - bpc->pc.frame_start_found = 0; + if (next != END_NOT_FOUND && next < 0) + bpc->pc.frame_start_found = FFMAX(bpc->pc.frame_start_found - i - 1, 0); + else + bpc->pc.frame_start_found = 0; *poutbuf = buf; *poutbuf_size = buf_size; From fca62cc6a709a80384673ab97654a79b43f7e98c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:27:20 +0200 Subject: [PATCH 110/942] avcodec/bmp_parser: Fix remaining size Fixes part of ticket 5598 Signed-off-by: Michael Niedermayer (cherry picked from commit 250b620d296adba7bd3a3104a9c30e820fb0bc36) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
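Review bot: The new rewind `bpc->pc.frame_start_found = FFMAX(bpc->pc.frame_start_found - i - 1, 0);` is arithmetic a future reader cannot reconstruct without the ticket, so it needs a comment stating the intent, for example `/* a frame ended inside this buffer (next < 0): keep only the header bytes of the following frame that were already counted */` — hedged, because the exact meaning of `i` here depends on the scan loop above the hunk. bmp_parse begins outside this hunk.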
diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9fe153de1..8111ada6f2 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -63,7 +63,7 @@ restart: continue; } bpc->pc.frame_start_found++; - bpc->remaining_size = bpc->fsize + FFMAX(i - 17, 0); + bpc->remaining_size = bpc->fsize + i - 17; if (bpc->pc.index + i > 17) { next = i - 17; From 76a239768f630b4766fd3be71f7d465eeeda1d79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:30:40 +0200 Subject: [PATCH 111/942] avcodec/bmp_parser: reset state Fixes part of ticket 5598 Signed-off-by: Michael Niedermayer (cherry picked from commit 37005e65eb17b1480d9e1755eeba3f50ee3b9555) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index 8111ada6f2..d2a04ef69b 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -69,8 +69,10 @@ restart: next = i - 17; state = 0; break; - } else + } else { + bpc->pc.state64 = 0; goto restart; + } } else if (bpc->pc.frame_start_found) bpc->pc.frame_start_found++; } From 603fd4f771433bdddce2836dffca78c724d76dea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:32:48 +0200 Subject: [PATCH 112/942] avcodec/bmp_parser: Check fsize Signed-off-by: Michael Niedermayer (cherry picked from commit 43a4276c6964a2ec57e08c3c622bb94d35c0441f) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index d2a04ef69b..cd65f02a2e 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c 
@@ -53,7 +53,8 @@ restart: if (bpc->pc.frame_start_found == 0) { if ((state >> 48) == (('B' << 8) | 'M')) { bpc->fsize = av_bswap32(state >> 16); - bpc->pc.frame_start_found = 1; + if (bpc->fsize > 17) + bpc->pc.frame_start_found = 1; } } else if (bpc->pc.frame_start_found == 2+4+4) { // unsigned hsize = av_bswap32(state>>32); From b3fe93e73b18be9d8f9ac62b7e62407a47c834c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 21:43:01 +0200 Subject: [PATCH 113/942] avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream Signed-off-by: Michael Niedermayer (cherry picked from commit a5eb70ad9569c62158b4b2d18f2143db791f7d27) Conflicts: libavformat/mpegts.c --- libavformat/mpegts.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 87a21f0d56..7a2f9421fe 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1769,8 +1769,11 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type case 0x05: /* registration descriptor */ st->codec->codec_tag = bytestream_get_le32(pp); av_log(fc, AV_LOG_TRACE, "reg_desc=%.4s\n", (char *)&st->codec->codec_tag); - if (st->codec->codec_id == AV_CODEC_ID_NONE || st->request_probe > 0) + if (st->codec->codec_id == AV_CODEC_ID_NONE || st->request_probe > 0) { mpegts_find_stream_type(st, st->codec->codec_tag, REGD_types); + if (st->codec->codec_tag == MKTAG('B', 'S', 'S', 'D')) + st->request_probe = 50; + } break; case 0x52: /* stream identifier descriptor */ st->stream_identifier = 1 + get8(pp, desc_end); From 9cf85419a32dd1f52b224517a5e49879005c8375 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Jun 2016 03:48:09 +0200 Subject: [PATCH 114/942] avcodec/utils: check skip_samples signedness Fixes Ticket5528 Signed-off-by: Michael Niedermayer (cherry picked from commit 153ab83bd37cbbcc79d8303cc6efbf81089b8123) 
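Review bot: `if (bpc->fsize > 17)` introduces a second magic 17 (the other is in `remaining_size = bpc->fsize + i - 17` a few lines below) with no comment saying what it is; it looks like the 14-byte BITMAPFILEHEADER plus the 4-byte DIB header size minus the one byte still pending in `state`, but that is inference. Name the constant once, e.g. `#define BMP_HDR_CONSUMED 17 /* header bytes already inside the 64-bit state register */`, and say in the commit that a fsize at or below it would otherwise yield a negative `remaining_size`. bmp_parse begins outside this hunk.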
Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f532824f45..fedbc476f7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -2254,7 +2254,7 @@ int attribute_align_arg avcodec_decode_audio4(AVCodecContext *avctx, skip_reason = AV_RL8(side + 8); discard_reason = AV_RL8(side + 9); } - if (avctx->internal->skip_samples && *got_frame_ptr && + if (avctx->internal->skip_samples > 0 && *got_frame_ptr && !(avctx->flags2 & AV_CODEC_FLAG2_SKIP_MANUAL)) { if(frame->nb_samples <= avctx->internal->skip_samples){ *got_frame_ptr = 0; From f50f7adf7a9a4c71b2970e231202d453ef80263b Mon Sep 17 00:00:00 2001 From: Umair Khan Date: Sat, 12 Mar 2016 02:34:30 +0530 Subject: [PATCH 115/942] avcodec/alsdec: fix max bits in ltp prefix code The maximum number of bits int the prefix code for p(0) is 4. By setting it as 3, we were missing the last 0 bit. This fixes bug #4715 present on the trac. Signed-off-by: Umair Khan Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit 5d64ba9d18294a305f4f46c9a64e592dc5d34aa9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index ebd364e085..8283b79760 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -765,7 +765,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[0] = decode_rice(gb, 1) << 3; bd->ltp_gain[1] = decode_rice(gb, 2) << 3; - r = get_unary(gb, 0, 3); + r = get_unary(gb, 0, 4); c = get_bits(gb, 2); bd->ltp_gain[2] = ltp_gain_values[r][c]; From a004e2e4f138b775d3352c6857f8121818cba917 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Jun 2016 20:50:38 +0200 Subject: [PATCH 116/942] avcodec/alsdec: Check r to prevent out of array read No testcase known 
Signed-off-by: Michael Niedermayer (cherry picked from commit c36fc857b5a8f8bdf2bcc54ce72bbf817902edcf) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 8283b79760..d2c3485ee6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -767,6 +767,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) r = get_unary(gb, 0, 4); c = get_bits(gb, 2); + if (r >= 4) { + av_log(avctx, AV_LOG_ERROR, "r overflow\n"); + return AVERROR_INVALIDDATA; + } + bd->ltp_gain[2] = ltp_gain_values[r][c]; bd->ltp_gain[3] = decode_rice(gb, 2) << 3; From e7a064efa6ac4076eb475be4a2c487fe50e31f48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Jun 2016 22:17:38 +0200 Subject: [PATCH 117/942] avcodec/h264: Fix off by 1 context count Fixes fate-h264-xavc-4389 with slice threads (cherry picked from commit 27c1eae55f24e9ed005a6634cd4ddd867118fa48) Conflicts: libavcodec/h264.c Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 88768af733..b1001f8516 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1656,12 +1656,10 @@ again: av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); sl->ref_count[0] = sl->ref_count[1] = sl->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { - if (context_count > 1) { - ret = ff_h264_execute_decode_slices(h, context_count - 1); - if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) - goto end; - context_count = 0; - } + ret = ff_h264_execute_decode_slices(h, context_count); + if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) + goto end; + context_count = 0; /* Slice could not be decoded in parallel mode, restart. Note * that rbsp_buffer is not transferred, but since we no longer * run in parallel mode this should not be an issue. */ 
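Review bot: The bound `if (r >= 4)` hard-codes the row count of `ltp_gain_values`; if that table is a true array in this file, `if (r >= FF_ARRAY_ELEMS(ltp_gain_values))` ties the check to the declaration and survives a table change. `get_unary(gb, 0, 4)` can return 4 only when all four prefix bits are set, so a short comment such as `/* a prefix of four 1-bits has no entry in the gain table */` would also explain why the error path exists. read_var_block_data continues outside this hunk.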
From 7216068e42554575ef052c2dec4a3291ac04d68f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2016 09:59:21 +0200 Subject: [PATCH 118/942] MAINTAINERs cleanup (remove myself from things i de facto dont maintain) x86 is maintained entirely by others these days ML, mostly too remove myself from a few spots that have other maintainers and where i just dont know the code that well anyway to do an ideal job Signed-off-by: Michael Niedermayer (cherry picked from commit bb5bc08ba6f88af2a4a2e00ea03261b142f79f8f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 0705a6999f..15203e29cb 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -56,7 +56,7 @@ Communication website Deby Barbara Lepage fate.ffmpeg.org Timothy Gu Trac bug tracker Alexander Strasser, Michael Niedermayer, Carl Eugen Hoyos, Lou Logan -mailing lists Michael Niedermayer, Baptiste Coudurier, Lou Logan +mailing lists Baptiste Coudurier, Lou Logan Google+ Paul B Mahol, Michael Niedermayer, Alexander Strasser Twitter Lou Logan, Reynaldo H. Verdejo Pinochet Launchpad Timothy Gu @@ -168,7 +168,7 @@ Codecs: dirac* Rostislav Pehlivanov dnxhd* Baptiste Coudurier dpcm.c Mike Melanson - dss_sp.c Oleksij Rempel, Michael Niedermayer + dss_sp.c Oleksij Rempel dv.c Roman Shaposhnik dvbsubdec.c Anshul Maheshwari dxa.c Kostya Shishkov @@ -422,7 +422,7 @@ Muxers/Demuxers: cdxl.c Paul B Mahol crc.c Michael Niedermayer daud.c Reimar Doeffinger - dss.c Oleksij Rempel, Michael Niedermayer + dss.c Oleksij Rempel dtshddec.c Paul B Mahol dv.c Roman Shaposhnik dxa.c Kostya Shishkov @@ -458,7 +458,7 @@ Muxers/Demuxers: mgsts.c Paul B Mahol microdvd* Aurelien Jacobs mm.c Peter Ross - mov.c Michael Niedermayer, Baptiste Coudurier + mov.c Baptiste Coudurier movenc.c Baptiste Coudurier, Matthieu Bouron movenccenc.c Eran Kornblau mpc.c Kostya Shishkov 
@@ -563,7 +563,6 @@ Windows MSVC Matthew Oliver, Hendrik Leppkes Windows ICL Matthew Oliver ADI/Blackfin DSP Marc Hoffman Sparc Roman Shaposhnik -x86 Michael Niedermayer OS/2 KO Myung-Hun From 679e869496ede3cd17369b46e815d3a47458cab4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2016 15:38:26 +0200 Subject: [PATCH 119/942] avcodec/mpegvideo: Do not clear the parse context during init It is allocated before, this cannot work Fixes Ticket5613 Signed-off-by: Michael Niedermayer (cherry picked from commit 24f513619680b5bef40b02db6ca07a8a009c2ece) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 798b517ec5..f660a1cbec 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -822,9 +822,7 @@ static void clear_context(MpegEncContext *s) s->sc.b_scratchpad = s->sc.obmc_scratchpad = NULL; - s->parse_context.buffer = NULL; - s->parse_context.buffer_size = 0; - s->parse_context.overread = 0; + s->bitstream_buffer = NULL; s->allocated_bitstream_buffer_size = 0; s->picture = NULL; From 5bf11223dd8eaee21d0230a285420abc2e248ecf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2016 20:22:02 +0200 Subject: [PATCH 120/942] avcodec/cfhd: Set dimensions unconditionally Fixes Ticket5215 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 056a4ae771b00645184c639fe9fd6b7217eb6d87) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index d6d831b6cf..3b2901d8ff 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
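Review bot: The reason parse_context is no longer reset lives only in the commit message; a reader of clear_context() sees every neighbouring pointer being cleared and may re-add the removed lines. A comment at the spot, `/* parse_context is allocated before clear_context() runs and must survive it */`, records the constraint where it is enforced. clear_context() starts above the hunk and continues below it.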
@@ -425,6 +425,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, return ret; } } + ret = ff_set_dimensions(avctx, s->coded_width, s->coded_height); + if (ret < 0) + return ret; + frame.f->width = + frame.f->height = 0; if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret; From 280587b4ab1044529fd99754b928d52a21046802 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jun 2016 02:41:45 +0200 Subject: [PATCH 121/942] avformat/mp3dec: Increase probe score slightly when the whole data from begin to end is mp3 Improves score for 1000-frames-of-noise-encoded-with-lame.mp3 without file extension Signed-off-by: Michael Niedermayer (cherry picked from commit 5fd73948bb684efcadc1f95fd2028b58d675f3ff) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index c76b21ebd6..50bf52cf27 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -64,6 +64,7 @@ static int check(AVIOContext *pb, int64_t pos, uint32_t *header); static int mp3_read_probe(AVProbeData *p) { int max_frames, first_frames = 0; + int whole_used = 0; int frames, ret; uint32_t header; const uint8_t *buf, *buf0, *buf2, *end; @@ -88,8 +89,11 @@ static int mp3_read_probe(AVProbeData *p) buf2 += h.frame_size; } max_frames = FFMAX(max_frames, frames); - if(buf == buf0) + if(buf == buf0) { first_frames= frames; + if (buf2 == end + sizeof(uint32_t)) + whole_used = 1; + } } // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! 
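Review bot: The assignment `frame.f->width = frame.f->height = 0;` right after ff_set_dimensions() has no comment saying why the frame dimensions are zeroed; presumably this makes ff_thread_get_buffer() take the size from avctx, but that should be stated, e.g. `/* zeroed so get_buffer uses the avctx dimensions just set */`, and confirmed. cfhd_decode() starts and ends outside the hunk.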
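Review bot: `buf2 == end + sizeof(uint32_t)` expresses "the frame chain covered the whole probe buffer" through pointer arithmetic whose correctness depends on how `end` was derived above the hunk; a comment such as `// every byte from buf0 to the end of the buffer was covered by valid frames` would make whole_used self-explanatory. If `end` is the buffer end minus the header size the comparison is exact; otherwise the `+ sizeof(uint32_t)` deserves a second look. mp3_read_probe() starts outside the hunk.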
@@ -98,6 +102,7 @@ static int mp3_read_probe(AVProbeData *p) else if(max_frames>=4 && max_frames >= p->buf_size/10000) return AVPROBE_SCORE_EXTENSION / 2; else if(ff_id3v2_match(buf0, ID3v2_DEFAULT_MAGIC) && 2*ff_id3v2_tag_len(buf0) >= p->buf_size) return p->buf_size < PROBE_BUF_MAX ? AVPROBE_SCORE_EXTENSION / 4 : AVPROBE_SCORE_EXTENSION - 2; + else if(first_frames > 1 && whole_used) return 5; else if(max_frames>=1 && max_frames >= p->buf_size/10000) return 1; else return 0; //mpegps_mp3_unrecognized_format.mpg has max_frames=3 From 2577cfd207ee619198f80ac46e3e4832cfc5b83f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jun 2016 14:28:24 +0200 Subject: [PATCH 122/942] avcodec/mpc8: Correct end truncation Fixes Ticket5478 Signed-off-by: Michael Niedermayer (cherry picked from commit b21f674876badefc68e4deecdb4a1d46de10b67c) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index a8feb6c4ce..8894457c7e 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -415,10 +415,14 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, c->cur_frame++; c->last_bits_used = get_bits_count(gb); - if(get_bits_left(gb) < 8) // we have only padding left - c->last_bits_used = buf_size << 3; if(c->cur_frame >= c->frames) c->cur_frame = 0; + if(c->cur_frame == 0 && get_bits_left(gb) < 8) {// we have only padding left + c->last_bits_used = buf_size << 3; + } else if (get_bits_left(gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + c->last_bits_used = buf_size << 3; + } *got_frame_ptr = 1; From 4e5d1c45f111966f37176757d4e75c9ec9fe4aac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jun 2016 01:36:15 +0200 Subject: [PATCH 123/942] avformat/mpegts: adjust probe score for low check_count Fixes mis-detection of tiff as mpegts Fixes Ticket5565 
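Review bot: The new branch returns the bare literal 5 between branches that are written in terms of AVPROBE_SCORE_* expressions, so its relation to the other scores is invisible; a short comment, `/* whole buffer parsed as frames but too few of them to trust: just above the 1 returned below */`, or a named value would explain the choice. The placement after the ID3v2 branch looks deliberate and could be mentioned in the same comment. mp3_read_probe() starts outside the hunk.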
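Review bot: The new overread branch logs the condition but otherwise behaves like the padding case: last_bits_used is moved to the end of the buffer and `*got_frame_ptr = 1` below still reports a good frame, so a packet whose bitstream ran past its end is handed to the caller with no error status. If emitting the partially decoded frame is intended best-effort behaviour, a comment saying so would stop the next reader from "fixing" it; if not, returning AVERROR_INVALIDDATA after the log is the stricter choice. `buf_size << 3` also overflows int for packets of 256 MiB and above, though such packets are unlikely to reach this decoder. mpc8_decode_frame() starts outside the hunk.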
Signed-off-by: Michael Niedermayer (cherry picked from commit 00c4861f13d9ec302348cfa1e2d4f1c796e9e86b) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 7a2f9421fe..e8f3889d1a 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2462,8 +2462,10 @@ static int mpegts_probe(AVProbeData *p) ff_dlog(0, "TS score: %d %d\n", sumscore, maxscore); - if (check_count >= CHECK_COUNT && sumscore > 6) { + if (check_count > CHECK_COUNT && sumscore > 6) { return AVPROBE_SCORE_MAX + sumscore - CHECK_COUNT; + } else if (check_count >= CHECK_COUNT && sumscore > 6) { + return AVPROBE_SCORE_MAX/2 + sumscore - CHECK_COUNT; } else if (check_count >= CHECK_COUNT && maxscore > 6) { return AVPROBE_SCORE_MAX/2 + sumscore - CHECK_COUNT; } else if (sumscore > 6) { From 694d37eb52ad296db8e038766750207ad61094e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jun 2016 17:13:51 +0200 Subject: [PATCH 124/942] avfilter/vf_telecine: Make frame writable before writing into it Fixes Ticket 5627 Signed-off-by: Michael Niedermayer (cherry picked from commit fa0097e008a145ea8324879d4e24c1881bb86279) Signed-off-by: Michael Niedermayer --- libavfilter/vf_telecine.c | 2 ++ tests/ref/fate/filter-pixfmts-fieldmatch | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_telecine.c b/libavfilter/vf_telecine.c index 182c670849..58babca9a1 100644 --- a/libavfilter/vf_telecine.c +++ b/libavfilter/vf_telecine.c @@ -190,6 +190,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *inpicref) } if (s->occupied) { + av_frame_make_writable(s->frame[nout]); for (i = 0; i < s->nb_planes; i++) { // fill in the EARLIER field from the buffered pic av_image_copy_plane(s->frame[nout]->data[i] + s->frame[nout]->linesize[i] * s->first_field, 
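Review bot: The two `else if` branches that test `check_count >= CHECK_COUNT` return the identical expression `AVPROBE_SCORE_MAX/2 + sumscore - CHECK_COUNT`, so they can be one branch: `} else if (check_count >= CHECK_COUNT && (sumscore > 6 || maxscore > 6)) {`. Keeping them separate only hides that the sumscore and maxscore cases are scored the same. mpegts_probe() starts outside the hunk.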
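Review bot: The return value of `av_frame_make_writable(s->frame[nout])` is ignored, here and in the second hunk of this file; the call can fail (it may allocate), and on failure the av_image_copy_plane() calls below still write into a buffer that may be shared with another reference, which is exactly what the call was added to prevent. Check it and propagate the error, e.g. `ret = av_frame_make_writable(s->frame[nout]); if (ret < 0) return ret;` using whatever error path filter_frame() already has for releasing inpicref. filter_frame() starts and ends outside the hunk.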
@@ -213,6 +214,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *inpicref) while (len >= 2) { // output THIS image as-is + av_frame_make_writable(s->frame[nout]); for (i = 0; i < s->nb_planes; i++) av_image_copy_plane(s->frame[nout]->data[i], s->frame[nout]->linesize[i], inpicref->data[i], inpicref->linesize[i], diff --git a/tests/ref/fate/filter-pixfmts-fieldmatch b/tests/ref/fate/filter-pixfmts-fieldmatch index 44622d060c..99946c8d1d 100644 --- a/tests/ref/fate/filter-pixfmts-fieldmatch +++ b/tests/ref/fate/filter-pixfmts-fieldmatch @@ -1,5 +1,5 @@ yuv410p a6c9b4065e8253d8120772f69be0bf04 yuv411p b913e634ad37ce046240252bed8681fb -yuv420p d448d95326eadeeb12ea0cc348067958 +yuv420p a9286560141eb14595e427dbe5829b00 yuv422p 11ad22ce00c5e8a30d0472f29fb15434 yuv444p 9350a3f23cd7d95ec441a49f63f55953 From 19b86db2b32fcd017c6f4f08508f7fb3183f47b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Apr 2016 19:19:25 +0200 Subject: [PATCH 125/942] avcodec: Add avpriv_codec_get_cap_skip_frame_fill_param() With this the use of the caps_internal from libavformat can be avoided Signed-off-by: Michael Niedermayer --- libavcodec/internal.h | 2 ++ libavcodec/utils.c | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/libavcodec/internal.h b/libavcodec/internal.h index 24d320c186..6c0efec8b1 100644 --- a/libavcodec/internal.h +++ b/libavcodec/internal.h @@ -293,6 +293,8 @@ const uint8_t *avpriv_find_start_code(const uint8_t *p, const uint8_t *end, uint32_t *state); +int avpriv_codec_get_cap_skip_frame_fill_param(const AVCodec *codec); + /** * Check that the provided frame dimensions are valid and set them on the codec * context. diff --git a/libavcodec/utils.c b/libavcodec/utils.c index fedbc476f7..5d5190002e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
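Review bot: The new prototype `int avpriv_codec_get_cap_skip_frame_fill_param(const AVCodec *codec);` has no Doxygen comment while the neighbouring declarations in this header do, and as an avpriv_ symbol it is used across library boundaries, so its contract should be written down. Something like `/** Return 1 if the codec has FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM set, 0 otherwise; lets other libraries avoid touching AVCodec.caps_internal directly. */` matches what the utils.c implementation in this commit does.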
@@ -1126,6 +1126,10 @@ int av_codec_get_max_lowres(const AVCodec *codec) return codec->max_lowres; } +int avpriv_codec_get_cap_skip_frame_fill_param(const AVCodec *codec){ + return !!(codec->caps_internal & FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM); +} + static void get_subtitle_defaults(AVSubtitle *sub) { memset(sub, 0, sizeof(*sub)); From d13ba3960659fc54a459769d656531ac65ba1511 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jun 2016 09:14:44 +0200 Subject: [PATCH 126/942] tests/api/api-codec-param-test: Do not directly access caps_internal The caps_internal field has moved without major bump and direct access causes crashes, found when testing 3.1 Signed-off-by: Michael Niedermayer (cherry picked from commit d0ee2e3ae6a7b58363b5e1ae518b242d0666f82b) Signed-off-by: Michael Niedermayer --- tests/api/api-codec-param-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/api/api-codec-param-test.c b/tests/api/api-codec-param-test.c index fa51964bbd..377a5e9c79 100644 --- a/tests/api/api-codec-param-test.c +++ b/tests/api/api-codec-param-test.c @@ -50,7 +50,7 @@ static int try_decode_video_frame(AVCodecContext *codec_ctx, AVPacket *pkt, int goto end; } - if (!decode && codec_ctx->codec->caps_internal & FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM) { + if (!decode && avpriv_codec_get_cap_skip_frame_fill_param(codec_ctx->codec)) { codec_ctx->skip_frame = AVDISCARD_ALL; } From 13b6852225847bf2a340d94afa4db4343970d2e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jun 2016 23:38:23 +0200 Subject: [PATCH 127/942] avformat/flvdec: Accept last size if its off by 1 Fixes part of Ticket5648 Signed-off-by: Michael Niedermayer (cherry picked from commit e8931d79cc4d3a807860c0d4a223a77b149d2e9e) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 5090ac2157..03bbf98d5e 100644 --- a/libavformat/flvdec.c 
+++ b/libavformat/flvdec.c @@ -1144,7 +1144,7 @@ retry_duration: leave: last = avio_rb32(s->pb); - if (last != orig_size + 11 && + if (last != orig_size + 11 && last != orig_size + 10 && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d\n", last, orig_size + 11); From 96ce6f64cc33e7d599d9b98e15d9fc2e3e28cb69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jun 2016 20:19:40 +0200 Subject: [PATCH 128/942] avcodec/flac_parser: Raise threshold for detecting invalid data Fixes regression from Ticket5428 Signed-off-by: Michael Niedermayer (cherry picked from commit b0b3676e136a09a13767859f429a0aa416d929cd) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 3723716441..183fe6e5c9 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -617,8 +617,8 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, if (!av_fifo_space(fpc->fifo_buf) && av_fifo_size(fpc->fifo_buf) / FLAC_AVG_FRAME_SIZE > - fpc->nb_headers_buffered * 10) { - /* There is less than one valid flac header buffered for 10 headers + fpc->nb_headers_buffered * 20) { + /* There is less than one valid flac header buffered for 20 headers * buffered. Therefore the fifo is most likely filled with invalid * data and the input is not a flac file. */ goto handle_error; From c34f0616d9c7c2e903a026182cf4630c75cdeee8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jun 2016 20:33:09 +0200 Subject: [PATCH 129/942] avformat/flacdec: Fix seeking close to EOF Fixes Ticket5428 Signed-off-by: Michael Niedermayer (cherry picked from commit d0b21b28a3d348c0302c98cee23c4820cd13e1e2) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
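Review bot: The condition now also accepts `orig_size + 10`, but the error message on the next line still names only `orig_size + 11` as the expected value, and nothing at the spot says why an off-by-one previous-tag size is tolerated. A comment on the condition, `/* some writers store the previous tag size one byte short; tolerate it */` (presumably what the ticket in the commit message describes), and a message listing the accepted sizes would keep the diagnostic honest. The enclosing function (labels retry_duration/leave) extends beyond the hunk.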
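Review bot: The threshold 20 appears twice in the hunk, once in the condition and once in the comment, and the commit had to update both; a named constant, e.g. `#define FLAC_MAX_HEADERLESS_RATIO 20` (constructed name) used in the expression and referenced from the comment, would keep them from drifting next time. flac_parse() starts outside the hunk.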
diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index eb92216c45..46c51a6453 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -259,8 +259,10 @@ static av_unused int64_t flac_read_timestamp(AVFormatContext *s, int stream_inde if (ret < 0){ if (ret == AVERROR(EAGAIN)) continue; - else - break; + else { + av_packet_unref(&pkt); + av_assert1(!pkt.size); + } } av_init_packet(&out_pkt); av_parser_parse2(parser, st->codec, @@ -277,7 +279,8 @@ static av_unused int64_t flac_read_timestamp(AVFormatContext *s, int stream_inde pts = parser->pts; break; } - } + } else if (ret < 0) + break; } av_parser_close(parser); return pts; From 811d560378f34f9bca5d7bf1216e5e9bb650927a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Apr 2016 17:26:56 +0200 Subject: [PATCH 130/942] avformat/format: Fix registering a format more than once and related races Signed-off-by: Michael Niedermayer (cherry picked from commit 4cc896ea5f06f8b1ebcde6d876d9c5b59ef9a016) Signed-off-by: Michael Niedermayer --- libavformat/format.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavformat/format.c b/libavformat/format.c index 15fe167fb2..f0abb5deeb 100644 --- a/libavformat/format.c +++ b/libavformat/format.c 
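Review bot: On the EOF path the new `else` block unrefs pkt and then falls through to av_parser_parse2() with the now-empty packet, and the loop only exits through the added `else if (ret < 0) break;` after that call; nothing at the spot says this is a deliberate flush of the parser's buffered frame, and it relies on `ret` keeping the av_read_frame() status across the parser call. A comment such as `/* EOF: feed an empty packet so the parser flushes its last buffered frame */` above av_init_packet() would record that invariant. The `av_assert1(!pkt.size)` only restates av_packet_unref()'s contract and could be dropped. flac_read_timestamp() starts outside the hunk.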
@@ -62,20 +62,24 @@ void av_register_input_format(AVInputFormat *format) { AVInputFormat **p = last_iformat; - format->next = NULL; - while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + // Note, format could be added after the first 2 checks but that implies that *p is no longer NULL + while(p != &format->next && !format->next && avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; - last_iformat = &format->next; + + if (!format->next) + last_iformat = &format->next; } void av_register_output_format(AVOutputFormat *format) { AVOutputFormat **p = last_oformat; - format->next = NULL; - while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + // Note, format could be added after the first 2 checks but that implies that *p is no longer NULL + while(p != &format->next && !format->next && avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; - last_oformat = &format->next; + + if (!format->next) + last_oformat = &format->next; } int av_match_ext(const char *filename, const char *extensions) From a5680d83af26d4e6cfb9fe2eb8f51247bf36a41f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jun 2016 23:49:36 +0200 Subject: [PATCH 131/942] avformat/mov: Check sample size Fixes integer overflow Fixes: poc.mp4 Found-by: ajax secure Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3221cc67a516dfc1700bdae3566ec52c7ee823) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0408ad164f..bcba9bb382 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
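Review bot: `format->next` is read with a plain load in the loop condition and `last_iformat`/`last_oformat` are written with plain stores, while only the list link itself goes through avpriv_atomic_ptr_cas(); unless that wrapper provides full barriers, a concurrent registration of the same format can see a stale `format->next`, so the new comment should state which ordering it relies on rather than only that the race is benign. The two functions are now identical apart from the pointer type; a shared helper or macro would keep this subtle loop from diverging again. Both functions are complete within the hunk.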
@@ -2750,7 +2750,12 @@ static void mov_build_index(MOVContext *mov, AVStream *st) sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { - AVIndexEntry *e = &st->index_entries[st->nb_index_entries++]; + AVIndexEntry *e; + if (sample_size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", sample_size); + return; + } + e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; e->size = sample_size; @@ -2875,6 +2880,10 @@ static void mov_build_index(MOVContext *mov, AVStream *st) av_log(mov->fc, AV_LOG_ERROR, "wrong chunk count %d\n", total); return; } + if (size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", size); + return; + } e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; From 6e13acaadd5ce44068c090675d0f84dc0d73b152 Mon Sep 17 00:00:00 2001 From: Sasi Inguva Date: Thu, 21 Jul 2016 18:52:41 -0700 Subject: [PATCH 132/942] libx264: Increase x264 opts character limit to 4096 Signed-off-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 282477bf4534439ecb06f14d46446a4f1ab82284) Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 5030d65f79..35339bc150 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -783,8 +783,8 @@ FF_ENABLE_DEPRECATION_WARNINGS if(x4->x264opts){ const char *p= x4->x264opts; while(p){ - char param[256]={0}, val[256]={0}; - if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ + char param[4096]={0}, val[4096]={0}; + if(sscanf(p, "%4095[^:=]=%4095[^:]", param, val) == 1){ OPT_STR(param, "1"); }else OPT_STR(param, val); From 6e6609f5dd61e2b195748b16d46964bd97d77c80 Mon Sep 17 00:00:00 2001 
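Review bot: The bound `0x3FFFFFFF` appears as a bare literal in both hunks of mov_build_index() with no hint of what it protects (the commit message says an integer overflow); a named constant, e.g. `#define MOV_MAX_SAMPLE_SIZE 0x3FFFFFFF` (constructed name) with a comment on which downstream arithmetic overflows above it, would document the limit once for both checks. The second hunk, `if (size > 0x3FFFFFFF)`, is the same check and would use the same constant. mov_build_index() starts and ends outside the hunks.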
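Review bot: The buffer size 4096 and the sscanf field widths 4095 are coupled in two places with nothing stating that the width must stay exactly one less than the buffer; a comment on the declaration, `/* sscanf widths below must be sizeof(param) - 1 */`, or a single named size would stop the next resize from reintroducing an overflow. The two arrays also put 8 KiB on the stack, which is fine for an init path but worth noting if this loop is ever moved. The enclosing function starts and ends outside the hunk.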
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Sat, 23 Jul 2016 21:43:06 +0200 Subject: [PATCH 133/942] libavutil/opt: Small bugfix in example. Fix const corectness and zero init the struct. This example code would actually crash when initializing string. Signed-off-by: Michael Niedermayer (cherry picked from commit 69630f4d304a4e35d90957d6a170744af87cbf93) Signed-off-by: Michael Niedermayer --- libavutil/opt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.h b/libavutil/opt.h index 753434d628..f6ab2839ed 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -58,7 +58,7 @@ * The following example illustrates an AVOptions-enabled struct: * @code * typedef struct test_struct { - * AVClass *class; + * const AVClass *class; * int int_opt; * char *str_opt; * uint8_t *bin_opt; @@ -96,7 +96,7 @@ * @code * test_struct *alloc_test_struct(void) * { - * test_struct *ret = av_malloc(sizeof(*ret)); + * test_struct *ret = av_mallocz(sizeof(*ret)); * ret->class = &test_class; * av_opt_set_defaults(ret); * return ret; From c5757266219c48bd4e3bbb382df2ff6048d19f26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Sat, 23 Jul 2016 23:47:39 +0200 Subject: [PATCH 134/942] libavformat/rtpdec_asf: zero initialize the AVIOContext struct This fixes crash in avformat_open_input() when accessing protocol_whitelist field. Signed-off-by: Michael Niedermayer (cherry picked from commit e947b75b1c76ef6793209c2c445b8c224a28717a) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 2b1ddf140d..1c88580f84 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c 
@@ -101,7 +101,7 @@ int ff_wms_parse_sdp_a_line(AVFormatContext *s, const char *p) { int ret = 0; if (av_strstart(p, "pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,", &p)) { - AVIOContext pb; + AVIOContext pb = { 0 }; RTSPState *rt = s->priv_data; AVDictionary *opts = NULL; int len = strlen(p) * 6 / 8; From 8b3d9c33d617d2a94c8733e4a57a8040ae1d41f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Aug 2016 13:50:21 +0200 Subject: [PATCH 135/942] avcodec/vp9_parser: Check the input frame sizes for being consistent Suggested-by: BBB Fixed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 77b0f3f26d33d4f46f274896e0583ad1f5936b7c) Signed-off-by: Michael Niedermayer --- libavcodec/vp9_parser.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index 2e9235e657..9900e7ab1f 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -28,6 +28,7 @@ typedef struct VP9ParseContext { int n_frames; // 1-8 int size[8]; + int marker_size; int64_t pts; } VP9ParseContext; @@ -88,6 +89,21 @@ static int parse(AVCodecParserContext *ctx, return 0; } + if (s->n_frames > 0) { + int i; + int size_sum = 0; + + for (i = 0; i < s->n_frames ;i++) + size_sum += s->size[i]; + size_sum += s->marker_size; + + if (size_sum != size) { + av_log(avctx, AV_LOG_ERROR, "Inconsistent input frame sizes %d %d\n", + size_sum, size); + s->n_frames = 0; + } + } + if (s->n_frames > 0) { *out_data = data; *out_size = s->size[--s->n_frames]; @@ -131,6 +147,7 @@ static int parse(AVCodecParserContext *ctx, data += sz; \ size -= sz; \ } \ + s->marker_size = size; \ parse_frame(ctx, *out_data, *out_size); \ return s->n_frames > 0 ? *out_size : full_size From 7876fd679d98531a2b3c864d40eafd42de938d3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Aug 2016 13:15:14 +0200 Subject: [PATCH 136/942] ffplay: Fix invalid array index Found-by: Thomas Guilbert Fixes: clusterfuzz_usan-2016-08-02 
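Review bot: `AVIOContext pb = { 0 };` fixes the crash but leaves no trace of why the zero-init matters, so a later cleanup may drop it; a comment such as `/* zero-init: avformat_open_input() reads fields (e.g. protocol_whitelist) that the initializer call below does not set */` records it, pending confirmation of which initializer is used further down, outside the hunk. ff_wms_parse_sdp_a_line() continues outside the hunk.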
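Review bot: `size_sum` is an int accumulating up to eight `s->size[i]` values plus marker_size; if the superframe-index parsing in the macro below already bounds every entry by the packet size this cannot overflow, but if any entry can approach INT_MAX the sum is signed overflow (UB) before the comparison. Declaring `int64_t size_sum = 0;` (or checking `size_sum > size - s->size[i]` before each add) removes the question. The new struct field would also benefit from a comment like its neighbour `n_frames`, e.g. `int marker_size; // bytes of the superframe index, not counted in size[]` — confirm that matches what the macro stores. parse() starts outside the hunk.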
Signed-off-by: Michael Niedermayer (cherry picked from commit 6cd9a8b67a95a136ea15bfe3c3bab6cf5e6d1cc9) Signed-off-by: Michael Niedermayer --- ffplay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffplay.c b/ffplay.c index 3df0d4dd72..97c356f835 100644 --- a/ffplay.c +++ b/ffplay.c @@ -2931,7 +2931,7 @@ static int read_thread(void *arg) AVStream *st = ic->streams[i]; enum AVMediaType type = st->codec->codec_type; st->discard = AVDISCARD_ALL; - if (wanted_stream_spec[type] && st_index[type] == -1) + if (type >= 0 && wanted_stream_spec[type] && st_index[type] == -1) if (avformat_match_stream_specifier(ic, st, wanted_stream_spec[type]) > 0) st_index[type] = i; } From 2a8441e949ee2eb83e78673b5fd877045c9b53be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Aug 2016 13:34:40 +0200 Subject: [PATCH 137/942] avformat/oggdec: Fix integer overflow with invalid pts If negative pts are possible for some codecs in ogg then the code needs to be changed to use signed values. Found-by: Thomas Guilbert Fixes: clusterfuzz_usan-2016-08-02 Signed-off-by: Michael Niedermayer (cherry picked from commit c5cc3b08e56fc95665977544486bd9f06e4b7a72) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index d7af1cfabd..4a2b6ddee8 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -162,6 +162,11 @@ ogg_gptopts (AVFormatContext * s, int i, uint64_t gp, int64_t *dts) if (dts) *dts = pts; } + if (pts > INT64_MAX && pts != AV_NOPTS_VALUE) { + // The return type is unsigned, we thus cannot return negative pts + av_log(s, AV_LOG_ERROR, "invalid pts %"PRId64"\n", pts); + pts = AV_NOPTS_VALUE; + } return pts; } From e7c00a2814238d199e2ae83eb98f97f4fd8fce7a Mon Sep 17 00:00:00 2001 
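Review bot: The added `type >= 0` guards only the lower bound of the index; `type` comes from `st->codec->codec_type`, a plain enum filled in by a demuxer, so an out-of-range positive value would still index wanted_stream_spec and st_index past their ends. If those arrays are sized AVMEDIA_TYPE_NB, the check should be `if (type >= 0 && type < AVMEDIA_TYPE_NB && wanted_stream_spec[type] && st_index[type] == -1)`. read_thread() starts outside the hunk.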
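Review bot: The new range check runs after `*dts = pts;` a few lines above it, so in that branch a rejected pts is replaced with AV_NOPTS_VALUE while the caller's dts still holds the out-of-range value. If dts is meant to mirror pts, move the check before that store or also reset `*dts` inside the new block; if callers treat dts independently, a comment saying so would settle it. ogg_gptopts() starts outside the hunk.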
From: Michael Niedermayer Date: Sat, 6 Aug 2016 01:53:30 +0200 Subject: [PATCH 138/942] avcodec/ffv1enc: Fix assertion failure with non zero bits per sample Fixes Ticket5736 Signed-off-by: Michael Niedermayer (cherry picked from commit c1bfeda5a34631787e07702f7a3569a41751caeb) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 9ee992144b..42e59a1efc 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -780,14 +780,12 @@ FF_ENABLE_DEPRECATION_WARNINGS s->colorspace = 1; s->transparency = 1; s->chroma_planes = 1; - if (!avctx->bits_per_raw_sample) - s->bits_per_raw_sample = 8; + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_0RGB32: s->colorspace = 1; s->chroma_planes = 1; - if (!avctx->bits_per_raw_sample) - s->bits_per_raw_sample = 8; + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_GBRP9: if (!avctx->bits_per_raw_sample) From ab9616428ac09b0a0b76da34c412c71096144e6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Aug 2016 16:27:31 +0200 Subject: [PATCH 139/942] avcodec/raw: Fix decoding of ilacetest.mov Signed-off-by: Michael Niedermayer (cherry picked from commit bbec14de3126dbc4e1ec2b32ed714dab173386aa) Signed-off-by: Michael Niedermayer --- libavcodec/raw.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/raw.c b/libavcodec/raw.c index bfa2537b5a..d36b68bfae 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c @@ -31,6 +31,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { AV_PIX_FMT_YUV420P, MKTAG('I', '4', '2', '0') }, /* Planar formats */ { AV_PIX_FMT_YUV420P, MKTAG('I', 'Y', 'U', 'V') }, + { AV_PIX_FMT_YUV420P, MKTAG('y', 'v', '1', '2') }, { AV_PIX_FMT_YUV420P, MKTAG('Y', 'V', '1', '2') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'U', 'V', '9') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'V', 'U', '9') }, From 09d1854063878a4bc6aa4e57d96fded9a602f464 Mon Sep 17 00:00:00 2001 
From: Hendrik Leppkes Date: Mon, 8 Aug 2016 15:27:41 +0200 Subject: [PATCH 140/942] cmdutils: remove the current working directory from the DLL search path on win32 Reviewed-by: Matt Oliver Signed-off-by: Michael Niedermayer (cherry picked from commit 3bf142c77337814458ed8e036796934032d9837f) Signed-off-by: Michael Niedermayer --- cmdutils.c | 9 +++++++++ cmdutils.h | 5 +++++ ffmpeg.c | 2 ++ ffplay.c | 2 ++ ffprobe.c | 2 ++ ffserver.c | 1 + 6 files changed, 21 insertions(+) diff --git a/cmdutils.c b/cmdutils.c index 03a4836207..6960f8c99c 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -107,6 +107,15 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v } } +void init_dynload(void) +{ +#ifdef _WIN32 + /* Calling SetDllDirectory with the empty string (but not NULL) removes the + * current working directory from the DLL search path as a security pre-caution. */ + SetDllDirectory(""); +#endif +} + static void (*program_exit)(int ret); void register_exit(void (*cb)(int ret)) diff --git a/cmdutils.h b/cmdutils.h index 83ea4ad39e..67bf4848b7 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -61,6 +61,11 @@ void register_exit(void (*cb)(int ret)); */ void exit_program(int ret) av_noreturn; +/** + * Initialize dynamic library loading + */ +void init_dynload(void); + /** * Initialize the cmdutils option system, in particular * allocate the *_opts contexts. diff --git a/ffmpeg.c b/ffmpeg.c index 9352b24004..435ad5730c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -4268,6 +4268,8 @@ int main(int argc, char **argv) int ret; int64_t ti; + init_dynload(); + register_exit(ffmpeg_cleanup); setvbuf(stderr,NULL,_IONBF,0); /* win32 runtime needs this */ diff --git a/ffplay.c b/ffplay.c index 97c356f835..22c530bb87 100644 --- a/ffplay.c +++ b/ffplay.c @@ -3771,6 +3771,8 @@ int main(int argc, char **argv) VideoState *is; char dummy_videodriver[] = "SDL_VIDEODRIVER=dummy"; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); parse_loglevel(argc, argv, options); 
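Review bot: The result of `SetDllDirectory("")` is discarded; it returns FALSE on failure, in which case the current directory silently stays on the DLL search path and the hardening this function exists for is lost without anyone noticing. Report it, e.g. `if (!SetDllDirectory("")) av_log(NULL, AV_LOG_WARNING, "SetDllDirectory() failed\n");`. The `#ifdef _WIN32` also assumes the declaration is in scope and that the target Windows version provides the function; a configure-level feature check would express both.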
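Review bot: The doc comment `Initialize dynamic library loading` omits the one thing a caller must know: it has to run before anything that may load a DLL, i.e. as the first statement of main(), and it is a no-op on non-Windows builds. Suggested: `/** Restrict the DLL search path (drops the current working directory on Windows). Call first thing in main(), before any library is initialized; no-op elsewhere. */`.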
diff --git a/ffprobe.c b/ffprobe.c index f7b51adda2..4f23bddb69 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -3178,6 +3178,8 @@ int main(int argc, char **argv) char *w_name = NULL, *w_args = NULL; int ret, i; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); register_exit(ffprobe_cleanup); diff --git a/ffserver.c b/ffserver.c index 35e399dc55..d73caee9ec 100644 --- a/ffserver.c +++ b/ffserver.c @@ -3975,6 +3975,7 @@ int main(int argc, char **argv) int cfg_parsed; int ret = EXIT_FAILURE; + init_dynload(); config.filename = av_strdup("/etc/ffserver.conf"); From 534dc63089d99eb9996f211f70719a060acdda66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Aug 2016 14:12:19 +0200 Subject: [PATCH 141/942] Update for 3.0.3 Signed-off-by: Michael Niedermayer --- Changelog | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 69 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 248f8b50a8..334e69068a 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,73 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.3: +- cmdutils: remove the current working directory from the DLL search path on win32 +- avcodec/raw: Fix decoding of ilacetest.mov +- avcodec/ffv1enc: Fix assertion failure with non zero bits per sample +- avformat/oggdec: Fix integer overflow with invalid pts +- ffplay: Fix invalid array index +- avcodec/vp9_parser: Check the input frame sizes for being consistent +- libavformat/rtpdec_asf: zero initialize the AVIOContext struct +- libavutil/opt: Small bugfix in example. +- libx264: Increase x264 opts character limit to 4096 +- avformat/mov: Check sample size +- avformat/format: Fix registering a format more than once and related races +- avformat/flacdec: Fix seeking close to EOF +- avcodec/flac_parser: Raise threshold for detecting invalid data +- avformat/flvdec: Accept last size if its off by 1 +- tests/api/api-codec-param-test: Do not directly access caps_internal +- avcodec: Add avpriv_codec_get_cap_skip_frame_fill_param() +- avfilter/vf_telecine: Make frame writable before writing into it +- avformat/mpegts: adjust probe score for low check_count +- avcodec/mpc8: Correct end truncation +- avformat/mp3dec: Increase probe score slightly when the whole data from begin to end is mp3 +- avcodec/cfhd: Set dimensions unconditionally +- avcodec/mpegvideo: Do not clear the parse context during init +- avcodec/h264: Fix off by 1 context count +- avcodec/alsdec: Check r to prevent out of array read +- avcodec/alsdec: fix max bits in ltp prefix code +- avcodec/utils: check skip_samples signedness +- avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream +- avcodec/bmp_parser: Check fsize +- avcodec/bmp_parser: reset state +- avcodec/bmp_parser: Fix remaining size +- avcodec/bmp_parser: Fix frame_start_found in cross frame cases +- avfilter/af_amix: do not fail if there are no samples in 
output_frame() +- avformat/allformats: Making av_register_all() thread-safe. +- librtmp: Avoid an infiniloop setting connection arguments +- avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame +- Revert "configure: Enable GCC vectorization on ≥4.9 on x86" +- avcodec/libopenjpegenc: Set numresolutions by default to a value that is not too large +- ffplay: Fix usage of private lavfi API +- tests/checkasm/checkasm: Disable checkasm_check_pixblockdsp for ppc64be +- avcodec/mpegvideo: Deallocate last/next picture earlier +- avcodec/bmp_parser: Fix state +- avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c +- avformat/utils: avoid overflow in compute_chapters_end() with huge durations +- avformat/utils: avoid overflow in update_stream_timings() with huge durations +- doc/developer.texi: Add a code of conduct +- ffserver: fixed deallocation bug in build_feed_streams +- avcodec/diracdec: Fix potential integer overflow +- avformat/avidec: Detect index with too short entries +- avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id() +- avformat/utils: Do not compute the bitrate from duration == 0 +- ffmpeg: Check that r_frame_rate is set before attempting to use it +- swresample/resample: Fix division by 0 with tap_count=1 +- swresample/rematrix: Use clipping s16 rematrixing if overflows are possible +- swresample/rematrix: Use error diffusion to avoid error in the DC component of the matrix +- hevc: Fix memory leak related to a53_caption data +- libavformat/oggdec: Free stream private when header parsing fails. 
+- avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id() +- avformat/oggparseopus: Check that granule pos is within the supported range +- avcodec/mjpegdec: Do not try to detect last scan but apply idct after all scans for progressive jpeg +- avformat/options_table: Add missing identifier for very strict compliance +- avformat/ffmdec: Check pix_fmt +- doc/general: update supported DCA extensions +- avcodec/rscc: check input buffer size for deflate mode +- avcodec/dca: fix sync word search error condition +- lavf/mpegts: Return small probe score for very short transport streams. + version 3.0.2: - avcodec/ttaenc: Reallocate packet if its too small diff --git a/RELEASE b/RELEASE index b502146930..75a22a26ac 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.2 +3.0.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 845d8dc010..91870f387b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.2 +PROJECT_NUMBER = 3.0.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 66bd740e0ba5d43d58d12f79addaf9acf8e3c0ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jun 2016 12:32:57 +0200 Subject: [PATCH 142/942] avcodec/h264: Put context_count check back Fixes assertion failure Signed-off-by: Michael Niedermayer (cherry picked from commit f883f0b0bd0dac76b58e49f5c75cf9b497eecaa0) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b1001f8516..b979b15382 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -1656,10 +1656,12 @@ again: av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); sl->ref_count[0] = sl->ref_count[1] = sl->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { - ret = ff_h264_execute_decode_slices(h, context_count); - if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) - goto end; - context_count = 0; + if (context_count > 0) { + ret = ff_h264_execute_decode_slices(h, context_count); + if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) + goto end; + context_count = 0; + } /* Slice could not be decoded in parallel mode, restart. Note * that rbsp_buffer is not transferred, but since we no longer * run in parallel mode this should not be an issue. */ From 61fcba75464a6f4766bcf49e12cad8bc1d03379b Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 22 Aug 2016 19:24:31 -0300 Subject: [PATCH 143/942] cmdutils: check for SetDllDirectory() availability It's only available on Windows XP or newer. Should fix compilation with mingw32 using the default OS target. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer --- cmdutils.c | 2 +- configure | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 6960f8c99c..a725e77531 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -109,7 +109,7 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v void init_dynload(void) { -#ifdef _WIN32 +#if HAVE_SETDLLDIRECTORY /* Calling SetDllDirectory with the empty string (but not NULL) removes the * current working directory from the DLL search path as a security pre-caution. */ SetDllDirectory(""); diff --git a/configure b/configure index 1091bdcc13..c9c139e7aa 100755 --- a/configure +++ b/configure @@ -1900,6 +1900,7 @@ SYSTEM_FUNCS=" sched_getaffinity SetConsoleTextAttribute SetConsoleCtrlHandler + SetDllDirectory setmode setrlimit Sleep 
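Review bot: The restored `if (context_count > 0)` guard in the `SLICE_SINGLETHREAD` branch carries no comment saying why `context_count` can be zero here, which is exactly the reason the guard exists and what produced the assertion failure named in the commit message. Without it the check is likely to be "simplified" away again; a one-liner above the `if` would do: `/* may be 0 when no slices are queued yet; ff_h264_execute_decode_slices() does not accept that (it asserts) */`. The enclosing function begins and ends outside this hunk.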
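Review bot: With `#if HAVE_SETDLLDIRECTORY` the whole body of `init_dynload()` appears to compile out on targets that lack the function, so the "remove the CWD from the DLL search path" hardening described in the comment silently does not apply there, and the comment still reads as if every Windows build gets it. Say so next to the call: `/* Not available before Windows XP: on such targets the CWD stays on the DLL search path. */`. The function's closing brace is outside the hunk.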
@@ -5317,6 +5318,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h PeekNamedPipe check_func_headers windows.h SetConsoleTextAttribute check_func_headers windows.h SetConsoleCtrlHandler +check_func_headers windows.h SetDllDirectory check_func_headers windows.h Sleep check_func_headers windows.h VirtualAlloc check_struct windows.h "CONDITION_VARIABLE" Ptr From 426b959e37bd1e27f369b887a4d2e3771a88033f Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Mon, 29 Aug 2016 15:25:58 +0200 Subject: [PATCH 144/942] cmdutils: fix implicit declaration of SetDllDirectory function Pre-processor check changed by commiter. Signed-off-by: James Almer --- cmdutils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmdutils.c b/cmdutils.c index a725e77531..3bb8bde3e9 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -61,6 +61,9 @@ #include #include #endif +#if HAVE_SETDLLDIRECTORY +#include +#endif static int init_report(const char *env); From 17035c8d2eb38d1e1c6adf7962e75dbd45e6351e Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 2 Sep 2016 17:10:57 +0200 Subject: [PATCH 145/942] lavc/mjpegdec: Do not skip reading quantization tables. They may contain 0xFFs, confusing the start code finding algorithm. Fixes ticket #5819. (cherry picked from commit cef5bc0e6e2320d3903cf063d59cef83e91dbc3c) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4bde42f784..f002ccd866 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2104,6 +2104,9 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* Comment */ else if (start_code == COM) mjpeg_decode_com(s); + else if (start_code == DQT) { + ff_mjpeg_decode_dqt(s); + } ret = -1; 
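Review bot: The new `else if (start_code == DQT)` branch discards the return value of `ff_mjpeg_decode_dqt()`, while the `DHT` case in this patch's second hunk checks `ff_mjpeg_decode_dht()` and logs on failure; the removed `case DQT:` ignored it too, but relocating the call is the moment to fix that. If `ff_mjpeg_decode_dqt()` returns a negative AVERROR on a bad table as its sibling does, use `ret = ff_mjpeg_decode_dqt(s);` plus the same error handling the `DHT` case applies, noting that the unconditional `ret = -1;` on the next line would otherwise overwrite it. The reason for parsing here rather than in the `switch` (the commit message's point that table bytes may contain 0xFF and confuse the start-code search) should also be recorded: `/* parse DQT before the start-code scan: table bytes may contain 0xFF */`. `ff_mjpeg_decode_frame()` is cut by the hunk.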
@@ -2135,9 +2138,6 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->restart_count = 0; /* nothing to do on SOI */ break; - case DQT: - ff_mjpeg_decode_dqt(s); - break; case DHT: if ((ret = ff_mjpeg_decode_dht(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "huffman table decode error\n"); From 815a4439c38489cabf7554ba3c722c135a700db3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 02:07:22 +0200 Subject: [PATCH 146/942] avcodec/rawdec: Fix bits_per_coded_sample checks Fixes assertion failure Fixes: 9eb9cf5b8c26dd0fa7107ed0348dcc1f/signal_sigabrt_7ffff6ae7c37_8926_4609a5c3f071d555d2d557625f9687b1.swf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 237207645b36fb79759d313c0399ee93ba467b9d) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 287be96955..193a88fd33 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -223,8 +223,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, } desc = av_pix_fmt_desc_get(avctx->pix_fmt); - if ((avctx->bits_per_coded_sample == 8 || avctx->bits_per_coded_sample == 4 - || avctx->bits_per_coded_sample <= 2) && + if ((avctx->bits_per_coded_sample == 8 || avctx->bits_per_coded_sample == 4 || + avctx->bits_per_coded_sample == 2 || avctx->bits_per_coded_sample == 1 || + (avctx->bits_per_coded_sample == 0 && (context->is_nut_pal8 || context->is_mono)) ) && (context->is_mono || context->is_pal8) && (!avctx->codec_tag || avctx->codec_tag == MKTAG('r','a','w',' ') || context->is_nut_mono || context->is_nut_pal8)) { From ca92adafb0effac6c51a12f90a593ba7e8b3ee90 Mon Sep 17 00:00:00 2001 
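Review bot: The rewritten depth test enumerates 8/4/2/1 and accepts 0 only together with `is_nut_pal8`/`is_mono`, whereas the old `<= 2` let 0 and negative values through for every pal8/mono input; nothing in the code records that change of intent, and a three-clause `&&` spread over four lines is easy to misread. A comment above the `if` helps: `/* depths 8/4/2/1 are handled here; 0 only for NUT pal8/mono; other values (incl. negative) are not handled by this branch */`. Hoisting the depth clause into a named local (`int known_depth = ...;`) would let the remaining condition read as three independent facts. `raw_decode()` begins and ends outside this hunk.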
From: Michael Niedermayer Date: Fri, 19 Aug 2016 10:28:22 +0200 Subject: [PATCH 147/942] avformat/swfdec: Fix inflate() error code check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes infinite loop Fixes endless.poc Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit a453bbb68f3eec202673728988bba3bc76071761) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index eb17e82e08..518ca1fcb9 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -119,10 +119,10 @@ retry: z->avail_out = buf_size; ret = inflate(z, Z_NO_FLUSH); - if (ret < 0) - return AVERROR(EINVAL); if (ret == Z_STREAM_END) return AVERROR_EOF; + if (ret != Z_OK) + return AVERROR(EINVAL); if (buf_size - z->avail_out == 0) goto retry; From 93534cd642ddb92e45226ed9dd059b81a719a6b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 13:07:14 +0200 Subject: [PATCH 148/942] avcodec/indeo2: check ctab Fixes out of array access Fixes: 6b73fa392ac808f02e95a4e0a5770026/asan_static-oob_1b15f9a_1969_e7778535e5f27225fe0d6ded14721430.AVI Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffe44c5c75c485b4cbb12751e228f18da219df3) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 17f236761d..7ad686d50b 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -171,6 +171,12 @@ static int ir2_decode_frame(AVCodecContext *avctx, ltab = buf[0x22] & 3; ctab = buf[0x22] >> 2; + + if (ctab > 3) { + av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); + return AVERROR_INVALIDDATA; + } + if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], 
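Review bot: The reordered test treats every return other than `Z_OK` as an error, which now also covers `Z_NEED_DICT` (a positive zlib code) that the old `ret < 0` check let back into the `retry` loop; that is the infinite loop the commit message fixes, but nothing in the code says so. A comment on the new line keeps the next reader from reverting to a sign test: `/* anything but Z_OK/Z_STREAM_END is fatal here; note Z_NEED_DICT is positive, so do not test the sign */`. The enclosing function is not fully visible in this hunk.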
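Review bot: The new bound `ctab > 3` is a bare magic number with no statement of what it protects; `ltab` is already confined to 0..3 by `& 3`, but `ctab = buf[0x22] >> 2` can reach 63 if `buf` is a byte buffer, which is why only `ctab` needs a check. Tie the limit to the table it indexes, e.g. `/* ltab is masked to 0..3 above; ctab is not, and must index a 4-entry table */` — confirm the table size at the use site of `ctab`, which is outside this hunk. `ir2_decode_frame()` begins and ends outside the hunk.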
From d794d97d960341ae6ad6294446b8799dcf80e811 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 21:34:38 +0200 Subject: [PATCH 149/942] avcodec/cfhd: Increase minimum band dimension to 3 The implementation does not currently support len=2 Fixes out of array accesses Fixes: 29d1b3db5ba2205e82b0b3a533e057a3/asan_heap-oob_12b650c_9254_3b8c4e4d931eb2c32841c18ebb297f1d.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b8b36717217c6f45db71c77ad4e7c65521e7d9ff) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 3b2901d8ff..196647f3ee 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -312,7 +312,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[0][0].width = data; s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); - if (data < 2 || data > s->plane[s->channel_num].band[0][0].a_width) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; @@ -320,7 +320,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, } else if (tag == 28) { s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); - if (data < 2 || data > s->plane[s->channel_num].band[0][0].height) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; 
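Review bot: In the lowpass-height hunk (`@@ -320`) the upper bound is tautological: the line just above assigns `band[0][0].height = data`, so `data > s->plane[s->channel_num].band[0][0].height` can never be true and only the new `data < 3` half of the check does anything. The width hunk compares against `a_width`; if there is an `a_height` counterpart (not visible here), the line should read `if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) {`. Separately, the minimum 3 is now repeated in six places (this hunk and the highpass hunks at `@@ -358`, `@@ -366`, `@@ -375`, `@@ -383`); a named constant carrying the commit's rationale, e.g. `#define CFHD_MIN_BAND_DIM 3 /* the filters do not support len=2 */`, keeps them in sync. `cfhd_decode()` is outside all of these hunks.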
@@ -358,7 +358,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[s->level][s->subband_num].width = data; s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; @@ -366,7 +366,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, } else if (tag == 42) { s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; @@ -375,7 +375,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[s->level][s->subband_num].width = data; s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; @@ -383,7 +383,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, } else if (tag == 50) { s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); - if (data < 2) { + if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; From 4ab41164d23899716d79752511fb9d975a264016 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 20 Aug 2016 19:21:07 +0200 Subject: [PATCH 150/942] avcodec/diracdec: Check numx/y Fixes division by 0 Fixes: 60261c4469ba3e11059890fb2832a515/asan_generic_135e694_2790_beb94eaa0aeb7d11c0437375a8964a99.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a31e08fa1aa5c5f0518b8af850f28eb945268e66) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1d7bb9b98b..1242bd821d 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1153,6 +1153,11 @@ static int dirac_unpack_idwt_params(DiracContext *s) else { s->num_x = svq3_get_ue_golomb(gb); s->num_y = svq3_get_ue_golomb(gb); + if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { + av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); + s->num_x = s->num_y = 0; + return AVERROR_INVALIDDATA; + } if (s->ld_picture) { s->lowdelay.bytes.num = svq3_get_ue_golomb(gb); s->lowdelay.bytes.den = svq3_get_ue_golomb(gb); From fe7366ee93c8d2fc43b10dc8987cbdc7d44098fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Aug 2016 20:30:34 +0200 Subject: [PATCH 151/942] libavcodec/wmalosslessdec: Check the remaining bits Fixes assertion failure Fixes: 24ebfda03228b5cc1ef792608cfba458/signal_sigabrt_7ffff6ae7c37_6473_3fa8a111dbc752b1a7c411c5ab79aaa4.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 67318187fbba382d887f9581dde48a50842f1bea) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8a5ffb86a5..a335f07ae4 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c 
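Review bot: The first operand `s->num_x * s->num_y == 0` is evaluated before the widened product, so if `num_x`/`num_y` are plain `int` (they come from `svq3_get_ue_golomb()`), two large values overflow signed int in that multiplication — undefined behaviour — before the `(uint64_t)` overflow check ever runs. Test the zero case without multiplying: `if (!s->num_x || !s->num_y || s->num_x * (uint64_t)s->num_y > INT_MAX) {`. A short comment on why the product must fit in `int` (presumably it sizes a later loop or allocation — confirm at the use site) would also help. `dirac_unpack_idwt_params()` is cut by the hunk.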
@@ -1252,6 +1252,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, } } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /* save the rest of the data so that it can be decoded From 2858f77fd460f668a9e29dd897be940d29d9bb10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Aug 2016 21:30:36 +0200 Subject: [PATCH 152/942] avformat/wtvdec: Check pointer before use Fixes out of array read Fixes: 049fdf78565f1ce5665df236d90f8657/asan_heap-oob_10a5a97_1026_42f9d4855547329560f385768de2f3fb.wtv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cc5e5548df4af48674c7aef518e831b19e99f9fc) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 71deaf0aa6..882fde13f4 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -1033,7 +1033,7 @@ static int read_header(AVFormatContext *s) while (1) { uint64_t frame_nb = avio_rl64(pb); uint64_t position = avio_rl64(pb); - while (frame_nb > e->size && e <= e_end) { + while (e <= e_end && frame_nb > e->size) { e->pos = last_position; e++; } From cd91aaa4cc59bca6d05e30a0b044cd95df26a26f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Aug 2016 11:00:29 +0200 Subject: [PATCH 153/942] avcodec/aacenc: Tighter input checks Fixes occurance of NaN/Inf leading to assertion failures and out of array access Fixes: d1c38a09acc34845c6be3a127a5aacaf/signal_sigsegv_3982225_6121_d18bd5451d4245ee09408f04badd1b83.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 77bf96b04710b98a52aaddb93bfd32da0d506191) 
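Review bot: `remaining_bits(s, gb)` is evaluated twice in the added block (once in the test, once negated for the log) and a third time in the `if` that follows; a single local makes the value logged the value tested: `int rem = remaining_bits(s, gb);` then `if (rem < 0) { av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -rem); s->packet_loss = 1; }`. A comment on why an overread is treated as packet loss rather than an immediate error return would help, since the code below keeps going with `packet_loss` set. `decode_packet()` starts and ends outside the hunk.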
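Review bot: The swapped order stops `e->size` from being read past the end, but `e <= e_end` is still inclusive, so `*e_end` is dereferenced; that is only right if `e_end` points at the last valid entry rather than one past it. Whichever it is, state it where `e_end` is computed (outside this hunk), e.g. `/* e_end points at the last valid entry, hence the inclusive bound */`, or use the conventional `e < e_end` if it is one-past-the-end. The outer `while (1)` has no exit visible in the hunk; `read_header()` continues beyond it.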
Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 5a70da1764..51b90e98b5 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -609,8 +609,8 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } for (k = 0; k < 1024; k++) { - if (!isfinite(cpe->ch[ch].coeffs[k])) { - av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n"); + if (!(fabs(cpe->ch[ch].coeffs[k]) < 1E16)) { // Ensure headroom for energy calculation + av_log(avctx, AV_LOG_ERROR, "Input contains (near) NaN/+-Inf\n"); return AVERROR(EINVAL); } } From 1b47c278a606f1bef198b6a7746edc70e0e7d84d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Aug 2016 01:12:49 +0200 Subject: [PATCH 154/942] avformat/utils: End probing if the expected codec surpasses AVPROBE_SCORE_STREAM_RETRY Fixes Ticket5800 Signed-off-by: Michael Niedermayer (cherry picked from commit c75273310cf1becffee79bab0e2bba0b1606afb7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 542ded76cb..fbc9a68bbe 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -297,7 +297,7 @@ static int set_codec_from_probe_data(AVFormatContext *s, AVStream *st, int score; AVInputFormat *fmt = av_probe_input_format3(pd, 1, &score); - if (fmt && st->request_probe <= score) { + if (fmt) { int i; av_log(s, AV_LOG_DEBUG, "Probe with size=%d, packets=%d detected %s with score=%d\n", @@ -305,6 +305,9 @@ static int set_codec_from_probe_data(AVFormatContext *s, AVStream *st, fmt->name, score); for (i = 0; fmt_id_type[i].name; i++) { if (!strcmp(fmt->name, fmt_id_type[i].name)) { + if (st->request_probe > score && + st->codec->codec_id != fmt_id_type[i].id) + continue; st->codec->codec_id = fmt_id_type[i].id; st->codec->codec_type = fmt_id_type[i].type; return score; 
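Review bot: `!(fabs(x) < 1E16)` relies on NaN failing every comparison — that is how the rewritten test still rejects NaN after dropping `isfinite()` — but the trailing comment only mentions headroom, so a later "cleanup" to `fabs(x) >= 1E16` would silently let NaN through again. Spell it out, e.g. `// negated compare on purpose: also true for NaN, which fails every comparison`, and give the limit a name (`#define AAC_MAX_INPUT 1E16` or similar) so the headroom reasoning lives in one place. `aac_encode_frame()` is not fully visible in this hunk.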
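Review bot: In the second hunk the added `continue` encodes a non-obvious rule: when the score is below `st->request_probe` and the detected codec differs from the current `codec_id`, the match is skipped, but when it agrees the codec is set and `score` is returned even though the threshold was not met. That deserves a comment on the `if`, e.g. `/* below the requested score, only accept a result that confirms the codec already set */`. Since `fmt->name` already matched, `continue` will not find a second entry for the same name unless the table has duplicates, so `break` would state the intent more directly; what the function returns after the loop is outside the hunk.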
From 1d90326f95a791db515f69a01a5f6ef867896d15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2016 12:19:29 +0200 Subject: [PATCH 155/942] avformat/avidec: Fix infinite loop in avi_read_nikon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 360/test.poc Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit e4e4a9cad7f21593d4bcb1f2404ea0d373c36c43) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a6459a0e05..72099806a6 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -344,14 +344,14 @@ static void avi_metadata_creation_time(AVDictionary **metadata, char *date) static void avi_read_nikon(AVFormatContext *s, uint64_t end) { - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !avio_feof(s->pb)) { uint32_t tag = avio_rl32(s->pb); uint32_t size = avio_rl32(s->pb); switch (tag) { case MKTAG('n', 'c', 't', 'g'): /* Nikon Tags */ { uint64_t tag_end = avio_tell(s->pb) + size; - while (avio_tell(s->pb) < tag_end) { + while (avio_tell(s->pb) < tag_end && !avio_feof(s->pb)) { uint16_t tag = avio_rl16(s->pb); uint16_t size = avio_rl16(s->pb); const char *name = NULL; From 3512ed3622e1200f03e0d508b5c1bcbf9f5d2c88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Sep 2016 01:29:52 +0200 Subject: [PATCH 156/942] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog b/Changelog index 334e69068a..81fa45f720 100644 --- a/Changelog +++ b/Changelog 
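Review bot: The `avio_feof()` checks stop both loops on a truncated file, but the inner bound `tag_end = avio_tell(s->pb) + size` is still taken from the file and never clamped to the outer `end`, so a large `size` lets the `nctg` loop consume the rest of the chunk and beyond before `end` is re-checked. If that is not intended (the tail of the function is not visible), `tag_end = FFMIN(tag_end, end);` after the assignment keeps the nested walk inside the chunk. Note also that EOF is only consulted after the two reads, so the iteration that hits EOF appears to run once with zero-filled `tag`/`size`; harmless, but worth a comment.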
@@ -2,6 +2,19 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.3: +- avformat/avidec: Fix infinite loop in avi_read_nikon() +- avcodec/aacenc: Tighter input checks +- avformat/wtvdec: Check pointer before use +- libavcodec/wmalosslessdec: Check the remaining bits +- avcodec/diracdec: Check numx/y +- avcodec/cfhd: Increase minimum band dimension to 3 +- avcodec/indeo2: check ctab +- avformat/swfdec: Fix inflate() error code check +- avcodec/rawdec: Fix bits_per_coded_sample checks +- lavc/mjpegdec: Do not skip reading quantization tables. +- cmdutils: fix implicit declaration of SetDllDirectory function +- cmdutils: check for SetDllDirectory() availability +- avcodec/h264: Put context_count check back - cmdutils: remove the current working directory from the DLL search path on win32 - avcodec/raw: Fix decoding of ilacetest.mov - avcodec/ffv1enc: Fix assertion failure with non zero bits per sample From 73b644cdee8a45d2fd736f556b6414615d11d970 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 24 Sep 2016 13:07:39 +0200 Subject: [PATCH 157/942] lavf/utils: Avoid an overflow for huge negative durations. Fixes ticket #5135. (cherry picked from commit 267da70ea8c36caaa645a3c4f1c5f0ca8bae156a) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index fbc9a68bbe..42b617e2c1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2373,7 +2373,7 @@ static void update_stream_timings(AVFormatContext *ic) end_time1 = av_rescale_q_rnd(st->duration, st->time_base, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); - if (end_time1 != AV_NOPTS_VALUE && start_time1 <= INT64_MAX - end_time1) { + if (end_time1 != AV_NOPTS_VALUE && (end_time1 > 0 ? start_time1 <= INT64_MAX - end_time1 : start_time1 >= INT64_MIN - end_time1)) { end_time1 += start_time1; end_time = FFMAX(end_time, end_time1); } 
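Review bot: The extended guard is right — it now checks the addition in both directions — but it is a single nested-ternary line of roughly 130 characters, which is hard to review and easy to get wrong on the next edit. Factor the overflow test into a small static helper with a one-line contract comment and call it from the `if`; the rest of `update_stream_timings()` is outside the hunk and untouched.
```c
/* true when a + b neither overflows nor underflows int64_t */
static inline int int64_add_fits(int64_t a, int64_t b)
{
    return b > 0 ? a <= INT64_MAX - b : a >= INT64_MIN - b;
}

/* … unchanged: update_stream_timings() up to the av_rescale_q_rnd() call … */
            if (end_time1 != AV_NOPTS_VALUE && int64_add_fits(start_time1, end_time1)) {
```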
From 6744d3f6b953884fd092bd6fc460513e7531defe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2016 20:25:24 +0200 Subject: [PATCH 158/942] swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices Signed-off-by: Michael Niedermayer (cherry picked from commit 47bc1bdafb0950ccf128eaa491d8fd7cc0978813) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 74f3467428..9662a10ab4 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -352,6 +352,7 @@ static int packed_16bpc_bswap(SwsContext *c, const uint8_t *src[], int min_stride = FFMIN(FFABS(srcstr), FFABS(dststr)); if(!dstPtr || !srcPtr) continue; + dstPtr += (srcSliceY >> c->chrDstVSubSample) * dststr; for (i = 0; i < (srcSliceH >> c->chrDstVSubSample); i++) { for (j = 0; j < min_stride; j++) { dstPtr[j] = av_bswap16(srcPtr[j]); From cb8a29f872909aa88f34b1b9b8e4a355af889ee6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Sep 2016 12:15:24 +0200 Subject: [PATCH 159/942] swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices Signed-off-by: Michael Niedermayer (cherry picked from commit e57d99dd4e0d8fe2992da0d65b563580e35ce728) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 9662a10ab4..b2d1401e6f 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -558,6 +558,8 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], int bpc = dst_format->comp[0].depth; int alpha = src_format->flags & AV_PIX_FMT_FLAG_ALPHA; int swap = 0; + int i; + if ( HAVE_BIGENDIAN && !(src_format->flags & AV_PIX_FMT_FLAG_BE) || !HAVE_BIGENDIAN && src_format->flags & AV_PIX_FMT_FLAG_BE) swap++; 
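Review bot: The added offset `(srcSliceY >> c->chrDstVSubSample) * dststr` is applied to every plane the loop visits, mirroring the existing `srcSliceH >> c->chrDstVSubSample` bound; that is only right if the same vertical subsampling applies to each plane of the formats this path handles, which the hunk does not show. A comment stating the assumption, `/* slice offset uses the same vertical subsampling as the row count below */`, or confirmation at the call site, would help. Also, `dststr` may be negative (the code takes `FFABS(dststr)` for `min_stride`), so the multiplication intentionally walks backwards for flipped output — worth saying. `packed_16bpc_bswap()` is not fully visible.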
@@ -571,6 +573,12 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], src_format->name, dst_format->name); return srcSliceH; } + + for(i=0; i<4; i++) { + dst2013[i] += stride2013[i] * srcSliceY / 2; + dst1023[i] += stride1023[i] * srcSliceY / 2; + } + switch (c->srcFormat) { case AV_PIX_FMT_RGB48LE: case AV_PIX_FMT_RGB48BE: From 9259b7f38e008720096532cd4e666a9889f3c578 Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 7 Sep 2016 14:05:35 -0700 Subject: [PATCH 160/942] avformat/mov: Fix potential integer overflow in mov_read_keys Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so we need to check that (count + 1) won't cause overflow. Signed-off-by: Michael Niedermayer (cherry picked from commit 347cb14b7cba7560e53f4434b419b9d8800253e7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index bcba9bb382..6b90d08ddc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3149,7 +3149,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); - if (count > UINT_MAX / sizeof(*c->meta_keys)) { + if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count); return AVERROR_INVALIDDATA; From d669b7f4f6e8bfe4db5501c7f1d95bdae84f1f1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2016 10:26:15 +0200 Subject: [PATCH 161/942] avcodec/ccaption_dec: Use simple array instead of AVBuffer This is simpler and fixes an out of array read, fixing it with AVBuffers would be more complex Fixes: e00d9e6e50e5495cc93fea41147b97bb/asan_heap-oob_12dcdbb_8798_b32a97ea722dd37bb5066812cc674552.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 752e6dfa3ea97e7901870bdd9e5a51f860607240) 
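Review bot: The `/ 2` in `stride2013[i] * srcSliceY / 2` is unexplained; presumably the strides are in bytes while `dst2013`/`dst1023` are `uint16_t` pointers, but their declarations are outside this hunk, so the code needs to say so: `/* strides are in bytes; dst2013/dst1023 hold uint16_t, hence / 2 */`. The loop is also written `for(i=0; i<4; i++)`, unlike the `for (i = 0; ...)` form used elsewhere in this file (see `packed_16bpc_bswap()` in the previous patch); match the surrounding style. `Rgb16ToPlanarRgb16Wrapper()` continues beyond the hunk.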
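Review bot: The `- 1` is correct only because the allocation is `(count + 1) * sizeof(*c->meta_keys)`, which the commit message explains but the code does not; put the reason next to the check so the two stay in step: `/* the allocation below is (count + 1) entries, hence the - 1 */`. The log line prints `count` with `%d`; if `count` holds the unsigned value returned by `avio_rb32()` (its declaration is outside the hunk), `%u` matches the type. `mov_read_keys()` continues beyond the hunk.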
Signed-off-by: Michael Niedermayer --- libavcodec/ccaption_dec.c | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c index 790f0718fd..4b42dbc5db 100644 --- a/libavcodec/ccaption_dec.c +++ b/libavcodec/ccaption_dec.c @@ -135,7 +135,8 @@ typedef struct CCaptionSubContext { int64_t last_real_time; char prev_cmd[2]; /* buffer to store pkt data */ - AVBufferRef *pktbuf; + uint8_t *pktbuf; + int pktbuf_size; } CCaptionSubContext; @@ -160,11 +161,7 @@ static av_cold int init_decoder(AVCodecContext *avctx) if (ret < 0) { return ret; } - /* allocate pkt buffer */ - ctx->pktbuf = av_buffer_alloc(128); - if (!ctx->pktbuf) { - ret = AVERROR(ENOMEM); - } + return ret; } @@ -172,7 +169,8 @@ static av_cold int close_decoder(AVCodecContext *avctx) { CCaptionSubContext *ctx = avctx->priv_data; av_bprint_finalize(&ctx->buffer, NULL); - av_buffer_unref(&ctx->pktbuf); + av_freep(&ctx->pktbuf); + ctx->pktbuf_size = 0; return 0; } @@ -578,16 +576,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp int ret = 0; int i; - if (ctx->pktbuf->size < len) { - ret = av_buffer_realloc(&ctx->pktbuf, len); - if (ret < 0) { - av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size); - len = ctx->pktbuf->size; - ret = 0; - } + av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len); + if (!ctx->pktbuf) { + av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size); + return AVERROR(ENOMEM); } - memcpy(ctx->pktbuf->data, avpkt->data, len); - bptr = ctx->pktbuf->data; + memcpy(ctx->pktbuf, avpkt->data, len); + bptr = ctx->pktbuf; for (i = 0; i < len; i += 3) { uint8_t cc_type = *(bptr + i) & 3; From b7b3b0086d4e87caa2f8a54d472e20c80ce23369 Mon Sep 17 00:00:00 2001 
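Review bot: In the `decode()` hunk the warning still reads `"Insufficient Memory of %d truncated to %d"`, but the new code no longer truncates — it returns `AVERROR(ENOMEM)` — so both the message and its level are now misleading; `av_log(ctx, AV_LOG_ERROR, "Insufficient memory for %d bytes of packet data\n", len);` says what actually happens. In the struct hunk `pktbuf_size` is declared `int`, while `av_fast_padded_malloc()` takes an `unsigned int *` size argument in libavcodec's declaration; `unsigned int pktbuf_size;` avoids the pointer-type mismatch. `decode()` and `close_decoder()` are only partly visible.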
From: Michael Niedermayer Date: Fri, 9 Sep 2016 13:11:43 +0200 Subject: [PATCH 162/942] avformat/movenc: Check first DTS similar to dts difference Fixes assertion failure Fixes: b84b53855a0b74560e64c6f45f505a13/signal_sigabrt_7ffff6ae7c37_3837_ef4e243ea5b4fa8d0becf4afe9166604.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 68f4c2163ec6d4534ae1756dbcf259845f2e4d2c) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index b9c0f7ae67..4e51cdf66f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4362,6 +4362,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) pkt->dts = trk->cluster[trk->entry - 1].dts + 1; pkt->pts = AV_NOPTS_VALUE; } + } else if (pkt->dts <= INT_MIN || pkt->dts >= INT_MAX) { + av_log(s, AV_LOG_ERROR, "Application provided initial timestamp: %"PRId64" is out of range for mov/mp4 format\n", + pkt->dts + ); + + pkt->dts = 0; + pkt->pts = AV_NOPTS_VALUE; } if (pkt->duration < 0 || pkt->duration > INT_MAX) { av_log(s, AV_LOG_ERROR, "Application provided duration: %"PRId64" is invalid\n", pkt->duration); From 26a8fc1c00d58652ebcd5809e76eb5fc9b9e2a44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Sep 2016 13:13:42 +0200 Subject: [PATCH 163/942] avcodec/avpacket: clear side_data_elems MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 5e1bf9d8c0d2cdbbf17b06a5dfdf87a635b3203b) Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index b2079f61a1..6de85dea1d 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c 
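Review bot: The new branch handles an out-of-range initial `dts` by resetting it to 0 and continuing, whereas the adjacent duration check returns `AVERROR(EINVAL)`; the asymmetry is unexplained and silently rewrites the application's timestamp. If continuing is intentional, say so: `/* first packet: clamp instead of failing so the stream still muxes */`; otherwise `return AVERROR(EINVAL);` as for the duration. The bounds are inclusive (`<= INT_MIN || >= INT_MAX`), so exactly INT_MIN/INT_MAX are rejected too — fine if that is the intended range, but worth stating in the comment. `ff_mov_write_packet()` is outside the hunk.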
@@ -184,6 +184,7 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) { pkt->data = NULL; pkt->side_data = NULL; + pkt->side_data_elems = 0; if (pkt->buf) { AVBufferRef *ref = av_buffer_ref(src->buf); if (!ref) @@ -193,9 +194,11 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) } else { DUP_DATA(pkt->data, src->data, pkt->size, 1, ALLOC_BUF); } - if (pkt->side_data_elems && dup) + if (src->side_data_elems && dup) { pkt->side_data = src->side_data; - if (pkt->side_data_elems && !dup) { + pkt->side_data_elems = src->side_data_elems; + } + if (src->side_data_elems && !dup) { return av_copy_packet_side_data(pkt, src); } return 0; From 9357aa67572ce630267144ecd923c643a0982617 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Sep 2016 13:06:53 +0200 Subject: [PATCH 164/942] avcodec/g726: Add missing ADDB output mask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1.poc Fixes out of array read Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit a5af1240fce845f645440364c1335e0f8e44ee6c) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index c3d018fda6..f3de9e715d 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -206,7 +206,7 @@ static int16_t g726_decode(G726Context* c, int I) if (I_sig) /* get the sign */ dq = -dq; - re_signal = c->se + dq; + re_signal = (int16_t)(c->se + dq); /* Update second order predictor coefficient A2 and A1 */ pk0 = (c->sez + dq) ? sgn(c->sez + dq) : 0; From f2f7d49f41b1d4a1ac7d6054c12ce92b4708d4d5 Mon Sep 17 00:00:00 2001 
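Review bot: The two tests `if (src->side_data_elems && dup)` and `if (src->side_data_elems && !dup)` are complementary and read better as one `if (src->side_data_elems) { if (dup) { ... } else return av_copy_packet_side_data(pkt, src); }`. More important for a reader: in the `dup` case the new packet now carries `src->side_data` by pointer and `src->side_data_elems` by value, i.e. it aliases rather than owns the side data, and nothing says who frees it; a comment such as `/* dup: side data is borrowed from src, not copied */` states the contract. `copy_packet_data()` and the `DUP_DATA` macro are only partly visible.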
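Review bot: `(int16_t)(c->se + dq)` is the ADDB 16-bit wrap the commit title refers to, but converting an out-of-range value to a signed type is implementation-defined in C (two's-complement wrap in practice), and nothing at the call site says the wrap is the point rather than an accidental narrowing. A comment keeps it from being "fixed" later: `/* ADDB: the reconstructed signal wraps modulo 2^16; the int16_t cast is the intended wrap, not a truncation bug */`. `g726_decode()` begins and ends outside the hunk.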
From: Xinzheng Zhang Date: Wed, 14 Sep 2016 16:13:45 +0800 Subject: [PATCH 165/942] avformat/utils: fix timebase error in avformat_seek_file() When there is only one stream and stream_index has not been specified, the ts has been transferred by the timebase of stream0 without modifying the stream_index. In this condition it causes seek failure. Signed-off-by: Michael Niedermayer (cherry picked from commit ecc04b4f2f29ac676e6c1d1ebf20ec45f5385f1e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 42b617e2c1..c9bc6f2376 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2284,6 +2284,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, max_ts = av_rescale_rnd(max_ts, time_base.den, time_base.num * (int64_t)AV_TIME_BASE, AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + stream_index = 0; } ret = s->iformat->read_seek2(s, stream_index, min_ts, From a1f77124c87614b71745e08194c667fc04eaa07c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Sep 2016 23:52:42 +0200 Subject: [PATCH 166/942] avformat/movenc: Factor check_pkt() out Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit deabcd2c05b2b01689d91394bbf3908da17234ed) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 4e51cdf66f..6230f30823 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
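Review bot: The bare `stream_index = 0;` has no explanation, and the condition that leads here (the single-stream, no-index case described in the commit message) is outside the hunk, so the next reader sees an unmotivated assignment after two rescale calls. A comment makes the coupling explicit: `/* min/max_ts were just rescaled to stream 0's time_base, so the seek must target stream 0 */`. `avformat_seek_file()` continues beyond the hunk.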
@@ -4342,15 +4342,10 @@ static int mov_auto_flush_fragment(AVFormatContext *s, int force) return ret; } -int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) +static int check_pkt(AVFormatContext *s, AVPacket *pkt) { MOVMuxContext *mov = s->priv_data; - AVIOContext *pb = s->pb; MOVTrack *trk = &mov->tracks[pkt->stream_index]; - AVCodecContext *enc = trk->enc; - unsigned int samples_in_chunk = 0; - int size = pkt->size, ret = 0; - uint8_t *reformatted_data = NULL; if (trk->entry) { int64_t duration = pkt->dts - trk->cluster[trk->entry - 1].dts; @@ -4374,6 +4369,23 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "Application provided duration: %"PRId64" is invalid\n", pkt->duration); return AVERROR(EINVAL); } + return 0; +} + +int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) +{ + MOVMuxContext *mov = s->priv_data; + AVIOContext *pb = s->pb; + MOVTrack *trk = &mov->tracks[pkt->stream_index]; + AVCodecContext *enc = trk->enc; + unsigned int samples_in_chunk = 0; + int size = pkt->size, ret = 0; + uint8_t *reformatted_data = NULL; + + ret = check_pkt(s, pkt); + if (ret < 0) + return ret; + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From 7fefa4138ddd8b4841459075b5e124b38b3806ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Sep 2016 23:52:54 +0200 Subject: [PATCH 167/942] avformat/movenc: Check packet in mov_write_single_packet() too Fixes assertion failure Found-by: durandal117 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28343139330f557e00293933a4697c7d0fc19c56) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 6230f30823..cdc3a00f1f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
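Review bot: After `ret = check_pkt(s, pkt);` the outer `ret` now carries a meaningful value, yet the next block still opens with `if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret;`, a shadowing declaration that `-Wshadow` flags and that makes the two `ret`s easy to confuse; drop the inner declaration, and note the `ret = 0` initializer is dead once the check assigns it. The new static function also has no header comment; something like `/* Reject packets whose dts/duration cannot be represented in the mov track; returns 0 or AVERROR(EINVAL). */` above `check_pkt()` would do, adjusted to what the middle of the function (outside this hunk) actually checks.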
@@ -4650,6 +4650,10 @@ static int mov_write_single_packet(AVFormatContext *s, AVPacket *pkt) int64_t frag_duration = 0; int size = pkt->size; + int ret = check_pkt(s, pkt); + if (ret < 0) + return ret; + if (mov->flags & FF_MOV_FLAG_FRAG_DISCONT) { int i; for (i = 0; i < s->nb_streams; i++) From 63f951601e75051085b85e8034989ee8a7dcff1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Sep 2016 15:25:38 +0200 Subject: [PATCH 168/942] avcodec/cavsdsp: use av_clip_uint8() for idct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array read Fixes: 1.swf Found-by: 连一汉 Tested-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 0e318f110bcd6bb8e7de9127f2747272e60f48d7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdsp.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 91f6d7350b..df9490ad8f 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -188,7 +188,6 @@ static void cavs_filter_ch_c(uint8_t *d, int stride, int alpha, int beta, int tc static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { int i; int16_t (*src)[8] = (int16_t(*)[8])block; - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; src[0][0] += 8; 
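Review bot: The packet is now validated in both ff_mov_write_packet (previous commit) and here in mov_write_single_packet, and nothing in the hunk says why both sites need it. If mov_write_single_packet is only ever reached through ff_mov_write_packet the second call is redundant; if other callers reach it (the assertion failure in the commit message suggests so), a one-line comment such as `/* not every caller goes through ff_mov_write_packet, so validate here too */` would keep the next cleanup from removing it as a duplicate. The rest of the function, including where `ret` might be redeclared, is outside the hunk.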
@@ -243,14 +242,14 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { const int b2 = a5 - a7; const int b3 = a4 - a6; - dst[i + 0*stride] = cm[ dst[i + 0*stride] + ((b0 + b4) >> 7)]; - dst[i + 1*stride] = cm[ dst[i + 1*stride] + ((b1 + b5) >> 7)]; - dst[i + 2*stride] = cm[ dst[i + 2*stride] + ((b2 + b6) >> 7)]; - dst[i + 3*stride] = cm[ dst[i + 3*stride] + ((b3 + b7) >> 7)]; - dst[i + 4*stride] = cm[ dst[i + 4*stride] + ((b3 - b7) >> 7)]; - dst[i + 5*stride] = cm[ dst[i + 5*stride] + ((b2 - b6) >> 7)]; - dst[i + 6*stride] = cm[ dst[i + 6*stride] + ((b1 - b5) >> 7)]; - dst[i + 7*stride] = cm[ dst[i + 7*stride] + ((b0 - b4) >> 7)]; + dst[i + 0*stride] = av_clip_uint8( dst[i + 0*stride] + ((b0 + b4) >> 7)); + dst[i + 1*stride] = av_clip_uint8( dst[i + 1*stride] + ((b1 + b5) >> 7)); + dst[i + 2*stride] = av_clip_uint8( dst[i + 2*stride] + ((b2 + b6) >> 7)); + dst[i + 3*stride] = av_clip_uint8( dst[i + 3*stride] + ((b3 + b7) >> 7)); + dst[i + 4*stride] = av_clip_uint8( dst[i + 4*stride] + ((b3 - b7) >> 7)); + dst[i + 5*stride] = av_clip_uint8( dst[i + 5*stride] + ((b2 - b6) >> 7)); + dst[i + 6*stride] = av_clip_uint8( dst[i + 6*stride] + ((b1 - b5) >> 7)); + dst[i + 7*stride] = av_clip_uint8( dst[i + 7*stride] + ((b0 - b4) >> 7)); } } From e5bf7ab3e7c6432da47958105ac59ee2681d3198 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Sep 2016 20:25:59 +0200 Subject: [PATCH 169/942] avcodec/ansi: Check dimensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 69449da436169e7facaa6d1f3bcbc41cf6ce2754) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 21d5ae1db2..98ea9e3d2a 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c 
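Review bot: The switch from the `cm[]` crop table to `av_clip_uint8()` is the actual bounds fix, but the code no longer says why the table was unsafe, so a future "optimisation" back to the table would reintroduce the out-of-array read named in the commit message. A comment above the eight stores would pin it down: `/* av_clip_uint8 instead of ff_crop_tab: the IDCT of crafted coefficients can exceed the table's +-MAX_NEG_CROP range */`. cavs_idct8_add_c begins in the preceding hunk, and any SIMD implementation of the same routine is not touched by this change, which may be worth checking separately.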
@@ -94,6 +94,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); if (ret < 0) return ret; + } else if (avctx->width % FONT_WIDTH || avctx->height % s->font_height) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); + return AVERROR(EINVAL); } return 0; } From 82b58841c9d0e9d7d76d59438fe6b2a315e07e38 Mon Sep 17 00:00:00 2001 From: Sasi Inguva Date: Tue, 27 Sep 2016 19:23:20 -0700 Subject: [PATCH 170/942] lavc/movtextdec.c: Avoid infinite loop on invalid data. Signed-off-by: Sasi Inguva (cherry picked from commit 7e9e1b7070242a79fa6e3acd749d7fe76e39ea7b) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 8d0e8141d3..28f7b8f5be 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -477,6 +477,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx, tsmb_type = AV_RB32(tsmb); tsmb += 4; + if (tsmb_size == 0) { + return AVERROR_INVALIDDATA; + } + if (tsmb_size == 1) { if (m->tracksize + 16 > avpkt->size) break; From fb7617df4eb13659fa20cb535888c10eac0fdb77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Sep 2016 11:56:11 +0200 Subject: [PATCH 171/942] avformat/avidec: Fix memleak with dv in avi MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit b98dafe04564d5fe3e5bf5073d871dd93a4a62de) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 72099806a6..f4a2872609 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
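Review bot: The new check divides by `s->font_height`, which is assigned outside the hunk; if it can still be 0 at this point (for instance when no extradata selects a font) the modulo is undefined behaviour rather than a rejected stream. If it is always set before this line, a short comment stating that would help; otherwise guard it first, `if (!s->font_height || avctx->width % FONT_WIDTH || avctx->height % s->font_height)`. The start of decode_init is outside the hunk.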
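Review bot: The new zero-size check returns `AVERROR_INVALIDDATA`, whereas the neighbouring `tsmb_size == 1` check ends box parsing with `break`; returning discards any text already decoded from this packet, which may be intended but reads as an inconsistency. A comment would make the choice explicit and explain the bug: `/* a size of 0 would never advance tsmb, so reject the packet rather than loop forever */`. The surrounding loop and its advancement of `tsmb` are outside the hunk, so the "never advances" claim should be confirmed against that code.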
@@ -608,6 +608,7 @@ static int avi_read_header(AVFormatContext *s) if (s->streams[0]->info) av_freep(&s->streams[0]->info->duration_error); av_freep(&s->streams[0]->info); + av_freep(&s->streams[0]->internal); av_freep(&s->streams[0]); s->nb_streams = 0; if (CONFIG_DV_DEMUXER) { From 77d5a237ef6803e3b5a138fdee10bf1f62e4a7d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 15:47:12 +0200 Subject: [PATCH 172/942] avformat/avidec: Remove ancient assert MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This assert can with crafted files fail, a warning is already printed for this case. Fixes assertion failure Fixes:1/assert.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 14bac7e00d72eac687612d9b125e585011a56d4f) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index f4a2872609..2e053a3c8a 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1846,7 +1846,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, continue; // av_assert1(st2->codec->block_align); - av_assert0(fabs(av_q2d(st2->time_base) - ast2->scale / (double)ast2->rate) < av_q2d(st2->time_base) * 0.00000001); index = av_index_search_timestamp(st2, av_rescale_q(timestamp, st->time_base, From 8c43f320574d201fe1b696b133c08368f5f18508 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 16:14:08 +0200 Subject: [PATCH 173/942] avformat/avidec: Check nb_streams in read_gab2_sub() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Fixes: 1/null_point.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 2679ad4773aa356e7c3da5c68bc81f02a194617f) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) 
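Review bot: The stream teardown here is a hand-written list of per-stream fields (`info->duration_error`, `info`, now `internal`, then the stream itself), so every new field added to AVStream must be mirrored here or it leaks again, which is exactly how this leak arose. If libavformat's internal stream free helper (`ff_free_stream()` in internal.h) is available on this branch, calling it instead of the ad-hoc sequence would stop the list drifting; it also maintains `nb_streams`, so the explicit `s->nb_streams = 0;` may need to stay only as a safeguard. The start of avi_read_header and the code that guarantees `nb_streams == 1` at this point are outside the hunk.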
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 2e053a3c8a..7adb819346 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1094,6 +1094,8 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) goto error; if (!avformat_open_input(&ast->sub_ctx, "", sub_demuxer, NULL)) { + if (ast->sub_ctx->nb_streams != 1) + goto error; ff_read_packet(ast->sub_ctx, &ast->sub_pkt); *st->codec = *ast->sub_ctx->streams[0]->codec; ast->sub_ctx->streams[0]->codec->extradata = NULL; From b9a1d389b2a05269042d013cf6da4a09ce6ccc24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 17:13:09 +0200 Subject: [PATCH 174/942] Update for 3.0.4 Signed-off-by: Michael Niedermayer --- Changelog | 19 +++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 81fa45f720..a5bcb37b25 100644 --- a/Changelog +++ b/Changelog 
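Review bot: The new `nb_streams != 1` guard is right, but the line just after it still ignores the return value of `ff_read_packet()`, so a sub-demuxer that opened fine yet cannot deliver a first packet leaves `ast->sub_pkt` in whatever state the call left it before `streams[0]->codec` is copied; checking it the same way, `if (ff_read_packet(ast->sub_ctx, &ast->sub_pkt) < 0) goto error;`, would close that gap. The `error` label is outside the hunk; since `avformat_open_input` has already succeeded when the new `goto error` fires, confirm that path closes `ast->sub_ctx`. A comment on the guard, `/* exactly one stream is expected: streams[0] is copied below */`, would document the assumption.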
@@ -1,6 +1,25 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.4: +- avformat/avidec: Check nb_streams in read_gab2_sub() +- avformat/avidec: Remove ancient assert +- avformat/avidec: Fix memleak with dv in avi +- lavc/movtextdec.c: Avoid infinite loop on invalid data. +- avcodec/ansi: Check dimensions +- avcodec/cavsdsp: use av_clip_uint8() for idct +- avformat/movenc: Check packet in mov_write_single_packet() too +- avformat/movenc: Factor check_pkt() out +- avformat/utils: fix timebase error in avformat_seek_file() +- avcodec/g726: Add missing ADDB output mask +- avcodec/avpacket: clear side_data_elems +- avformat/movenc: Check first DTS similar to dts difference +- avcodec/ccaption_dec: Use simple array instead of AVBuffer +- avformat/mov: Fix potential integer overflow in mov_read_keys +- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices +- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices +- lavf/utils: Avoid an overflow for huge negative durations. + version 3.0.3: - avformat/avidec: Fix infinite loop in avi_read_nikon() - avcodec/aacenc: Tighter input checks diff --git a/RELEASE b/RELEASE index 75a22a26ac..b0f2dcb32f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.3 +3.0.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 91870f387b..11596536a4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.3 +PROJECT_NUMBER = 3.0.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From ef5b120e2dd6ef83b41f31317890ad947955d916 Mon Sep 17 00:00:00 2001 
From: Shivraj Patil Date: Wed, 5 Oct 2016 17:52:24 +0530 Subject: [PATCH 175/942] avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r6 Signed-off-by: Shivraj Patil Signed-off-by: Michael Niedermayer (cherry picked from commit c1cc13cd2a9b8d6d2810ec42454f328a1a0d5efa) Signed-off-by: Michael Niedermayer --- libavutil/mips/generic_macros_msa.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavutil/mips/generic_macros_msa.h b/libavutil/mips/generic_macros_msa.h index b1d18dd9d3..0a59619e7b 100644 --- a/libavutil/mips/generic_macros_msa.h +++ b/libavutil/mips/generic_macros_msa.h @@ -85,12 +85,12 @@ #else // !(__mips == 64) #define LD(psrc) \ ( { \ - uint8_t *psrc_m = (uint8_t *) (psrc); \ + uint8_t *psrc_ld_m = (uint8_t *) (psrc); \ uint32_t val0_m, val1_m; \ uint64_t val_m = 0; \ \ - val0_m = LW(psrc_m); \ - val1_m = LW(psrc_m + 4); \ + val0_m = LW(psrc_ld_m); \ + val1_m = LW(psrc_ld_m + 4); \ \ val_m = (uint64_t) (val1_m); \ val_m = (uint64_t) ((val_m << 32) & 0xFFFFFFFF00000000); \ @@ -172,12 +172,12 @@ #else // !(__mips == 64) #define LD(psrc) \ ( { \ - uint8_t *psrc_m1 = (uint8_t *) (psrc); \ + uint8_t *psrc_ld_m = (uint8_t *) (psrc); \ uint32_t val0_m, val1_m; \ uint64_t val_m = 0; \ \ - val0_m = LW(psrc_m1); \ - val1_m = LW(psrc_m1 + 4); \ + val0_m = LW(psrc_ld_m); \ + val1_m = LW(psrc_ld_m + 4); \ \ val_m = (uint64_t) (val1_m); \ val_m = (uint64_t) ((val_m << 32) & 0xFFFFFFFF00000000); \ From c993a11e56abcc8a6199ebed894394acd37f3c0c Mon Sep 17 00:00:00 2001 From: Shivraj Patil Date: Fri, 5 Aug 2016 13:42:44 +0530 Subject: [PATCH 176/942] Support for MIPS cpu P6600 Signed-off-by: Shivraj Patil Signed-off-by: Michael Niedermayer (cherry picked from commit 6803a298f4338c19c3032d2417c6e857eb6d95be) Signed-off-by: Michael Niedermayer --- configure | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/configure b/configure index c9c139e7aa..1f36d37d16 100755 --- a/configure 
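Review bot: The fix is purely a rename of the macro-local `psrc_m` to `psrc_ld_m`, and nothing in either LD() definition records why the name matters, so a later tidy-up could rename it back and resurrect the segfault. The commit message does not say what clashed; presumably the nested `LW()` expansion declares its own local of the same name, hiding the outer pointer. A comment on the declaration in both branches, `/* name must not collide with locals declared by the nested LW() expansion */`, would preserve the reason once it is confirmed.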
+++ b/configure @@ -4189,7 +4189,7 @@ elif enabled mips; then enable mips32r2 disable msa ;; - p5600|i6400) + p5600|i6400|p6600) disable mipsdsp disable mipsdspr2 ;; @@ -4254,6 +4254,10 @@ elif enabled mips; then enable mips64r6 check_cflags "-mtune=i6400 -mabi=64" && check_cflags "-msched-weight -mload-store-pairs -funroll-loops" && check_ldflags "-mabi=64" ;; + p6600) + enable mips64r6 + check_cflags "-mtune=p6600 -mabi=64" && check_cflags "-msched-weight -mload-store-pairs -funroll-loops" && check_ldflags "-mabi=64" + ;; esac else # We do not disable anything. Is up to the user to disable the unwanted features. From 27f1fb1251437038caebbd64e9f791c614028ae2 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 1 Oct 2016 16:15:45 +0200 Subject: [PATCH 177/942] ffmpeg: remove unused and errorneous AVFrame timestamp check Decoders have previously not used AVFrame.pts, and with the upcoming deprecation of pkt_pts (in favor of pts), this would lead to an errorneous interpration of timestamps. (cherry picked from commit 04a3577263782cd6d70722d4ae18d75fee03dbc4) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 435ad5730c..4d1a9724bf 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2014,12 +2014,7 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output) } } - /* if the decoder provides a pts, use it instead of the last packet pts. - the decoder could be delaying output by a packet or more. */ - if (decoded_frame->pts != AV_NOPTS_VALUE) { - ist->dts = ist->next_dts = ist->pts = ist->next_pts = av_rescale_q(decoded_frame->pts, avctx->time_base, AV_TIME_BASE_Q); - decoded_frame_tb = avctx->time_base; - } else if (decoded_frame->pkt_pts != AV_NOPTS_VALUE) { + if (decoded_frame->pkt_pts != AV_NOPTS_VALUE) { decoded_frame->pts = decoded_frame->pkt_pts; decoded_frame_tb = ist->st->time_base; } else if (pkt->pts != AV_NOPTS_VALUE) { 
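Review bot: Removing the `decoded_frame->pts` branch also removed the only comment that explained the timestamp fallback order, so the surviving `pkt_pts` → `pkt->pts` chain in decode_audio now reads as arbitrary. A replacement comment on the new first branch would keep the intent, e.g. `/* decoders do not set AVFrame.pts here; derive it from the packet: the frame's pkt_pts first, then the input packet's pts */`. The rest of the chain and the function body are outside the hunk.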
From 6457346e6a15ed49cd146567c8cd415842daa3b9 Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:56:58 +0200 Subject: [PATCH 178/942] tools: fix grammar error Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit f71c98ee12f9a9e950b4a8fb6b1548fee91ba1f8) Signed-off-by: Michael Niedermayer --- tools/ismindex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ismindex.c b/tools/ismindex.c index dfef118653..363b7eead7 100644 --- a/tools/ismindex.c +++ b/tools/ismindex.c @@ -375,7 +375,7 @@ static int read_tfra(struct Tracks *tracks, int start_index, AVIOContext *f) track->duration - track->offsets[track->chunks - 1].time; } - // Now try and read the actual durations from the trun sample data. + // Now try to read the actual durations from the trun sample data. for (i = 0; i < track->chunks; i++) { int64_t duration = read_moof_duration(f, track->offsets[i].offset); if (duration > 0 && llabs(duration - track->offsets[i].duration) > 3) { From 17b8e7799f640a7cf41f4656184f3b5201e4d845 Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:56:59 +0200 Subject: [PATCH 179/942] lavc: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3305f71025289970fb34473adce5d9c65d1af016) Signed-off-by: Michael Niedermayer --- libavcodec/asvenc.c | 2 +- libavcodec/mpeg12dec.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/asvenc.c b/libavcodec/asvenc.c index ec98a0ce35..c4eca2a13d 100644 --- a/libavcodec/asvenc.c +++ b/libavcodec/asvenc.c 
@@ -61,7 +61,7 @@ static inline void asv2_put_level(ASV1Context *a, PutBitContext *pb, int level) } else { put_bits(pb, ff_asv2_level_tab[31][1], ff_asv2_level_tab[31][0]); if (level < -128 || level > 127) { - av_log(a->avctx, AV_LOG_WARNING, "Cliping level %d, increase qscale\n", level); + av_log(a->avctx, AV_LOG_WARNING, "Clipping level %d, increase qscale\n", level); level = av_clip_int8(level); } asv2_put_bits(pb, 8, level & 0xFF); diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index cc8ace8e3a..caa5f0c043 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2432,7 +2432,7 @@ FF_ENABLE_DEPRECATION_WARNINGS #endif s->closed_gop = get_bits1(&s->gb); - /* broken_link indicate that after editing the + /* broken_link indicates that after editing the * reference frames of the first B-Frames after GOP I-Frame * are missing (open gop) */ broken_link = get_bits1(&s->gb); From 8baf2d8fadc16d7f2c7d4e686f19e495ae6cc07e Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:57:00 +0200 Subject: [PATCH 180/942] lavfi: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit f4e4bde1f4cff99d4ec59ed361ff9228b2050e6b) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 4 ++-- libavfilter/vf_blackframe.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 1eb102c10a..7c02f6720d 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -109,7 +109,7 @@ static av_cold int init(AVFilterContext *ctx) if (!pan->args) { av_log(ctx, AV_LOG_ERROR, "pan filter needs a channel layout and a set " - "of channels definitions as parameter\n"); + "of channel definitions as parameter\n"); return AVERROR(EINVAL); } if (!args) 
@@ -276,7 +276,7 @@ static int config_props(AVFilterLink *link) if (link->channels > MAX_CHANNELS || pan->nb_output_channels > MAX_CHANNELS) { av_log(ctx, AV_LOG_ERROR, - "af_pan support a maximum of %d channels. " + "af_pan supports a maximum of %d channels. " "Feel free to ask for a higher limit.\n", MAX_CHANNELS); return AVERROR_PATCHWELCOME; } diff --git a/libavfilter/vf_blackframe.c b/libavfilter/vf_blackframe.c index ad6d488b3a..9fe2a42942 100644 --- a/libavfilter/vf_blackframe.c +++ b/libavfilter/vf_blackframe.c @@ -104,8 +104,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) #define OFFSET(x) offsetof(BlackFrameContext, x) #define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM static const AVOption blackframe_options[] = { - { "amount", "Percentage of the pixels that have to be below the threshold " - "for the frame to be considered black.", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, + { "amount", "percentage of the pixels that have to be below the threshold " + "for the frame to be considered black", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, { "threshold", "threshold below which a pixel value is considered black", OFFSET(bthresh), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, 255, FLAGS }, { "thresh", "threshold below which a pixel value is considered black", From 88f52f2f8f210e0edba8559f567d0d39a609401c Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:57:02 +0200 Subject: [PATCH 181/942] cmdutils: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5d27d7a7350e096eac9f8999d02bf48c3b3a69) Signed-off-by: Michael Niedermayer --- cmdutils.c | 4 ++-- cmdutils.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index 3bb8bde3e9..476c85894c 100644 --- a/cmdutils.c +++ b/cmdutils.c 
@@ -2111,7 +2111,7 @@ static int print_device_sources(AVInputFormat *fmt, AVDictionary *opts) if (!fmt || !fmt->priv_class || !AV_IS_INPUT_DEVICE(fmt->priv_class->category)) return AVERROR(EINVAL); - printf("Audo-detected sources for %s:\n", fmt->name); + printf("Auto-detected sources for %s:\n", fmt->name); if (!fmt->get_device_list) { ret = AVERROR(ENOSYS); printf("Cannot list sources. Not implemented.\n"); @@ -2141,7 +2141,7 @@ static int print_device_sinks(AVOutputFormat *fmt, AVDictionary *opts) if (!fmt || !fmt->priv_class || !AV_IS_OUTPUT_DEVICE(fmt->priv_class->category)) return AVERROR(EINVAL); - printf("Audo-detected sinks for %s:\n", fmt->name); + printf("Auto-detected sinks for %s:\n", fmt->name); if (!fmt->get_device_list) { ret = AVERROR(ENOSYS); printf("Cannot list sinks. Not implemented.\n"); diff --git a/cmdutils.h b/cmdutils.h index 67bf4848b7..1b96aa48d1 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -450,13 +450,13 @@ int show_devices(void *optctx, const char *opt, const char *arg); #if CONFIG_AVDEVICE /** - * Print a listing containing audodetected sinks of the output device. + * Print a listing containing autodetected sinks of the output device. * Device name with options may be passed as an argument to limit results. */ int show_sinks(void *optctx, const char *opt, const char *arg); /** - * Print a listing containing audodetected sources of the input device. + * Print a listing containing autodetected sources of the input device. * Device name with options may be passed as an argument to limit results. */ int show_sources(void *optctx, const char *opt, const char *arg); From 047e0049d1ccf4e6d62eb22fcc88725e1f43170c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Oct 2016 04:55:52 +0200 Subject: [PATCH 182/942] Changelog: update for recent commits Signed-off-by: Michael Niedermayer --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog b/Changelog index a5bcb37b25..c8bc8822a8 100644 --- a/Changelog 
+++ b/Changelog @@ -2,6 +2,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.4: +- cmdutils: fix typos +- lavfi: fix typos +- lavc: fix typos +- tools: fix grammar error +- ffmpeg: remove unused and errorneous AVFrame timestamp check +- Support for MIPS cpu P6600 +- avutil/mips/generic_macros_msa: rename macro variable which causes segfault for mips r - avformat/avidec: Check nb_streams in read_gab2_sub() - avformat/avidec: Remove ancient assert - avformat/avidec: Fix memleak with dv in avi From ada229e66fea11e33a11df2f02dc287304842a48 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 11 Oct 2016 20:28:35 +0200 Subject: [PATCH 183/942] configure: fix detection of libopenjpeg Use check_lib2 to test the header together with the function. This is necessary, because '-DOPJ_STATIC' changes what the included header does. Also add '-DOPJ_STATIC' to CPPFLAGS, so that it isn't necessary to hardcode this in libavcodec/libopenjpeg{dec,enc}.c. Finally, check for non-static openjpeg 2.1, too. Reviewed-by: Michael Bradshaw Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7a65aef00d113a38e0d1a54df49eead9df6aa15c) Signed-off-by: Andreas Cadhalpun --- configure | 9 +++++---- libavcodec/libopenjpegdec.c | 2 -- libavcodec/libopenjpegenc.c | 2 -- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/configure b/configure index 1f36d37d16..67078010ef 100755 --- a/configure +++ b/configure 
@@ -5485,10 +5485,11 @@ enabled libopencv && { check_header opencv2/core/core_c.h && require_pkg_config opencv opencv2/core/core_c.h cvCreateImageHeader || require_pkg_config opencv opencv/cxcore.h cvCreateImageHeader; } enabled libopenh264 && require_pkg_config openh264 wels/codec_api.h WelsGetCodecVersion -enabled libopenjpeg && { check_lib openjpeg-2.1/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC || - check_lib openjpeg-2.0/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC || - check_lib openjpeg-1.5/openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC || - check_lib openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC || +enabled libopenjpeg && { { check_lib2 openjpeg-2.1/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + check_lib2 openjpeg-2.1/openjpeg.h opj_version -lopenjp2 || + { check_lib2 openjpeg-2.0/openjpeg.h opj_version -lopenjp2 -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + { check_lib2 openjpeg-1.5/openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || + { check_lib2 openjpeg.h opj_version -lopenjpeg -DOPJ_STATIC && add_cppflags -DOPJ_STATIC; } || die "ERROR: libopenjpeg not found"; } enabled libopus && require_pkg_config opus opus_multistream.h opus_multistream_decoder_create enabled libpulse && require_pkg_config libpulse pulse/pulseaudio.h pa_context_new diff --git a/libavcodec/libopenjpegdec.c b/libavcodec/libopenjpegdec.c index cae3d20986..3f24a9c6cd 100644 --- a/libavcodec/libopenjpegdec.c +++ b/libavcodec/libopenjpegdec.c @@ -24,8 +24,6 @@ * JPEG 2000 decoder using libopenjpeg */ -#define OPJ_STATIC - #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 058ca363c8..c2aa257547 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c 
@@ -24,8 +24,6 @@ * JPEG 2000 encoder using libopenjpeg */ -#define OPJ_STATIC - #include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" From de42af2beef7ecc3bf44d746c316de437b8be274 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 13 Oct 2016 21:16:35 +0200 Subject: [PATCH 184/942] libopenjpegenc: stop reusing image data buffer for openjpeg 2 openjpeg 2 sets the data pointers of the image components to NULL, causing segfaults if the image is reused. Reviewed-by: Michael Bradshaw Signed-off-by: Andreas Cadhalpun (cherry picked from commit 69c8505f3bf54f316e9dc8bec1c71dfa1febec63) Signed-off-by: Andreas Cadhalpun --- libavcodec/libopenjpegenc.c | 39 +++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index c2aa257547..a5c3e961f7 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -52,7 +52,9 @@ typedef struct LibOpenJPEGContext { AVClass *avclass; +#if OPENJPEG_MAJOR_VERSION == 1 opj_image_t *image; +#endif // OPENJPEG_MAJOR_VERSION == 1 opj_cparameters_t enc_params; #if OPENJPEG_MAJOR_VERSION == 1 opj_event_mgr_t event_mgr; @@ -369,18 +371,22 @@ static av_cold int libopenjpeg_encode_init(AVCodecContext *avctx) cinema_parameters(&ctx->enc_params); } +#if OPENJPEG_MAJOR_VERSION == 1 ctx->image = mj2_create_image(avctx, &ctx->enc_params); if (!ctx->image) { av_log(avctx, AV_LOG_ERROR, "Error creating the mj2 image\n"); err = AVERROR(EINVAL); goto fail; } +#endif // OPENJPEG_MAJOR_VERSION == 1 return 0; fail: +#if OPENJPEG_MAJOR_VERSION == 1 opj_image_destroy(ctx->image); ctx->image = NULL; +#endif // OPENJPEG_MAJOR_VERSION == 1 return err; } 
@@ -591,18 +597,24 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet) { LibOpenJPEGContext *ctx = avctx->priv_data; - opj_image_t *image = ctx->image; + int ret; + AVFrame *gbrframe; + int cpyresult = 0; #if OPENJPEG_MAJOR_VERSION == 1 + opj_image_t *image = ctx->image; opj_cinfo_t *compress = NULL; opj_cio_t *stream = NULL; int len; #else // OPENJPEG_MAJOR_VERSION == 2 opj_codec_t *compress = NULL; opj_stream_t *stream = NULL; + opj_image_t *image = mj2_create_image(avctx, &ctx->enc_params); + if (!image) { + av_log(avctx, AV_LOG_ERROR, "Error creating the mj2 image\n"); + ret = AVERROR(EINVAL); + goto done; + } #endif // OPENJPEG_MAJOR_VERSION == 1 - int cpyresult = 0; - int ret; - AVFrame *gbrframe; switch (avctx->pix_fmt) { case AV_PIX_FMT_RGB24: @@ -625,8 +637,10 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_GBRP14: case AV_PIX_FMT_GBRP16: gbrframe = av_frame_clone(frame); - if (!gbrframe) - return AVERROR(ENOMEM); + if (!gbrframe) { + ret = AVERROR(ENOMEM); + goto done; + } gbrframe->data[0] = frame->data[2]; // swap to be rgb gbrframe->data[1] = frame->data[0]; gbrframe->data[2] = frame->data[1]; @@ -683,19 +697,21 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, av_log(avctx, AV_LOG_ERROR, "The frame's pixel format '%s' is not supported\n", av_get_pix_fmt_name(avctx->pix_fmt)); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto done; break; } if (!cpyresult) { av_log(avctx, AV_LOG_ERROR, "Could not copy the frame data to the internal image buffer\n"); - return -1; + ret = -1; + goto done; } #if OPENJPEG_MAJOR_VERSION == 2 if ((ret = ff_alloc_packet2(avctx, pkt, 1024, 0)) < 0) { - return ret; + goto done; } #endif // OPENJPEG_MAJOR_VERSION == 2 
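Review bot: In the `default` case of the pixel-format switch the rewritten exit is `ret = AVERROR(EINVAL); goto done; break;`, where the `break` is now unreachable and should be dropped. The conversion of `return -1` into `ret = -1; goto done;` keeps a bare -1 as the encoder's error code; since the line is being rewritten anyway, `ret = AVERROR(EINVAL);` (or AVERROR_EXTERNAL) would match the other paths. The per-frame `mj2_create_image()` in the openjpeg 2 branch is deliberate per the commit message but looks like an accidental allocation in the hot path; a comment there, `/* openjpeg 2 clears the component data pointers after encoding, so the image cannot be reused across frames */`, would protect it. libopenjpeg_encode_frame continues beyond this hunk.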
@@ -762,7 +778,7 @@ static int libopenjpeg_encode_frame(AVCodecContext *avctx, AVPacket *pkt, #error Missing call to opj_stream_set_user_data #endif - if (!opj_start_compress(compress, ctx->image, stream) || + if (!opj_start_compress(compress, image, stream) || !opj_encode(compress, stream) || !opj_end_compress(compress, stream)) { av_log(avctx, AV_LOG_ERROR, "Error during the opj encode\n"); @@ -781,6 +797,7 @@ done: #if OPENJPEG_MAJOR_VERSION == 2 opj_stream_destroy(stream); opj_destroy_codec(compress); + opj_image_destroy(image); #else opj_cio_close(stream); opj_destroy_compress(compress); @@ -790,10 +807,12 @@ done: static av_cold int libopenjpeg_encode_close(AVCodecContext *avctx) { +#if OPENJPEG_MAJOR_VERSION == 1 LibOpenJPEGContext *ctx = avctx->priv_data; opj_image_destroy(ctx->image); ctx->image = NULL; +#endif // OPENJPEG_MAJOR_VERSION == 1 return 0; } From 0887f1835d69d65fef45eb9aa0183bb06954f52a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 13 Oct 2016 22:14:46 +0200 Subject: [PATCH 185/942] libopenjpegenc: fix out-of-bounds reads when filling the edges The calculation of width/height should round up, not round down to prevent setting width or height to 0. Also image->comps[compno].w is unsigned (at least in openjpeg2), so the calculation could silently wrap around without the explicit cast to int. Reviewed-by: Michael Bradshaw Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 56706ac0d5723cb549fec2602e798ab1bf6004cd) Signed-off-by: Andreas Cadhalpun --- libavcodec/libopenjpegenc.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index a5c3e961f7..2ca7b2d4d2 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c 
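Review bot: With the early `goto done` paths introduced in the previous hunks, the openjpeg 2 cleanup under `done:` now runs while `stream` and `compress` are still NULL (they are NULL-initialised at the top of the function), so it relies on `opj_stream_destroy()` and `opj_destroy_codec()` tolerating a null argument; I believe they do, but a comment saying so, `/* stream/compress may still be NULL on early exit; the opj destroy functions accept NULL */`, or explicit `if` guards, would make the dependency visible. For the openjpeg 1 branch `image` aliases `ctx->image`, so not destroying it here is correct, and it is worth a note that this asymmetry with the openjpeg 2 `opj_image_destroy(image)` is intentional. The function start is outside the hunk.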
@@ -421,7 +421,7 @@ static int libopenjpeg_copy_packed8(AVCodecContext *avctx, const AVFrame *frame, for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -461,7 +461,7 @@ static int libopenjpeg_copy_packed12(AVCodecContext *avctx, const AVFrame *frame for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -501,7 +501,7 @@ static int libopenjpeg_copy_packed16(AVCodecContext *avctx, const AVFrame *frame for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -528,8 +528,8 @@ static int libopenjpeg_copy_unpacked8(AVCodecContext *avctx, const AVFrame *fram } for (compno = 0; compno < numcomps; ++compno) { - width = avctx->width / image->comps[compno].dx; - height = avctx->height / image->comps[compno].dy; + width = (avctx->width + image->comps[compno].dx - 1) / image->comps[compno].dx; + height = (avctx->height + image->comps[compno].dy - 1) / image->comps[compno].dy; for (y = 0; y < height; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; frame_index = y * frame->linesize[compno]; 
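Review bot: The `(int)` cast in `image_line[x - (int)image->comps[compno].w]` fixes the unsigned wrap, but the loop it sits in is just "copy the previous row", and the same six-line pattern is repeated in all six hunks of this commit (three here, three on the following line); a `memcpy(image_line, image_line - image->comps[compno].w, image->comps[compno].w * sizeof(*image_line));` per row, or a small static helper that fills rows `y..h-1` from row `y-1`, would express that directly and remove the index arithmetic that went wrong. The rounded-up `width`/`height` now divide by `dx`/`dy`, which are set in mj2_create_image outside the hunk; if they are guaranteed non-zero there a comment saying so would help, otherwise the division needs a guard. Each copy function's header and `x`/`y` declarations are outside the hunks.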
@@ -542,7 +542,7 @@ static int libopenjpeg_copy_unpacked8(AVCodecContext *avctx, const AVFrame *fram for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } @@ -570,8 +570,8 @@ static int libopenjpeg_copy_unpacked16(AVCodecContext *avctx, const AVFrame *fra } for (compno = 0; compno < numcomps; ++compno) { - width = avctx->width / image->comps[compno].dx; - height = avctx->height / image->comps[compno].dy; + width = (avctx->width + image->comps[compno].dx - 1) / image->comps[compno].dx; + height = (avctx->height + image->comps[compno].dy - 1) / image->comps[compno].dy; frame_ptr = (uint16_t *)frame->data[compno]; for (y = 0; y < height; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; @@ -585,7 +585,7 @@ static int libopenjpeg_copy_unpacked16(AVCodecContext *avctx, const AVFrame *fra for (; y < image->comps[compno].h; ++y) { image_line = image->comps[compno].data + y * image->comps[compno].w; for (x = 0; x < image->comps[compno].w; ++x) { - image_line[x] = image_line[x - image->comps[compno].w]; + image_line[x] = image_line[x - (int)image->comps[compno].w]; } } } From f309b698e6b72644ab1ff09a62078beb12a1bf7b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 17 Oct 2016 18:15:04 +0200 Subject: [PATCH 186/942] Changelog: update for recent commits Signed-off-by: Andreas Cadhalpun --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index c8bc8822a8..089e3395ef 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.4: +- libopenjpegenc: fix out-of-bounds reads when filling the edges +- libopenjpegenc: stop reusing image data buffer for openjpeg 2 +- configure: fix detection of libopenjpeg - cmdutils: fix typos - lavfi: fix typos - lavc: fix typos From 5771a0c8237d6fb0fb65877126ec0f7842fd2a1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Oct 2016 04:23:33 +0200 Subject: [PATCH 187/942] doc/examples/demuxing_decoding: Drop AVFrame->pts use This code is not correct for git master Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 2bd99564540a365d5b80d9aad6c19264b15955af) Signed-off-by: Michael Niedermayer --- doc/examples/demuxing_decoding.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c index 59e0ccc986..f2050bd6eb 100644 --- a/doc/examples/demuxing_decoding.c +++ b/doc/examples/demuxing_decoding.c @@ -93,10 +93,9 @@ static int decode_packet(int *got_frame, int cached) return -1; } - printf("video_frame%s n:%d coded_n:%d pts:%s\n", + printf("video_frame%s n:%d coded_n:%d\n", cached ? "(cached)" : "", - video_frame_count++, frame->coded_picture_number, - av_ts2timestr(frame->pts, &video_dec_ctx->time_base)); + video_frame_count++, frame->coded_picture_number); /* copy decoded frame to destination buffer: * this is required since rawvideo expects non aligned data */ From 492bbe58902ddf7f9085f13345fd01098c44c6de Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 19 Nov 2016 12:38:44 -0300 Subject: [PATCH 188/942] avcodec/avpacket: fix leak on realloc in av_packet_add_side_data() If realloc fails, the pointer is overwritten and the previously allocated buffer is leaked, which goes against the expected behavior of keeping the packet unchanged in case of error. Michael Niedermayer 
Signed-off-by: James Almer (cherry picked from commit 574929d8b6de32ae712fcca7ab09f01a3e4616be) --- libavcodec/avpacket.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 6de85dea1d..b3acc8838b 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -280,16 +280,17 @@ FF_ENABLE_DEPRECATION_WARNINGS int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, uint8_t *data, size_t size) { + AVPacketSideData *tmp; int elems = pkt->side_data_elems; if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) return AVERROR(ERANGE); - pkt->side_data = av_realloc(pkt->side_data, - (elems + 1) * sizeof(*pkt->side_data)); - if (!pkt->side_data) + tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); + if (!tmp) return AVERROR(ENOMEM); + pkt->side_data = tmp; pkt->side_data[elems].data = data; pkt->side_data[elems].size = size; pkt->side_data[elems].type = type; From 0009cf348aa85957dbbe262926e432896a628ff3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 19 Oct 2016 19:23:49 +0200 Subject: [PATCH 189/942] avformat: prevent triggering request_probe assert in ff_read_packet If probe_codec is called with pkt == NULL, it sets probe_packets to 0 and request_probe to -1. However, request_probe can change when calling s->iformat->read_packet and thus a probe_packets value of 0 doesn't guarantee a request_probe value of -1. In that case calling probe_codec again is necessary to prevent triggering the assert. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a5b4476a602f31e451b11ca0c18bc92be130a50e) Signed-off-by: Andreas Cadhalpun --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index c9bc6f2376..47e76ec7a2 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -708,7 +708,7 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt)
 return ret;
 for (i = 0; i < s->nb_streams; i++) {
 st = s->streams[i];
- if (st->probe_packets)
+ if (st->probe_packets || st->request_probe > 0)
 if ((err = probe_codec(s, st, NULL)) < 0)
 return err;
 av_assert0(st->request_probe <= 0);
From 1d439041ece002c6b2e8e3d57c3b389f9fc279b6 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Thu, 20 Oct 2016 22:14:22 +0200
Subject: [PATCH 190/942] cavsdec: unref frame before referencing again
This fixes asserts (from commit 13aae8) in av_frame_ref and av_frame_move_ref.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 1966ea012fd72abc8003e95dc3c8ad9e9f197913)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/cavsdec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 70ac6f8a42..fed7043c12 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1217,6 +1217,8 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 h->got_keyframe = 1;
 }
 case PIC_PB_START_CODE:
+ if (*got_frame)
+ av_frame_unref(data);
 *got_frame = 0;
 if (!h->got_keyframe)
 break;
From 30d542d55ddbcb2edb0f1351e1ecb6ad286b37ff Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Thu, 20 Oct 2016 22:51:55 +0200
Subject: [PATCH 191/942] mpeg12dec: unref discarded picture from extradata
Otherwise another frame gets referenced into picture, triggering an assert (from commit 13aae8) in av_frame_ref.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit a92f8edf0c51781e152651cce2e753ad6e359eb2)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/mpeg12dec.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index caa5f0c043..5a70148c5f 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
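Review bot: The widened condition `if (st->probe_packets || st->request_probe > 0)` still guards a nested, unbraced `if`/`return`; now that the outer test has two clauses, bracing it keeps the structure unmistakable. The second clause is the substance of the commit but the code does not say why it is there; a comment such as `/* read_packet may raise request_probe again after probe_packets reached 0 */` above the line would carry the reasoning forward to whoever next touches the assert below. ff_read_packet starts and ends outside this hunk.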
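Review bot: The two new lines sit directly under `case PIC_PB_START_CODE:`, which is reached both by a direct jump and by falling through from the preceding case (the `h->got_keyframe = 1; }` above it has no `break`), so the unref now runs on both paths; a `/* fallthrough */` marker before the label would make that intent explicit. A short comment on the new check — `/* a picture was already returned for this packet (presumably from an earlier start code); release it before data is reused */` — records why `*got_frame` is consulted before the unconditional `*got_frame = 0`. cavs_decode_frame starts and ends outside this hunk.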
@@ -2827,6 +2827,7 @@ static int mpeg_decode_frame(AVCodecContext *avctx, void *data, avctx->extradata, avctx->extradata_size); if (*got_output) { av_log(avctx, AV_LOG_ERROR, "picture in extradata\n"); + av_frame_unref(picture); *got_output = 0; } s->extradata_decoded = 1; From a1e6daeb1e92abf59e6b5a4229948ca54967f759 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 30 Oct 2016 20:47:22 +0100 Subject: [PATCH 192/942] interplayacm: check for too large b This fixes out-of-bounds reads. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 14e4e26559697cfdea584767be4e68474a0a9c7f) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index a676bcb931..2c23fac494 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -325,6 +325,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 3) + (x3 * 9) */ b = get_bits(gb, 5); + if (b > 26) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x3[b] & 0x0F) - 1; n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; @@ -350,6 +354,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 5) + (x3 * 25) */ b = get_bits(gb, 7); + if (b > 124) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x5[b] & 0x0F) - 2; n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; @@ -374,6 +382,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 11) */ b = get_bits(gb, 7); + if (b > 120) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_2x11[b] & 0x0F) - 5; n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5; 
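Review bot: The limits 26, 124 and 120 in the three new `if (b > …)` checks are magic numbers that presumably equal the last valid index of `mul_3x3`, `mul_3x5` and `mul_2x11`; if those tables are declared as fixed-size arrays, `if (b >= FF_ARRAY_ELEMS(mul_3x3))` (and likewise for the other two) ties each bound to its table so a later edit of the table cannot silently reintroduce the out-of-bounds read. The `av_log(NULL, AV_LOG_ERROR, …)` calls also drop the logging context; if InterplayACMContext keeps a pointer to its AVCodecContext, passing it would attach the message to the stream being decoded. The enclosing functions t15, t27 and t37 all start and end outside these hunks.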
From aa32d415275613e406a43d8f091d6981e4e1b872 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 30 Oct 2016 21:41:11 +0100 Subject: [PATCH 193/942] interplayacm: validate number of channels The number of channels is used as divisor in decode_frame, so it must not be zero to avoid SIGFPE crashes. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5540d6c1343e6d1e06d6601b7d35884761711e3e) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 2c23fac494..14cad09cff 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -61,6 +61,11 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 14) return AVERROR_INVALIDDATA; + if (avctx->channels <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of channels: %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + s->level = AV_RL16(avctx->extradata + 12) & 0xf; s->rows = AV_RL16(avctx->extradata + 12) >> 4; s->cols = 1 << s->level; From aca7f5f0607789b26b1b5d0c2dbe3ae39a229806 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 30 Oct 2016 21:18:20 +0100 Subject: [PATCH 194/942] interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE This fixes out-of-bounds reads by the bitstream reader. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 14cad09cff..8b340093df 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c 
@@ -76,7 +76,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 s->block = av_calloc(s->block_len, sizeof(int));
 s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
 s->ampbuf = av_calloc(0x10000, sizeof(int));
- s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
+ s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream));
 if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream)
 return AVERROR(ENOMEM);
From 087b77741526e701d392c038ae765993d60b5fab Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Wed, 2 Nov 2016 21:28:49 +0100
Subject: [PATCH 195/942] ppc: pixblockdsp: do unaligned block accesses correctly again
This was broken by the following Libav commit:
4c387c7 ppc: dsputil: do unaligned block accesses correctly
The following tests fail due to this:
fate-checkasm
fate-vsynth1-dnxhd-2k-hr-hq
fate-vsynth1-dnxhd-edge1-hr
fate-vsynth1-dnxhd-edge2-hr
fate-vsynth1-dnxhd-edge3-hr
fate-vsynth1-dnxhd-hr-sq-mov
fate-vsynth1-dnxhd-hr-hq-mov
fate-vsynth2-dnxhd-2k-hr-hq
fate-vsynth2-dnxhd-edge1-hr
fate-vsynth2-dnxhd-edge2-hr
fate-vsynth2-dnxhd-edge3-hr
fate-vsynth2-dnxhd-hr-sq-mov
fate-vsynth2-dnxhd-hr-hq-mov
fate-vsynth3-dnxhd-2k-hr-hq
fate-vsynth3-dnxhd-edge1-hr
fate-vsynth3-dnxhd-edge2-hr
fate-vsynth3-dnxhd-edge3-hr
fate-vsynth3-dnxhd-hr-sq-mov
fate-vsynth3-dnxhd-hr-hq-mov
Fixes trac ticket #5508.
Reviewed-by: Carl Eugen Hoyos
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 3932ccc472ad4f4d370dcfc1c2f574b0f3acb88c)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/ppc/pixblockdsp.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/libavcodec/ppc/pixblockdsp.c b/libavcodec/ppc/pixblockdsp.c
index 84aa562bb6..f3a5050469 100644
--- a/libavcodec/ppc/pixblockdsp.c
+++ b/libavcodec/ppc/pixblockdsp.c
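Review bot: The new element count `s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1` is hard to read without knowing why the padding is there; a comment such as `/* the bitstream reader may fetch up to AV_INPUT_BUFFER_PADDING_SIZE bytes past the last valid byte; reserve a zeroed tail for it */` next to the allocation would state the contract. av_calloc zeroes that tail only once here; whether the padding is re-zeroed (or left untouched) after each frame is copied into `s->bitstream` is not visible in this hunk and is worth confirming in decode_frame, since the reader's over-read should land on defined bytes every time. decode_init starts outside this hunk.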
@@ -67,10 +67,10 @@ static void get_pixels_altivec(int16_t *restrict block, const uint8_t *pixels, ptrdiff_t line_size) { int i; - vec_u8 perm = vec_lvsl(0, pixels); const vec_u8 zero = (const vec_u8)vec_splat_u8(0); for (i = 0; i < 8; i++) { + vec_u8 perm = vec_lvsl(0, pixels); /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ @@ -157,8 +157,7 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, const uint8_t *s2, int stride) { int i; - vec_u8 perm1 = vec_lvsl(0, s1); - vec_u8 perm2 = vec_lvsl(0, s2); + vec_u8 perm; const vec_u8 zero = (const vec_u8)vec_splat_u8(0); vec_s16 shorts1, shorts2; @@ -166,17 +165,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ + perm = vec_lvsl(0, s1); vec_u8 pixl = vec_ld(0, s1); vec_u8 pixr = vec_ld(15, s1); - vec_u8 bytes = vec_perm(pixl, pixr, perm1); + vec_u8 bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts1 = (vec_s16)vec_mergeh(zero, bytes); // Do the same for the second block of pixels. + perm = vec_lvsl(0, s2); pixl = vec_ld(0, s2); pixr = vec_ld(15, s2); - bytes = vec_perm(pixl, pixr, perm2); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts2 = (vec_s16)vec_mergeh(zero, bytes); 
@@ -197,17 +198,19 @@ static void diff_pixels_altivec(int16_t *restrict block, const uint8_t *s1, /* Read potentially unaligned pixels. * We're reading 16 pixels, and actually only want 8, * but we simply ignore the extras. */ + perm = vec_lvsl(0, s1); pixl = vec_ld(0, s1); pixr = vec_ld(15, s1); - bytes = vec_perm(pixl, pixr, perm1); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts1 = (vec_s16)vec_mergeh(zero, bytes); // Do the same for the second block of pixels. + perm = vec_lvsl(0, s2); pixl = vec_ld(0, s2); pixr = vec_ld(15, s2); - bytes = vec_perm(pixl, pixr, perm2); + bytes = vec_perm(pixl, pixr, perm); // Convert the bytes into shorts. shorts2 = (vec_s16)vec_mergeh(zero, bytes); From dcc8d2418acac6539e2533fc046f3d00f1c0c333 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Nov 2016 19:00:17 +0100 Subject: [PATCH 196/942] diracdec: check return code of get_buffer_with_edge If it fails, buffers aren't allocated, causing NULL pointer dereferencing. Reviewed-by: Rostislav Pehlivanov Signed-off-by: Andreas Cadhalpun (cherry picked from commit db79dedb1ae5dd38432eee3f09155e26f3f2d95a) Signed-off-by: Andreas Cadhalpun --- libavcodec/diracdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1242bd821d..b31d71f729 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1900,7 +1900,9 @@ static int dirac_decode_picture_header(DiracContext *s) for (j = 0; j < MAX_FRAMES; j++) if (!s->all_frames[j].avframe->data[0]) { s->ref_pics[i] = &s->all_frames[j]; - get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); + ret = get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); + if (ret < 0) + return ret; break; } From ef2d91e9c337f50edbc7631485bfec385601f4bb Mon Sep 17 00:00:00 2001 
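Review bot: When `get_buffer_with_edge` fails, `s->ref_pics[i]` has already been pointed at `&s->all_frames[j]` on the line above, so the new early `return ret` leaves a reference slot whose avframe has no buffer; if any error path in the caller walks `ref_pics`, that entry is a hazard. Assigning after the allocation succeeds avoids the question: `ret = get_buffer_with_edge(s->avctx, s->all_frames[j].avframe, AV_GET_BUFFER_FLAG_REF); if (ret < 0) return ret; s->ref_pics[i] = &s->all_frames[j];`. Whether anything reads `ref_pics[i]` after the failure is not visible in this hunk. dirac_decode_picture_header starts and ends outside the hunk.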
From: Andreas Cadhalpun Date: Fri, 4 Nov 2016 22:58:49 +0100 Subject: [PATCH 197/942] lzf: update pointer p after realloc This fixes heap-use-after-free detected by AddressSanitizer. Reviewed-by: Luca Barbato Signed-off-by: Andreas Cadhalpun (cherry picked from commit bb6a7b6f75ac544c956e3eefee297700ef4d3468) Signed-off-by: Andreas Cadhalpun --- libavcodec/lzf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 409a7ffdd3..5b7526ef18 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) ret = av_reallocp(buf, *size); if (ret < 0) return ret; + p = *buf + len; } bytestream2_get_buffer(gb, p, s); @@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) ret = av_reallocp(buf, *size); if (ret < 0) return ret; + p = *buf + len; } av_memcpy_backptr(p, off, l); From e78d9f3f35e379ab7da729360e3eb5ad39c150fa Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 5 Nov 2016 00:17:53 +0100 Subject: [PATCH 198/942] mxfdec: fix NULL pointer dereference Metadata streams have priv_data set to NULL. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 0efb6106118c17308b3fdc3190f5e5bf84b01d5c) Signed-off-by: Andreas Cadhalpun --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f4222fcab5..9e505daff6 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
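Review bot: The added `p = *buf + len;` after each `av_reallocp` is the fix, but the dependency between the reallocation and the write cursor is invisible at a glance and was evidently missed once already; a comment `/* av_reallocp may move the buffer: re-derive the write cursor */` on both new lines would keep a future refactor from dropping one of them. The same two-line pattern appears in the `@@ -53` and `@@ -75` hunks of this commit; a tiny static helper that grows the buffer and returns the refreshed pointer would remove the duplication. ff_lzf_uncompress starts and ends outside both hunks.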
@@ -382,7 +382,7 @@ static int mxf_get_stream_index(AVFormatContext *s, KLVPacket *klv)
 for (i = 0; i < s->nb_streams; i++) {
 MXFTrack *track = s->streams[i]->priv_data;
 /* SMPTE 379M 7.3 */
- if (!memcmp(klv->key + sizeof(mxf_essence_element_key), track->track_number, sizeof(track->track_number)))
+ if (track && !memcmp(klv->key + sizeof(mxf_essence_element_key), track->track_number, sizeof(track->track_number)))
 return i;
 }
 /* return 0 if only one stream, for OP Atom files with 0 as track number */
From e6197a6ce986af0d2f29ed0b649f3ed531a6d66e Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Mon, 7 Nov 2016 01:16:14 +0100
Subject: [PATCH 199/942] mpegaudio_parser: don't return AVERROR_PATCHWELCOME
The API does not allow returning AVERROR codes. It triggers an assert in av_parser_parse2.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5249706e9d2ec5ed1b07d8ffdbb8fb9104261f6d)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/mpegaudio_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index 873f941237..8c39825792 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -98,7 +98,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 } else if (codec_id == AV_CODEC_ID_MP3ADU) {
 avpriv_report_missing_feature(avctx, "MP3ADU full parser");
- return AVERROR_PATCHWELCOME;
+ return 0; /* parsers must not return error codes */
 }
 break;
From 5801482379cb053c2901da1058e86365aac563a1 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Tue, 8 Nov 2016 00:42:23 +0100
Subject: [PATCH 200/942] matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
The code assumes that s->streams[0] is valid.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit ff100c9dd97d2f1f456ff38b192edf84f9744738)
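Review bot: The `track &&` guard fixes the dereference, but the code does not say why a stream can lack an MXFTrack; a line such as `/* metadata-only streams carry no MXFTrack (priv_data == NULL) */` next to the existing `/* SMPTE 379M 7.3 */` comment would record the reason given in the commit message. A later commit in this series fixes the identical NULL `priv_data` dereference in mxf_read_packet_old, which suggests the "stream priv_data is an MXFTrack" assumption is scattered through the file; a small static accessor that returns NULL for metadata streams would let every call site share one check. mxf_get_stream_index starts and ends outside this hunk.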
Signed-off-by: Andreas Cadhalpun --- libavformat/matroskadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index d788232150..94c4639352 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3579,6 +3579,11 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } + if (!s->nb_streams) { + matroska_read_close(s); + av_log(s, AV_LOG_ERROR, "No streams found\n"); + return AVERROR_INVALIDDATA; + } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); From 3d82cebdd2bd5424b0eb37b0e39284da19fa0e5b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 7 Nov 2016 23:37:59 +0100 Subject: [PATCH 201/942] mpegts: prevent division by zero Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1bbb18fe82fc77a10d45fa53bd2738d2c54de6c6) Signed-off-by: Andreas Cadhalpun --- libavformat/mpegts.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e8f3889d1a..c85c30ddad 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2585,8 +2585,17 @@ static int mpegts_read_header(AVFormatContext *s) packet_count[nb_pcrs] = nb_packets; pcrs[nb_pcrs] = pcr_h * 300 + pcr_l; nb_pcrs++; - if (nb_pcrs >= 2) - break; + if (nb_pcrs >= 2) { + if (pcrs[1] - pcrs[0] > 0) { + /* the difference needs to be positive to make sense for bitrate computation */ + break; + } else { + av_log(ts->stream, AV_LOG_WARNING, "invalid pcr pair %"PRId64" >= %"PRId64"\n", pcrs[0], pcrs[1]); + pcrs[0] = pcrs[1]; + packet_count[0] = packet_count[1]; + nb_pcrs--; + } + } } else { finished_reading_packet(s, ts->raw_packet_size); } From c3307f7e9e1889c15dcaad1247c8212628474bc5 Mon Sep 17 00:00:00 2001 
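Review bot: The `else` after `break` in the new `if (nb_pcrs >= 2)` block is redundant; dropping it and dedenting the recovery code reads more simply. The recovery also silently slides the window forward and keeps scanning, so a comment stating what bounds the scan — `/* the surrounding packet loop caps how many packets are inspected, so a stream of non-increasing PCRs cannot spin here */` — would reassure readers, provided that bound exists; it is not visible in this hunk and is worth confirming. The log line reports `pcrs[0] >= pcrs[1]` while the test is `pcrs[1] - pcrs[0] > 0`, which is consistent, but `pcrs[1] <= pcrs[0]` as the condition would match the message wording directly. mpegts_read_header starts and ends outside the hunk.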
From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 23:53:52 +0100 Subject: [PATCH 202/942] icodec: fix leaking pkt on error Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 467eece1bea5c8325c6974190ba61f1bba88a3f3) Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 6ddb901b7e..e866cf91d5 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -170,8 +170,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) bytestream_put_le16(&buf, 0); bytestream_put_le32(&buf, 0); - if ((ret = avio_read(pb, buf, image->size)) < 0) + if ((ret = avio_read(pb, buf, image->size)) < 0) { + av_packet_unref(pkt); return ret; + } st->codec->bits_per_coded_sample = AV_RL16(buf + 14); From 05e6606ba98a53f10213b2f8b07afc3e62731c5a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 8 Nov 2016 23:54:41 +0100 Subject: [PATCH 203/942] icodec: add ico_read_close to fix leaking ico->images Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit d54c95a1435a8a3fcd599108ec85b7f56a0fcbf9) Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index e866cf91d5..ca1fa78cbc 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -195,6 +195,13 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) return 0; } +static int ico_read_close(AVFormatContext * s) +{ + IcoDemuxContext *ico = s->priv_data; + av_freep(&ico->images); + return 0; +} + AVInputFormat ff_ico_demuxer = { .name = "ico", .long_name = NULL_IF_CONFIG_SMALL("Microsoft Windows ICO"), @@ -202,5 +209,6 @@ AVInputFormat ff_ico_demuxer = { .read_probe = probe, .read_header = read_header, .read_packet = read_packet, + .read_close = ico_read_close, .flags = AVFMT_NOTIMESTAMPS, }; 
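Review bot: `static int ico_read_close(AVFormatContext * s)` spaces the `*` away from the name, whereas the surrounding file binds the declarator to the variable (`read_packet(AVFormatContext *s, AVPacket *pkt)` in the hunk header above); `AVFormatContext *s` keeps it consistent. A one-line comment above the function, such as `/* releases the image table allocated by read_header */`, would tie the `av_freep(&ico->images)` to its owner. The read_packet hunk earlier in this line likewise needs no change beyond noting that `av_packet_unref` is now the single error-path cleanup for that function.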
From e14cc2f1975b608b630725007bda10f49aa096a1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 00:38:50 +0100 Subject: [PATCH 204/942] escape124: reject codebook size 0 It causes a cb_depth of 32, leading to assertion failures in get_bits. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 226d35c84591f1901c2a13819031549909faa1f5) Signed-off-by: Andreas Cadhalpun --- libavcodec/escape124.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 50a86c8355..dfbaec9877 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -250,6 +250,10 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This codebook can be cut off at places other than // powers of 2, leaving some of the entries undefined. cb_size = get_bits_long(&gb, 20); + if (!cb_size) { + av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n"); + return AVERROR_INVALIDDATA; + } cb_depth = av_log2(cb_size - 1) + 1; } else { cb_depth = get_bits(&gb, 4); From 416a8a06b977d8b3d113945701d9690abfdd7622 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 23:49:46 +0100 Subject: [PATCH 205/942] proresdec_lgpl: explicitly check coff[3] against slice_data_size The implicit checks via v_data_size and a_data_size don't work in the case '(hdr_size > 7) && !ctx->alpha_info'. This fixes segmentation faults due to invalid reads. This problem was introduced in commit 547c2f002a87f4412a83c23b0d60364be5e7ce58. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70) Signed-off-by: Andreas Cadhalpun --- libavcodec/proresdec_lgpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c index 467a423f23..bc5bdb5a4d 100644 --- a/libavcodec/proresdec_lgpl.c +++ b/libavcodec/proresdec_lgpl.c 
@@ -625,7 +625,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
 /* if V or alpha component size is negative that means that previous component sizes are too large */
- if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) {
+ if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) {
 av_log(avctx, AV_LOG_ERROR, "invalid data size\n");
 return AVERROR_INVALIDDATA;
 }
From 27888d13b8d370b365593312d6755d268a4428f6 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Tue, 8 Nov 2016 22:32:42 +0100
Subject: [PATCH 206/942] dvbsubdec: fix division by zero in compute_default_clut
This problem was introduced in commit 4b90dcb8493552c17a811c8b1e6538dae4061f9d.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/dvbsubdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index a4663d997f..08f6a9bf85 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -810,7 +810,7 @@ static void compute_default_clut(AVSubtitleRect *rect, int w, int h)
 list_inv[ i ] = bestv;
 }
- count = i - 1;
+ count = FFMAX(i - 1, 1);
 for (i--; i>=0; i--) {
 int v = i*255/count;
 AV_WN32(rect->data[1] + 4*list_inv[i], RGBA(v/2,v,v/2,v));
From 3047b0a4a3e749e62e413f8fc96ae2e9fe228477 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Tue, 8 Nov 2016 23:29:28 +0100
Subject: [PATCH 207/942] icodec: correctly check avio_read return value
It can read less than the requested amount, in which case buf contains uninitialized data, causing problems like segmentation faults later on.
Also make sure that image->size is positive, so that it can't match a negative error code.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
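Review bot: `count = FFMAX(i - 1, 1)` removes the zero divisor in `i*255/count` when the list holds exactly one entry, but it also pins that lone entry to `v = 0` (index 0 over count 1) rather than, say, full intensity; whichever shade is intended should be stated, e.g. `/* a single-entry list would give count == 0; clamp so v = i*255/count is defined (the lone entry maps to 0) */`. The clamp sits two lines away from the division it protects, so the comment belongs on the assignment. compute_default_clut starts and ends outside this hunk.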
Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index ca1fa78cbc..20721d5ff5 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -105,6 +105,10 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 5); ico->images[i].size = avio_rl32(pb); + if (ico->images[i].size <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); + return AVERROR_INVALIDDATA; + } ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) @@ -170,9 +174,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) bytestream_put_le16(&buf, 0); bytestream_put_le32(&buf, 0); - if ((ret = avio_read(pb, buf, image->size)) < 0) { + if ((ret = avio_read(pb, buf, image->size)) != image->size) { av_packet_unref(pkt); - return ret; + return ret < 0 ? ret : AVERROR_INVALIDDATA; } st->codec->bits_per_coded_sample = AV_RL16(buf + 14); From 69673d02790f7917d11055236ecfa20c9ff8771a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 10 Nov 2016 22:09:03 +0100 Subject: [PATCH 208/942] smvjpegdec: make sure cur_frame is not negative This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c) Signed-off-by: Andreas Cadhalpun --- libavcodec/smvjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 9057e86161..e319e5781b 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c 
@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz cur_frame = avpkt->pts % s->frames_per_jpeg; + /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */ + if (cur_frame < 0) + cur_frame += s->frames_per_jpeg; + /* Are we at the start of a block? */ if (!cur_frame) { av_frame_unref(mjpeg_data); From b32c9941a21ef44b95489c878b4f6a40c077eb47 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 01:09:35 +0100 Subject: [PATCH 209/942] pnmdec: make sure v is capped by maxval Otherwise put_bits can be called with a value that doesn't fit in the sample_len, causing an assertion failure. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80) Signed-off-by: Andreas Cadhalpun --- libavcodec/pnmdec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index d4261a4530..4e2045d2b3 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -43,7 +43,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, int buf_size = avpkt->size; PNMContext * const s = avctx->priv_data; AVFrame * const p = data; - int i, j, n, linesize, h, upgrade = 0, is_mono = 0; + int i, j, k, n, linesize, h, upgrade = 0, is_mono = 0; unsigned char *ptr; int components, sample_len, ret; @@ -143,10 +143,14 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, v = (*s->bytestream++)&1; } else { /* read a sequence of digits */ - do { + for (k = 0; k < 5 && c <= 9; k += 1) { v = 10*v + c; c = (*s->bytestream++) - '0'; - } while (c <= 9); + } + if (v > s->maxval) { + av_log(avctx, AV_LOG_ERROR, "value %d larger than maxval %d\n", v, s->maxval); + return AVERROR_INVALIDDATA; + } } if (sample_len == 16) { ((uint16_t*)ptr)[j] = (((1<maxval>>1))/s->maxval; From e93934e100d41ddb08bb85bf9023ee1716d78718 Mon Sep 17 00:00:00 2001 
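Review bot: The rewritten digit loop `for (k = 0; k < 5 && c <= 9; k += 1)` stops after five digits even when the next character is still a digit; that sixth digit has already been consumed into `c` and is presumably then treated by the following code as if it were a separator, so an over-long token is silently mis-parsed rather than rejected. Adding `if (c <= 9) return AVERROR_INVALIDDATA;` after the loop (or folding it into the new `v > s->maxval` check) makes the five-digit limit explicit. `k += 1` is also conventionally written `k++` in this file. The type of `c`, and whether the wrap-around of `*s->bytestream++ - '0'` for non-digits is relied on for loop exit, are not visible in the hunk. pnm_decode_frame starts and ends outside the hunk.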
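Review bot: The new `cur_frame += s->frames_per_jpeg` correctly folds a negative remainder — from a negative pts or from AV_NOPTS_VALUE, which is INT64_MIN — back into range, since C's `%` keeps the sign of the dividend; a comment saying exactly that, `/* pts may be negative or AV_NOPTS_VALUE; % keeps the dividend's sign, so normalise into [0, frames_per_jpeg) */`, would replace the vaguer one added. The `%` on the line above still divides by `s->frames_per_jpeg`; unless decode_init rejects 0, a zero value faults here, and that validation is not visible in this hunk. smvjpeg_decode_frame starts and ends outside the hunk.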
From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 18:22:12 +0100 Subject: [PATCH 210/942] filmstripdec: correctly check image dimensions This prevents a division by zero in read_packet. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60) Signed-off-by: Andreas Cadhalpun --- libavformat/filmstripdec.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/filmstripdec.c b/libavformat/filmstripdec.c index cdbb93b11a..b28854fa5e 100644 --- a/libavformat/filmstripdec.c +++ b/libavformat/filmstripdec.c @@ -25,6 +25,7 @@ */ #include "libavutil/intreadwrite.h" +#include "libavutil/imgutils.h" #include "avformat.h" #include "internal.h" @@ -68,10 +69,8 @@ static int read_header(AVFormatContext *s) st->codec->height = avio_rb16(pb); film->leading = avio_rb16(pb); - if (st->codec->width * 4LL * st->codec->height >= INT_MAX) { - av_log(s, AV_LOG_ERROR, "dimensions too large\n"); - return AVERROR_PATCHWELCOME; - } + if (av_image_check_size(st->codec->width, st->codec->height, 0, s) < 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 64, 1, avio_rb16(pb)); From 48496e4d4fadd01ff3ce45d2540e8cf75ac5cd89 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 20:52:02 +0100 Subject: [PATCH 211/942] softfloat: handle -INT_MAX correctly This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d) Signed-off-by: Andreas Cadhalpun --- libavutil/softfloat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 4b895f014b..df3fc798d7 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h 
@@ -155,7 +155,7 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; - if(v == INT_MIN){ + if(v <= INT_MIN + 1){ exp_offset = 1; v>>=1; } From 57665e04e22a201d3c56072532c15ce6ba71353a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 22:59:47 +0100 Subject: [PATCH 212/942] libschroedingerdec: don't produce empty frames They are not valid and can cause problems/crashes for API users. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b) Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index 152cbe7d47..fe20e9c613 100644 --- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -307,7 +307,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, /* Grab next frame to be returned from the top of the queue. */ framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); - if (framewithpts && framewithpts->frame) { + if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { int ret; if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0) From 4ffd5805af4a8734d238e561daa63c7b3be5eedb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Nov 2016 23:10:06 +0100 Subject: [PATCH 213/942] libschroedingerdec: fix leaking of framewithpts Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e) Signed-off-by: Andreas Cadhalpun --- libavcodec/libschroedingerdec.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/libschroedingerdec.c b/libavcodec/libschroedingerdec.c index fe20e9c613..471077b2fe 100644 
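Review bot: The widened condition `if(v <= INT_MIN + 1){` carries no comment explaining why INT_MIN + 1 needs the same pre-shift as INT_MIN, so the next reader will see it as an off-by-one against the old `v == INT_MIN`. A one-line comment such as `/* INT_MIN and INT_MIN + 1 cannot survive the normalisation below; halve them first */` (the normalisation itself is outside the hunk, so confirm the wording) keeps the rationale with the code. The `v>>=1` on a negative value relies on an arithmetic right shift, which the C standard leaves implementation-defined; FFmpeg relies on that elsewhere, but the same comment is the place to say so.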
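Review bot: A popped frame whose `components[0].stride` is 0 is now dropped silently: the `else` branch (outside the hunk) only clears `*got_frame`, so a caller cannot distinguish a rejected frame from a legitimately empty queue. An `av_log(avctx, AV_LOG_WARNING, "dropping frame with zero stride\n");` on that path would make the condition visible when a stream triggers it. libschroedinger_decode_frame continues outside the hunk.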
--- a/libavcodec/libschroedingerdec.c +++ b/libavcodec/libschroedingerdec.c @@ -218,6 +218,7 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, int outer = 1; SchroParseUnitContext parse_ctx; LibSchroFrameContext *framewithpts = NULL; + int ret; *got_frame = 0; @@ -308,10 +309,9 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, framewithpts = ff_schro_queue_pop(&p_schro_params->dec_frame_queue); if (framewithpts && framewithpts->frame && framewithpts->frame->components[0].stride) { - int ret; if ((ret = ff_get_buffer(avctx, avframe, 0)) < 0) - return ret; + goto end; memcpy(avframe->data[0], framewithpts->frame->components[0].data, @@ -332,15 +332,17 @@ static int libschroedinger_decode_frame(AVCodecContext *avctx, avframe->linesize[2] = framewithpts->frame->components[2].stride; *got_frame = 1; - - /* Now free the frame resources. */ - libschroedinger_decode_frame_free(framewithpts->frame); - av_free(framewithpts); } else { data = NULL; *got_frame = 0; } - return buf_size; + ret = buf_size; +end: + /* Now free the frame resources. */ + if (framewithpts && framewithpts->frame) + libschroedinger_decode_frame_free(framewithpts->frame); + av_freep(&framewithpts); + return ret; } From 1c282152c1c7ca23c388ecb04e9997030fbba19a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 17 Nov 2016 22:53:51 +0100 Subject: [PATCH 214/942] mxfdec: fix NULL pointer dereference in mxf_read_packet_old Metadata streams have priv_data set to NULL. Reviewed-by: Josh de Kock Signed-off-by: Andreas Cadhalpun (cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398) Signed-off-by: Andreas Cadhalpun --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9e505daff6..f214b36e3c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
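Review bot: The `end:` label now serves both the success path and the `ff_get_buffer` failure path (`goto end;` in the second hunk), but the comment above it, `/* Now free the frame resources. */`, still reads as if it only follows a successfully returned frame. `/* Release the popped frame on every path, including ff_get_buffer failure, and return ret. */` describes the new control flow. The guard `if (framewithpts && framewithpts->frame)` is what keeps the free safe when the pop returned nothing; the rest of libschroedinger_decode_frame is outside these hunks.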
@@ -3012,7 +3012,7 @@ static int mxf_read_packet_old(AVFormatContext *s, AVPacket *pkt) if (mxf->nb_index_tables >= 1 && mxf->current_edit_unit < t->nb_ptses) { pkt->dts = mxf->current_edit_unit + t->first_dts; pkt->pts = t->ptses[mxf->current_edit_unit]; - } else if (track->intra_only) { + } else if (track && track->intra_only) { /* intra-only -> PTS = EditUnit. * let utils.c figure out DTS since it can be < PTS if low_delay = 0 (Sony IMX30) */ pkt->pts = mxf->current_edit_unit; From 48d24cca1308d7cc78aa99827b5449a8577a68a2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Nov 2016 14:21:11 +0100 Subject: [PATCH 215/942] smacker: limit recursion depth of smacker_decode_bigtree This fixes segmentation faults due to stack-overflow caused by too deep recursion. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e) Signed-off-by: Andreas Cadhalpun --- libavcodec/smacker.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 4014e8d04c..8dc474c42e 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -131,8 +131,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref /** * Decode header tree */ -static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx) +static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length) { + if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion. + av_log(NULL, AV_LOG_ERROR, "length too long\n"); + return AVERROR_INVALIDDATA; + } if (hc->current + 1 >= hc->length) { av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; 
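Review bot: The new `track && ` guard is the only place in the hunk that tolerates a NULL `track`, and nothing in the code records why it can be NULL; the commit message says metadata streams have `priv_data` set to NULL, which belongs next to the check: `} else if (track && track->intra_only) { /* track is NULL for metadata streams (no priv_data) */`. If `track` is dereferenced earlier in mxf_read_packet_old (the function starts outside the hunk), the crash would only move rather than disappear, so that is worth verifying.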
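Review bot: The recursion cap `if(length > 500) {` is a bare magic number, and the new `length` parameter is not described in the `Decode header tree` comment directly above the signature. A file-scope constant, e.g. `#define SMKTREE_DECODE_BIG_MAX_RECURSION 500` (name suggested, not on the page), plus a `@param length current recursion depth, 0 at the top-level call` line would tie together this check, the two `length + 1` recursive calls in the next hunk and the `, 0)` at the smacker_decode_header_tree call site in the third. The same limit governs all three hunks of this patch, so the note is not repeated there.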
@@ -161,12 +165,12 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx int r = 0, r_new, t; t = hc->current++; - r = smacker_decode_bigtree(gb, hc, ctx); + r = smacker_decode_bigtree(gb, hc, ctx, length + 1); if(r < 0) return r; hc->values[t] = SMK_NODE | r; r++; - r_new = smacker_decode_bigtree(gb, hc, ctx); + r_new = smacker_decode_bigtree(gb, hc, ctx, length + 1); if (r_new < 0) return r_new; return r + r_new; @@ -277,7 +281,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int goto error; } - if (smacker_decode_bigtree(gb, &huff, &ctx) < 0) + if (smacker_decode_bigtree(gb, &huff, &ctx, 0) < 0) err = -1; skip_bits1(gb); if(ctx.last[0] == -1) ctx.last[0] = huff.current++; From 80b85300ae0b8c6c1bb813a4390d94e3ea87b1da Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 10 Nov 2016 22:21:20 +0100 Subject: [PATCH 216/942] sbgdec: prevent NULL pointer access Reviewed-by: Josh de Kock Signed-off-by: Andreas Cadhalpun (cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07) Signed-off-by: Andreas Cadhalpun --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 03cd9226c9..659dfc81ff 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -927,7 +927,7 @@ static void expand_timestamps(void *log, struct sbg_script *s) } } if (s->start_ts == AV_NOPTS_VALUE) - s->start_ts = s->opt_start_at_first ? s->tseq[0].ts.t : now; + s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : now; s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration : AV_NOPTS_VALUE; /* may be overridden later by -E option */ cur_ts = now; From 5d2f1ffef1f26e4d66c8e63ab1101da179af11e6 Mon Sep 17 00:00:00 2001 
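Review bot: `(s->opt_start_at_first && s->tseq)` tests the array pointer and then reads `s->tseq[0]`, so it only helps if an empty script always leaves `tseq` NULL; if the script struct also carries an element count for `tseq` (not visible here), testing that count is the precise condition, since an allocated-but-empty array would still be indexed. Something like `s->start_ts = (s->opt_start_at_first && s->nb_tseq > 0) ? s->tseq[0].ts.t : now;` (field name assumed, confirm against the struct) makes the intent explicit. expand_timestamps starts outside the hunk.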
From: Andreas Cadhalpun Date: Wed, 9 Nov 2016 23:23:16 +0100 Subject: [PATCH 217/942] pgssubdec: only set w/h/linesize when allocating data Rects with positive w/h/linesize but no data are invalid. Reviewed-by: Petri Hintukainen Signed-off-by: Andreas Cadhalpun (cherry picked from commit 995512328ed84bb737bc364e4ef6fba1994f062a) Signed-off-by: Andreas Cadhalpun --- libavcodec/pgssubdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 133d08bfa7..5174d89190 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -558,12 +558,13 @@ static int display_end_segment(AVCodecContext *avctx, void *data, sub->rects[i]->x = ctx->presentation.objects[i].x; sub->rects[i]->y = ctx->presentation.objects[i].y; - sub->rects[i]->w = object->w; - sub->rects[i]->h = object->h; - - sub->rects[i]->linesize[0] = object->w; if (object->rle) { + sub->rects[i]->w = object->w; + sub->rects[i]->h = object->h; + + sub->rects[i]->linesize[0] = object->w; + if (object->rle_remaining_len) { av_log(avctx, AV_LOG_ERROR, "RLE data length %u is %u bytes shorter than expected\n", object->rle_data_len, object->rle_remaining_len); From dbad79248704d4b7cfcabbe46a734c51c1ada9a0 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 14 Nov 2016 21:41:45 +0100 Subject: [PATCH 218/942] libopusdec: default to stereo for invalid number of channels This fixes an out-of-bounds read if avc->channels is 0. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3) Signed-off-by: Andreas Cadhalpun --- libavcodec/libopusdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index 1e97604181..7dff9c16b7 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c 
@@ -47,6 +47,13 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled; uint8_t mapping_arr[8] = { 0, 1 }, *mapping; + avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_WARNING, + "Invalid number of channels %d, defaulting to stereo\n", avc->channels); + avc->channels = 2; + } + avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; From 88bf1d2749624cf78be0c5a5d74c169ad16ba99c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 25 Nov 2016 00:26:51 +0100 Subject: [PATCH 219/942] softfloat: decrease MIN_EXP to cover full float range floats are not necessarily normalized, so a normalized softfloat needs MIN_EXP lowered by 23 to cover that range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e) Signed-off-by: Andreas Cadhalpun --- libavutil/softfloat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index df3fc798d7..35fd703fbe 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -27,7 +27,7 @@ #include "avassert.h" #include "softfloat_tables.h" -#define MIN_EXP -126 +#define MIN_EXP -149 #define MAX_EXP 126 #define ONE_BITS 29 From 0496403c08ab35b20490a48aa9e3fdbd4d3bf27d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 23:57:46 +0100 Subject: [PATCH 220/942] mss2: only use error correction for matching block counts This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with coded_width/coded_height larger than width/height. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348) 
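Review bot: The nested ternary `avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2;` is hard to read, and the new `<= 0` check can only ever fire for `extradata[9] == 0`, because a byte cannot be negative and the fallback branch yields 1 or 2. Splitting it into `if (avc->extradata_size >= 10) avc->channels = avc->extradata[9]; else avc->channels = (avc->channels == 1) ? 1 : 2;` followed by the existing check says what is actually guarded. Whether counts above 2 with mapping family 0, or above the 8 entries of `mapping_arr`, are rejected depends on code below the hunk; libopus_decode_init continues outside it.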
Signed-off-by: Andreas Cadhalpun --- libavcodec/mss2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index c640934986..cf325470b9 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -422,7 +422,13 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, ff_vc1_decode_blocks(v); - ff_er_frame_end(&s->er); + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { + ff_er_frame_end(&s->er); + } else { + av_log(v->s.avctx, AV_LOG_WARNING, + "disabling error correction due to block count mismatch %dx%d != %dx%d\n", + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); + } ff_mpv_frame_end(s); From 45b18fbb9a7729c91d69d6359a782a0135b5f2b8 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 19 Oct 2016 23:40:41 +0200 Subject: [PATCH 221/942] rsd: limit number of channels Negative values don't make sense and too large values can cause overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata buffer being allocated, causing out-of-bounds writes. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ee5f0f1d355fa0fd9194ac97a2c8598c93ed328b) Signed-off-by: Andreas Cadhalpun --- libavformat/rsd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index dd1f3723d0..c773c0aa9e 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -84,8 +84,10 @@ static int rsd_read_header(AVFormatContext *s) } codec->channels = avio_rl32(pb); - if (!codec->channels) + if (codec->channels <= 0 || codec->channels > INT_MAX / 36) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", codec->channels); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // Bit depth codec->sample_rate = avio_rl32(pb); From e8ab2bd2ac85ad0b1013f247d35032b7cd7f771e Mon Sep 17 00:00:00 2001 
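Review bot: The warning in the new `else` branch logs through `v->s.avctx` although decode_wmv9 already receives `avctx` as its first parameter (visible in the hunk header); `av_log(avctx, AV_LOG_WARNING, ...)` is the simpler and consistent form. The mismatch test mixes `v->end_mb_x` with `s->end_mb_y`, which reads like a typo if the two counters live in different structs as the access paths suggest; a short comment, `/* end_mb_x and end_mb_y are kept in different contexts; both are compared on purpose */` (confirm against the struct definitions), would stop a later reader from "fixing" it. decode_wmv9 continues outside the hunk.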
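Review bot: The upper bound `codec->channels > INT_MAX / 36` encodes a per-channel size as a bare 36 with nothing in the hunk saying where it comes from; the commit message ties it to the AV_CODEC_ID_ADPCM_THP extradata allocation, which happens outside the hunk. A comment on the check, `/* 36: per-channel extradata size allocated for ADPCM_THP below; keep in sync */` (wording assumed), or deriving the limit from the same constant the allocation uses, keeps the two from drifting apart. rsd_read_header continues outside the hunk.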
From: Andreas Cadhalpun Date: Thu, 20 Oct 2016 20:13:54 +0200 Subject: [PATCH 222/942] dcstr: fix division by zero Also check for possible overflows. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit b0a043f51b8cc3b420dc3ceaa38fe9aa344799aa) Signed-off-by: Andreas Cadhalpun --- libavformat/dcstr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 2ae61dec85..e9714e504f 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -33,6 +33,7 @@ static int dcstr_probe(AVProbeData *p) static int dcstr_read_header(AVFormatContext *s) { unsigned codec, align; + int mult; AVStream *st; st = avformat_new_stream(s, NULL); @@ -46,7 +47,12 @@ static int dcstr_read_header(AVFormatContext *s) align = avio_rl32(s->pb); avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); - st->codec->channels *= avio_rl32(s->pb); + mult = avio_rl32(s->pb); + if (st->codec->channels <= 0 || mult <= 0 || mult > INT_MAX / st->codec->channels) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d x %d\n", st->codec->channels, mult); + return AVERROR_INVALIDDATA; + } + st->codec->channels *= mult; if (!align || align > INT_MAX / st->codec->channels) return AVERROR_INVALIDDATA; st->codec->block_align = align * st->codec->channels; From 9375a7d85e8bc78dbb5cc101c37ff7c51f7d9b24 Mon Sep 17 00:00:00 2001 From: Mark Harris Date: Mon, 15 Feb 2016 23:52:13 -0800 Subject: [PATCH 223/942] avformat/icodec: Fix crash probing fuzzed file Avoid invalid memory read/crash when frame offset >= 0xfffffff8. Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w== (The previous commit verifies that p->buf_size >= 22.) Signed-off-by: Michael Niedermayer (cherry picked from commit 56e2cd9c042e05255aa28487694c29aaec023263) Signed-off-by: Andreas Cadhalpun --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
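Review bot: `mult` is declared `int` in the first hunk and filled from `avio_rl32`, which returns an unsigned 32-bit value, so inputs at or above 2^31 only reach `mult <= 0` through an implementation-defined conversion; the sibling locals in the same function, `unsigned codec, align;`, already use the unsigned type, and `align` is checked the same way two lines below. Declaring `unsigned mult;` and testing `mult == 0 || mult > INT_MAX / st->codec->channels` (with `%u` in the log) makes the check independent of that conversion, and the product still fits because `channels` is known positive at that point. Both hunks belong to dcstr_read_header.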
diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 20721d5ff5..bd83ef4c95 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -60,7 +60,7 @@ static int probe(AVProbeData *p) offset = AV_RL32(p->buf + 18 + i * 16); if (offset < 22) return FFMIN(i, AVPROBE_SCORE_MAX / 4); - if (offset + 8 > p->buf_size) + if (offset > p->buf_size - 8) return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1); if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG) return FFMIN(i, AVPROBE_SCORE_MAX / 4); From 86f5b73429d8c19bc80399548e0e9a8dc8ee7cf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 13:40:18 +0200 Subject: [PATCH 224/942] avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() Signed-off-by: Michael Niedermayer (cherry picked from commit 4f96f9d1118e073d346d16be157fa5075434e7f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5d5190002e..b1bc789792 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -957,6 +957,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -969,6 +970,7 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, if (ret) ret[i] = r; } + emms_c(); return 0; } From 9128ef0302084ab5e7d87ed5fbe95846eda8d8d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 14:05:00 +0200 Subject: [PATCH 225/942] avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() This function must be called from the mb or slice encoding loop and MMX state may not be clean there Signed-off-by: Michael Niedermayer (cherry picked from commit 03ec6b780cfae85b8bf0f32b2eda201063ad061b) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) 
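Review bot: `if (offset > p->buf_size - 8)` is only safe because `p->buf_size >= 22` is established earlier, as the commit message says a previous commit verifies; nothing in the hunk records that, and if the guard is ever relaxed the subtraction goes negative and, with an unsigned `offset` (AV_RL32 yields one; the variable's declaration is not visible), the check passes for any value. A comment on the line, `/* buf_size >= 22 is checked above, so buf_size - 8 cannot go negative */`, documents the dependency. probe starts outside the hunk.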
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 297ff78840..4af65a6c95 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2912,6 +2912,8 @@ int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t s return AVERROR(ENOMEM); } + emms_c(); + av_fast_padded_malloc(&new_buffer, &new_buffer_size, s->avctx->internal->byte_buffer_size + size_increase); if (!new_buffer) From bab7d72d46458061065a41536611793b9a53fa5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 19:45:21 +0200 Subject: [PATCH 226/942] avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() Signed-off-by: Michael Niedermayer (cherry picked from commit fecb3e82a4ba09dc11a51ad0961ab491881a53a1) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f214b36e3c..173a769ada 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -826,7 +826,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i int ret; size_t buf_size; - if (size < 0) + if (size < 0 || size > INT_MAX/2) return AVERROR(EINVAL); buf_size = size + size / 2 + 1; From d54aa2de176119f49d3491be8b8fe7ad7848577f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Oct 2016 03:51:17 +0200 Subject: [PATCH 227/942] avcodec/interplayvideo: Check side data size before use Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit 85d23e5cbc9ad6835eef870a5b4247de78febe56) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 1460741a53..3c3212e1fe 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c 
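Review bot: The new bound `size > INT_MAX/2` keeps `size + size / 2 + 1` from overflowing, but that sum is still evaluated in `int` before it is stored into the `size_t buf_size`, and the 3/2 ratio (UTF-16 input growing to at most 1.5x in UTF-8, presumably) is undocumented. `buf_size = (size_t)size + size / 2 + 1;` plus a comment on the `INT_MAX/2` limit naming the growth factor would make both explicit. mxf_read_utf16_string continues outside the hunk.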
@@ -1012,10 +1012,13 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, return ret; if (!s->is_16bpp) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From 642cd5de4de6c94877601078fad5474a45d36630 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 14 Oct 2016 13:01:27 -0400 Subject: [PATCH 228/942] vp9: change order of operations in adapt_prob(). This is intended to workaround bug "665 Integer Divide Instruction May Cause Unpredictable Behavior" on some early AMD CPUs, which causes a div-by-zero in this codepath, such as reported in Mozilla bug #1293996. Note that this isn't guaranteed to fix the bug, since a compiler is free to reorder instructions that don't depend on each other. However, it appears to fix the bug in Firefox, and a similar patch was applied to libvpx also (see Chrome bug #599899). (cherry picked from commit be885da3427c5d9a6fa68229d16318afffe67193) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 5d8ad12b21..c9d76907a1 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c 
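Review bot: The wrong-size case in `} else if (pal) { av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); }` only logs and then lets the frame go out with whatever `s->pal` held before, so a malformed palette is reported at ERROR level while decoding carries on as if nothing happened; if that leniency is intended, a comment saying so would stop the log level from looking like a forgotten `return AVERROR_INVALIDDATA;`, and honouring `avctx->err_recognition & AV_EF_EXPLODE` is the usual way to let strict callers opt into failing. `size` is only meaningful when `pal` is non-NULL, which the `pal &&` short-circuit handles. The identical pattern appears in the 8bps, cinepak, idcinvideo, kmvc, msrle, qtrle, qpeg, msvideo1 and tscc hunks of this series, where some name the variable `size` and others `pal_size`; picking one name would keep them consistent.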
@@ -3703,11 +3703,10 @@ static av_always_inline void adapt_prob(uint8_t *p, unsigned ct0, unsigned ct1, if (!ct) return; + update_factor = FASTDIV(update_factor * FFMIN(ct, max_count), max_count); p1 = *p; - p2 = ((ct0 << 8) + (ct >> 1)) / ct; + p2 = ((((int64_t) ct0) << 8) + (ct >> 1)) / ct; p2 = av_clip(p2, 1, 255); - ct = FFMIN(ct, max_count); - update_factor = FASTDIV(update_factor * ct, max_count); // (p1 * (256 - update_factor) + p2 * update_factor + 128) >> 8 *p = p1 + (((p2 - p1) * update_factor + 128) >> 8); From 8cca6b06ec6c47977855aa8282e1cf089ec9a3e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2016 16:29:57 +0200 Subject: [PATCH 229/942] avcodec/dvdsubdec: Fix buf_size check Fixes out of array access Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit 25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 19f25f0e60..783a24fc1a 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -548,7 +548,8 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) { + av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf)); + if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); ctx->buf_size = 0; From 9ec40eacb1696933b507bf6860d149f0c25494b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2016 00:11:52 +0200 Subject: [PATCH 230/942] avcodec/dvdsubdec: Fix off by 1 error Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c) 
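Review bot: Moving `update_factor = FASTDIV(update_factor * FFMIN(ct, max_count), max_count);` above the division by `ct` exists only as an ordering workaround for an AMD integer-divide erratum, yet the code carries no comment about it, so a later cleanup can legitimately reorder the two statements and reintroduce the fault. A comment above the line, `/* Keep this division before the one by ct: workaround for AMD erratum 665 (Mozilla bug 1293996) */`, pins the intent in the source rather than only in the commit message. As the message itself notes, the compiler may still reorder independent statements, so this is best-effort; the `(int64_t)` widening on the `p2` line is independent of it. adapt_prob starts outside the hunk.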
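Review bot: `av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf));` aborts the process when either condition fails; `ctx->buf_size` is internal state, but `buf_size` is a parameter whose origin is not visible here, and if any caller derives it from packet data a crafted stream becomes a crash rather than a decode error. If `buf_size` can come from input, `if (buf_size < 0) return AVERROR_INVALIDDATA;` belongs before the assert, leaving the assert to cover only the internal invariant. The assert is also what makes the mixed signed/unsigned comparison on the next line well-defined, which deserves a one-line comment. append_to_cached_buf starts outside the hunk.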
Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 783a24fc1a..4ae63b40ac 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -185,7 +185,7 @@ static void guess_palette(DVDSubContext* ctx, for(i = 0; i < 4; i++) { if (alpha[i] != 0) { if (!color_used[colormap[i]]) { - level = level_map[nb_opaque_colors][j]; + level = level_map[nb_opaque_colors - 1][j]; r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; From 35498718474f287eb6fa209b4f72756ecc66c32c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 13:44:52 +0100 Subject: [PATCH 231/942] avcodec/8bps: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 2e4464dbb4..14f7bd5bf6 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -120,12 +120,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (avctx->bits_per_coded_sample <= 8) { + int size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); - if (pal) { + &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy (frame->data[1], c->pal, AVPALETTE_SIZE); From 9cab9b878fd40add15422cbe4d51b60cf2d319ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 13:47:38 +0100 Subject: [PATCH 232/942] avcodec/cinepak: Check side data size before use Fixes out of array read 
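Review bot: `level_map[nb_opaque_colors - 1][j]` fixes the off-by-one on the high side but indexes row -1 if `nb_opaque_colors` is 0 when this branch runs. If `nb_opaque_colors` is the count of entries with `alpha[i] != 0` (as its name suggests; its computation is outside the hunk), the enclosing `if (alpha[i] != 0)` guarantees a count of at least 1 here and the `- 1` is safe; that invariant is worth stating, e.g. `/* level_map rows are indexed by nb_opaque_colors - 1; >= 1 inside the alpha[i] != 0 branch */`. guess_palette starts outside the hunk.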
Signed-off-by: Michael Niedermayer (cherry picked from commit 121be310607879841d19a34d9f16d4fe9ba7f18c) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index f1a4656303..58c26dc69c 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -443,10 +443,13 @@ static int cinepak_decode_frame(AVCodecContext *avctx, return ret; if (s->palette_video) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From e0dd617ed7f681435546e9332629276618f21a9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 233/942] avcodec/idcinvideo: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8dde65947bfabf42269e124ef83ecf9c5974a) Signed-off-by: Michael Niedermayer --- libavcodec/idcinvideo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index 4a0a6fb6c0..014a3c3ed5 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -214,7 +214,8 @@ static int idcin_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; IdcinContext *s = avctx->priv_data; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); AVFrame *frame = data; int ret; 
@@ -227,9 +228,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, if (idcin_decode_vlcs(s, frame)) return AVERROR_INVALIDDATA; - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } /* make the palette available on the way out */ memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); From adc86ad32f047f7e219673648fe4eb84b4b44b70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 234/942] avcodec/kmvc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 2d99101d0964f754822fb4af121c4abc69047dba) Signed-off-by: Michael Niedermayer --- libavcodec/kmvc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 7acaba7d21..ffe6a142e9 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -268,7 +268,8 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, int i, ret; int header; int blocksize; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); bytestream2_init(&ctx->g, avpkt->data, avpkt->size); @@ -303,9 +304,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, } } - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(ctx->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } if (ctx->setpal) { From 136fc7084e161af1b645619beb66aa35a35f950d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 235/942] avcodec/msrle: Check side data size before use Fixes out of array read 
Signed-off-by: Michael Niedermayer (cherry picked from commit a6330119a099840c5279697cf80cb768df97a90a) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 3090a910c2..33b157bc75 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -99,11 +99,14 @@ static int msrle_decode_frame(AVCodecContext *avctx, return ret; if (avctx->bits_per_coded_sample > 1 && avctx->bits_per_coded_sample <= 8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available */ memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE); From 51aa6d09872da45099b06f05eff9aba83432d922 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 236/942] avcodec/qtrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 7d196f2a5a48faf25fd904b33b1fd239daae9840) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 3f482f4453..5745afc517 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c 
@@ -506,11 +506,14 @@ static int qtrle_decode_frame(AVCodecContext *avctx, } if(has_palette) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available on the way out */ From 1bc7215e8a4466e53ec0c54692fab2bd860db41e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 237/942] avcodec/qpeg: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 16793504dfba44e738655807db3274301b9bc690) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 9eaf9b8054..9bfecc3a31 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -260,7 +260,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame * const ref = a->ref; uint8_t* outdata; int delta, ret; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); if (avpkt->size < 0x86) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); @@ -287,9 +288,11 @@ static int decode_frame(AVCodecContext *avctx, } /* make the palette available on the way out */ - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { p->palette_has_changed = 1; memcpy(a->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } memcpy(p->data[1], a->pal, AVPALETTE_SIZE); From 7affe32738d84c4c47ece7ad1835ae733220751d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 238/942] avcodec/msvideo1: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 161ccdaa06d1d109e8f77d2535bda11ce02720f5) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 891675fcb0..0526505a96 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -306,11 +306,14 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, return ret; if (s->mode_8bit) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { memcpy(s->pal, pal, AVPALETTE_SIZE); s->frame->palette_has_changed = 1; + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From 8fd3293fa14866da1240d880b725ea171834eebc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 239/942] avcodec/rawdec: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 193a88fd33..f78190ea01 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c 
@@ -383,8 +383,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, } if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { + int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); + &pal_size); + if (pal_size != AVPALETTE_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); + pal = NULL; + } if (pal) { av_buffer_unref(&context->palette); From 4251dc6d7e7d6e3c0396ab7bdb9d3259112ed351 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 240/942] avcodec/tscc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576) Signed-off-by: Michael Niedermayer --- libavcodec/tscc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c index 8c5ec68cf4..3dd476aee5 100644 --- a/libavcodec/tscc.c +++ b/libavcodec/tscc.c @@ -99,11 +99,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* make the palette available on the way out */ if (c->avctx->pix_fmt == AV_PIX_FMT_PAL8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy(frame->data[1], c->pal, AVPALETTE_SIZE); } From bc63205ae2eb3ecb16a61118c125e214daa3384b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Nov 2016 19:24:49 +0100 Subject: [PATCH 241/942] avcodec/sunrast: Fix input buffer pointer check Fixes: out of array read Fixes: poc.dat Found-by: Bingchang, Liu @VARAS of IIE Tested-by: bc L 
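Review bot: `if (pal_size != AVPALETTE_SIZE)` reads `pal_size` even when no palette side data is attached, and in that case `av_packet_get_side_data()` appears not to write it (the follow-up "avcodec/rawdec: check for side data before checking its size" later in this series cites valgrind uninitialized-value warnings from this line), so the check can fail spuriously or pass on garbage. Test the pointer first: `if (pal && pal_size != AVPALETTE_SIZE) {`. raw_decode continues outside the hunk.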
Signed-off-by: Michael Niedermayer (cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 25e11f6cd2..0af5626e35 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -168,7 +168,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y = 0; y < h; y++) { - if (buf_end - buf < len) + if (buf_end - buf < alen) break; memcpy(ptr, buf, len); ptr += stride; From 083919e9c4595924cedb2f39db2f58f389794fd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 14:46:16 +0100 Subject: [PATCH 242/942] avcodec/movtextdec: Fix potential integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 28f7b8f5be..9c4195342f 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -491,7 +491,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->size_var = 8; //size_var is equal to 8 or 16 depending on the size of box - if (m->tracksize + tsmb_size > avpkt->size) + if (tsmb_size > avpkt->size - m->tracksize) break; for (size_t i = 0; i < box_count; i++) { From 3f9a24f06d5df3c52c7cec0e29ab273946388992 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 14:52:21 +0100 Subject: [PATCH 243/942] avcodec/movtextdec: Fix tsmb_size check==0 check Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a609905723c01e356d35146425c3d45c090aae7b) 
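Review bot: `if (buf_end - buf < alen)` now bounds the row advance, but the `memcpy(ptr, buf, len)` right after it still relies on `alen >= len`, which is established outside the hunk (presumably alen is the padded row length). A comment at the check, `/* alen is the padded row length (alen >= len), so this also bounds the memcpy */`, or an `av_assert1(alen >= len)` where both are computed, would make that invariant visible. sunrast_decode_frame starts and ends outside the hunk.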
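Review bot: `if (tsmb_size > avpkt->size - m->tracksize)` only avoids the overflow if `m->tracksize <= avpkt->size` holds at this point; if tracksize exceeded the packet size the int difference would be negative and, since the neighbouring `tsmb_size == 1` extended-size handling suggests tsmb_size is an unsigned 64-bit value, the comparison would convert that negative int to a huge unsigned and the bound check would pass. I assume the enclosing loop condition guarantees the relation, but it is outside the hunk; a comment `// tracksize <= avpkt->size is guaranteed by the loop condition` would tie the two together. mov_text_decode_frame starts and ends outside the hunk.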
Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 9c4195342f..3faebb3aca 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -477,10 +477,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx, tsmb_type = AV_RB32(tsmb); tsmb += 4; - if (tsmb_size == 0) { - return AVERROR_INVALIDDATA; - } - if (tsmb_size == 1) { if (m->tracksize + 16 > avpkt->size) break; @@ -491,6 +487,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->size_var = 8; //size_var is equal to 8 or 16 depending on the size of box + if (tsmb_size == 0) { + return AVERROR_INVALIDDATA; + } + if (tsmb_size > avpkt->size - m->tracksize) break; From 27fbf8f110f618725b1efe50b2d56f3de27f96d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 14:54:47 +0100 Subject: [PATCH 244/942] avcodec/movtextdec: Add error message for tsmb_size check Signed-off-by: Michael Niedermayer (cherry picked from commit 0eb319800567b79ca6b4cf0d90904318641b9e50) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 3faebb3aca..775c63e72c 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -488,6 +488,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx, //size_var is equal to 8 or 16 depending on the size of box if (tsmb_size == 0) { + av_log(avctx, AV_LOG_ERROR, "tsmb_size is 0\n"); return AVERROR_INVALIDDATA; } From 8ad4e1c1cb74294b58bccb58c54e5e0ee2b6f297 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 18:05:33 +0100 Subject: [PATCH 245/942] avcodec/ituh263dec: Avoid spending a long time in slice sync Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 2e449f8eeb..42ec1f61cf 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -167,6 +167,7 @@ static int h263_decode_gob_header(MpegEncContext *s) /* We have a GBSC probably with GSTUFF */ skip_bits(&s->gb, 16); /* Drop the zeros */ left= get_bits_left(&s->gb); + left = FFMIN(left, 32); //MN: we must check the bits left or we might end in a infinite loop (or segfault) for(;left>13; left--){ if(get_bits1(&s->gb)) break; /* Seek the '1' bit */ From 63caf18787d569fb4ba85ea4790134d2503fabef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 22:50:35 +0100 Subject: [PATCH 246/942] avcodec/rv40: Test remaining space in loop of get_dimension() Fixes infinite loop Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf) Signed-off-by: Michael Niedermayer --- libavcodec/rv40.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 3ff1554d3c..c52e06d4c9 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -109,6 +109,8 @@ static int get_dimension(GetBitContext *gb, const int *dim) val = dim[get_bits1(gb) - val]; if(!val){ do{ + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; t = get_bits(gb, 8); val += t << 2; }while(t == 0xFF); From 2caee48576871d54bf436a20e91fd81d61033cf4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 20:06:42 +0100 Subject: [PATCH 247/942] avformat/mpeg: Adjust vid probe threshold to correct mis-detection Fixes: _ij.mp3 
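Review bot: `left = FFMIN(left, 32);` introduces a magic bound, and the adjacent `//MN:` comment explains the pre-existing bits-left check rather than why 32 is a sufficient scan window for the stuffing-terminating '1' bit. A comment on the new line, `/* bound the scan so a corrupt stream cannot keep us looping over the whole packet */`, would record the intent. h263_decode_gob_header continues outside the hunk.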
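Review bot: `return AVERROR_INVALIDDATA;` gives get_dimension() a negative return for the first time, and its callers are outside the hunk; unless each one tests for a negative result, the error code flows into a width or height as if it were a dimension. Please confirm the callers check `< 0` and note the new contract in the function's comment, e.g. `/* returns the decoded dimension, or AVERROR_INVALIDDATA if the bitstream ends inside the extension bytes */`. get_dimension continues outside the hunk.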
Signed-off-by: Michael Niedermayer (cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 69685cf890..f937fa13ac 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -112,7 +112,7 @@ static int mpegps_probe(AVProbeData *p) : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg if ((!!vid ^ !!audio) && (audio > 4 || vid > 1) && !sys && !pspack && p->buf_size > 2048 && vid + audio > invalid) /* PES stream */ - return (audio > 12 || vid > 3 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 + return (audio > 12 || vid > 6 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 02-Penguin.flac has sys:0 priv1:0 pspack:0 vid:0 audio:1 From ff01dbb6ec88285d11fb87be109007f398cb0e56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Nov 2016 02:58:34 +0100 Subject: [PATCH 248/942] avformat/idroqdec: Check chunk_size for being too large Signed-off-by: Michael Niedermayer (cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d) Signed-off-by: Michael Niedermayer --- libavformat/idroqdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index 76bb3924b1..d733953a04 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s, chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size; + if (chunk_size > INT_MAX) + return AVERROR_INVALIDDATA; + /* rewind */ avio_seek(pb, codebook_offset, SEEK_SET); From 6bee6ef0c2ec264b5362d59d8541849653d2456d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Nov 2016 15:29:52 +0100 Subject: [PATCH 249/942] avcodec/flac_parser: Update nb_headers_buffered Fixes infinite loop Fixes: fuzz.flac Found-by: Frank Liberato Reviewed-by: Frank Liberato 
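Review bot: `if (chunk_size > INT_MAX)` is only meaningful if chunk_size is wider than int; its declaration is outside the hunk, and if it were an `int` the `AV_RL32(...)` plus two int additions would already have wrapped before the comparison. A comment at the check, `/* chunk_size is 64-bit; reject values that cannot be used as an int size downstream */`, would make the assumption explicit — please confirm the type. roq_read_packet starts and ends outside the hunk.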
Signed-off-by: Michael Niedermayer (cherry picked from commit 2475858889cde6221677473b663df6f985add33d) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 183fe6e5c9..6df531b7b3 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -586,10 +586,12 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, temp = curr->next; av_freep(&curr->link_penalty); av_free(curr); + fpc->nb_headers_buffered--; } fpc->headers = fpc->best_header->next; av_freep(&fpc->best_header->link_penalty); av_freep(&fpc->best_header); + fpc->nb_headers_buffered--; } /* Find and score new headers. */ From 66e8f87ebc7897d0b7a92ff748c53481e990a670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 03:02:41 +0100 Subject: [PATCH 250/942] avformat/utils: Check start/end before computing duration in update_stream_timings() Fixes undefined behavior Fixes: 637428.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 47e76ec7a2..d368f0a8ab 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2402,11 +2402,14 @@ static void update_stream_timings(AVFormatContext *ic) if (ic->nb_programs) { for (i = 0; i < ic->nb_programs; i++) { p = ic->programs[i]; - if (p->start_time != AV_NOPTS_VALUE && p->end_time > p->start_time) + if (p->start_time != AV_NOPTS_VALUE && + p->end_time > p->start_time && + p->end_time - (uint64_t)p->start_time <= INT64_MAX) duration = FFMAX(duration, p->end_time - p->start_time); } - } else + } else if (end_time >= start_time && end_time - (uint64_t)start_time <= INT64_MAX) { duration = FFMAX(duration, end_time - start_time); + } } } if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { From e9003828dd7ea167133266e3c6bd7a8f3ed200fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 03:40:55 +0100 Subject: [PATCH 251/942] avformat/oggparsespeex: Check frames_per_packet and packet_size The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer --- libavformat/oggparsespeex.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index c86b12713e..3440a501c4 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -76,6 +76,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; 
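Review bot: The `(uint64_t)` casts and `<= INT64_MAX` bounds are correct but non-obvious: the subtraction is performed in unsigned arithmetic so it cannot overflow, and the bound guarantees the subsequent signed `end_time - start_time` is representable. A comment above the first condition, `/* compute the span unsigned to avoid signed-overflow UB; subtract as int64 only once it is known to fit */`, would spare the next reader the derivation, and the `else if` condition deserves the same note. update_stream_timings starts and ends outside the hunk.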
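Review bot: `INT32_MAX / 256` is a magic divisor whose rationale is not visible at the check; the commit message says the limits were chosen to avoid multiplicative overflow, so the 256 presumably reflects a later scaling of the product. A comment such as `/* keep packet_size * frames_per_packet small enough that later scaling cannot overflow int32 */` would tie the constant to the arithmetic it protects. speex_header starts and ends outside the hunk.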
From 2f26f3de780167c66f89ee74768fc82c1f599814 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 16:43:10 +0100 Subject: [PATCH 252/942] avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c Fixes: left shift of negative value Fixes: 668346-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c) Signed-off-by: Michael Niedermayer --- libavcodec/flacdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 62c0a15ff6..776c78da71 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -56,7 +56,7 @@ static void FUNC(flac_decorrelate_indep_c)(uint8_t **out, int32_t **in, for (j = 0; j < len; j++) for (i = 0; i < channels; i++) - S(samples, i, j) = in[i][j] << shift; + S(samples, i, j) = (int)((unsigned)in[i][j] << shift); } static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, From 2d66fbc853ff7d22c30a597fe548e3ff952a1dc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 17:05:43 +0100 Subject: [PATCH 253/942] avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() Fixes undefined behavior Fixes: 640912-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index b7237e18f0..5f5802c97f 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
@@ -268,7 +268,8 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, int pred_order, int bps) { const int blocksize = s->blocksize; - int av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d), i; + unsigned av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d); + int i; int ret; /* warm up samples */ From 9f7eb718e9d345179283a1bbfee1d89a5e2d18bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 13:39:56 +0100 Subject: [PATCH 254/942] avformat/ffmdec: Check media type for chunks Signed-off-by: Michael Niedermayer (cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 83929fe8c3..44110af701 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -362,7 +362,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', 'T', 'V', 'I'): - if (f_stvi++) { + if (f_stvi++ || codec->codec_type != AVMEDIA_TYPE_VIDEO) { ret = AVERROR(EINVAL); goto fail; } @@ -423,7 +423,7 @@ static int ffm2_read_header(AVFormatContext *s) codec->refs = avio_rb32(pb); break; case MKBETAG('S', 'T', 'A', 'U'): - if (f_stau++) { + if (f_stau++ || codec->codec_type != AVMEDIA_TYPE_AUDIO) { ret = AVERROR(EINVAL); goto fail; } @@ -449,7 +449,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): - if (f_stvi++ || !size) { + if (f_stvi++ || !size || codec->codec_type != AVMEDIA_TYPE_VIDEO) { ret = AVERROR(EINVAL); goto fail; } @@ -464,7 +464,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): - if (f_stau++ || !size) { + if (f_stau++ || !size || codec->codec_type != AVMEDIA_TYPE_AUDIO) { ret = AVERROR(EINVAL); goto fail; } From 66bf84e2c4e14f18d96fc3dc495aadc3a9e8ec75 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 3 Dec 2016 23:44:56 +0100 Subject: [PATCH 255/942] avcodec/get_bits: Fix get_sbits_long(0) Fixes undefined behavior Fixes: 640889-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 4cf61d6f1b..30e9da311f 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -382,6 +382,10 @@ static inline uint64_t get_bits64(GetBitContext *s, int n) */ static inline int get_sbits_long(GetBitContext *s, int n) { + // sign_extend(x, 0) is undefined + if (!n) + return 0; + return sign_extend(get_bits_long(s, n), n); } From 2c6792b0c68375a87aa1b6731b411d548bc1af05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Dec 2016 00:11:17 +0100 Subject: [PATCH 256/942] avcodec/flacdec: Fix undefined shift in decode_subframe() Fixes undefined behavior Fixes: 639961-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 5f5802c97f..4dde0e0591 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -448,7 +448,7 @@ static inline int decode_subframe(FLACContext *s, int channel) if (wasted) { int i; for (i = 0; i < s->blocksize; i++) - decoded[i] <<= wasted; + decoded[i] = (unsigned)decoded[i] << wasted; } return 0; From 6e1bc747df868b7576161b88d8561870894863b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Dec 2016 21:15:15 +0100 Subject: [PATCH 257/942] Update for version 3.0.5 
Signed-off-by: Michael Niedermayer --- Changelog | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 74 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 089e3395ef..373a31b9a1 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,78 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.5: +- avcodec/flacdec: Fix undefined shift in decode_subframe() +- avcodec/get_bits: Fix get_sbits_long(0) +- avformat/ffmdec: Check media type for chunks +- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() +- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c +- avformat/oggparsespeex: Check frames_per_packet and packet_size +- avformat/utils: Check start/end before computing duration in update_stream_timings() +- avcodec/flac_parser: Update nb_headers_buffered +- avformat/idroqdec: Check chunk_size for being too large +- avformat/mpeg: Adjust vid probe threshold to correct mis-detection +- avcodec/rv40: Test remaining space in loop of get_dimension() +- avcodec/ituh263dec: Avoid spending a long time in slice sync +- avcodec/movtextdec: Add error message for tsmb_size check +- avcodec/movtextdec: Fix tsmb_size check==0 check +- avcodec/movtextdec: Fix potential integer overflow +- avcodec/sunrast: Fix input buffer pointer check +- avcodec/tscc: Check side data size before use +- avcodec/rawdec: Check side data size before use +- avcodec/msvideo1: Check side data size before use +- avcodec/qpeg: Check side data size before use +- avcodec/qtrle: Check side data size before use +- avcodec/msrle: Check side data size before use +- avcodec/kmvc: Check side data size before use +- avcodec/idcinvideo: Check side data size before use +- avcodec/cinepak: Check side data size before use +- avcodec/8bps: Check side data size before use +- avcodec/dvdsubdec: Fix off by 1 error +- avcodec/dvdsubdec: Fix buf_size check +- vp9: change order of operations in adapt_prob(). 
+- avcodec/interplayvideo: Check side data size before use +- avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string() +- avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer() +- avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() +- avformat/icodec: Fix crash probing fuzzed file +- dcstr: fix division by zero +- rsd: limit number of channels +- mss2: only use error correction for matching block counts +- softfloat: decrease MIN_EXP to cover full float range +- libopusdec: default to stereo for invalid number of channels +- pgssubdec: only set w/h/linesize when allocating data +- sbgdec: prevent NULL pointer access +- smacker: limit recursion depth of smacker_decode_bigtree +- mxfdec: fix NULL pointer dereference in mxf_read_packet_old +- libschroedingerdec: fix leaking of framewithpts +- libschroedingerdec: don't produce empty frames +- softfloat: handle -INT_MAX correctly +- filmstripdec: correctly check image dimensions +- pnmdec: make sure v is capped by maxval +- smvjpegdec: make sure cur_frame is not negative +- icodec: correctly check avio_read return value +- dvbsubdec: fix division by zero in compute_default_clut +- proresdec_lgpl: explicitly check coff[3] against slice_data_size +- escape124: reject codebook size 0 +- icodec: add ico_read_close to fix leaking ico->images +- icodec: fix leaking pkt on error +- mpegts: prevent division by zero +- matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header +- mpegaudio_parser: don't return AVERROR_PATCHWELCOME +- mxfdec: fix NULL pointer dereference +- lzf: update pointer p after realloc +- diracdec: check return code of get_buffer_with_edge +- ppc: pixblockdsp: do unaligned block accesses correctly again +- interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE +- interplayacm: validate number of channels +- interplayacm: check for too large b +- mpeg12dec: unref discarded picture from extradata +- 
cavsdec: unref frame before referencing again +- avformat: prevent triggering request_probe assert in ff_read_packet +- avcodec/avpacket: fix leak on realloc in av_packet_add_side_data() + + version 3.0.4: - libopenjpegenc: fix out-of-bounds reads when filling the edges - libopenjpegenc: stop reusing image data buffer for openjpeg 2 diff --git a/RELEASE b/RELEASE index b0f2dcb32f..eca690e737 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.4 +3.0.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 11596536a4..dd0ef09225 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.4 +PROJECT_NUMBER = 3.0.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From d111c9ce139c83edbf4f1e0ea22bb151b8da1547 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 3 Nov 2016 22:34:58 -0300 Subject: [PATCH 258/942] avcodec/rawdec: check for side data before checking its size Fixes valgrind warnings about usage of uninitialized values. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 51e329918dc1826de7451541cb15bef3b9bfe138) --- Changelog | 1 + libavcodec/rawdec.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 373a31b9a1..cb97baca1f 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.5: +- avcodec/rawdec: check for side data before checking its size - avcodec/flacdec: Fix undefined shift in decode_subframe() - avcodec/get_bits: Fix get_sbits_long(0) - avformat/ffmdec: Check media type for chunks diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index f78190ea01..fbdf4810fa 100644 
--- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -386,7 +386,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); - if (pal_size != AVPALETTE_SIZE) { + if (pal && pal_size != AVPALETTE_SIZE) { av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); pal = NULL; } From 9c0b2b9d5b5515d85b6cd2e4e580617fe780e0ae Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 5 Dec 2016 10:04:57 -0800 Subject: [PATCH 259/942] zmqsend: Initialize ret to 0 Fixes CID1396857. (cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173) Signed-off-by: Michael Niedermayer --- tools/zmqsend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/zmqsend.c b/tools/zmqsend.c index d47bf216b4..6148bd623c 100644 --- a/tools/zmqsend.c +++ b/tools/zmqsend.c @@ -53,7 +53,7 @@ int main(int argc, char **argv) { AVBPrint src; char c, *src_buf, *recv_buf; - int recv_buf_size, ret; + int recv_buf_size, ret = 0; void *zmq_ctx, *socket; const char *bind_address = "tcp://localhost:5555"; const char *infilename = NULL; From a5513ae7bc7cb131e7b7edba57e4cf93121d6c8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 11:14:51 +0100 Subject: [PATCH 260/942] avformat/rtmppkt: Check for packet size mismatches Fixes out of array access Found-by: Paul Cher Reviewed-by: Paul Cher Signed-off-by: Michael Niedermayer (cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 0d693c27f7..cde0da78ce 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
@@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p, if (hdr != RTMP_PS_TWELVEBYTES) timestamp += prev_pkt[channel_id].timestamp; + if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) { + av_log(NULL, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", + size, + prev_pkt[channel_id].size); + ff_rtmp_packet_destroy(&prev_pkt[channel_id]); + prev_pkt[channel_id].read = 0; + } + if (!prev_pkt[channel_id].read) { if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp, size)) < 0) From e0d1db72dadfa5330c2b9b70c6bb1baa9f17e6fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 12:54:21 +0100 Subject: [PATCH 261/942] Avoid using the term "file" and prefer "url" in some docs and comments This should make it less ambigous that these are URLs Signed-off-by: Michael Niedermayer (cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e) Signed-off-by: Michael Niedermayer --- doc/ffmpeg.texi | 18 +++++++++--------- doc/ffplay.texi | 6 +++--- doc/ffprobe.texi | 10 +++++----- ffmpeg_opt.c | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index e02807cb47..2ee81c283e 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_file}@} ... @{[@var{output_file_options}] @file{output_file}@} ... +ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_url}@} ... @{[@var{output_file_options}] @file{output_url}@} ... @chapter Description @c man begin DESCRIPTION 
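Review bot: `av_log(NULL, AV_LOG_ERROR, ...)` drops the logging context although `URLContext *h` is a parameter of rtmp_packet_read_one_chunk; `av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", size, prev_pkt[channel_id].size);` keeps the message attributable to the connection. The recovery itself (destroy the stale packet and clear `read`) runs before the `!prev_pkt[channel_id].read` creation path, so a mismatch falls through into a fresh allocation of the new size, which looks right. The function starts and ends outside the hunk.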
@@ -24,10 +24,10 @@ rates and resize video on the fly with a high quality polyphase filter. @command{ffmpeg} reads from an arbitrary number of input "files" (which can be regular files, pipes, network streams, grabbing devices, etc.), specified by the @code{-i} option, and writes to an arbitrary number of output "files", which are -specified by a plain output filename. Anything found on the command line which -cannot be interpreted as an option is considered to be an output filename. +specified by a plain output url. Anything found on the command line which +cannot be interpreted as an option is considered to be an output url. -Each input or output file can, in principle, contain any number of streams of +Each input or output url can, in principle, contain any number of streams of different types (video/audio/subtitle/attachment/data). The allowed number and/or types of streams may be limited by the container format. Selecting which streams from which inputs will go into which output is either done automatically @@ -243,8 +243,8 @@ Force input or output file format. The format is normally auto detected for inpu files and guessed from the file extension for output files, so this option is not needed in most cases. -@item -i @var(unknown) (@emph{input}) -input file name +@item -i @var{url} (@emph{input}) +input file url @item -y (@emph{global}) Overwrite output files without asking. @@ -281,7 +281,7 @@ libx264, and the 138th audio, which will be encoded with libvorbis. When used as an input option (before @code{-i}), limit the @var{duration} of data read from the input file. -When used as an output option (before an output filename), stop writing the +When used as an output option (before an output url), stop writing the output after its duration reaches @var{duration}. @var{duration} must be a time duration specification, 
@@ -310,7 +310,7 @@ extra segment between the seek point and @var{position} will be decoded and discarded. When doing stream copy or when @option{-noaccurate_seek} is used, it will be preserved. -When used as an output option (before an output filename), decodes but discards +When used as an output option (before an output url), decodes but discards input until the timestamps reach @var{position}. @var{position} must be a time duration specification, @@ -1129,7 +1129,7 @@ may be reassigned to a different value. For example, to set the stream 0 PID to 33 and the stream 1 PID to 36 for an output mpegts file: @example -ffmpeg -i infile -streamid 0:33 -streamid 1:36 out.ts +ffmpeg -i inurl -streamid 0:33 -streamid 1:36 out.ts @end example @item -bsf[:@var{stream_specifier}] @var{bitstream_filters} (@emph{output,per-stream}) diff --git a/doc/ffplay.texi b/doc/ffplay.texi index 4bc3ced39a..073b457256 100644 --- a/doc/ffplay.texi +++ b/doc/ffplay.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffplay [@var{options}] [@file{input_file}] +ffplay [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -106,8 +106,8 @@ the input audio. Use the option "-filters" to show all the available filters (including sources and sinks). -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @section Advanced options diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index 2024eed4e5..26530a9962 100644 --- a/doc/ffprobe.texi +++ b/doc/ffprobe.texi @@ -12,7 +12,7 @@ @chapter Synopsis -ffprobe [@var{options}] [@file{input_file}] +ffprobe [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION 
@@ -24,8 +24,8 @@ For example it can be used to check the format of the container used by a multimedia stream and the format and type of each media stream contained in it. -If a filename is specified in input, ffprobe will try to open and -probe the file content. If the file cannot be opened or recognized as +If a url is specified in input, ffprobe will try to open and +probe the url content. If the url cannot be opened or recognized as a multimedia file, a positive exit code is returned. ffprobe may be employed both as a standalone application or in @@ -332,8 +332,8 @@ with name "PIXEL_FORMAT". Force bitexact output, useful to produce output which is not dependent on the specific build. -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @c man end diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index bc8355e2bf..304a4d4d66 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2989,8 +2989,8 @@ enum OptGroup { }; static const OptionGroupDef groups[] = { - [GROUP_OUTFILE] = { "output file", NULL, OPT_OUTPUT }, - [GROUP_INFILE] = { "input file", "i", OPT_INPUT }, + [GROUP_OUTFILE] = { "output url", NULL, OPT_OUTPUT }, + [GROUP_INFILE] = { "input url", "i", OPT_INPUT }, }; static int open_files(OptionGroupList *l, const char *inout, From 1768e02a046ac05cb212991ae23021ad412cd15a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 17:27:45 +0100 Subject: [PATCH 262/942] ffserver: Check chunk size Fixes out of array access Fixes: poc_ffserver.py Found-by: Paul Cher Signed-off-by: Michael Niedermayer (cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156) Signed-off-by: Michael Niedermayer --- ffserver.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ffserver.c b/ffserver.c index d73caee9ec..5ce439a0df 100644 --- a/ffserver.c +++ b/ffserver.c 
@@ -2701,8 +2701,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) @@ -2724,6 +2726,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; From 2e3f0a1c6f39cf2a35bdda85e43970ffc6db797b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Dec 2016 08:02:33 -0500 Subject: [PATCH 263/942] http: make length/offset-related variables unsigned. Fixes #5992, reported and found by Paul Cher . (cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa) --- libavformat/http.c | 70 +++++++++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index 3dad2ef9fb..bd84aa05da 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -62,8 +62,8 @@ typedef struct HTTPContext { int line_count; int http_code; /* Used if "Transfer-Encoding: chunked" otherwise -1. */ - int64_t chunksize; - int64_t off, end_off, filesize; + uint64_t chunksize; + uint64_t off, end_off, filesize; char *location; HTTPAuthState auth_state; HTTPAuthState proxy_auth_state; @@ -92,9 +92,9 @@ typedef struct HTTPContext { AVDictionary *cookie_dict; int icy; /* how much data was read since the last ICY metadata packet */ - int icy_data_read; + uint64_t icy_data_read; /* after how many bytes of read data a new metadata packet will be found */ - int icy_metaint; + uint64_t icy_metaint; char *icy_metadata_headers; char *icy_metadata_packet; AVDictionary *metadata; 
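Review bot: The new `c->chunk_size <= 0` test still leaves the `strtol(c->buffer, 0, 16)` call itself unchecked, so a chunk-size line that is not hex at all converts to 0 and is silently treated as end of stream, while a value that overflows `long` saturates to LONG_MAX and is accepted as a valid chunk. For a peer-controlled header I would add an end-pointer and ERANGE check: `char *end; errno = 0; c->chunk_size = strtol(c->buffer, &end, 16);` followed by `if (errno == ERANGE || end == c->buffer || c->chunk_size <= 0) { c->chunk_size = 0; goto fail; }`. Whether `chunk_size` is narrower than `long` (which would truncate LONG_MAX) is not visible here, and http_receive_data begins outside the hunk.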
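Review bot: `av_assert0(len <= c->chunk_size)` turns a violated invariant into an abort of the whole ffserver process, which in a network daemon is a remotely triggerable denial of service if the condition can ever be false. It holds only if the read that produces `len` is bounded by `chunk_size`; that read sits between the two hunks and is not visible here, so I would rather fail the connection than the process: `if (len > c->chunk_size) goto fail;`. The surrounding `else` branch and the rest of http_receive_data are outside the hunk.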
@@ -480,7 +480,7 @@ static int http_open(URLContext *h, const char *uri, int flags, else h->is_streamed = 1; - s->filesize = -1; + s->filesize = UINT64_MAX; s->location = av_strdup(uri); if (!s->location) return AVERROR(ENOMEM); @@ -607,9 +607,9 @@ static void parse_content_range(URLContext *h, const char *p) if (!strncmp(p, "bytes ", 6)) { p += 6; - s->off = strtoll(p, NULL, 10); + s->off = strtoull(p, NULL, 10); if ((slash = strchr(p, '/')) && strlen(slash) > 0) - s->filesize = strtoll(slash + 1, NULL, 10); + s->filesize = strtoull(slash + 1, NULL, 10); } if (s->seekable == -1 && (!s->is_akamai || s->filesize != 2147483647)) h->is_streamed = 0; /* we _can_ in fact seek */ @@ -799,8 +799,9 @@ static int process_line(URLContext *h, char *line, int line_count, if ((ret = parse_location(s, p)) < 0) return ret; *new_location = 1; - } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) { - s->filesize = strtoll(p, NULL, 10); + } else if (!av_strcasecmp(tag, "Content-Length") && + s->filesize == UINT64_MAX) { + s->filesize = strtoull(p, NULL, 10); } else if (!av_strcasecmp(tag, "Content-Range")) { parse_content_range(h, p); } else if (!av_strcasecmp(tag, "Accept-Ranges") && @@ -809,7 +810,7 @@ static int process_line(URLContext *h, char *line, int line_count, h->is_streamed = 0; } else if (!av_strcasecmp(tag, "Transfer-Encoding") && !av_strncasecmp(p, "chunked", 7)) { - s->filesize = -1; + s->filesize = UINT64_MAX; s->chunksize = 0; } else if (!av_strcasecmp(tag, "WWW-Authenticate")) { ff_http_auth_handle_header(&s->auth_state, tag, p); @@ -833,7 +834,7 @@ static int process_line(URLContext *h, char *line, int line_count, if (parse_cookie(s, p, &s->cookie_dict)) av_log(h, AV_LOG_WARNING, "Unable to parse '%s'\n", p); } else if (!av_strcasecmp(tag, "Icy-MetaInt")) { - s->icy_metaint = strtoll(p, NULL, 10); + s->icy_metaint = strtoull(p, NULL, 10); } else if (!av_strncasecmp(tag, "Icy-", 4)) { if ((ret = parse_icy(s, tag, p)) < 0) return ret; 
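Review bot: `strtoull(p, NULL, 10)` on the Content-Length value accepts a leading `-` (the C library negates it) and saturates on overflow, and both results equal `UINT64_MAX`, the sentinel this commit introduces for "size unknown", so `Content-Length: -1` or a 21-digit value from the server now silently means unknown length rather than a malformed header. Since `filesize` drives the EOF and reconnect logic, I would reject those explicitly: `char *end; uint64_t v = strtoull(p, &end, 10);` then `if (*p != '-' && end != p && v != UINT64_MAX) s->filesize = v;`, logging and leaving the sentinel otherwise. The same applies to the two `strtoull` calls in parse_content_range above, where a negated value lands in `s->off`. process_line's other branches are outside the hunk.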
@@ -963,7 +964,7 @@ static int http_read_header(URLContext *h, int *new_location) char line[MAX_URL_SIZE]; int err = 0; - s->chunksize = -1; + s->chunksize = UINT64_MAX; for (;;) { if ((err = http_get_line(s, line, sizeof(line))) < 0) @@ -997,7 +998,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int post, err; char headers[HTTP_HEADERS_SIZE] = ""; char *authstr = NULL, *proxyauthstr = NULL; - int64_t off = s->off; + uint64_t off = s->off; int len = 0; const char *method; int send_expect_100 = 0; @@ -1045,7 +1046,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, // server supports seeking by analysing the reply headers. if (!has_header(s->headers, "\r\nRange: ") && !post && (s->off > 0 || s->end_off || s->seekable == -1)) { len += av_strlcatf(headers + len, sizeof(headers) - len, - "Range: bytes=%"PRId64"-", s->off); + "Range: bytes=%"PRIu64"-", s->off); if (s->end_off) len += av_strlcatf(headers + len, sizeof(headers) - len, "%"PRId64, s->end_off - 1); @@ -1120,7 +1121,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, s->line_count = 0; s->off = 0; s->icy_data_read = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; s->willclose = 0; s->end_chunked_post = 0; s->end_header = 0; 
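Review bot: The Range header still prints `s->end_off - 1` with `"%"PRId64` although `end_off` is now `uint64_t` after the struct change, so the format and argument types disagree (`-Wformat` will flag it, and formally it is undefined); the line should become `"%"PRId64, s->end_off - 1);` → `"%"PRIu64, s->end_off - 1);` alongside the `PRIu64` fix made for `s->off` in the same hunk. Note also that with `end_off` unsigned the `s->end_off || ...` test still treats 0 as "no end", so an explicit end at byte 0 remains unrepresentable, as before.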
@@ -1160,15 +1161,13 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) memcpy(buf, s->buf_ptr, len); s->buf_ptr += len; } else { - int64_t target_end = s->end_off ? s->end_off : s->filesize; - if ((!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off >= target_end) + uint64_t target_end = s->end_off ? s->end_off : s->filesize; + if ((!s->willclose || s->chunksize == UINT64_MAX) && s->off >= target_end) return AVERROR_EOF; len = ffurl_read(s->hd, buf, size); - if (!len && (!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off < target_end) { + if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && s->off < target_end) { av_log(h, AV_LOG_ERROR, - "Stream ends prematurely at %"PRId64", should be %"PRId64"\n", + "Stream ends prematurely at %"PRIu64", should be %"PRIu64"\n", s->off, target_end ); return AVERROR(EIO); @@ -1231,7 +1230,7 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } - if (s->chunksize >= 0) { + if (s->chunksize != UINT64_MAX) { if (!s->chunksize) { char line[32]; @@ -1240,13 +1239,19 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } while (!*line); /* skip CR LF from last chunk */ - s->chunksize = strtoll(line, NULL, 16); + s->chunksize = strtoull(line, NULL, 16); - av_log(NULL, AV_LOG_TRACE, "Chunked encoding data size: %"PRId64"'\n", + av_log(h, AV_LOG_TRACE, + "Chunked encoding data size: %"PRIu64"'\n", s->chunksize); if (!s->chunksize) return 0; + else if (s->chunksize == UINT64_MAX) { + av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", + s->chunksize); + return AVERROR(EINVAL); + } } size = FFMIN(size, s->chunksize); } 
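Review bot: Dropping the `target_end >= 0` guard changes what the "Stream ends prematurely" branch does when the length is unknown: `target_end` is then `UINT64_MAX`, `s->off < target_end` is always true, and a zero-length read on a `Connection: close` response (where `!s->willclose` is false but `s->chunksize == UINT64_MAX` is true) is reported as premature with a nonsensical "should be 18446744073709551615" and returns EIO instead of EOF. Whether `ffurl_read` can return 0 there rather than AVERROR_EOF is outside this hunk, but the old behaviour is cheap to keep: `if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && target_end != UINT64_MAX && s->off < target_end) {`. http_buf_read's opening lines are outside the hunk.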
@@ -1257,17 +1262,17 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) read_ret = http_buf_read(h, buf, size); if ( (read_ret < 0 && s->reconnect && (!h->is_streamed || s->reconnect_streamed) && s->filesize > 0 && s->off < s->filesize) || (read_ret == 0 && s->reconnect_at_eof && (!h->is_streamed || s->reconnect_streamed))) { - int64_t target = h->is_streamed ? 0 : s->off; + uint64_t target = h->is_streamed ? 0 : s->off; if (s->reconnect_delay > s->reconnect_delay_max) return AVERROR(EIO); - av_log(h, AV_LOG_INFO, "Will reconnect at %"PRId64" error=%s.\n", s->off, av_err2str(read_ret)); + av_log(h, AV_LOG_INFO, "Will reconnect at %"PRIu64" error=%s.\n", s->off, av_err2str(read_ret)); av_usleep(1000U*1000*s->reconnect_delay); s->reconnect_delay = 1 + 2*s->reconnect_delay; seek_ret = http_seek_internal(h, target, SEEK_SET, 1); if (seek_ret != target) { - av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRId64".\n", target); + av_log(h, AV_LOG_ERROR, "Failed to reconnect at %"PRIu64".\n", target); return read_ret; } @@ -1322,10 +1327,11 @@ static int store_icy(URLContext *h, int size) { HTTPContext *s = h->priv_data; /* until next metadata packet */ - int remaining = s->icy_metaint - s->icy_data_read; + uint64_t remaining; - if (remaining < 0) + if (s->icy_metaint < s->icy_data_read) return AVERROR_INVALIDDATA; + remaining = s->icy_metaint - s->icy_data_read; if (!remaining) { /* The metadata packet is variable sized. It has a 1 byte header @@ -1439,7 +1445,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo { HTTPContext *s = h->priv_data; URLContext *old_hd = s->hd; - int64_t old_off = s->off; + uint64_t old_off = s->off; uint8_t old_buf[BUFFER_SIZE]; int old_buf_size, ret; AVDictionary *options = NULL; 
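Review bot: In the reconnect condition, `s->filesize > 0` no longer excludes an unknown length: with the signed sentinel `-1 > 0` was false, but `UINT64_MAX > 0` is true and `s->off < UINT64_MAX` always holds, so read errors on unknown-length inputs now enter the reconnect path that the old code skipped, a behaviour change the commit message does not mention. If the exclusion was intentional, spell it out with the new sentinel: `s->filesize != UINT64_MAX && s->off < s->filesize`. `seek_ret != target` also now compares `int64_t` with `uint64_t`; a negative error from http_seek_internal still compares unequal, but an explicit cast would make that intent visible.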
@@ -1450,7 +1456,7 @@ static int64_t http_seek_internal(URLContext *h, int64_t off, int whence, int fo ((whence == SEEK_CUR && off == 0) || (whence == SEEK_SET && off == s->off))) return s->off; - else if ((s->filesize == -1 && whence == SEEK_END)) + else if ((s->filesize == UINT64_MAX && whence == SEEK_END)) return AVERROR(ENOSYS); if (whence == SEEK_CUR) @@ -1605,7 +1611,7 @@ redo: s->buf_ptr = s->buffer; s->buf_end = s->buffer; s->line_count = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; cur_auth_type = s->proxy_auth_state.auth_type; /* Note: This uses buffering, potentially reading more than the From 726faff0aa86fa040280c57f27eefde47a17ea1b Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Dec 2016 10:18:10 -0500 Subject: [PATCH 264/942] http: move chunk handling from http_read_stream() to http_buf_read(). (cherry picked from commit 845bb401781ef04e342bd558df16a8dbf5f800f9) --- libavformat/http.c | 57 +++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index bd84aa05da..f027e036a7 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1153,6 +1153,34 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) { HTTPContext *s = h->priv_data; int len; + + if (s->chunksize != UINT64_MAX) { + if (!s->chunksize) { + char line[32]; + int err; + + do { + if ((err = http_get_line(s, line, sizeof(line))) < 0) + return err; + } while (!*line); /* skip CR LF from last chunk */ + + s->chunksize = strtoull(line, NULL, 16); + + av_log(h, AV_LOG_TRACE, + "Chunked encoding data size: %"PRIu64"'\n", + s->chunksize); + + if (!s->chunksize) + return 0; + else if (s->chunksize == UINT64_MAX) { + av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", + s->chunksize); + return AVERROR(EINVAL); + } + } + size = FFMIN(size, s->chunksize); + } + /* read bytes from input buffer first */ len = s->buf_end - s->buf_ptr; if (len > 0) { 
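Review bot: The relocated chunk-size parser still calls `strtoull(line, NULL, 16)` without an end pointer, so a chunk header that is not hex at all yields 0 and takes the `return 0` path, ending the stream silently instead of reporting a malformed response; only the saturated `UINT64_MAX` value is rejected, while `-2` and similar negated values pass as enormous chunks. Since this is now the place where the value is produced, I would parse it as `char *end; s->chunksize = strtoull(line, &end, 16);` and extend the existing rejection to `if (end == line || *line == '-' || s->chunksize == UINT64_MAX)`, returning AVERROR(EINVAL) as the hunk already does for the saturated case. http_buf_read continues past the hunk.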
@@ -1175,8 +1203,10 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) } if (len > 0) { s->off += len; - if (s->chunksize > 0) + if (s->chunksize > 0) { + av_assert0(s->chunksize >= len); s->chunksize -= len; + } } return len; } @@ -1230,31 +1260,6 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } - if (s->chunksize != UINT64_MAX) { - if (!s->chunksize) { - char line[32]; - - do { - if ((err = http_get_line(s, line, sizeof(line))) < 0) - return err; - } while (!*line); /* skip CR LF from last chunk */ - - s->chunksize = strtoull(line, NULL, 16); - - av_log(h, AV_LOG_TRACE, - "Chunked encoding data size: %"PRIu64"'\n", - s->chunksize); - - if (!s->chunksize) - return 0; - else if (s->chunksize == UINT64_MAX) { - av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", - s->chunksize); - return AVERROR(EINVAL); - } - } - size = FFMIN(size, s->chunksize); - } #if CONFIG_ZLIB if (s->compressed) return http_buf_read_compressed(h, buf, size); From c1435f9dfb9a2d5195c3118f453f4a564ceaaaf4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 5 Dec 2016 13:07:10 -0300 Subject: [PATCH 265/942] configure: check for strtoull on msvc Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit b52d3574d466e745834d1283b55570dee1e2d4cd) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 67078010ef..034d22dc96 100755 --- a/configure +++ b/configure @@ -5995,6 +5995,7 @@ __declspec($_restrict) void* foo(int); EOF fi check_func strtoll || add_cflags -Dstrtoll=_strtoi64 + check_func strtoull || add_cflags -Dstrtoull=_strtoui64 fi for pfx in "" host_; do From b408dba231091cd7f465ddf8bd8babf5b7efe63a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 23:32:35 +0100 Subject: [PATCH 266/942] Chagelog: update Signed-off-by: Michael Niedermayer --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) 
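Review bot: `if (s->chunksize > 0)` now also matches the `UINT64_MAX` "not chunked" sentinel introduced by the previous commit (the test was written when the sentinel was -1), so every read on a non-chunked response subtracts `len` from the sentinel; after the first read `s->chunksize != UINT64_MAX` becomes true, the plain response is handled as if it were one chunk of 2^64-1 bytes, and the `s->chunksize == UINT64_MAX` tests in the EOF logic of http_buf_read stop matching. The guard should name the sentinel: `if (s->chunksize > 0 && s->chunksize != UINT64_MAX) {`. The added `av_assert0(s->chunksize >= len)` is then only reached for real chunks, where `size = FFMIN(size, s->chunksize)` earlier in the function bounds `len`.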
diff --git a/Changelog b/Changelog index cb97baca1f..0a8d3bc5f5 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.5: +- configure: check for strtoull on msvc +- http: move chunk handling from http_read_stream() to http_buf_read(). +- http: make length/offset-related variables unsigned. +- ffserver: Check chunk size +- Avoid using the term "file" and prefer "url" in some docs and comments +- avformat/rtmppkt: Check for packet size mismatches +- zmqsend: Initialize ret to 0 - avcodec/rawdec: check for side data before checking its size - avcodec/flacdec: Fix undefined shift in decode_subframe() - avcodec/get_bits: Fix get_sbits_long(0) From 0bcc7ea5dc243cae48e0b9c18b3bea717f184f6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 00:19:19 +0100 Subject: [PATCH 267/942] avcodec/ffv1enc: Fix size of first slice Signed-off-by: Michael Niedermayer (cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 42e59a1efc..55d32a07b4 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1222,7 +1222,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, FFV1Context *f = avctx->priv_data; RangeCoder *const c = &f->slice_context[0]->c; AVFrame *const p = f->picture.f; - int used_count = 0; uint8_t keystate = 128; uint8_t *buf_p; int i, ret; 
@@ -1307,11 +1306,17 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } - for (i = 1; i < f->slice_count; i++) { + for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = f->slice_context[i]; - uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count; + uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count; int len = pkt->size / f->slice_count; - ff_init_range_encoder(&fs->c, start, len); + if (i) { + ff_init_range_encoder(&fs->c, start, len); + } else { + av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len); + av_assert0(fs->c.bytestream < fs->c.bytestream_start + len); + fs->c.bytestream_end = fs->c.bytestream_start + len; + } } avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL, f->slice_count, sizeof(void *)); From 7c68d5e701511967471b70b14a4ebbeafb423373 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 17:01:14 +0100 Subject: [PATCH 268/942] avformat/oggdec: Skip streams in duration correction that did not had their duration set. Fixes: part of 670190.ogg Fixes integer overflow Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8f3b44c3c5..7ecb42ce8f 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -643,6 +643,8 @@ static int ogg_get_length(AVFormatContext *s) int64_t pts; if (i < 0) continue; pts = ogg_calc_pts(s, i, NULL); + if (s->streams[i]->duration == AV_NOPTS_VALUE) + continue; if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) { s->streams[i]->duration -= pts; ogg->streams[i].got_start= 1; From efa164aa68503c5761851b7aaa28d6d4b3b7d01e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 9 Dec 2016 17:01:14 +0100 Subject: [PATCH 269/942] avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() Fixes: part of 670190.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 527cbe96c5..e9f54bd3d2 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -315,13 +315,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][1] + virtual_ref[1][1]) * 
@@ -368,10 +368,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] <<= shift_y; - s->sprite_offset[1][i] <<= shift_c; - s->sprite_delta[0][i] <<= shift_y; - s->sprite_delta[1][i] <<= shift_y; + s->sprite_offset[0][i] *= 1 << shift_y; + s->sprite_offset[1][i] *= 1 << shift_c; + s->sprite_delta[0][i] *= 1 << shift_y; + s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } s->real_sprite_warping_points = ctx->num_sprite_warping_points; From 667c9ed1f14cd049c14cb849386ebe38671ec00b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Dec 2016 23:51:45 +0100 Subject: [PATCH 270/942] avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated We are checking during encoding if there is enough space as version 4 needs that check. Fixes Ticket6005 Signed-off-by: Michael Niedermayer (cherry picked from commit 38a7834bbb24ef62466b076715e0add60e1d6962) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 55d32a07b4..9b14309b31 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1277,6 +1277,11 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, if (f->version > 3) maxsize = AV_INPUT_BUFFER_MIN_SIZE + avctx->width*avctx->height*3LL*4; + if (maxsize > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32) { + av_log(avctx, AV_LOG_WARNING, "Cannot allocate worst case packet size, the encoding could fail\n"); + maxsize = INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32; + } + if ((ret = ff_alloc_packet2(avctx, pkt, maxsize, 0)) < 0) return ret; From 7dd1cc6076cab5f4c41a4b0b877024d0654e8fae Mon Sep 17 00:00:00 2001 
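Review bot: Replacing `<<=` with `*= 1 << shift_y` removes the shift of a negative value, but the product is still evaluated in `int` and overflows (still undefined behaviour) whenever `sprite_offset`/`sprite_delta` exceed `INT_MAX >> shift_y`; whether the bounds established earlier in mpeg4_decode_sprite_trajectory keep the values that small, and whether these fields are wider than `int`, is outside the hunk. If they are plain `int`, a guard before the multiply such as `if (FFABS(s->sprite_offset[0][i]) > (INT_MAX >> shift_y)) return AVERROR_INVALIDDATA;` (with matching checks for the other three fields and `shift_c`) would make the fix complete. The function returns `int`, so an error return is available here.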
From: Michael Niedermayer Date: Fri, 18 Nov 2016 17:00:30 +0100 Subject: [PATCH 271/942] avformat: Add max_streams option This allows user apps to stop OOM due to excessive number of streams Signed-off-by: Michael Niedermayer (cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9) Signed-off-by: Michael Niedermayer --- doc/formats.texi | 4 ++++ libavformat/avformat.h | 7 +++++++ libavformat/options_table.h | 1 + libavformat/utils.c | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/formats.texi b/doc/formats.texi index 617cda54a9..b62ca43dd7 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -205,6 +205,10 @@ For example to separate the fields with newlines and indention: ffprobe -dump_separator " " -i ~/videos/matrixbench_mpeg2.mpg @end example + +@item max_streams @var{integer} (@emph{input}) +Specifies the maximum number of streams. This can be used to reject files that +would require too many resources due to a large number of streams. @end table @c man end FORMAT OPTIONS diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 34bad436cd..06a71c97ff 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -1866,6 +1866,13 @@ typedef struct AVFormatContext { * A callback for closing the streams opened with AVFormatContext.io_open(). */ void (*io_close)(struct AVFormatContext *s, AVIOContext *pb); + + /** + * The maximum number of streams. + * - encoding: unused + * - decoding: set by user through AVOptions (NO direct access) + */ + int max_streams; } AVFormatContext; int av_format_get_probe_score(const AVFormatContext *s); diff --git a/libavformat/options_table.h b/libavformat/options_table.h index e84e54a5b1..935da94ce6 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h 
@@ -102,6 +102,7 @@ static const AVOption avformat_options[] = { {"codec_whitelist", "List of decoders that are allowed to be used", OFFSET(codec_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D }, {NULL}, }; diff --git a/libavformat/utils.c b/libavformat/utils.c index d368f0a8ab..6df3036371 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3819,7 +3819,7 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) int i; AVStream **streams; - if (s->nb_streams >= INT_MAX/sizeof(*streams)) + if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) return NULL; streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams)); if (!streams) From 76961f4f42d28c7b4197c2cbef8bae3dc7b67379 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Dec 2016 21:05:14 +0100 Subject: [PATCH 272/942] avutil: Add av_image_check_size2() Signed-off-by: Michael Niedermayer (cherry picked from commit f542b152aa2086b30d1089162d79f5c136905c0c) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 29 ++++++++++++++++++++++++----- libavutil/imgutils.h | 14 ++++++++++++++ 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 1474482275..5c0eb11374 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c 
@@ -248,19 +248,38 @@ static const AVClass imgutils_class = { .parent_log_context_offset = offsetof(ImgUtils, log_ctx), }; -int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx) { ImgUtils imgutils = { .class = &imgutils_class, .log_offset = log_offset, .log_ctx = log_ctx, }; + int64_t stride = av_image_get_linesize(pix_fmt, w, 0); + if (stride <= 0) + stride = 8LL*w; + stride += 128*8; - if ((int)w>0 && (int)h>0 && (w+128)*(uint64_t)(h+128) < INT_MAX/8) - return 0; + if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); + return AVERROR(EINVAL); + } - av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); - return AVERROR(EINVAL); + if (max_pixels < INT64_MAX) { + if (w*(int64_t)h > max_pixels) { + av_log(&imgutils, AV_LOG_ERROR, + "Picture size %ux%u exceeds specified max pixel count %"PRId64", see the documentation if you wish to increase it\n", + w, h, max_pixels); + return AVERROR(EINVAL); + } + } + + return 0; +} + +int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx) +{ + return av_image_check_size2(w, h, INT64_MAX, AV_PIX_FMT_NONE, log_offset, log_ctx); } int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) diff --git a/libavutil/imgutils.h b/libavutil/imgutils.h index 23282a38fa..19f34deced 100644 --- a/libavutil/imgutils.h +++ b/libavutil/imgutils.h 
@@ -191,6 +191,20 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, */ int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx); +/** + * Check if the given dimension of an image is valid, meaning that all + * bytes of the image can be addressed with a signed int. + * + * @param w the width of the picture + * @param h the height of the picture + * @param max_pixels the maximum number of pixels the user wants to accept + * @param pix_fmt the pixel format, can be AV_PIX_FMT_NONE if unknown. + * @param log_offset the offset to sum to the log level for logging with log_ctx + * @param log_ctx the parent logging context, it may be NULL + * @return >= 0 if valid, a negative error code otherwise + */ +int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx); + /** * Check if the given sample aspect ratio of an image is valid. * From 1a168061da70e622d20d0cd96c99e5f741fd4f03 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 31 Jan 2017 01:55:44 +0100 Subject: [PATCH 273/942] pgssubdec: reset rle_data_len/rle_remaining_len on allocation error The code relies on their validity and otherwise can try to access a NULL object->rle pointer, causing segmentation faults. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4) Signed-off-by: Andreas Cadhalpun --- libavcodec/pgssubdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 5174d89190..222c40a377 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c 
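Review bot: The new doc comment does not say how the pixel-count check is switched off, although the `av_image_check_size()` wrapper in imgutils.c relies on it: `av_image_check_size2()` only compares `w*h` against `max_pixels` when it is below `INT64_MAX`, so `@param max_pixels` should read `the maximum number of pixels the user wants to accept; INT64_MAX disables this check`. It would also help to state that when `pix_fmt` is known the plane-0 line size is used for the overflow check, with a fallback of 8 bytes per pixel otherwise, since that is what makes the result differ from the older function.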
@@ -300,8 +300,11 @@ static int parse_object_segment(AVCodecContext *avctx, av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len); - if (!object->rle) + if (!object->rle) { + object->rle_data_len = 0; + object->rle_remaining_len = 0; return AVERROR(ENOMEM); + } memcpy(object->rle, buf, buf_size); object->rle_data_len = buf_size; From 4535861ef8289e97e02d6c7c08eabd9454bbb63a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Dec 2016 20:15:12 +0100 Subject: [PATCH 274/942] avformat/options_table: Set the default maximum number of streams to 1000 Fixes CVE-2016-9561, Note the security relevance of this is disputed as running out of memory can happen with valid files Suggested-by: Andreas Cadhalpun Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c) Signed-off-by: Michael Niedermayer --- libavformat/options_table.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 935da94ce6..20f87c4024 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -102,7 +102,7 @@ static const AVOption avformat_options[] = { {"codec_whitelist", "List of decoders that are allowed to be used", OFFSET(codec_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, -{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D }, +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D }, {NULL}, }; 
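Review bot: The default drops from INT_MAX to 1000 but the `max_streams` entry added to doc/formats.texi by the earlier commit still only says "Specifies the maximum number of streams", so a user whose valid file is now rejected has no documented default to look up, even though the error message points them to "the documentation". The texi entry should gain a sentence such as `The default is 1000; files with more streams are rejected unless this limit is raised.` The option help string could carry the same number, e.g. `"maximum number of streams (default 1000)"`.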
From 198c8924c609e5d2d03b9d4889325d65d4a4cd64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Dec 2016 20:15:13 +0100 Subject: [PATCH 275/942] avformat/utils: Print verbose error message if stream count exceeds max_streams Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6df3036371..b199ff23bf 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3819,8 +3819,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) int i; AVStream **streams; - if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) + if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) { + if (s->max_streams < INT_MAX/sizeof(*streams)) + av_log(s, AV_LOG_ERROR, "Number of streams exceeds max_streams parameter (%d), see the documentation if you wish to increase it\n", s->max_streams); return NULL; + } streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams)); if (!streams) return NULL; From c4b36ccd0291e221dd9cd793187fd11c8d1a6e57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Dec 2016 03:59:03 +0100 Subject: [PATCH 276/942] avutil/random_seed: Improve get_generic_seed() with higher precission clock() Tested-by: Thomas Turner Signed-off-by: Michael Niedermayer (cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 0821550bc8..48c6325df1 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c 
@@ -67,6 +67,7 @@ static uint32_t get_generic_seed(void) uint8_t tmp[120]; struct AVSHA *sha = (void*)tmp; clock_t last_t = 0; + clock_t last_td = 0; static uint64_t i = 0; static uint32_t buffer[512] = { 0 }; unsigned char digest[20]; @@ -86,11 +87,12 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - - if (last_t == t) { - buffer[i & 511]++; + if (last_t + 2*last_td + 1 >= t) { + last_td = t - last_t; + buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { - buffer[++i & 511] += (t - last_t) % 3294638521U; + last_td = t - last_t; + buffer[++i & 511] += last_td % 3294638521U; if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8) break; } From a0b7a3c8aaa8fa355b899ebe6b55d5f709abc9b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Dec 2016 14:26:41 +0100 Subject: [PATCH 277/942] avutil/random_seed: Reduce the time needed on systems with very low precission clock() This should fix issues on BSD CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million Signed-off-by: Michael Niedermayer (cherry picked from commit c4152fc42e480c41efb7f761b1bbe5f0bc43d5bc) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 48c6325df1..69bf43466c 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -87,7 +87,7 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - if (last_t + 2*last_td + 1 >= t) { + if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) { last_td = t - last_t; buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { From 72d5addc0beadc0593bdd494de89281dd9f69255 Mon Sep 17 00:00:00 2001 
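Review bot: The new mixing line `buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U);` carries three unexplained constants; a comment should say the first two are a standard 32-bit LCG step (wrapping is well defined because buffer is uint32_t) and that the modulus keeps the clock delta inside the uint32 range. The `(CLOCKS_PER_SEC > 1000)` term in the follow-up hunk deserves the same treatment, e.g. `/* one tick of slack only on high-resolution clocks; BSD has CLOCKS_PER_SEC == 128 */`, since the reason now lives only in the commit message. If get_generic_seed is the fallback used when no OS entropy source is available, a header comment saying that the seed quality rests entirely on clock() jitter would help readers judge it — confirm against the callers outside this hunk.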
From: Michael Niedermayer Date: Sat, 31 Dec 2016 03:08:33 +0100 Subject: [PATCH 278/942] avcodec/mjpegdec: Check for rgb before flipping Fixes assertion failure due to unsupported case Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25d9643f1172ae6a210c671195ba3135895abaf3) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index f002ccd866..094fc47f31 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2366,7 +2366,7 @@ the_end: } } } - if (s->flipped) { + if (s->flipped && !s->rgb) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); for (index=0; index<4; index++) { From a6639334df63639ae333f81c43098ed8ee360ee9 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Fri, 23 Dec 2016 14:50:16 +0100 Subject: [PATCH 279/942] avformat/avidec: skip odml master index chunks in avi_sync Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg. Signed-off-by: Tobias Rapp Signed-off-by: Michael Niedermayer (cherry picked from commit 6d579d7c1bdc4126955cae7f385208e455685986) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 7adb819346..955b27b857 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1191,7 +1191,8 @@ start_sync: if ((d[0] == 'i' && d[1] == 'x' && n < s->nb_streams) || // parse JUNK (d[0] == 'J' && d[1] == 'U' && d[2] == 'N' && d[3] == 'K') || - (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1')) { + (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1') || + (d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')) { avio_skip(pb, size); goto start_sync; } 
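Review bot: `if (s->flipped && !s->rgb)` now silently skips the vertical flip for RGB output instead of failing the assertion, and nothing in the hunk records that this is a deliberate limitation; a comment such as `/* the flip below is only implemented for the planar path; RGB frames are left unflipped */` (that is what the guard suggests — confirm), or an av_log at AV_LOG_WARNING when the flip is skipped, would keep the behaviour visible to users who asked for a flipped image. The enclosing function body, including the the_end label, starts outside the hunk.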
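Review bot: The added `(d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')` in avi_sync gives no hint what the tag is; a trailing comment naming it as the OpenDML master index (the commit title) would help, and the whole chain reads more clearly as `AV_RL32(d) == MKTAG('i','n','d','x')` as used elsewhere in libavformat. The skip itself matches the JUNK and idx1 handling already there, so no behavioural concern.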
From 99c78466ff27311b2a06d874cb7bbd8b1cefc597 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Jan 2017 01:25:27 +0100 Subject: [PATCH 280/942] avcodec/pngdec: Fix off by 1 size in decode_zbuf() Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 24318fbeaf..5443332277 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; From 02323b1d025cd54373c614c1020e35e51f06eba5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2017 16:13:05 +0100 Subject: [PATCH 281/942] avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() Fixes timeout Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 755933cb5cd17decd1838d3d64e07d4157de5638) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) 
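Review bot: The `buf_size - 1` reservation and the matching `av_bprint_get_buffer(bp, 2, ...)` / `if (buf_size < 2)` pair in decode_zbuf are uncommented, so the next reader cannot tell that one byte is deliberately held back (presumably for the AVBPrint terminator) without re-reading bprint.h; a comment on the avail_out line, e.g. `/* keep one byte of the bprint room for the terminator; inflate must not fill it */`, would document the off-by-one fix. The enclosing function starts outside the hunk.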
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 094fc47f31..f065cdad87 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1076,6 +1076,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n"); + return AVERROR_INVALIDDATA; + } if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; From 3e03d12c83525c06edb1e686b6bbd74be885e9fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2017 22:21:25 +0100 Subject: [PATCH 282/942] avcodec/vp56: Check for the bitstream end, pass error codes on Fixes timeout Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6a2427558a718be0c1fffacffd935f630a7a8d) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 8 +++++++- libavcodec/vp56.c | 14 ++++++++++---- libavcodec/vp56.h | 2 +- libavcodec/vp6.c | 17 ++++++++++++----- 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 5bcf9b6217..4ec85ebde7 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -171,7 +171,7 @@ static int vp5_parse_coeff_models(VP56Context *s) return 0; } -static void vp5_parse_coeff(VP56Context *s) +static int vp5_parse_coeff(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; 
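Review bot: The new `if (get_bits_left(&s->gb) < 1)` at the top of the macroblock loop in ljpeg_decode_yuv_scan detects only complete exhaustion, so a truncated scan still decodes one more macroblock from whatever the bit reader yields past its end; that is fine for the stated purpose (the commit fixes a timeout, not a correctness issue) but a comment saying so, e.g. `/* bail on exhausted input; guards the timeout, not per-MB bounds */`, would stop a later reader from "tightening" it. The sibling check added to mjpeg_decode_scan_progressive_ac in a later commit on this page spells the same test as `<= 0`; picking one form would keep the file consistent. The enclosing loops start outside the hunk.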
@@ -181,6 +181,11 @@ static void vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ @@ -246,6 +251,7 @@ static void vp5_parse_coeff(VP56Context *s) s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5; s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0]; } + return 0; } static void vp5_default_models_init(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 631924828d..d8fe994b8c 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -381,12 +381,13 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) { AVFrame *frame_current, *frame_ref; VP56mb mb_type; VP56Frame ref_frame; int b, ab, b_max, plane, off; + int ret; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; @@ -394,14 +395,16 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) mb_type = vp56_decode_mv(s, row, col); ref_frame = ff_vp56_reference_frame[mb_type]; - s->parse_coeff(s); + ret = s->parse_coeff(s); + if (ret < 0) + return ret; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return; + return 0; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; @@ -451,6 +454,7 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } + return 0; } static int vp56_size_changed(VP56Context *s) 
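Review bot: The exhaustion test `if (c->end >= c->buffer && c->bits >= 0)` in vp5_parse_coeff reads as "buffer still inside its bounds", which is the normal state, so the guard fires only when c->buffer sits exactly at c->end with c->bits non-negative; if the intent is "no bytes left to refill", `c->end <= c->buffer` is the natural spelling and also covers a reader that has overshot by a byte — worth confirming against the refill logic in vp56.h. The same expression is duplicated in vp6_parse_coeff (the @@ -449 hunk two lines down); a small `static inline` predicate in vp56.h with a comment on why both halves are needed would keep the two in step. vp5_parse_coeff's body starts outside the hunk.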
@@ -653,7 +657,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - vp56_decode_mb(s, mb_row, mb_col, is_alpha); + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + return ret; for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 56c30919b7..34d48228fd 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, int offset1, int offset2, int stride, VP56mv mv, int mask, int select, int luma); -typedef void (*VP56ParseCoeff)(VP56Context *s); +typedef int (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); typedef int (*VP56ParseCoeffModels)(VP56Context *s); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index a2bb4578d5..7f0a9b7d5d 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -40,8 +40,8 @@ #define VP6_MAX_HUFF_SIZE 12 -static void vp6_parse_coeff(VP56Context *s); -static void vp6_parse_coeff_huffman(VP56Context *s); +static int vp6_parse_coeff(VP56Context *s); +static int vp6_parse_coeff_huffman(VP56Context *s); static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { @@ -380,7 +380,7 @@ static unsigned vp6_get_nb_null(VP56Context *s) return val; } -static void vp6_parse_coeff_huffman(VP56Context *s) +static int vp6_parse_coeff_huffman(VP56Context *s) { VP56Model *model = s->modelp; uint8_t *permute = s->idct_scantable; @@ -402,7 +402,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) break; } else { if (get_bits_left(&s->gb) <= 0) - return; + return AVERROR_INVALIDDATA; coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3); if (coeff == 0) { if (coeff_idx) { 
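Review bot: In vp6_parse_coeff_huffman the new `return AVERROR_INVALIDDATA;` on bit-reader exhaustion is silent, while the range-coder variants in the same commit log "End of AC stream reached" before returning; adding the matching `av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff_huffman\n");` keeps diagnostics consistent across the three paths. In ff_vp56_decode_mbs the early `return ret;` now leaves the current frame partially decoded; if the caller does not already discard it on error, that is worth a comment at the return. The enclosing loops of both hunks start outside them.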
@@ -437,9 +437,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s) vlc_coeff = &s->ract_vlc[pt][ct][cg]; } } + return 0; } -static void vp6_parse_coeff(VP56Context *s) +static int vp6_parse_coeff(VP56Context *s) { VP56RangeCoder *c = s->ccp; VP56Model *model = s->modelp; @@ -449,6 +450,11 @@ static void vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ int run = 1; @@ -512,6 +518,7 @@ static void vp6_parse_coeff(VP56Context *s) s->left_block[ff_vp56_b6to4[b]].not_null_dc = s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0]; } + return 0; } static int vp6_block_variance(uint8_t *src, int stride) From cfbab858094b134ed8750bae6d75a55425fd7ede Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jan 2017 00:20:19 +0100 Subject: [PATCH 283/942] avcodec/utils: correct align value for interplay Fixes out of array access Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2080bc33717955a0e4268e738acf8c1eeddbf8cb) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b1bc789792..d5e1cc87f5 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -373,6 +373,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_PAL8: case AV_PIX_FMT_BGR8: 
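Review bot: The new `w_align = 8; h_align = 8;` for AV_CODEC_ID_INTERPLAY_VIDEO in avcodec_align_dimensions2 is a bare magic value with no comment, in a switch that already repeats the same override for AV_CODEC_ID_JV (the next hunk, on the following line); a comment giving the reason — presumably the decoder writes whole 8x8 blocks so the buffer must cover the last partial block, since the commit cites an out-of-array access — would stop the next codec being added without one. The enclosing switch starts outside the hunk.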
@@ -382,7 +386,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } - if (s->codec_id == AV_CODEC_ID_JV) { + if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { w_align = 8; h_align = 8; } From 44eaff5e6d659c4104b0be7ae7222e665666d315 Mon Sep 17 00:00:00 2001 From: Frank Liberato Date: Tue, 24 Jan 2017 10:58:17 -0800 Subject: [PATCH 284/942] avformat/flacdec: Check avio_read result when reading flac block header. Return AVERROR_INVALIDDATA if all four bytes aren't present. Signed-off-by: Michael Niedermayer (cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 46c51a6453..9553106f34 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -65,7 +65,8 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { - avio_read(s->pb, header, 4); + if (avio_read(s->pb, header, 4) != 4) + return AVERROR(AVERROR_INVALIDDATA); flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From a71d22d84dafdcb6ce33e72bca8abd501fe33438 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Feb 2017 01:32:37 +0100 Subject: [PATCH 285/942] avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() Fixes timeout Fixes: 496/clusterfuzz-testcase-5805083497332736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3782656631fa8262528c07794acf7e9c2aab000d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) 
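Review bot: `return AVERROR(AVERROR_INVALIDDATA);` in flac_read_header negates an already-negative code: AVERROR(e) expands to -(e) and AVERROR_INVALIDDATA is a negative FFERRTAG value, so the function returns a positive number here and a caller testing `ret < 0` treats the truncated block header as success; the line should be `return AVERROR_INVALIDDATA;`. A short read at end of stream also lands on this path, because the loop guard tests avio_feof only before the read, which is the intended behaviour once the return value is right.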
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index f065cdad87..cf765fc560 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1391,6 +1391,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int block_idx = mb_y * s->block_stride[c]; int16_t (*block)[64] = &s->blocks[c][block_idx]; uint8_t *last_nnz = &s->last_nnz[c][block_idx]; + if (get_bits_left(&s->gb) <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n"); + return AVERROR_INVALIDDATA; + } for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) { int ret; if (s->restart_interval && !s->restart_count) From dfca37f0e513236cf824d9d0d3aedd9b76014ab5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Feb 2017 16:43:36 +0100 Subject: [PATCH 286/942] Update for 3.0.6 Signed-off-by: Michael Niedermayer --- Changelog | 22 ++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 0a8d3bc5f5..ca9eaae996 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,28 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.6: +- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() +- avformat/flacdec: Check avio_read result when reading flac block header. +- avcodec/utils: correct align value for interplay +- avcodec/vp56: Check for the bitstream end, pass error codes on +- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() +- avcodec/pngdec: Fix off by 1 size in decode_zbuf() +- avformat/avidec: skip odml master index chunks in avi_sync +- avcodec/mjpegdec: Check for rgb before flipping +- avutil/random_seed: Reduce the time needed on systems with very low precision clock() +- avutil/random_seed: Improve get_generic_seed() with higher precision clock() +- avformat/utils: Print verbose error message if stream count exceeds max_streams +- avformat/options_table: Set the default maximum number of streams to 1000 +- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error +- avutil: Add av_image_check_size2() +- avformat: Add max_streams option +- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated +- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() +- avformat/oggdec: Skip streams in duration correction that did not had their duration set. +- avcodec/ffv1enc: Fix size of first slice + + version 3.0.5: - configure: check for strtoull on msvc - http: move chunk handling from http_read_stream() to http_buf_read(). diff --git a/RELEASE b/RELEASE index eca690e737..818bd47abf 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.5 +3.0.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index dd0ef09225..a03b12e866 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.5 +PROJECT_NUMBER = 3.0.6 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 9797929749d040d0cdd2be3d99e739f8526cf01c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Feb 2017 02:45:02 +0100 Subject: [PATCH 287/942] avcodec/interplayvideo: Move parameter change check up Fixes out of array read Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14 Signed-off-by: Michael Niedermayer (cherry picked from commit b1e2192007d7026049237c9ab11e05ae71bf4f42) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 3c3212e1fe..48dc3783b4 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -988,6 +988,11 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { + av_frame_unref(s->last_frame); + av_frame_unref(s->second_last_frame); + } + if (buf_size < 2) return AVERROR_INVALIDDATA; @@ -999,10 +1004,6 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, if (buf_size < s->decoding_map_size + 2) return buf_size; - if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { - av_frame_unref(s->last_frame); - av_frame_unref(s->second_last_frame); - } s->decoding_map = buf + 2; bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, From f9a96bac2804583b9eeba5561d331817609784b0 Mon Sep 17 00:00:00 2001 
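Review bot: Hoisting the AV_PKT_DATA_PARAM_CHANGE check above the `buf_size < 2` and decoding_map_size returns in ipvideo_decode_frame means the reference frames are now dropped even for packets that are then rejected, which is the point of the fix but not visible from the code; a comment such as `/* on a parameter change the old reference frames may have other dimensions; drop them before any early return so they cannot be read with the new size */` (inferred from the out-of-array-read description — confirm) would preserve the ordering constraint against a future "tidy-up". The enclosing function starts outside the hunk.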
From: Michael Niedermayer Date: Sat, 4 Feb 2017 12:24:14 +0100 Subject: [PATCH 288/942] avcodec/pngdec: Check trns more completely Fixes out of array access Fixes: 546/clusterfuzz-testcase-4809433909559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e477f09d0b3619f3d29173b2cd593e17e2d1978e) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 5443332277..0393c52322 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -772,6 +772,16 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, { int v, i; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n"); + return AVERROR_INVALIDDATA; + } + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n"); + return AVERROR_INVALIDDATA; + } + if (s->color_type == PNG_COLOR_TYPE_PALETTE) { if (length > 256 || !(s->state & PNG_PLTE)) return AVERROR_INVALIDDATA; @@ -782,7 +792,8 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { if ((s->color_type == PNG_COLOR_TYPE_GRAY && length != 2) || - (s->color_type == PNG_COLOR_TYPE_RGB && length != 6)) + (s->color_type == PNG_COLOR_TYPE_RGB && length != 6) || + s->bit_depth == 1) return AVERROR_INVALIDDATA; for (i = 0; i < length / 2; i++) { @@ -1241,6 +1252,8 @@ exit_loop: size_t raw_bpp = s->bpp - byte_depth; unsigned x, y; + av_assert0(s->bit_depth > 1); + for (y = 0; y < s->height; ++y) { uint8_t *row = &s->image_buf[s->image_linesize * y]; From c595b1da4f93094f6a69e4df12ae0c4ba640ad4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Feb 2017 01:05:58 +0100 Subject: [PATCH 289/942] Changelog: Update 
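Review bot: `av_assert0(s->bit_depth > 1);` in the exit_loop hunk turns a state slip into a process abort, which in a decoder fed arbitrary input is a crash rather than a rejected file; the decode_trns_chunk changes above already reject `s->bit_depth == 1` for GRAY/RGB, so the invariant belongs in `av_assert1` (debug builds only) or, if it can still be reached by input, a `return AVERROR_INVALIDDATA;`. The two new ordering checks would also benefit from a one-line comment saying tRNS must sit between IHDR and IDAT per the PNG chunk ordering rules, so the messages `"trns before IHDR"` and `"trns after IDAT"` read as spec enforcement rather than ad hoc guards. The enclosing function of the third hunk starts outside it.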
Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index ca9eaae996..fe496dcbfe 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.6: +- avcodec/pngdec: Check trns more completely +- avcodec/interplayvideo: Move parameter change check up - avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() - avformat/flacdec: Check avio_read result when reading flac block header. - avcodec/utils: correct align value for interplay From e8b94e5ce48f0dd68287e8b1c2ef4125fabff1d7 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 2 Jan 2017 01:38:03 -0300 Subject: [PATCH 290/942] configure: bump year Happy new year! (cherry picked from commit d800d48fc67208819c2a4ae5eb214ca5e3ad7e82) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 034d22dc96..090a938136 100755 --- a/configure +++ b/configure @@ -6412,7 +6412,7 @@ cat > $TMPH < Date: Fri, 3 Feb 2017 14:42:44 -0800 Subject: [PATCH 291/942] lavf/matroskadec: fix is_keyframe for early Blocks Blocks are marked as key frames whenever the "reference" field is zero. This breaks for non-keyframe Blocks with a reference timestamp of zero. The likelihood of reference timestamp being zero is increased by a longstanding bug in muxing that encodes reference timestamp as the absolute time of the referenced frame (rather than relative to the current Block timestamp, as described in MKV spec). Now using INT64_MIN to denote "no reference". Reported to chromium at http://crbug.com/497889 (contains sample) (cherry picked from commit ac25840ee32888f0c13118edeb9404a123cd3a79) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 94c4639352..76b9c8d0c2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -87,6 +87,7 @@ typedef const struct EbmlSyntax { int list_elem_size; int data_offset; union { + int64_t i; uint64_t u; double f; const char *s; @@ -606,7 +607,7 @@ static const EbmlSyntax matroska_blockgroup[] = { { MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) }, { MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) }, { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) }, - { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) }, + { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } }, { MATROSKA_ID_CODECSTATE, EBML_NONE }, { 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } }, { 0 } @@ -977,6 +978,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax, for (i = 0; syntax[i].id; i++) switch (syntax[i].type) { + case EBML_SINT: + *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i; + break; case EBML_UINT: *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u; break; @@ -3097,7 +3101,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) matroska->current_cluster_num_blocks = blocks_list->nb_elem; i = blocks_list->nb_elem - 1; if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; uint8_t* additional = blocks[i].additional.size > 0 ? blocks[i].additional.data : NULL; if (!blocks[i].non_simple) 
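Review bot: The INT64_MIN sentinel in `{ .i = INT64_MIN }` and the two `blocks[i].reference == INT64_MIN` tests (the second in the @@ -3135 hunk on the next line) are bare magic values; a comment at the table entry, e.g. `/* INT64_MIN: no BlockReference element present; 0 is a legitimate reference timestamp */`, or a named constant, would record why `!reference` was wrong. The new EBML_SINT case in ebml_parse_nest also makes every other EBML_SINT table entry default to `def.i == 0` from the zero-initialised union, which presumably matches the previous behaviour but is worth stating next to the new `int64_t i;` member.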
@@ -3135,7 +3139,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) blocks = blocks_list->elem; for (i = 0; i < blocks_list->nb_elem; i++) if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; res = matroska_parse_block(matroska, blocks[i].bin.data, blocks[i].bin.size, blocks[i].bin.pos, cluster.timecode, blocks[i].duration, From 4730d0d385a1a1db24cfa6fd147261410f1353b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Feb 2017 11:17:10 +0100 Subject: [PATCH 292/942] avcodec/movtextdec: Fix decode_styl() cleanup Fixes: null pointer dereference Fixes: 555/clusterfuzz-testcase-5986646595993600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e248522d1b0d6dd8641f382cd5c4338d0ecd98e5) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 775c63e72c..6148593ade 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -115,6 +115,8 @@ static void mov_text_cleanup(MovTextContext *m) av_freep(&m->s[i]); } av_freep(&m->s); + m->count_s = 0; + m->style_entries = 0; } } 
@@ -278,12 +280,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) { int i; - m->style_entries = AV_RB16(tsmb); + int style_entries = AV_RB16(tsmb); tsmb += 2; // A single style record is of length 12 bytes. - if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size) + if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) return -1; + m->style_entries = style_entries; + m->box_flags |= STYL_BOX; for(i = 0; i < m->style_entries; i++) { m->s_temp = av_malloc(sizeof(*m->s_temp)); From bb504aa5eb7eb32dbb62545772285e794af85651 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Feb 2017 15:49:09 +0100 Subject: [PATCH 293/942] avcodec/pictordec: Fix logic error Fixes: 559/clusterfuzz-testcase-6424225917173760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index ff6eb7f4fc..0cfc785832 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx, if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From 4f7064c9da35cd8156f6aee4a25e9b4e7f4ae607 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:24:42 -0800 Subject: [PATCH 294/942] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr Core of patch is from paul@paulmehta.com Reference https://crbug.com/643950 
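Review bot: decode_styl still sets `m->box_flags |= STYL_BOX` right after the size check, while the cleanup hunk above resets only count_s and style_entries; if box_flags is not cleared elsewhere (not visible here), a later packet can see STYL_BOX set with zero style entries, which is safe only if every consumer bounds on count_s/style_entries rather than on the flag. Either clear the flag in mov_text_cleanup or add a comment stating that the counts, not the flag, are authoritative. The early failure also returns a bare `-1` where the rest of this series uses `return AVERROR_INVALIDDATA;`, which callers can distinguish from other errors. The allocation loop of decode_styl continues outside the hunk.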
Signed-off-by: Michael Niedermayer Check value reduced as the code does not support larger lengths (cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6b90d08ddc..e6b6c67309 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -674,6 +674,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_size = atom.size - 24; if (title_size > 0) { + if (title_size > FFMIN(INT_MAX, SIZE_MAX-1)) + return AVERROR_INVALIDDATA; title_str = av_malloc(title_size + 1); /* Add null terminator */ if (!title_str) return AVERROR(ENOMEM); From dc1e099bf281e69d162bde02bd87112bbcb1ab5c Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:26:19 -0800 Subject: [PATCH 295/942] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid Core of patch is from paul@paulmehta.com Reference https://crbug.com/643951 Signed-off-by: Michael Niedermayer Check value reduced as the code does not support values beyond INT_MAX Also the check is moved to a more common place and before integer truncation (cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e6b6c67309..b03a4b947a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3901,7 +3901,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) 0x9c, 0x71, 0x99, 0x94, 0x91, 0xe3, 0xaf, 0xac }; - if (atom.size < sizeof(uuid) || atom.size == INT64_MAX) + if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX)) return AVERROR_INVALIDDATA; ret = avio_read(pb, uuid, sizeof(uuid)); From 3295d22f3ab197ac872603b38da535d33b971708 Mon Sep 17 00:00:00 2001 
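Review bot: In mov_read_uuid a negative atom.size is rejected only through implicit signed/unsigned conversion: atom.size is int64_t, `sizeof(uuid)` and `FFMIN(INT_MAX, SIZE_MAX)` are size_t, so with a 64-bit size_t the negative value becomes huge and trips the upper bound, while with a 32-bit size_t the conversion goes the other way and it trips the lower bound instead. If MOVAtom.size can be negative here (the caller is not visible), make that explicit with `if (atom.size < 0 || atom.size < (int64_t)sizeof(uuid) || atom.size >= INT_MAX)`, which also drops the FFMIN that is always INT_MAX on any target with a size_t of at least 32 bits. mov_read_uuid continues outside the hunk.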
From: Michael Niedermayer Date: Wed, 8 Feb 2017 17:55:41 +0100 Subject: [PATCH 296/942] avcodec/h264_slice: Clear ref_counts on redundant slices Fixes reading freed memory Fixes: 568/clusterfuzz-testcase-6107186067406848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c03029a835949fc0e68b4c6558ebcdc3ae137087) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b979b15382..550a7fc15e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1591,7 +1591,9 @@ again: #endif } else context_count++; - } + } else + sl->ref_count[0] = sl->ref_count[1] = 0; + break; break; case NAL_DPA: case NAL_DPB: From a5dabd4013d1d4e90855d955fcc5069c6ddf8170 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Feb 2017 21:16:57 +0100 Subject: [PATCH 297/942] Update for 3.0.7 Signed-off-by: Michael Niedermayer --- Changelog | 8 ++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index fe496dcbfe..8e8aa20978 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,14 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.7 +- avcodec/h264_slice: Clear ref_counts on redundant slices +- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid +- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr +- avcodec/pictordec: Fix logic error +- avcodec/movtextdec: Fix decode_styl() cleanup +- lavf/matroskadec: fix is_keyframe for early Blocks + version 3.0.6: - avcodec/pngdec: Check trns more completely - avcodec/interplayvideo: Move parameter change check up diff --git a/RELEASE b/RELEASE index 818bd47abf..2451c27caf 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.6 +3.0.7 
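Review bot: The added `break;` is immediately followed by the pre-existing `break;`, so the second one is dead code; drop one so the case body ends with a single `break;`. The braceless `else` covers only the `sl->ref_count[0] = sl->ref_count[1] = 0;` assignment, which looks intended, but wrapping it in braces would make that obvious next to the duplicated break. The switch and the enclosing function continue outside the hunk.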
diff --git a/doc/Doxyfile b/doc/Doxyfile index a03b12e866..cb6e3cf8fc 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.6 +PROJECT_NUMBER = 3.0.7 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From b5c13002d18e8cd0ab19b37bb1fff3ea75ec3e5e Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 8 Feb 2017 15:40:46 -0800 Subject: [PATCH 298/942] lavf/mov.c: Avoid OOB in mov_read_udta_string() Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 (udta_string portion) Signed-off-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 9bbdf5d921ef57e1698f64981e4ea04db7c56fb5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b03a4b947a..6fc792f0b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -380,11 +380,11 @@ retry: return ret; } else if (!key && c->found_hdlr_mdta && c->meta_keys) { uint32_t index = AV_RB32(&atom.type); - if (index < c->meta_keys_count) { + if (index < c->meta_keys_count && index > 0) { key = c->meta_keys[index]; } else { av_log(c->fc, AV_LOG_WARNING, - "The index of 'data' is out of range: %d >= %d.\n", + "The index of 'data' is out of range: %d < 1 or >= %d.\n", index, c->meta_keys_count); } } From c63e58756699d07b5bc69799db388600d3e634bf Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:27:49 -0800 Subject: [PATCH 299/942] lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}() Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 (senc,saiz portions) Signed-off-by: Matt Wolenetz 
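Review bot: `index` is a uint32_t but the new log line, like the old one, prints it with `%d`, a signed/unsigned format mismatch that shows large crafted indices as negative numbers; use `"The index of 'data' is out of range: %"PRIu32" < 1 or >= %d.\n"` for index (keep `%d` for meta_keys_count only if it is an int, its type is not visible here). The new `index > 0` exclusion is correct only if slot 0 of meta_keys is reserved; a comment such as `/* keys are 1-based; index 0 never names a key */` would record that. mov_read_udta_string continues outside the hunk.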
Signed-off-by: Michael Niedermayer (cherry picked from commit 36aba43bd5fae8595dd9a566fbcfbbea63f0fca3) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6fc792f0b7..b06e9c84ae 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4064,8 +4064,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); /* entries */ - if (atom.size < 8) { - av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" too small\n", atom.size); + if (atom.size < 8 || atom.size > FFMIN(INT_MAX, SIZE_MAX)) { + av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" invalid\n", atom.size); return AVERROR_INVALIDDATA; } From 9b6af4561b07ec9a634e84e3fc388d0cd5a59d79 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 17 Feb 2017 00:46:14 +0100 Subject: [PATCH 300/942] lavc/avpacket: Initialize a variable in error path. Fixes ticket #6153. Tested-by: Tyson Smith (cherry picked from commit 1d54be215309b8aa71a51826e4b0a1660fef9f93) --- libavcodec/avpacket.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index b3acc8838b..3480c23368 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -333,6 +333,8 @@ uint8_t *av_packet_get_side_data(AVPacket *pkt, enum AVPacketSideDataType type, return pkt->side_data[i].data; } } + if (size) + *size = 0; return NULL; } From dffd455b9b6a6bd01ea073cdb59d62242bf0c377 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 19 Feb 2017 16:15:34 +0100 Subject: [PATCH 301/942] lavf/mpeg: Initialize a stack variable used by memcmp(). Silence a valgrind warning. Fixes ticket #6160. (cherry picked from commit a5c1c7a8b3d13c86b453558628951c3f52054ab4) --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index f937fa13ac..db8f1f99a5 100644 --- a/libavformat/mpeg.c 
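Review bot: The subject and message name both senc and saiz, but the diffstat (`libavformat/mov.c | 4 ++--`) and the single hunk touch only mov_read_senc, so the saiz bound from the referenced upstream commit does not appear in this backport; worth confirming that mov_read_saiz on this branch already rejects oversized atoms. In the senc hunk, `avio_rb32(pb); /* entries */` is read and discarded before atom.size is validated; reading it after the check, or using the count to cross-check atom.size, keeps all parsing behind the validation. mov_read_senc continues outside the hunk.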
+++ b/libavformat/mpeg.c @@ -138,7 +138,7 @@ typedef struct MpegDemuxContext { static int mpegps_read_header(AVFormatContext *s) { MpegDemuxContext *m = s->priv_data; - char buffer[7]; + char buffer[7] = { 0 }; int64_t last_pos = avio_tell(s->pb); m->header_state = 0xff; From 2423dd965637e1baecd9ad0ec3ecaf9ca59ff66e Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 21 Mar 2017 12:02:35 -0300 Subject: [PATCH 302/942] swresample/resample: move resample_free() higher in the file Also make it more readable while at it. Signed-off-by: James Almer (cherry picked from commit 2a8a8a2e98136c22f6e07ff669251afb8a033676) Conflicts: libswresample/resample.c --- libswresample/resample.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index d410432658..a0c2a3a85b 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -295,6 +295,14 @@ fail: return 0; } +static void resample_free(ResampleContext **cc){ + ResampleContext *c = *cc; + if(!c) + return; + av_freep(&c->filter_bank); + av_freep(cc); +} + static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_rate, int filter_size, int phase_shift, int linear, double cutoff0, enum AVSampleFormat format, enum SwrFilterType filter_type, double kaiser_beta, double precision, int cheby) @@ -375,13 +383,6 @@ error: return NULL; } -static void resample_free(ResampleContext **c){ - if(!*c) - return; - av_freep(&(*c)->filter_bank); - av_freep(c); -} - static int set_compensation(ResampleContext *c, int sample_delta, int compensation_distance){ c->compensation_distance= compensation_distance; if (compensation_distance) From 4c97b79cf560afe6a9ddfef9843fff3489d08ce7 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 21 Mar 2017 12:03:44 -0300 Subject: [PATCH 303/942] swresample/resample: free existing ResampleContext on reinit Fixes memleak. Reviewed-by: wm4 Reviewed-by: Michael Niedermayer 
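Review bot: `char buffer[7] = { 0 };` silences valgrind but does not address why memcmp() later compares bytes that were never filled: if the read that populates buffer (outside the hunk) returns short, the comparison now runs against zeros instead of garbage and the header probe still acts on that result. Prefer checking that read's return value and bailing out on a short read, keeping the zero-initialisation only as a belt-and-braces measure. mpegps_read_header continues outside the hunk.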
Signed-off-by: James Almer (cherry picked from commit db7a05dab0652d4ec6d89394c9024d02f44494a7) --- libswresample/resample.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswresample/resample.c b/libswresample/resample.c index a0c2a3a85b..a19af17516 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -314,6 +314,7 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r if (!c || c->phase_shift != phase_shift || c->linear!=linear || c->factor != factor || c->filter_length != FFMAX((int)ceil(filter_size/factor), 1) || c->format != format || c->filter_type != filter_type || c->kaiser_beta != kaiser_beta) { + resample_free(&c); c = av_mallocz(sizeof(*c)); if (!c) return NULL; From 48706b9fef0c9f4594630dacfe5561c6f96cd193 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 20 Mar 2017 22:53:00 -0300 Subject: [PATCH 304/942] avformat/apng: fix setting frame delay when max_fps is set to no limit Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 874eb012f75bc18bb6d79ad4bc0912afa21751f3) --- libavformat/apngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index c6403a191d..d9f9ee3f30 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -269,7 +269,7 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket /* default is hundredths of seconds */ if (!delay_den) delay_den = 100; - if (!delay_num || delay_den / delay_num > ctx->max_fps) { + if (!delay_num || (ctx->max_fps && delay_den / delay_num > ctx->max_fps)) { delay_num = 1; delay_den = ctx->default_fps; } From d5cdae9e357b4078e3aebc8417ccbe4d50de8379 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Feb 2017 12:47:49 +0100 Subject: [PATCH 305/942] avformat/http: Check for truncated buffers in http_connect() Reported-by: SleepProgger Reviewed-by: Steven Liu 
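Review bot: `resample_free(&c);` now frees the caller's existing context before `av_mallocz`, so when the allocation fails the function returns NULL and the only record of that free is the return value; any caller that keeps its old pointer on a NULL return (the call site is not visible here) is left holding a dangling ResampleContext. Either allocate the new context into a temporary and free the old one only once the new one exists, or make sure every caller assigns the return value unconditionally. resample_init continues outside the hunk.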
Signed-off-by: Michael Niedermayer (cherry picked from commit 8fa18e042ad2c078f759692f1db5629d16d70595) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index f027e036a7..5bb8d586de 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1002,6 +1002,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; @@ -1092,7 +1093,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, if (s->headers) av_strlcpy(headers + len, s->headers, sizeof(headers) - len); - snprintf(s->buffer, sizeof(s->buffer), + ret = snprintf(s->buffer, sizeof(s->buffer), "%s %s HTTP/1.1\r\n" "%s" "%s" @@ -1108,6 +1109,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer); + if (strlen(headers) + 1 == sizeof(headers) || + ret >= sizeof(s->buffer)) { + av_log(h, AV_LOG_ERROR, "overlong headers\n"); + err = AVERROR(EINVAL); + goto done; + } + + if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0) goto done; From 5cfd259820fe4b644917fcbddbc2a89f6b5a6122 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 15:09:34 +0100 Subject: [PATCH 306/942] avcodec/wavpacl: Fix runtime error: left shift of negative value -1 Fixes: 607/clusterfuzz-testcase-5108792465293312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12eebb845a7fe1ced91606547352cbdd93a2726d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b6022f0fa5..16fdfa158c 100644 
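Review bot: `ret >= sizeof(s->buffer)` rejects a negative snprintf() return only because `int` is converted to `size_t` for the comparison; write it as `ret < 0 || ret >= sizeof(s->buffer)` so the encoding-error case is deliberate. The `strlen(headers) + 1 == sizeof(headers)` test only detects truncation when the copy filled the buffer exactly; `av_strlcpy` returns the length it tried to copy, so `if (av_strlcpy(headers + len, s->headers, sizeof(headers) - len) >= sizeof(headers) - len)` is the direct check, and it is independent of how `len` was built by the earlier, non-visible snprintf calls. The debug log of the full request also runs before the overlong check, so a truncated request is logged as if it were sent. http_connect continues outside the hunk.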
--- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); + s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC = bytestream2_get_le32(&gb); // parse metadata blocks From 1f4f22eb0fb78a696c6f7437f189cd35bf708dc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 18:47:13 +0100 Subject: [PATCH 307/942] avcodec/mpeg12dec: Fix runtime error: left shift of negative value Fixes: 608/clusterfuzz-testcase-603978286392934 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 706757d26dd5e606c1745a4bb53fe45f6d6493cf) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 5a70148c5f..fbcf87edb2 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -914,8 +914,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { - s->mv[i][0][0] <<= 1; - s->mv[i][0][1] <<= 1; + s->mv[i][0][0] *= 2; + s->mv[i][0][1] *= 2; } } } From 0465fc58e86bd02d8fd7f4046209d715a8ea43bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 19:12:25 +0100 Subject: [PATCH 308/942] avcodec/pngdec: Check bit depth for validity Fixes: runtime error: shift exponent 132 is too large for 32-bit type 'int' Fixes: 609/clusterfuzz-testcase-4825202619842560 See 11.2.2 IHDR Image header Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
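Review bot: `-1UL << (orig_bpp - 1)` has a platform-dependent width: `unsigned long` is 32 bits on Windows and ILP32 targets while the maxclip line above deliberately uses `1LL`, so the two clip bounds are computed in different widths and hybrid_minclip changes meaning across platforms once `orig_bpp - 1` reaches 32 (a shift by the full width is itself undefined). Match the width of the line above with `s->hybrid_minclip = ((-1ULL << (orig_bpp - 1)));` and, if orig_bpp is not already range-checked before this point (not visible here), keep the shift below 64. wavpack_decode_block continues outside the hunk.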
Signed-off-by: Michael Niedermayer (cherry picked from commit 4279613a2652cdf2bee564f4b7244567e5ba91ba) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 0393c52322..a3973870e3 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } s->bit_depth = bytestream2_get_byte(&s->gb); + if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && + s->bit_depth != 8 && s->bit_depth != 16) { + av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); + goto error; + } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); s->filter_type = bytestream2_get_byte(&s->gb); @@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->compression_type, s->filter_type, s->interlace_type); return 0; +error: + s->cur_w = s->cur_h = s->width = s->height = 0; + s->bit_depth = 8; + return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) From fe27d3f02f41c577c7f01e52f6c86bead689007f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 23:37:53 +0100 Subject: [PATCH 309/942] avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' Fixes: 617/clusterfuzz-testcase-6413875723370496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c11d3634b07b4aa71f75478aa1bcb63b0c22e030) Signed-off-by: Michael Niedermayer --- libavcodec/srtdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index 542dd35795..d830d7ca6f 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c 
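Review bot: The new check validates bit_depth in isolation and runs before color_type is read, but the IHDR section the message cites (11.2.2) also restricts depth per colour type (palette only 1/2/4/8, RGB/RGBA and grey+alpha only 8/16); if that combination is not rejected elsewhere (not visible here), an inconsistent pair still reaches pixel-format selection. Consider validating the pair after color_type is read, or documenting where the combination check lives. The `error:` label resets bit_depth to 8 with no explanation; a comment such as `/* reset header state so later chunks cannot use the rejected IHDR */` would record the intent. The beginning of decode_ihdr_chunk is outside the hunk.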
@@ -38,13 +38,13 @@ static void srt_to_ass(AVCodecContext *avctx, AVBPrint *dst, /* text rectangle defined, write the text at the center of the rectangle */ const int cx = x1 + (x2 - x1)/2; const int cy = y1 + (y2 - y1)/2; - const int scaled_x = cx * ASS_DEFAULT_PLAYRESX / 720; - const int scaled_y = cy * ASS_DEFAULT_PLAYRESY / 480; + const int scaled_x = cx * (int64_t)ASS_DEFAULT_PLAYRESX / 720; + const int scaled_y = cy * (int64_t)ASS_DEFAULT_PLAYRESY / 480; av_bprintf(dst, "{\\an5}{\\pos(%d,%d)}", scaled_x, scaled_y); } else { /* only the top left corner, assume the text starts in that corner */ - const int scaled_x = x1 * ASS_DEFAULT_PLAYRESX / 720; - const int scaled_y = y1 * ASS_DEFAULT_PLAYRESY / 480; + const int scaled_x = x1 * (int64_t)ASS_DEFAULT_PLAYRESX / 720; + const int scaled_y = y1 * (int64_t)ASS_DEFAULT_PLAYRESY / 480; av_bprintf(dst, "{\\an1}{\\pos(%d,%d)}", scaled_x, scaled_y); } } From 783ba62dae862d8a6f4c530d06dcfffe58f5accf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Feb 2017 12:31:43 +0100 Subject: [PATCH 310/942] avcodec/pictordec: Do not read more than nb_planes Fixes undefined behavior Fixes: 622/clusterfuzz-testcase-5745722022428672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d196a67dc55eb01cf3e06d6338c5d096a29b1c) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 0cfc785832..a3d72e3f25 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -80,7 +80,7 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, value <<= bits_per_plane; mask <<= bits_per_plane; if (*plane >= s->nb_planes) - break; + return; } } } 
@@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx, } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); From 7aaac74f58ce5e2ed9a48b66e8806e383f3495b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 12:46:28 +0100 Subject: [PATCH 311/942] avcodec/rv34: Simplify and factor get_slice_offset() code This also fixes several integer overflows by checking each value before use. Fixes: 662/clusterfuzz-testcase-4898131432964096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8696f254444c2ec24daa570f26feadbd3df911e4) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 42 +++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index c2e84a3b57..a80b063e4e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,10 +1585,13 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte return ff_mpeg_update_thread_context(dst, src); } -static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) +static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size) { - if(avctx->slice_count) return avctx->slice_offset[n]; - else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + if (n < slice_count) { + if(avctx->slice_count) return avctx->slice_offset[n]; + else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + } else + return buf_size; } static int finish_frame(AVCodecContext *avctx, AVFrame *pict) 
@@ -1646,6 +1649,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, const uint8_t *slices_hdr = NULL; int last = 0; int faulty_b = 0; + int offset; /* no supplementary picture */ if (buf_size == 0) { @@ -1668,13 +1672,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, }else slice_count = avctx->slice_count; + offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size); //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) < 0 || - get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return AVERROR_INVALIDDATA; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); + init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return AVERROR_INVALIDDATA; 
@@ -1777,40 +1781,32 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ - int offset = get_slice_offset(avctx, slices_hdr, i); + int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); + int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size); int size; - if(i+1 == slice_count) - size = buf_size - offset; - else - size = get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size){ + if(offset < 0 || offset > offset1 || offset1 > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } + size = offset1 - offset; r->si.end = s->mb_width * s->mb_height; s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(i+1 < slice_count){ - if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || - get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size); + if (offset2 < offset1 || offset2 > buf_size) { av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); + init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ - if(i+2 < slice_count) - size = get_slice_offset(avctx, slices_hdr, i+2) - offset; - else - size = buf_size - offset; + size = offset2 - offset; }else r->si.end = si.start; } - if (size < 0 || size > buf_size - offset) { - av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); - break; - } + av_assert0 (size >= 0 && size <= buf_size - offset); last = rv34_decode_slice(r, r->si.end, buf + offset, size); if(last) break; From 90f7b5fd16a684ac2c25e96741144772fa0e0dd9 Mon Sep 17 00:00:00 2001 
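Review bot: `av_assert0(size >= 0 && size <= buf_size - offset);` replaces a recoverable error path with an unconditional abort; the surrounding checks (`offset <= offset1 <= buf_size`, `offset2 >= offset1`, `offset2 <= buf_size`) do make the condition hold for both ways `size` is computed, so the assert is currently unreachable, but any later weakening of those checks would turn a crafted RealVideo stream into a process crash instead of a decode error. Prefer `av_assert1` (debug-only) here, or keep the original `break` with its error log. ff_rv34_decode_frame continues outside the hunk.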
From: Michael Niedermayer Date: Fri, 24 Feb 2017 19:04:12 +0100 Subject: [PATCH 312/942] avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding Fixes: 665/clusterfuzz-testcase-4863789881098240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d81616be332cca99304d0b747c2c8e2d719f349) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 5e3fe7e986..72f0613b7a 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1663,7 +1663,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } ret = avpriv_mpegaudio_decode_header((MPADecodeHeader *)s, header); if (ret < 0) { From 065440d96bf2a32e679b048a8889942eeeb3fbe0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 21:05:33 +0100 Subject: [PATCH 313/942] avcodec/vp56: Fix sign typo Fixes: 664/clusterfuzz-testcase-4917047475568640 The change to fate is due to a truncated last frames which is now detected as damaged. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 513a3494396d0a20233273b3cadcb5ee86485d5c) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 2 +- libavcodec/vp6.c | 2 +- tests/ref/fate/vp5 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 4ec85ebde7..108f16131d 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c 
@@ -181,7 +181,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 7f0a9b7d5d..662126ca70 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -450,7 +450,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 0e601ba811..25bc7aa587 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0x8843293b From 674cd62f07fa4496fa75b6dd2a48c287b3380ae9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 01:43:16 +0100 Subject: [PATCH 314/942] avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' Fixes: 666/clusterfuzz-testcase-6581447227867136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 310d2af319d9113263f75e94f5a1b211c05260b5) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index a3973870e3..c2da1f66d5 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
@@ -796,7 +796,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; for (i = 0; i < length; i++) { - v = bytestream2_get_byte(&s->gb); + unsigned v = bytestream2_get_byte(&s->gb); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { From 336a4c5f79a582f43f794b24e218f3b446dc975e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 02:19:43 +0100 Subject: [PATCH 315/942] avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 Fixes: 669/clusterfuzz-testcase-4847965409640448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6bd79ba59f46a8b3133f28faae53b75540469803) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index a99dbd110e..104a392363 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -295,7 +295,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) { if (pitch_index < 116) { *lag_int = (pitch_index + 69) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2; } else { *lag_int = pitch_index - 24; *lag_frac = 0; @@ -305,7 +305,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15); } else { *lag_int = (pitch_index + 1) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1)) << 1; + *lag_frac = (pitch_index - (*lag_int << 1)) * 2; *lag_int += *base_lag_int; } } From 3c8c0c0162d2910a19bd2cc38af429e2004b84df Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 25 Feb 2017 12:37:32 +0100 Subject: [PATCH 316/942] avcodec/vp56: Implement very basic error concealment This should fix the fate failure due to a truncated last frame. Alternatively the frame could be dropped. Signed-off-by: Michael Niedermayer (cherry picked from commit d34bf886e963445350c4987f7a9ed77bd9c9a5c7) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 81 ++++++++++++++++++++++++++++++++++++++++++++-- tests/ref/fate/vp5 | 2 +- 2 files changed, 79 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index d8fe994b8c..b36c99fd33 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col) return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; 
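Review bot: In vp56_conceal_mv the pointer `mv` only ever aliases the local `vect`, so `mv = &vect;` and the `*mv` copies add indirection without purpose; `VP56mv vect = {0,0};` followed by `s->macroblocks[row*s->mb_width + col].mv = vect;` and `s->mv[b] = vect;` says the same thing. A one-line comment stating the concealment policy, e.g. `/* conceal as a zero-vector inter MB copied from the previous frame */`, would make the choice of VP56_MB_INTER_NOVEC_PF explicit.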
@@ -457,6 +476,57 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) return 0; } +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + AVFrame *frame_current, *frame_ref; + VP56mb mb_type; + VP56Frame ref_frame; + int b, ab, b_max, plane, off; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + ref_frame = ff_vp56_reference_frame[mb_type]; + + frame_current = s->frames[VP56_FRAME_CURRENT]; + frame_ref = s->frames[ref_frame]; + if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) + return 0; + + ab = 6*is_alpha; + b_max = 6 - 2*is_alpha; + + switch (mb_type) { + case VP56_MB_INTRA: + for (b=0; bvp3dsp.idct_put(frame_current->data[plane] + s->block_offset[b], + s->stride[plane], s->block_coeff[b]); + } + break; + + case VP56_MB_INTER_NOVEC_PF: + case VP56_MB_INTER_NOVEC_GF: + for (b=0; bblock_offset[b]; + s->hdsp.put_pixels_tab[1][0](frame_current->data[plane] + off, + frame_ref->data[plane] + off, + s->stride[plane], 8); + s->vp3dsp.idct_add(frame_current->data[plane] + off, + s->stride[plane], s->block_coeff[b]); + } + break; + } + + if (is_alpha) { + s->block_coeff[4][0] = 0; + s->block_coeff[5][0] = 0; + } + return 0; +} + static int vp56_size_changed(VP56Context *s) { AVCodecContext *avctx = s->avctx; @@ -593,6 +663,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; 
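Review bot: `vp56_conceal_mb` hands `s->block_coeff[b]` to `idct_put` in the `VP56_MB_INTRA` case and to `idct_add` in the inter case, but nothing on the concealment path resets those coefficients, so a concealed macroblock renders whatever the last, possibly half-parsed, `parse_coeff` call left behind, unless that callback zeroes them on failure, which is not visible here. Clearing them first, e.g. `memset(s->block_coeff, 0, sizeof(s->block_coeff));` at the top of the function (assuming `block_coeff` is an inline array), makes concealment a plain copy of the reference block and keeps the output deterministic between runs, which matters for reproducing fuzzer cases. The function also only ever returns 0, so a `void` return would make the call site in the later hunk read more honestly; the surrounding `vp56_size_changed` is outside this hunk.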
@@ -657,9 +728,13 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) - return ret; + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + damaged = 1; + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 25bc7aa587..f044567fd9 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0x8843293b +0, 246, 246, 1, 233472, 0xbf73f1b7 From f6908d087e6bd7b10a2f6d4e9be8cb0faf9fe785 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Mar 2017 04:28:23 +0100 Subject: [PATCH 317/942] avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change Similar code is used elsewhere in vp56 to force a more complete reinit in the future. Fixes null pointer dereference Fixes: 707/clusterfuzz-testcase-4717453097566208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4bed06637729ab000b79250c67d53078300e37c4) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index b36c99fd33..52f2a7dae8 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c 
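Review bot: Once `vp56_decode_mb` fails, the loop sets `damaged`, conceals every remaining macroblock and drops the error value, so the frame reaches the caller as if it had decoded cleanly with no way to opt out. Callers that set `avctx->err_recognition & AV_EF_EXPLODE` expect a hard failure rather than concealment; `if (ret < 0) { if (avctx->err_recognition & AV_EF_EXPLODE) return ret; damaged = 1; }` keeps that contract. A comment on the `damaged` flag stating that it switches the rest of the frame to concealment would also help, since the `if (damaged)` test is the only hint; ff_vp56_decode_mbs starts and ends outside this hunk.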
@@ -603,13 +603,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF); - if (ret < 0) + if (ret < 0) { + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; + } if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) { av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]); if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) { av_frame_unref(p); + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; } } From 095449d272897bc369431436b71788ad877470dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:04 +0100 Subject: [PATCH 318/942] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 Fixes: 764/clusterfuzz-testcase-6273034652483584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a720b854b0d3f0fae2b1eac644dd39e5821cacb1) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index fbcf87edb2..cb8bab57a7 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1043,7 +1043,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1); if (mb_block_count > 6) { - cbp <<= mb_block_count - 6; + cbp *= 1 << mb_block_count - 6; cbp |= get_bits(&s->gb, mb_block_count - 6); s->bdsp.clear_blocks(s->block[6]); } From 067bd9877f732a0e795ad836beccfc6a4917742d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Feb 2017 19:34:54 +0100 Subject: [PATCH 319/942] Add CHECK/SUINT code Signed-off-by: Michael Niedermayer (cherry picked from commit 4614bf2caf67a89c2d833b3368f325eab54582bc) (cherry picked from commit e8d4eacc07c61ae24f48451073a2620d8d257d33) 
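Review bot: `cbp *= 1 << mb_block_count - 6;` in mpeg_decode_mb depends on `-` binding tighter than `<<`, which is correct but reads as though it could be `(1 << mb_block_count) - 6`; `cbp *= 1 << (mb_block_count - 6);` removes the ambiguity and matches how the other shift-to-multiply rewrites in this series are spelled. The enclosing `if (mb_block_count > 6)` keeps the shift count positive, so the expression itself is sound. mpeg_decode_mb starts and ends outside this hunk.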
Signed-off-by: Michael Niedermayer (cherry picked from commit 3f2a09a43f6fade53227804459e6babb1c7248b3) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavutil/internal.h b/libavutil/internal.h index 44f8c1ee47..00872a4b73 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,10 @@ # define NDEBUG #endif +#if defined(DEBUG) && !defined(CHECKED) +# define CHECKED +#endif + #include #include #include @@ -257,6 +261,16 @@ void avpriv_request_sample(void *avc, # define ff_dlog(ctx, ...) do { if (0) av_log(ctx, AV_LOG_DEBUG, __VA_ARGS__); } while (0) #endif +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * Clip and convert a double value into the long long amin-amax range. * This function is needed because conversion of floating point to integers when From 8b644b956347c948a8e54de9658556f964d74191 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 13:11:43 +0100 Subject: [PATCH 320/942] avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' Fixes: 664/clusterfuzz-testcase-4917047475568640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b8b7921c55a93049a86cfeb2fda9423d16f8ebe) Signed-off-by: Michael Niedermayer --- libavcodec/vp3dsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index d8a3e0a354..37997431d3 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c 
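Review bot: The comment introducing `SUINT` has a typo (`debuging`) and, more usefully, does not say how the type is meant to be used: a `SUINT` value is only safe as an intermediate, and any site that wants a signed result has to convert back explicitly, as the `(int)` cast in the vp3dsp macro of the next commit does. I would write it as `// For debugging we use signed operations so overflows can be detected (by ubsan).` / `// For production we use unsigned so there are no undefined operations.` / `// Convert back to a signed type explicitly where a signed result is expected.`. Since the first hunk derives `CHECKED` from `DEBUG`, a note that defining `CHECKED` alone also selects the signed variants would make the switch discoverable.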
@@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) From 49130f414559d6d047f4e1d4dcead1febb4a08dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:22 +0100 Subject: [PATCH 321/942] avcodec/vp56: Factorize vp56_render_mb() out Signed-off-by: Michael Niedermayer (cherry picked from commit 4c0139463c8f0a6f28e7b193c2a85608a7635bbd) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 77 ++++++++++++++--------------------------------- 1 file changed, 23 insertions(+), 54 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 52f2a7dae8..5ea365375b 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -400,30 +400,18 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - int ret; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - ret = s->parse_coeff(s); - if (ret < 0) - return ret; + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; 
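Review bot: The rewritten `M(a, b)` converts the unsigned product back with `(int)` before the `>> 16`, and for products above INT_MAX that conversion is implementation-defined (two's-complement wrap on GCC/Clang) rather than portable C, as is the arithmetic right shift of the resulting negative value; a one-line comment stating that the macro deliberately relies on both would stop a later reader from "fixing" it. With `CHECKED` defined `SUINT` is `int`, so the `46341 * 47523` overflow from the commit message is intentionally still reachable in checked builds, which is the point of `SUINT` but worth saying next to the macro.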
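Review bot: `vp56_render_mb` calls `vp56_add_predictors_dc(s, ref_frame)` unconditionally, and since `vp56_conceal_mb` in the next hunk is rewritten to go through it, the concealment path now applies DC prediction to coefficients it never parsed, which the original `vp56_conceal_mb` from the earlier commit did not do; the message describes a pure factorization, so either this is intended (and should be said, as it keeps the DC-prediction state in step for later macroblocks) or the call belongs in `vp56_decode_mb` after `parse_coeff`. `row` and `col` also appear unused inside `vp56_render_mb` (the visible body reads only `s` and `mb_type`, though the unchanged middle of the function is not in this hunk), in which case they can be dropped from the signature. `av_always_inline` with two callers duplicates the whole rendering switch; a plain `static` would let the compiler decide.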
@@ -473,57 +461,38 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } +} + +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + return 0; } static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) { - AVFrame *frame_current, *frame_ref; VP56mb mb_type; - VP56Frame ref_frame; - int b, ab, b_max, plane, off; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; else mb_type = vp56_conceal_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - frame_current = s->frames[VP56_FRAME_CURRENT]; - frame_ref = s->frames[ref_frame]; - if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + vp56_render_mb(s, row, col, is_alpha, mb_type); - ab = 6*is_alpha; - b_max = 6 - 2*is_alpha; - - switch (mb_type) { - case VP56_MB_INTRA: - for (b=0; bvp3dsp.idct_put(frame_current->data[plane] + s->block_offset[b], - s->stride[plane], s->block_coeff[b]); - } - break; - - case VP56_MB_INTER_NOVEC_PF: - case VP56_MB_INTER_NOVEC_GF: - for (b=0; bblock_offset[b]; - s->hdsp.put_pixels_tab[1][0](frame_current->data[plane] + off, - frame_ref->data[plane] + off, - s->stride[plane], 8); - s->vp3dsp.idct_add(frame_current->data[plane] + off, - s->stride[plane], s->block_coeff[b]); - } - break; - } - - if (is_alpha) { - s->block_coeff[4][0] = 0; - s->block_coeff[5][0] = 0; - } return 0; } From 5740278de27ff9ff6d33de0936fa3d97001d2560 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 28 Feb 2017 03:55:02 +0100 Subject: [PATCH 322/942] avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() Fixes timeout with 686/clusterfuzz-testcase-5853946876788736 this shortcuts (i.e. speeds up) the error and return-to-user when decoding a truncated frame Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Previous version reviewed by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 7b5ff7d57355dc608f0fd86e3ab32a2fda65e752) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 20 ++++++++++++++------ libavcodec/vp8.h | 2 +- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 64037fc089..a39b010b70 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2274,7 +2274,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define update_pos(td, mb_y, mb_x) while(0) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2290,6 +2290,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else 
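Review bot: The end-of-data test `c->end <= c->buffer && c->bits >= 0` added to decode_mb_row_no_filter is an open-coded reading of the range coder's internals, and the same expression is added per macroblock by a later commit in this series (the hunk at `@@ -2329,6 +2329,8 @@`); a helper beside the coder, `static av_always_inline int vp56_rac_is_end(const VP56RangeCoder *c) { return c->end <= c->buffer && c->bits >= 0; }` in vp56.h, would keep the two in sync and name what the condition means. Which coder `c` refers to is declared outside this hunk and should be confirmed when moving the check. decode_mb_row_no_filter continues past the end of the hunk.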
@@ -2393,18 +2397,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2487,13 +2492,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { if (mb_y >= s->mb_height) break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) + return ret; if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index cfd82aaaba..81ffe2c144 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -275,7 +275,7 @@ typedef struct VP8Context { */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; 
From e11e2574c742d71d16d17742eac2006f0f269716 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Dec 2016 21:08:48 +0100 Subject: [PATCH 323/942] avcodec/vp3: Do not return random positive values but the buf size Signed-off-by: Michael Niedermayer (cherry picked from commit d8094a303ba36344015a44d629bafc6d7094b4ac) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 5bbf47b52d..f392183918 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2022,8 +2022,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } else if (type == 2) { vp3_decode_end(avctx); ret = theora_decode_tables(avctx, &gb); @@ -2031,8 +2032,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } av_log(avctx, AV_LOG_ERROR, From a38d6d36a8c7ad0550e5b3d030bc50df5014db1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Mar 2017 03:02:06 +0100 Subject: [PATCH 324/942] avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() Fixes timeout with 700/clusterfuzz-testcase-5660909504561152 Fixes timeout with 702/clusterfuzz-testcase-4553541576294400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ce4f28431623cdde4aa496fd10430f6c7bdef63) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 14 +++++++++++++- libavcodec/vp56.h | 3 +++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 5ea365375b..0010408847 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c 
@@ -617,8 +617,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -704,8 +708,13 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, for (mb_col=0; mb_colmb_width; mb_col++) { if (!damaged) { int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) + if (ret < 0) { damaged = 1; + if (!s->have_undamaged_frame) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } } if (damaged) vp56_conceal_mb(s, mb_row, mb_col, is_alpha); @@ -722,6 +731,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 34d48228fd..e5c5bea963 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -203,6 +203,9 @@ struct vp56_context { VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; From f4f5f69082ff77f3133df5d03327b2636415e158 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 00:53:52 +0100 Subject: [PATCH 325/942] avcodec/vp8: remove redundant check Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5098a6f6275a57f122cd8f03e7ffbe5dd090b8e0) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a39b010b70..a10bcc080b 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
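Review bot: `s->discard_frame = 1` is set on whichever `VP56Context` the failing job runs on, but ff_vp56_decode_frame only tests `s->discard_frame` on the main context; if the second job for `AV_PIX_FMT_YUVA420P` runs on `s->alpha_context` (the separate `s->alpha_context->frames` array in the earlier commit suggests it does), a failure in the alpha plane sets a flag nobody reads and the frame is still output. Testing both, `if (s->discard_frame || (avctx->pix_fmt == AV_PIX_FMT_YUVA420P && s->alpha_context->discard_frame))`, or setting the flag on `avctx->priv_data` from the job, closes that gap; this needs confirming against the part of ff_vp56_decode_mbs outside the hunk. The job's `AVERROR_INVALIDDATA` is not propagated, since the result of `avctx->execute2(...)` is not checked, so the flag is the only signal and a comment at `s->discard_frame = 0;` should say so.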
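Review bot: The two new fields in `struct vp56_context` arrive without comments, unlike `nb_null` beside them, and their meaning is only recoverable from vp56.c: `int have_undamaged_frame; /* a frame decoded with no MB errors; concealment is only attempted once this is set */` and `int discard_frame; /* set by the decode_mbs job when a frame is unrecoverable; decode_frame then returns an error */`. Since `have_undamaged_frame` persists across frames while `discard_frame` is reset in ff_vp56_decode_frame before each decode, stating that lifetime difference in the comments would keep someone from resetting the wrong one.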
@@ -2496,8 +2496,6 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); if (ret < 0) From 9f225bbcabd52537ed322db3f2b0be64b011ffd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 19:09:38 +0100 Subject: [PATCH 326/942] avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 1 of 2) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 55d7371fe0c44c025eb0e75215e0685870f31874) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 5 ++++- libavcodec/vp56.h | 2 +- libavcodec/vp56rac.c | 5 ++++- libavcodec/vp6.c | 15 +++++++++++---- libavcodec/vp8.c | 21 ++++++++++++++------- libavcodec/vp9.c | 9 +++++++-- 6 files changed, 41 insertions(+), 16 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 108f16131d..7100bb455d 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -39,8 +39,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index e5c5bea963..c049399df8 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h 
@@ -224,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index 6061b7ee72..e70302bf85 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 662126ca70..f0e60a3822 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; 
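Review bot: `ff_vp56_init_range_decoder` now rejects `buf_size < 1`, but `bytestream_get_be24(&c->buffer)` on the following line reads three bytes, so a one- or two-byte buffer still reads past `c->end`; that is only safe if every caller passes a buffer backed by `AV_INPUT_BUFFER_PADDING_SIZE` bytes of padding. Either state that contract on the prototype in vp56.h, `/* buf must be followed by AV_INPUT_BUFFER_PADDING_SIZE readable bytes */`, or make the check match the read, `if (buf_size < 3)`, if no legitimate stream carries a shorter partition. `c->code_word` is also left unset on the error path, so callers must not read from the coder after a failure, which is worth a line in the same comment.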
@@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + return ret; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -165,7 +170,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + return ret; s->ccp = &s->cc; } } else { diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a10bcc080b..13269639b1 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -260,6 +260,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -273,13 +274,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) 
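Review bot: In `setup_partitions` the new tail `return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size);` propagates an AVERROR code, while the unchanged `if (buf_size - size < 0) return -1;` in the same loop still returns a bare `-1`; `return AVERROR_INVALIDDATA;` there gives the function one error vocabulary. The last partition is handed the remaining `buf_size`, so a zero-length final partition is now reported as invalid by the callee, which matches the intent of this commit and could be noted in a comment on the return.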
@@ -517,7 +518,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -569,7 +572,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -698,7 +703,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index c9d76907a1..e4229eb13f 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -842,7 +842,10 @@ static int decode_frame_header(AVCodecContext *ctx, av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; 
@@ -4126,7 +4129,9 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; From 404fbd980b9558332af6681fb810f1338d169dac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 19:09:39 +0100 Subject: [PATCH 327/942] avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 2 of 2) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 1afd246960202917e244c844c534e9c1e3c323f5) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 13269639b1..b142a17fd0 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2329,6 +2329,8 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { From a132c3f3be50462d62cda13c594b432c59ed36ff Mon Sep 17 00:00:00 2001 From: Thomas Guilbert Date: Fri, 10 Mar 2017 00:15:39 +0100 Subject: [PATCH 328/942] avcodec/vp8: Fix hang with slice threads Fixes: 447860.webm Reviewed-by: "Ronald S. Bultje" 
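Review bot: The new early return in vp9_decode_frame skips `ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0)`, which both neighbouring error paths in this hunk call before returning; with frame threading a consumer waiting on this frame's progress would then block on a frame that never completes. Mirroring the surrounding style, `if (res < 0) { ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return res; }`, keeps the guarantee. vp9_decode_frame starts and ends outside this hunk.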
Signed-off-by: Michael Niedermayer (cherry picked from commit 9bbc73ae9fdedc8789b2b6be65279e9a0ecd7090) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index b142a17fd0..5fb46b6e8b 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2507,8 +2507,10 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { td->thread_mb_pos = mb_y << 16; ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); - if (ret < 0) + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); From 537b2b8ab5123c3f24d3a1666ca773378f59eb5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2017 17:55:32 +0100 Subject: [PATCH 329/942] avcodec/vp56: Reset have_undamaged_frame on resolution changes Fixes: timeout in 758/clusterfuzz-testcase-4720832028868608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e913f212907048d7009cf2f15551781c69b9985) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 0010408847..9d4162bb96 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -507,6 +507,8 @@ static int vp56_size_changed(VP56Context *s) s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; From bb4ca14d13d14ed22e7d630371af7013c7382021 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:06 +0100 Subject: [PATCH 330/942] avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() Fixes: 807/clusterfuzz-testcase-6470061042696192 Fixes null pointer dereference Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 967feea5ebb744dce97ab327d33502b43fca0c7f) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index f0e60a3822..4afd67b3a4 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -108,7 +108,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); if (ret < 0) - return ret; + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -162,9 +162,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; @@ -172,7 +171,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } else { ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); if (ret < 0) - return ret; + goto fail; s->ccp = &s->cc; } } else { @@ -180,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) From 9a891b843c20d0e844dd94a1c5ae8af98c15891f Mon Sep 17 00:00:00 2001 
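Review bot: The `fail:` path in vp6_parse_header resets the dimensions without saying why, and the reason (not leaving a partially applied resolution change in place for the next frame, the null dereference this commit fixes) lives only in the commit message; `/* undo a partially applied resolution change so the next frame re-runs the size-change path */` above `if (res == VP56_SIZE_CHANGE)` would carry it into the code. The second hunk also changes the trigger from `key_frame` to `res == VP56_SIZE_CHANGE`, so a truncated key frame at an unchanged size no longer forces a reinit; that looks intended but deserves a line in the message. The `buf+1` init site between the first two hunks keeps its plain `return ret;`, which is fine only if it is never reached after `res` has been set to `VP56_SIZE_CHANGE`; that part of the function is not visible here.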
From: Michael Niedermayer Date: Fri, 11 Nov 2016 02:25:42 +0100 Subject: [PATCH 331/942] avcodec/htmlsubtitles: Fix reading one byte beyond the array Fixes: fuzz-2-ffmpeg_SUBTITLE_AV_CODEC_ID_SUBRIP_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 04bd1b38ee6b8df410d0ab8d4949546b6c4af26a) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index a2cd40fad3..8b57febd26 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -146,7 +146,7 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) if (stack[sptr].param[i][0]) av_bprintf(dst, "%s", stack[sptr].param[i]); } - } else if (!tagname[1] && strspn(tagname, "bisu") == 1) { + } else if (tagname[0] && !tagname[1] && strspn(tagname, "bisu") == 1) { av_bprintf(dst, "{\\%c%d}", tagname[0], !tag_close); } else { unknown = 1; From 2fd1ab16d9fe8c259b5d5626253de57138d72f21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 20:32:48 +0100 Subject: [PATCH 332/942] avcodec/eac3dec: Fix runtime error: left shift of negative value Fixes: 610/clusterfuzz-testcase-4831030085156864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 067485b673f6ac4b1207d6fc975d1fd968edc68e) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index ef815afb55..caa5e2eaf5 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c 
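Review bot: The added `tagname[0] &&` in front of `!tagname[1]` works, but the condition is easier to read and equally safe as `strspn(tagname, "bisu") == 1 && !tagname[1]`: `strspn` on an empty string returns 0 and the conjunction stops before `tagname[1]` is touched, and after a one-character match `tagname[1]` is the terminator that is known to exist. Either way, a short comment that `tagname` may be empty at this point (the over-read this commit fixes) would stop a later cleanup from reintroducing it. ff_htmlmarkup_to_ass continues outside this hunk.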
@@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,12 +271,12 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ From 97bbd8e8d3433c0f384b636bb03f09b080092226 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 20:39:13 +0100 Subject: [PATCH 333/942] avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 Fixes: 611/clusterfuzz-testcase-5613455820193792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c91bdd4524815125e1f7d8dee22ee7a73173c39a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index cf765fc560..673e3238d6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
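Review bot: The two hunks of this patch repair the same class of shift with different idioms: the table lookups become `* (1 << 8)`, while `mant <<= (23 - (mbits - 1))` becomes `mant = ((unsigned)mant) << ...`, whose store back into the signed `mant` relies on implementation-defined conversion rather than on defined arithmetic. If `mant` is the `get_sbits(gbc, mbits)` value from the line above, its magnitude is below 2^(mbits-1) and the shifted result stays below 2^23, so `mant *= 1 << (23 - (mbits - 1));` would be both defined and consistent with the rest of the patch. If the unsigned round-trip is intended for some other reason, a one-line comment saying why would spare the next reader the same question. ff_eac3_decode_transform_coeffs_aht_ch extends beyond both hunks.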
@@ -1131,7 +1131,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ From a18c76cb783f9e0993ab704fdd1f1b9500959901 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 21:33:27 +0100 Subject: [PATCH 334/942] avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative Fixes: 612/clusterfuzz-testcase-4707817137111040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa2b75263e17651187b1475551a02aa2f4ff65fe) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e9f54bd3d2..e9353aab5d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -367,6 +367,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + + if (shift_c < 0 || shift_y < 0) { + avpriv_request_sample(s->avctx, "Too large sprite shift"); + return AVERROR_PATCHWELCOME; + } + for (i = 0; i < 2; i++) { s->sprite_offset[0][i] *= 1 << shift_y; s->sprite_offset[1][i] *= 1 << shift_c; From 37400a90685997cb6013b71fe8739fee9ec6c859 Mon Sep 17 00:00:00 2001 
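Review bot: `*ptr= pred + ((unsigned)dc << point_transform)` fixes one of several identical expressions in ljpeg_decode_yuv_scan: the same `dc << point_transform` appears again in the 16-bit branch of this block and in the non-interlaced path, and patches 346 and 354 further down this series fix them one fuzz case at a time. Fixing every occurrence in one commit (a grep for `dc << point_transform` in the file finds them) would have avoided two more rounds and leaves no half-fixed function behind. The cast also assumes `point_transform` stays below the width of `unsigned`; if it is the 4-bit field it appears to be, a short comment at the first use — `/* point_transform is at most 15, so the unsigned shift cannot exceed the type width */` — records that bound. The function continues outside the hunk.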
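Review bot: The new check rejects negative `shift_y`/`shift_c`, but the `s->sprite_offset[0][i] *= 1 << shift_y` that follows can still overflow `int` when the offset is large and the shift is merely small — which is exactly the bound patch 339 later in this series has to add. Checking the magnitude together with the sign here would keep the validation in one place instead of spreading it over several commits. `avpriv_request_sample` with AVERROR_PATCHWELCOME also frames an out-of-range shift as an unsupported feature; if the specification does not allow such values, `AVERROR_INVALIDDATA` with an av_log error would describe the situation more accurately. mpeg4_decode_sprite_trajectory continues outside the hunk.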
From: Michael Niedermayer Date: Sun, 19 Feb 2017 22:40:29 +0100 Subject: [PATCH 335/942] avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' Fixes: 614/clusterfuzz-testcase-4931860079575040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 258763ad0e1efff82bbe2beb97527d3c19f40932) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index deab35a3d9..4adbbde8b7 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1744,7 +1744,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ From a9d1e7d3c85b0492dd983befd3de6f2f18fab814 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Feb 2017 03:05:32 +0100 Subject: [PATCH 336/942] avcodec/rv40: Fix runtime error: left shift of negative value Fixes: 630/clusterfuzz-testcase-6608718928019456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 956472a3236cc8eaeba5147c55b51bde6005c898) Signed-off-by: Michael Niedermayer --- libavcodec/rv40.c | 2 +- libavcodec/rv40dsp.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index c52e06d4c9..e4c8400268 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c 
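Review bot: `coeff_abs+= 14U;` is correct only because the unsigned promotion makes the wrap defined when `coeff_abs` has reached 2147483647 (the value quoted in the subject), but nothing in the code says so and a later cleanup is likely to drop the suffix as a typo. A comment on the line protects it: `coeff_abs += 14U; /* unsigned on purpose: coeff_abs can already be INT_MAX after the bypass loop above */`. The store back into the signed `coeff_abs` is still implementation-defined, so if the wrapped (negative) value can reach the dequantisation code, a wider type or a clamp is the real fix; whether that path exists is not visible in this hunk, since the macro body continues outside it.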
@@ -189,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 19b0e93696..95ba0a9259 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src, if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; From d6419e984f72d5908246f2e0b7a27ae173a04034 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Feb 2017 17:32:56 +0100 Subject: [PATCH 337/942] avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 Fixes: 639/clusterfuzz-testcase-5143866241974272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 631f7484918a9e7260377c3cea878be708609e64) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 42ec1f61cf..2d83bf3d30 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -524,7 +524,7 @@ retry: }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } From 99696ad046e5b1ae2d5dc03fad918db7b9f23961 Mon Sep 17 00:00:00 2001 
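Review bot: `level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5);` ORs a possibly negative product into the five low-order bits read just above; it works because the product's low five bits are zero, but `|` with a negative operand reads as a bit trick rather than as assembling a field. `level += SHOW_SBITS(re, &s->gb, 6) * (1<<5);` is equivalent for the same reason and says what is meant, or keep `|` with a comment: `/* low 5 bits of the product are zero, so | assembles the 11-bit value */`. The enclosing block of ituh263dec continues outside the hunk.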
From: Michael Niedermayer Date: Wed, 22 Feb 2017 01:22:24 +0100 Subject: [PATCH 338/942] avcodec/mpeg4video: Fix runtime error: left shift of negative value Fixes: 644/clusterfuzz-testcase-4726434209726464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6179dc8aa7e5fc5358b9614306f93f1adadf22a4) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- libavcodec/mpegvideo_motion.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e9353aab5d..448dfaf179 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -509,7 +509,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index 51ba435231..2d3a778ec4 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -48,8 +48,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; 
@@ -95,8 +95,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; From c66899d5e43088b48faafba2e44f7df41ef2eb63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Feb 2017 21:57:49 +0100 Subject: [PATCH 339/942] avcodec/mpeg4videodec: Check sprite_offset in addition to shifts Fixes: 651/clusterfuzz-testcase-5710668915277824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6871df02d973c9ffc1aa4f6d08fb4b1b63d411be) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 448dfaf179..eeb26381d1 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -368,8 +368,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0) { - avpriv_request_sample(s->avctx, "Too large sprite shift"); + if (shift_c < 0 || shift_y < 0 || + FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); return AVERROR_PATCHWELCOME; } 
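Review bot: `FFABS(s->sprite_offset[0][0])` and its three siblings are themselves undefined when the offset is INT_MIN, since FFABS is presumably the ternary-negate macro and `-INT_MIN` overflows `int`; whether the offset can reach INT_MIN depends on the case-2/3 arithmetic above the hunk. The checks added further down this series already compute in 64 bits with `llabs`, so the same form here would be consistent and safe: `llabs((int64_t)s->sprite_offset[0][0]) >= INT_MAX >> shift_y`. Four near-identical lines also invite a two-iteration loop over the plane index, matching the `for (i = 0; i < 2; i++)` that follows. The function continues outside the hunk.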
From 2e7621d615c5e66b8ad73ebd763e6c2faf14e52c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Feb 2017 22:33:16 +0100 Subject: [PATCH 340/942] avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows This is not necessarily specific to fuzzed files Fixes: Multiple integer overflows Fixes: 656/clusterfuzz-testcase-6463814516080640 Fixes: 658/clusterfuzz-testcase-6691260146384896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 76ba09d18245a2a41dc5f93a60fd00cdf358cb1f) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index eeb26381d1..76447035af 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -384,6 +384,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + return AVERROR_PATCHWELCOME; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } From 89ffe4e0e0000c98a7b179dfe2f2f1276d71cd11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:24 +0100 Subject: [PATCH 341/942] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 671/clusterfuzz-testcase-4990381827555328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol 
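Review bot: The three new checks index `s->sprite_offset[i][0]`, but in the check added just above them (patch 339) the first index is the plane and the second the component, and the deltas paired with it here are `s->sprite_delta[i][0]`/`[i][1]` for output component i; so for i == 1 the chroma-plane offset is bounded against the luma deltas, and `s->sprite_offset[0][1]` is never checked. `s->sprite_offset[0][i]` looks like the intended operand, which is how patch 347 later in this series rewrites these lines. The `w` scaling on `[i][0]` and `h` on `[i][1]` is consistent with the combined third check; keep that pairing when the index is fixed. mpeg4_decode_sprite_trajectory continues outside the hunk.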
Signed-off-by: Michael Niedermayer (cherry picked from commit aff8cf18cb0b1fa4f2e3d163c3da2f25aa6d1906) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index cb8bab57a7..6e378edf57 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -997,8 +997,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; From 6da1353a5aa3a67bfe3f776197af332511cf69a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:25 +0100 Subject: [PATCH 342/942] avcodec/eac3dec: Fix runtime error: left shift of negative value -3 Fixes: 672/clusterfuzz-testcase-5595018867769344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 87eb3749708c0eb2978f4812c7be2a4af667fdb7) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index caa5e2eaf5..001a404389 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -280,7 +280,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; From 5a4709e9e3216823d9df7a57cd7dc4bd23c6926a Mon Sep 17 00:00:00 2001 
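Review bot: `mant *= (1 << 24 - bits);` parses as `1 << (24 - bits)` because `-` binds tighter than `<<`, so the value is right, but parenthesising the whole shift instead of the subtraction reads as if the shift came first. `mant *= 1 << (24 - bits);` removes the double take; the same applies to the two `* (1 << alpha + rho)` lines of patch 343 on the next line, where the original code had `(alpha + rho)` explicitly parenthesised and the rewrite dropped it. If `bits` can exceed 24 for some table entry the shift count goes negative; that bound lives in the hebap table, outside this hunk.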
From: Michael Niedermayer Date: Sun, 26 Feb 2017 20:27:59 +0100 Subject: [PATCH 343/942] avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 Fixes: 674/clusterfuzz-testcase-6713275880308736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25e93aacc2142f3b57f1e63c67ca46d304f154ef) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 76447035af..4083eef8f6 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -283,12 +283,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * From e8fb38f48cb6883b0df7905f2fe185f1d7fbf262 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Feb 2017 20:28:00 +0100 Subject: [PATCH 344/942] avcodec/pictordec: Check plane value before doing value/mask computations Fixes integer overflow Fixes: 675/clusterfuzz-testcase-6722971232108544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e400a8807dca7b0ffa3841df2e31f7419abb8d) 
Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index a3d72e3f25..a09ee379c0 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, if (*y < 0) { *y = s->height - 1; *plane += 1; - value <<= bits_per_plane; - mask <<= bits_per_plane; if (*plane >= s->nb_planes) return; + value <<= bits_per_plane; + mask <<= bits_per_plane; } } } From 250d2b402a0e31d169cc849575e27d61324b0c5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2017 03:13:24 +0100 Subject: [PATCH 345/942] avcodec/h264_direct: Fix runtime error: left shift of negative value -14 Fixes: 682/clusterfuzz-testcase-4799120021651456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4bd3f1ce3e68a9348e97ec07a247048ea72ed808) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 5f66a67d89..2660cb80d3 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -613,7 +613,7 @@ single_col: { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, From 20c36f04b960e09611fafa1022168de5a574bde4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 1 Mar 2017 16:32:09 +0100 Subject: [PATCH 346/942] avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 Fixes: 693/clusterfuzz-testcase-6109776066904064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b72d5cd6f9341dcafdbc1b9030166aa987b8304) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 673e3238d6..7460e8e565 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1151,7 +1151,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; From ab92ed6365e6964655b6d772ae1261b2b783c413 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Mar 2017 03:02:07 +0100 Subject: [PATCH 347/942] avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() Also clear the state on errors Fixes integer overflows in 701/clusterfuzz-testcase-6594719951880192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb41956636fc264fe2077b78ef00591d83bbbace) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 4083eef8f6..af42ee7023 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -375,7 +375,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - return AVERROR_PATCHWELCOME; + goto overflow; } for (i = 0; i < 2; i++) { @@ -385,17 +385,23 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; - if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || - llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || - llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + } + for (i = 0; i < 2; i++) { + if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); - return AVERROR_PATCHWELCOME; + goto overflow; } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { From a44c53f8d7e2994577c6e2355598556f703bc5d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:04 +0100 Subject: [PATCH 348/942] avcodec/adxdec: Fix runtime error: left shift of negative value -1 Fixes: 705/clusterfuzz-testcase-5129572590813184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d23727e0420b9f77f0d4cb28b43819b402f702e5) 
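Review bot: The new `overflow:` label zeroes `sprite_offset` and `sprite_delta` but leaves `ctx->sprite_shift[i] = 16`, which the first loop in this hunk writes before the checks run, and `s->real_sprite_warping_points` as they were; if the caller continues with the frame after AVERROR_PATCHWELCOME, the shifts then describe offsets that no longer exist. Resetting them at the label, or moving the `ctx->sprite_shift[i] = 16` assignment below the checks, keeps the state self-consistent on the error path. The second loop also spells `(w+16LL)`/`(h+16LL)` five times; two `const int64_t` locals would make the condition easier to read and harder to mis-edit. The function's prologue is outside the hunk.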
Signed-off-by: Michael Niedermayer --- libavcodec/adxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 32cc0f005a..178ea99dcf 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c @@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset, s2 = prev->s2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; From 868de78861cce3d5bac549f6c4929e3276513f06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:06 +0100 Subject: [PATCH 349/942] avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value Fixes: 710/clusterfuzz-testcase-5091051431788544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab998f4c7faf90d0e46b6ead38a1df1f6a31e2eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mvpred.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index 763746cc26..36151bf15c 100644 --- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -248,7 +248,7 @@ static av_always_inline void pred_8x16_motion(const H264Context *const h, if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ From f458d65bb42b8709d2bb169413744786d55781b0 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:05 +0100 Subject: [PATCH 350/942] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 Fixes: 709/clusterfuzz-testcase-4789836449841152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d757ddbaab8f03b3664788e620314b70ac791319) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 6e378edf57..4f520819e0 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -563,7 +563,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); ff_tlog(s->avctx, "dc=%d\n", block[0]); mismatch = block[0] ^ 1; i = 0; From b7239fec9d8705048f650533b27bde3a00bbc3a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 20:12:20 +0100 Subject: [PATCH 351/942] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' This checks the sprite delta intermediates for overflow Fixes: 716/clusterfuzz-testcase-4890287480504320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fab13bbbcdf92da165f1a6be94fbb8f87fac639a) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index af42ee7023..f14a9956d1 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -389,7 +389,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g for (i = 0; i < 2; i++) { if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) { + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX + ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; } From 41beb7297fcc3ffd3b9f364081575d92a4e49d4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Mar 2017 04:55:15 +0100 Subject: [PATCH 352/942] avcodec/wavpack: Fix runtime error: left shift of negative value -2 Fixes: 723/clusterfuzz-testcase-6471394663596032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ba150051322c02e24c004bd5309468886e1e5ab6) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 16fdfa158c..40601d9036 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
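Review bot: The second added check, `llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX`, scales the vertical delta by the width, whereas the line above it and the three earlier checks pair `sprite_delta[i][1]` with `(h+16LL)`; this looks like a copy of the `[i][0]` line with only the index changed. If the height is what is meant, the bound is wrong whenever width and height differ: `llabs(s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX`. If the width was chosen deliberately, a comment saying why would stop the next reader from "fixing" it. mpeg4_decode_sprite_trajectory continues outside the hunk.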
@@ -736,13 +736,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; From e4d5f9bf93b58b30c2e91d26b40bc460457d88ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Mar 2017 21:52:36 +0100 Subject: [PATCH 353/942] avcodec/wavpack: Fix runtime error: left shift of negative value -5 Fixes: 729/clusterfuzz-testcase-5154831595470848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3016e919d4e1d90da98af19ce2a9d4979506eaf3) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 40601d9036..046abe272c 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { From 8b4386ab876483ffdb0be4daf48da1cd99632b6f Mon Sep 17 00:00:00 2001 
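Review bot: `S *= 1 << s->extra_bits;` keeps the undefined behaviour if `s->extra_bits` can reach 31 or more — the shift of the constant is then undefined before the multiplication happens, and patch 359 at the end of this page reports exactly a shift exponent of 32 in this decoder. `extra_bits` is presumably read from the block header outside this hunk, so the durable fix is a range check where it is parsed; once the field is bounded, the multiply-by-power-of-two form is safe. The product can also exceed `int` range for large `S`; `S *= 1U << s->extra_bits;` gives defined wrap semantics if the sign-dependent code that follows tolerates that. wv_get_value_integer continues outside the hunk.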
From: Michael Niedermayer Date: Wed, 8 Mar 2017 21:41:34 +0100 Subject: [PATCH 354/942] avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 Fixes: 733/clusterfuzz-testcase-4682158096515072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 800d02abe041deacab5585bf41c1bc2ae5f4b922) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 7460e8e565..3f593791ae 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1190,13 +1190,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { From 625044336e6ec561740bbc4be6ee712c13e44e33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Mar 2017 21:53:15 +0100 Subject: [PATCH 355/942] avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 Fixes: 734/clusterfuzz-testcase-4821293192970240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 222c9f031de3315af62be6d7a99c71105e516088) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mvpred.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index 36151bf15c..18de4b0bbc 100644 
--- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -68,7 +68,7 @@ static av_always_inline int fetch_diagonal_mv(const H264Context *h, H264SliceCon } if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) { // left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK. - SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); + SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); } } #undef SET_DIAG_MV From 7b91d4f07bb61c6e33d97f1154319af4c58af5e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Mar 2017 22:25:08 +0100 Subject: [PATCH 356/942] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' Fixes: 736/clusterfuzz-testcase-5580263943831552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e2a4f1a9eb2c1ef3feed4a4f04db7629f2b61084) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f14a9956d1..633e588786 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
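Review bot: The comment directly above the changed line still says "left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE", but the macro argument is now `*2`, so the comment describes code that no longer exists. Update it in the same commit: `// multiplying by 2 will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK.`. The argument spelling is also inconsistent with its neighbour (`/ 2` versus `*2`); `* 2` keeps the pair readable as operator fragments. fetch_diagonal_mv continues outside the hunk.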
@@ -387,11 +387,21 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } for (i = 0; i < 2; i++) { + int64_t sd[2] = { + s->sprite_delta[i][0] - a * (1LL<<16), + s->sprite_delta[i][1] - a * (1LL<<16) + }; + if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; From bb0baaf58002507fe75b38437e31ae13e2f68333 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Mar 2017 03:55:39 +0100 Subject: [PATCH 357/942] avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 Fixes: 763/clusterfuzz-testcase-6007567320875008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44e2105189ac66637f34c764febc349238250b1d) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 104a392363..1431870fa3 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
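Review bot: The new `sd` array is introduced without a comment saying what it holds; presumably it is the sprite delta with the identity scale `a * (1 << 16)` removed, which the rest of mpeg4_decode_sprite_trajectory (outside the hunk) then multiplies by the warp extents, and a one-liner such as `/* delta minus the identity transform, as applied by the per-pixel warp below */` would make that explicit. The new bounds test `sd[1]` against `(h+16LL)`, while the pre-existing fifth condition checks `s->sprite_delta[i][1] * (w+16LL)`; since the combined term pairs delta[i][1] with h everywhere else, that w/h asymmetry looks accidental and is worth confirming. Both the function and the `if` chain continue outside the hunk.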
@@ -265,7 +265,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index, *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; From 8df6363188bff1aa97fd17fcc7af5cb2cd548c1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:05 +0100 Subject: [PATCH 358/942] avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' Fixes: 768/clusterfuzz-testcase-4807444305805312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a66c6e28b543804f50df1c6083a204219b6b1daa) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a80b063e4e..ac7b36bb2f 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1630,7 +1630,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } From 9ff9e3931b81971d930c8bd8894714e17a9b03d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Mar 2017 02:51:15 +0100 Subject: [PATCH 359/942] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 822/clusterfuzz-testcase-4873433189974016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
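Review bot: The changed statement now doubles with `* 2` on the outside while still using `(*lag_int << 1)` on the inside, and the line above keeps `<< 2`, so one statement spells "times two" two different ways as if they differed. `*lag_int` is presumably non-negative on this branch (the `+ 257 - 376` suggests pitch_index is at least 376 here), which makes the inner shift defined, but `*lag_frac = (pitch_index - (*lag_int * 2) + 256 - 376) * 2;` avoids the reader having to prove it. decode_pitch_lag_high continues outside the hunk.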
Signed-off-by: Michael Niedermayer (cherry picked from commit 7cebc5a9ccba0de7bddf7900ae85652ebc66141c) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 046abe272c..f828fc725b 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -837,7 +837,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 32) { + if (val[0] > 31) { av_log(avctx, AV_LOG_ERROR, "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); continue; From 5e69ec6c2f886556483354dddd32f4332c78681d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Mar 2017 20:45:08 +0100 Subject: [PATCH 360/942] avcodec/tiff: Check for multiple geo key directories Fixes memleak Fixes: 826/clusterfuzz-testcase-5316921379520512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 108b02e5471c1dae248200db694aba9b7b8555a8) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 4be587d569..ecafd2ddf1 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1035,6 +1035,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); From 6a70c38e397b4e90691f6ba7cf4c81067c7e1804 Mon Sep 17 00:00:00 2001 
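Review bot: The log message on the line after the changed condition still says "(> 32)" while the check now rejects 32 as well, so a file with extra_bits = 32 is reported with a bound that contradicts the test; change the string to `"Invalid INT32INFO, extra_bits = %d (>= 32)\n"` to match the 32-bit shift limit the commit title cites. wavpack_decode_block continues outside the hunk.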
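Review bot: The message passed to `avpriv_request_sample` on the new line ends in `\n`, unlike the other call on this page (`"Overflow on sprite points"`); if the helper appends its own explanatory text after the message, as the other caller assumes, the embedded newline splits that sentence in the log. Suggest `avpriv_request_sample(s->avctx, "Multiple geo key directories");`. A short comment saying that the early return is what avoids the leak named in the commit title (presumably by not overwriting a previously allocated directory) would also help, since nothing in the hunk shows the allocation. tiff_decode_tag starts and ends outside the hunk.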
From: Michael Niedermayer Date: Mon, 13 Mar 2017 20:45:09 +0100 Subject: [PATCH 361/942] avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 Fixes undefined behavior Fixes: 830/clusterfuzz-testcase-6253175327686656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ebed703f153e979edb2156754c8bdac4d5d6266) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 72f0613b7a..79ca97a8eb 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -252,7 +252,7 @@ static inline int l3_unscale(int value, int exponent) #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } From 72b968361b3d8cb2e0429d6a7a4443bd25b75505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2017 02:00:17 +0100 Subject: [PATCH 362/942] avcodec/tiff: Check stripsize strippos for overflow Fixes: 861/clusterfuzz-testcase-5688284384591872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d996b56499f00f80b02a41bab3d6b7349e36e9d) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index ecafd2ddf1..70e34b469d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -904,6 +904,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else 
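Review bot: After the change the rounding term is unsigned, so `m + ((1U << e)>>1)` is evaluated in unsigned arithmetic and the final `>> e` becomes a logical shift; that is only equivalent to the previous arithmetic shift when `m` is non-negative, which the hunk does not show because l3_unscale starts outside it. If m is guaranteed non-negative, say so on the line: `m = (m + ((1U << e)>>1)) >> e; /* m >= 0 here, so the unsigned shift equals the arithmetic one */`; otherwise cast back to int before shifting.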
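Review bot: The five-line guard added under TIFF_STRIP_OFFS is duplicated verbatim under TIFF_STRIP_SIZE in the hunk that follows, differing only in the label inside the message; a small static helper taking the label, or a macro in the style of the file's ADD_METADATA, would keep the two bounds in step. Only the `count == 1` arm is guarded in both places; the `else` arm is outside the hunk and presumably stores a position rather than `value`, but that cannot be confirmed here. tiff_decode_tag starts and ends outside the hunk.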
@@ -915,6 +920,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; From fd5f35746112bc760c214451c9dbeae4b02b2d94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2017 11:20:46 +0100 Subject: [PATCH 363/942] avcodec/vp56: Check avctx->error_concealment before enabling EC Fixes timeout with 847/clusterfuzz-testcase-5291877358108672 Fixes timeout with 850/clusterfuzz-testcase-5721296509861888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98da63b3f5f5a277c5c3a16860db9a9f6741e54c) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 9d4162bb96..bfc3d3bc7c 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -712,7 +712,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); if (ret < 0) { damaged = 1; - if (!s->have_undamaged_frame) { + if (!s->have_undamaged_frame || !avctx->error_concealment) { s->discard_frame = 1; return AVERROR_INVALIDDATA; } From f1e6c03739d4b2cc014341a71cbeabe8e17cf8d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Mar 2017 01:55:01 +0100 Subject: [PATCH 364/942] avcodec/tiff: Check geotag count for being non zero Fixes memleak Fixes: 874/clusterfuzz-testcase-5252796175613952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3182e19c1c29eef60208a67ad8ecad1d9a2d0694) 
Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 70e34b469d..3bc31a4545 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1056,7 +1056,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->geotag_count = count / 4 - 1; av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n"); } - if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) { + if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4 + || s->geotag_count == 0) { s->geotag_count = 0; return -1; } From 0a13449b2806893a8521fabad6b149c81d68dd2f Mon Sep 17 00:00:00 2001 From: Philip Langdale Date: Wed, 30 Nov 2016 16:13:14 -0800 Subject: [PATCH 365/942] avcodec/vdpau_hevc: Fix potential out-of-bounds write The maximum number of references is 16, so the index value cannot exceed 15. Fixes Coverity CID 1348139, 1348140, 1348141 (cherry picked from commit 4e6d1c1f4ec83000a067ff14452b34c1f2d2a43a) Signed-off-by: Michael Niedermayer --- libavcodec/vdpau_hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vdpau_hevc.c b/libavcodec/vdpau_hevc.c index 3c1dc5f223..3223f5e2eb 100644 --- a/libavcodec/vdpau_hevc.c +++ b/libavcodec/vdpau_hevc.c @@ -245,7 +245,7 @@ static int vdpau_hevc_start_frame(AVCodecContext *avctx, const HEVCFrame *frame = &h->DPB[i]; if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF | HEVC_FRAME_FLAG_SHORT_REF))) { - if (j > 16) { + if (j > 15) { av_log(avctx, AV_LOG_WARNING, "VDPAU only supports up to 16 references in the DPB. " "This frame may not be decoded correctly.\n"); From cc4a13b8a7d8bfad6fa4f6cf051066e51434b72f Mon Sep 17 00:00:00 2001 
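Review bot: The new `s->geotag_count == 0` condition routes a zero-count directory through the pre-existing `return -1;`, while the other guards in this file on this page (multiple directories, strip offset and size) return AVERROR_INVALIDDATA; since the branch now rejects malformed rather than merely truncated input, `return AVERROR_INVALIDDATA;` would be consistent. The comparison also mixes the `int` from bytestream2_get_bytes_left with a `size_t` product, which is safe only while the left side is non-negative and deserves a comment. The leading space in `if ( bytestream2_...` does not match the style of the surrounding lines. tiff_decode_tag starts and ends outside the hunk.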
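Review bot: The new bound `j > 15` is only correct because of a fact that lives in the commit message — the reference array has 16 entries, so 15 is the last valid index — and nothing in the code states it; add `/* 16 reference slots, j is the next index to fill */` on the changed line, or express the bound against the array's element count so it cannot drift again. vdpau_hevc_start_frame and its DPB loop continue outside the hunk.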
From: Michael Niedermayer Date: Sun, 8 Jan 2017 16:37:56 +0100 Subject: [PATCH 366/942] avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit This should make no difference as the value should not be able to be that large but its more correct this way Fixes CID1348138 Signed-off-by: Michael Niedermayer (cherry picked from commit f48b6b8b91d63148ef50d096688ed7226cd6ddf4) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 3bc31a4545..af433d9a4e 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -408,7 +408,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride const uint8_t *src, int size, int width, int lines, int strip_start, int is_yuv) { - uint64_t outlen = width * lines; + uint64_t outlen = width * (uint64_t)lines; int ret, line; uint8_t *buf = av_malloc(outlen); if (!buf) From 408242556c944522c2ff87f736c7550e71877d16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Jan 2017 01:35:52 +0100 Subject: [PATCH 367/942] avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() Fixes CID1397292 Signed-off-by: Michael Niedermayer (cherry picked from commit 5f2b360fc05bbb4f21e1247d1d9af303113d6c25) Signed-off-by: Michael Niedermayer --- libavfilter/avfiltergraph.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 9f50b4120d..b6f795bff8 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c 
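Review bot: `outlen` is now computed in 64 bits, but two lines later it is passed to `av_malloc`, whose parameter is `size_t`; on 32-bit hosts the product is narrowed back before the allocator sees it, so the widening only helps if the value is checked first, e.g. `if (outlen > SIZE_MAX) return AVERROR_INVALIDDATA;` (or compare against the frame size the caller already validated). The commit message says the value cannot be that large in practice, so if the change is meant only to satisfy the analyzer, a comment saying so would stop the next reader from expecting a real bound. tiff_unpack_lzma's body continues outside the hunk.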
@@ -858,6 +858,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter) for (j = 0; j < outlink->in_samplerates->nb_formats; j++) { int diff = abs(sample_rate - outlink->in_samplerates->formats[j]); + av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates + if (diff < best_diff) { best_diff = diff; best_idx = j; From 0cbd48a38b15894af3d4509bb71a0cc47e700771 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2017 22:15:21 +0200 Subject: [PATCH 368/942] avfilter/af_sofalizer: Fix bad shift Fixes CID1396835 Signed-off-by: Michael Niedermayer (cherry picked from commit 4064f3f0dfe71f6d378b9252a390f89c4315bf54) Signed-off-by: Michael Niedermayer --- libavfilter/af_sofalizer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_sofalizer.c b/libavfilter/af_sofalizer.c index 0f1231f884..eda98b08bb 100644 --- a/libavfilter/af_sofalizer.c +++ b/libavfilter/af_sofalizer.c @@ -375,7 +375,7 @@ static int get_speaker_pos(AVFilterContext *ctx, /* set speaker positions according to input channel configuration: */ for (m = 0, ch = 0; ch < n_conv && m < 64; m++) { - uint64_t mask = channels_layout & (1 << m); + uint64_t mask = channels_layout & (1ULL << m); switch (mask) { case AV_CH_FRONT_LEFT: azim[ch] = 30; break; From 98f93f5272ea3f159d9410ddfbba9ef51eebf838 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Apr 2017 19:18:34 +0200 Subject: [PATCH 369/942] avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE This avoids an integer overflow the solution matches oggparsevorbis.c and 45581ed15d2ad5955e24d809820c1675da68f500 Fixes: 700242 Found-by: Thomas Guilbert Reviewed-by: Rostislav Pehlivanov Signed-off-by: Michael Niedermayer (cherry picked from commit 679a315424e6ffaafd21ebf7a86108bd4e743793) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedaala.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
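Review bot: `av_assert0` aborts the process, so this hunk turns a value derived from negotiated sample rates into a hard crash rather than an error, and the trailing comment says this is reachable only with invalid rates — exactly the input a library should reject with an error code rather than abort on. If the rates are guaranteed valid by the time swap_samplerates_on_filter runs, `av_assert1` documents the invariant without the crash surface in release builds; otherwise reject the rate where it is parsed. The comment is also over-long for one line and reads better as `// diff == INT_MAX would leave best_diff uninitialized; only reachable with invalid sample rates`. The function continues outside the hunk.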
diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index 3651ca188b..1ca1c36fa3 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -232,7 +232,7 @@ static int daala_packet(AVFormatContext *s, int idx) os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } From ed0c3290f86d929236a16c38de32c3c431b799e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Apr 2017 19:18:35 +0200 Subject: [PATCH 370/942] avformat/oggparsedaala: Do not leave an invalid value in gpshift Fixes: undefined behavior Fixes: 702974 Found-by: Thomas Guilbert Reviewed-by: Rostislav Pehlivanov Signed-off-by: Michael Niedermayer (cherry picked from commit 23ae3cc822915ede2bb4e85047ab46cc5bc71268) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedaala.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index 1ca1c36fa3..9e98d49c8f 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -126,6 +126,7 @@ static int daala_header(AVFormatContext *s, int idx) if (hdr->gpshift >= 32) { av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n", hdr->gpshift); + hdr->gpshift = 0; return AVERROR_INVALIDDATA; } hdr->gpmask = (1U << hdr->gpshift) - 1; From 70e26e9c25d3f5d90d88b88563436d68135e257d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 03:36:17 +0200 Subject: [PATCH 371/942] avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' Fixes: 619/clusterfuzz-testcase-5803914534322176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
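Review bot: The old `if (s->streams[idx]->duration)` skipped a zero duration as well as the sentinel; the new test skips only AV_NOPTS_VALUE, so a stream whose duration is 0 now has `start_time` subtracted from it and ends up negative when lastpts is positive. If 0 is a legitimate unknown value here (the commit says this mirrors oggparsevorbis.c, so that file may accept it too), `if (s->streams[idx]->duration != AV_NOPTS_VALUE && s->streams[idx]->duration > 0)` keeps the old behaviour while still avoiding the overflow. daala_packet continues outside the hunk.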
Signed-off-by: Michael Niedermayer (cherry picked from commit 61ee2ca7758672128e30b3e87908b6845e006d71) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 4ae63b40ac..ed80b718d5 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx, r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } From 351dc1f33a65e221172c22d5569de2df2997fe24 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 20 Apr 2017 13:14:42 +0100 Subject: [PATCH 372/942] avformat/webmdashenc: Require the 'adaptation_sets' option to be set This seems to be non-optional, and if the muxer is run without it, strlen() is run on NULL, causing a segfault. Signed-off-by: Michael Niedermayer (cherry picked from commit cbd3a68f3e1c2d1679370301eb5e1a32a2df64fe) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 301c045b41..cf536129e4 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c 
@@ -428,6 +428,10 @@ static int parse_adaptation_sets(AVFormatContext *s) char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { From b1d5c2de2bbf31cb4aa0a88798000cafd318d75b Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 20 Apr 2017 16:17:44 +0100 Subject: [PATCH 373/942] avformat/webmdashenc: Validate the 'streams' adaptation sets parameter It should not be a value larger than the number of streams we have, or it will cause invalid reads and/or SIGSEGV. Signed-off-by: Michael Niedermayer (cherry picked from commit ec07efa70012845e8642df67a4a773f510a17088) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index cf536129e4..757cf8b030 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -462,7 +462,11 @@ static int parse_adaptation_sets(AVFormatContext *s) if (as->streams == NULL) return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; From 19a58a10fd6247514532749005b49bba925f2a94 Mon Sep 17 00:00:00 2001 From: Martin Vignali Date: Tue, 25 Apr 2017 22:52:50 +0200 Subject: [PATCH 374/942] libavcodec/exr : fix float to uint16 conversion for negative float value 
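Review bot: The new error string misspells the option as "adapation_sets"; users search the log for the option name they typed, so use `av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adaptation_sets.\n");`. The `< 0` test is evaluated before the comparison with the unsigned `s->nb_streams`, which is what makes the signed/unsigned mix safe, and a short comment saying the order matters would protect it from being reordered later. parse_adaptation_sets starts and ends outside the hunk.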
Signed-off-by: Michael Niedermayer (cherry picked from commit e46d63745215c04637e7797228bad36bce49d881) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9ec99d65a0..292707cd0a 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -186,9 +186,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf) * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway From 8bca0d765121f63f934408d8d050c6f066924edb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:08:54 +0200 Subject: [PATCH 375/942] avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang compilers doing DCE at -O0 do not necessarily understand "complex" boolean expressions Build succeeds with this change, this was the only failure Signed-off-by: Michael Niedermayer (cherry picked from commit fa8fd0808f1086fc85abba5cf123faf41da49305) Signed-off-by: Michael Niedermayer --- libavcodec/x86/vc1dsp_init.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/vc1dsp_init.c b/libavcodec/x86/vc1dsp_init.c index c8943fa2f7..c53a1328f2 100644 --- a/libavcodec/x86/vc1dsp_init.c +++ b/libavcodec/x86/vc1dsp_init.c 
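Review bot: The signature change hands a float bit pattern to an `int32_t` parameter, and `v >> 23` is now a right shift of a possibly negative value; both the conversion and the shift are implementation-defined in C, and the project's assumption (sign-extending shifts, truncating conversions) is written down only in the doc/developer.texi change later in this series. The HACK comment already explains the negative-exponent trick; extend it with `// relies on an arithmetic (sign-extending) right shift, see doc/developer.texi` so the dependency is visible at the point of use. The rest of exr_flt2uint is outside the hunk.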
@@ -106,10 +106,12 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp) { int cpu_flags = av_get_cpu_flags(); - if (HAVE_6REGS && INLINE_MMX(cpu_flags) && EXTERNAL_MMX(cpu_flags)) + if (HAVE_6REGS && INLINE_MMX(cpu_flags)) + if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp); - if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags) && EXTERNAL_MMXEXT(cpu_flags)) + if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags)) + if (EXTERNAL_MMXEXT(cpu_flags)) ff_vc1dsp_init_mmxext(dsp); #define ASSIGN_LF(EXT) \ From b3328c069c4762a5c604a788e2199df4514117c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:27:16 +0200 Subject: [PATCH 376/942] avcodec/mdec: Fix runtime error: left shift of negative value -127 Fixes undefined behavior Fixes: 1275/clusterfuzz-testcase-minimized-6718162017976320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ca82975b7a8eaf676a52738ec8e7e36732327cc) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 1cc4ca4742..42bd561cd7 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (diff >= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; From 345ae4e8dfc4ad3b7f9424ff165720ba1cbe470a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Apr 2017 02:50:42 +0200 Subject: [PATCH 377/942] doc/developer: Add terse documentation of assumed C implementation defined behavior Suggested-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit b706ddbae3f4a11c58560b914807931556108b55) 
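Review bot: The new shape is two bare nested `if`s with a single-statement body, which is the dangling-else pattern; `if (HAVE_6REGS && INLINE_MMX(cpu_flags)) { if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp); }` keeps the split the commit needs for -O0 dead-code elimination while making the nesting explicit, and the same applies to the MMXEXT pair. A one-line comment above the pair stating why the conditions are deliberately not joined with `&&` would stop a future cleanup from re-merging them. ff_vc1dsp_init_x86 continues outside the hunk.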
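Review bot: `a->last_dc[component] * (1 << 3)` is still a signed multiplication on an accumulator; the `diff >= 0xffff` guard above bounds a single increment, not `last_dc` itself, so unless last_dc is reset per block or per frame (not visible here) the product can still overflow `int` over a run of large diffs. If it is reset, a comment on the `+=` line saying where would close the question; if not, a clamp such as `av_clip_int16()` before the scale, or a wider accumulator, is needed. The store into `block[0]` (int16_t per the signature) truncates silently either way. mdec_decode_block_intra continues outside the hunk.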
Signed-off-by: Michael Niedermayer --- doc/developer.texi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 4d3a7aef94..acb9dc83a2 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};}); @item compound literals (@samp{x = (struct s) @{ 17, 23 @};}). + +@item +Implementation defined behavior for signed integers is assumed to match the +expected behavior for two's complement. Non representable values in integer +casts are binary truncated. Shift right of signed values uses sign extension. @end itemize These features are supported by all compilers we care about, so we will not From b2af4884a9bafa3b8ba57bbf5c358a8c967df0af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:46:27 +0200 Subject: [PATCH 378/942] avcodec/vp3: Check remaining bits in unpack_dct_coeffs() Decreases the time spend decoding junk. May fix: 1283/clusterfuzz-testcase-minimized-6221126759874560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f00300b779e7b247c85db0d7daef448225105ff) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index f392183918..ea80c0e2b1 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); 
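Review bot: The three thresholds added in this hunk and the two that follow (16, 8, 8) are bare magic numbers: the first precedes two 4-bit table-index reads, the third precedes another two, and the middle one sits after the DC unpack with no read immediately following, so what each bounds is not obvious. A comment per check, e.g. `/* two 4-bit table indexes follow */` on the guards that precede reads, and a note on the middle one explaining what it leaves room for, would keep them honest when the unpacking code changes. unpack_dct_coeffs starts and ends outside these hunks.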
@@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); From 53c2b81281956565453241495b0406b627f94ad2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:53:52 +0200 Subject: [PATCH 379/942] avcodec/indeo2: Check remaining bits in ir2_decode_plane() Fixes: 1290/clusterfuzz-testcase-minimized-5815578902134784 Fixes: timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b29feec9829cfab2523c8d95e35bd69e689ea4af) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 7ad686d50b..f12d6d00d1 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -76,6 +76,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { int c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -115,6 +117,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ 
From 6828048800a14bf0be44029348a7e5472e443bfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 380/942] avcodec/svq3: Increase offsets to prevent integer overflows Fixes: 1280/clusterfuzz-testcase-minimized-6102353767825408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 382b4fc9b5f3102f59743bf9c8619b31dd8ede1b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 57205c6ad1..1a9bfa294f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -435,8 +435,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -444,8 +444,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, 
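Review bot: The bias constants 0x3000/0x1000 become 0x30000/0x10000 in six places across this hunk, the next one on this line and the `else` arm that follows, with nothing stating the invariant they encode — the bias must be a multiple of 3 (or 6) and large enough that `mx + bias` stays non-negative, which is what makes the unsigned division round toward negative infinity. A named constant, e.g. `#define SVQ3_MV_BIAS 0x10000` used as `3 * SVQ3_MV_BIAS` and `6 * SVQ3_MV_BIAS` in the expressions, would keep the three arms in step and make the multiple-of-3/6 requirement visible. The ranges of `mx`/`my` and `dx`/`dy` that motivate the larger bias are not visible here, and svq3_mc_dir starts and ends outside the hunk.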
@@ -453,8 +453,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); From 487ea209f8519f7651f026befffe5383ab602d6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 22:27:50 +0200 Subject: [PATCH 381/942] avcodec/dcadsp: Fix runtime error: signed integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9244b839b788e4677019041907ff5a4378a23490) Signed-off-by: Michael Niedermayer --- libavcodec/dcadsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index 09faee51fb..4316a2eb98 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] -= mul15(src[i], coeff); + dst[i] -= (unsigned)mul15(src[i], coeff); } static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len) From 4a6426d3cb36d0979c9926b68874f5875262a81b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Apr 2017 21:59:29 +0200 Subject: [PATCH 382/942] avcodec/h264_cavlc: Fix undefined behavior on qscale overflow Fixes: 1214/clusterfuzz-testcase-minimized-6130606599569408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc8cff96ed45dfdb91ed03e9942845f28be0e770) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
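Review bot: The `(unsigned)` cast defines the wrap on the subtraction, but the sibling `dmix_add_c`, whose signature is the last context line of the hunk, presumably does the mirror-image `dst[i] += mul15(src[i], coeff);` and, if so, has the same signed-overflow exposure for the same input shape; apply the cast there as well, with a comment at both sites such as `/* (unsigned): wrap on overflow instead of UB */`. dmix_add_c's body is outside the hunk, so this is a request to check rather than a confirmed defect.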
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index b0251f405c..7a7dd397d8 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1114,7 +1114,7 @@ decode_intra_mb: dquant= get_se_golomb(&sl->gb); - sl->qscale += dquant; + sl->qscale += (unsigned)dquant; if (((unsigned)sl->qscale) > max_qp){ if (sl->qscale < 0) sl->qscale += max_qp + 1; From 32f047ce5c7aa6e46fe9702e23b871d6a53f074e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 May 2017 15:24:46 +0200 Subject: [PATCH 383/942] avcodec/msvideo1: Check buffer size before re-getting the frame Fixes timeout Fixes: 1306/clusterfuzz-testcase-minimized-6152296217968640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cabfed6895fcc679cd6a6244a12d800e0f3f2d20) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 0526505a96..c53ca826cb 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -302,6 +302,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 79d027ae7ca8bce31c613af4c1e73fbf5d448bf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 May 2017 18:40:46 +0200 Subject: [PATCH 384/942] avcodec/pngdec: Use ff_set_dimensions() Fixes OOM Fixes: 1314/clusterfuzz-testcase-minimized-4621997222920192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0296fc056f0d86943c697c505a181744b07dd45) 
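Review bot: The new minimum-size test `(avctx->width/4) * (avctx->height/4) / 512` gives no derivation for 512 — presumably the largest number of 4x4 blocks one Video-1 code can cover, so that a smaller packet cannot describe the whole frame — and without it the constant cannot be re-derived when someone asks why an almost-empty packet is still accepted. State the derivation in the comment and fix its typo: `// Discard the frame if it's smaller than the minimum frame size: <one clause explaining why 512 blocks per byte>`. msvideo1_decode_frame starts and ends outside the hunk.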
Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c2da1f66d5..0bc8252465 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -611,8 +611,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } if (!(s->state & PNG_IDAT)) { /* init image info */ - avctx->width = s->width; - avctx->height = s->height; + ret = ff_set_dimensions(avctx, s->width, s->height); + if (ret < 0) + return ret; s->channels = ff_png_get_nb_channels(s->color_type); s->bits_per_pixel = s->bit_depth * s->channels; From d0ac194ea4cbc1c89a7a5ae2183a41602b860386 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 May 2017 05:21:51 +0200 Subject: [PATCH 385/942] libavcodec/mpeg4videodec: Convert sprite_offset to 64bit This avoids intermediates from overflowing (the final values are checked) Fixes: runtime error: signed integer overflow: -167712 + -2147352576 cannot be represented in type 'int' Fixes: 1298/clusterfuzz-testcase-minimized-5955580877340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1c3a14073b33f790075f2884ea5c64451a6c876) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 102 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 52 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 633e588786..c41f6aa8b6 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, 
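Review bot: The new local `int64_t sprite_offset[2][2]` carries the same name as the `s->sprite_offset` field that the overflow check further down in mpeg4_decode_sprite_trajectory reads (visible in the earlier hunk of this series at `llabs(s->sprite_offset[0][i] + ...)`), so the reader has to track which one each line means and where the copy-back happens; a comment at the declaration such as `// 64-bit working copy; range-checked and copied into s->sprite_offset once every case is computed` (assuming that is what the rest of the commit does — the copy-back is outside this hunk) would make the flow explicit. The `// only true for rectangle shapes` comment now appears to attach to the new declaration rather than to `vop_ref`; a blank line between them avoids the mis-association. The function continues outside the hunk.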
@@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = s->sprite_delta[1][0] = 0; @@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 
@@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + + sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + + sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * + sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][0] + 1) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * + sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-2 * vop_ref[0][0] + 1) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * 
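Review bot: The `case 2` expressions in this hunk are still evaluated entirely in `int` — `sprite_ref[0][0] * (1 << alpha + rho)`, the `(-r * sprite_ref[..] + virtual_ref[..]) * (-vop_ref[..])` products and `2 * w2 * r * sprite_ref[0][0]` — and only the finished result is widened when it is stored into the new `int64_t sprite_offset`. If those intermediates can exceed `INT_MAX` for hostile input, the overflow the commit fixes in `case 3` (next hunk) is still present here; applying the same `(int64_t)` cast to the first factor of each product would make the two branches consistent. The `case 1` assignments in the previous hunk have the same shape but fewer multiplications, so they are less likely to be affected. Whether the bitstream bounds on `alpha`, `rho` and `sprite_ref` already rule this out is not visible in the diff.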
@@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * 
(-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; @@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][1] == 0 && s->sprite_delta[1][0] == 0 && s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 0; s->sprite_delta[1][0] = 0; 
@@ -369,18 +362,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_c = 16 - ctx->sprite_shift[1]; if (shift_c < 0 || shift_y < 0 || - FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); goto overflow; } for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] *= 1 << shift_y; - s->sprite_offset[1][i] *= 1 << shift_c; + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; 
@@ -392,16 +385,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; @@ -410,6 +403,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + s->sprite_offset[0][0] = sprite_offset[0][0]; + s->sprite_offset[0][1] = sprite_offset[0][1]; + s->sprite_offset[1][0] = sprite_offset[1][0]; + s->sprite_offset[1][1] = sprite_offset[1][1]; + return 0; overflow: memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); From 27fbb554fcbf8c3211e0e50d595075392dd126e6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 May 2017 02:51:13 +0200 Subject: [PATCH 386/942] avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' Fixes: 1080/clusterfuzz-testcase-5353236754071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce7098b8f2b59c62b5abdb3d74819db75cf67698) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index ed80b718d5..917adc3dfe 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } From 7d0830c546f56f41438a65d0859b35c8b5e1be09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 03:24:40 +0200 Subject: [PATCH 387/942] avcodec/cavsdec: Fix undefined behavior from integer overflow Fixes: 1335/clusterfuzz-testcase-minimized-5566961566089216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0e5f7f363555d2befafb1c9e1579dbe0a2fbca7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index fed7043c12..8842346c25 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
@@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; From 2fe493ed72cb96412500a61e3e11552a2f46d2cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 388/942] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' Fixes: 943/clusterfuzz-testcase-5114865297391616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a78ae465fda902565ed041d93403e04490b4be0d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 3f593791ae..e9705f2694 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -747,7 +747,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; From 8054b21f8d3e2200ec68f47935c1353d2bab4c56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 12:48:12 +0200 Subject: [PATCH 389/942] avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so Fixes: out of array access Fixes: 1348/clusterfuzz-testcase-minimized-6195673642827776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce551a3925a1cf9c7824e26a246b99b6773bda4b) 
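Review bot: Changing `den` to `unsigned` while `m` on the next line stays `int` means every later expression mixing the two is promoted to unsigned, which is presumably the intent (defined wrap instead of signed overflow) but also changes the meaning of any comparison or right shift on that value; those uses are outside the hunk. A one-line comment would stop a future cleanup from reverting it, e.g. `/* unsigned: intermediate products may exceed INT_MAX, wrap-around is intended */`. The same pattern appears in the `mjpegdec` hunk that follows (`unsigned level;` in `decode_block_progressive`), where any `level < 0` test or arithmetic right shift in the rest of that function would silently change behavior and deserves the same comment.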
Signed-off-by: Michael Niedermayer --- libavcodec/tiertexseqv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index df12ee3809..f86ae2aac1 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); From ca6277e1eeb01b9de2a66fbc5becb65bd05127b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:01:25 +0200 Subject: [PATCH 390/942] avcodec/wnv1: Fix runtime error: left shift of negative value -1 Fixes: 1338/clusterfuzz-testcase-minimized-6485546354343936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fac508ca46f93450ec232299dfd15ac70b6f326) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 9ff99b2f98..126c01a02d 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, From c4ae78ef067fed67e4f6be87200dbd3e6b7578a8 Mon Sep 17 00:00:00 2001 
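Review bot: `ff_set_dimensions(avctx, 256, 128)` hard-codes the frame size with no explanation of where 256x128 comes from; the commit message says these are the format's fixed dimensions, and that belongs next to the call, e.g. `/* SEQ video is always 256x128; set it here so decoding never depends on the demuxer's values */`. Since the commit title reports an out-of-array access, the decoder's buffer layout presumably assumes these dimensions, so it would also be worth confirming that nothing reads `avctx->width`/`height` before this init path runs; that cannot be checked from the diff, as only the tail of `seqvideo_decode()` is visible above the hunk.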
From: Michael Niedermayer Date: Fri, 5 May 2017 18:07:25 +0200 Subject: [PATCH 391/942] avcodec/dss_sp: Fix multiple left shift of negative value -466 Fixes: 1339/clusterfuzz-testcase-minimized-4614671485108224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38152d9368beb080b4acd6cd9e5ccc89b3f733bf) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index 7cf84899fc..b337cb37ae 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) (((((a) * (1 << 15)) + (b) * (c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size) vec[i] = vec[i] >> -bits; else for (i = 0; i < size; i++) - vec[i] = vec[i] << bits; + vec[i] = vec[i] * (1 << bits); } static void dss_sp_update_buf(int32_t *hist, int32_t *vector) From add1e9c371f396c46314c7eb68207a3023165d84 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:14:03 +0200 Subject: [PATCH 392/942] avcodec/g722: Fix multiple runtime error: left shift of negative value -1 Fixes: 1340/clusterfuzz-testcase-minimized-4669892148068352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f55df62998681c7702f008ce7c12a00b15e33f53) Signed-off-by: Michael Niedermayer --- libavcodec/g722.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/g722.c b/libavcodec/g722.c index ee3b85f845..ef7ca6d446 100644 --- a/libavcodec/g722.c +++ b/libavcodec/g722.c 
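Review bot: `vec[i] * (1 << bits)` in `dss_sp_scale_vector` replaces one undefined operation with another unless `bits` is known to be below 31: `1 << bits` is itself undefined for `bits >= 31`, and the product can still overflow `int` for large `vec[i]`, so the sanitizer finding moves rather than disappears. If the caller bounds `bits` (not visible here), a comment at the function head stating that range would document why the expression is safe; otherwise the shift amount needs a range check before the loop. The same applies to `result *= 1 << quant_step_size;` in the `mlpdec` hunk (patch 400) and to `(vector[i] * (1 << bits)) >> 3` in `ff_g723_1_scale_vector` (patch 403), where the visible `FFMAX(bits, 0)` clamps `bits` only from below.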
@@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band) ACCUM(3, band->diff_mem[2], 1); ACCUM(2, band->diff_mem[1], 1); ACCUM(1, band->diff_mem[0], 1); - ACCUM(0, cur_diff << 1, 1); + ACCUM(0, cur_diff * 2, 1); } else { ACCUM(5, band->diff_mem[4], 0); ACCUM(4, band->diff_mem[3], 0); ACCUM(3, band->diff_mem[2], 0); ACCUM(2, band->diff_mem[1], 0); ACCUM(1, band->diff_mem[0], 0); - ACCUM(0, cur_diff << 1, 0); + ACCUM(0, cur_diff * 2, 0); } #undef ACCUM band->s_zero = s_zero; @@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff) band->part_reconst_mem[0] = cur_part_reconst; band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) + - (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); + (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); limit = 15360 - band->pole_mem[1]; band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit); s_zero(cur_diff, band); - cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1); + cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2); band->s_predictor = av_clip_int16(band->s_zero + (band->pole_mem[0] * cur_qtzd_reconst >> 15) + (band->pole_mem[1] * band->prev_qtzd_reconst >> 15)); From 2871d8dbb57b9398f9486474e5885e126b91bafd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:26:02 +0200 Subject: [PATCH 393/942] avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' Fixes: 1341/clusterfuzz-testcase-minimized-5441502618583040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1002932a3b16d35c46a08455f76462909eebb5aa) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 50d514b25d..5958efeee3 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -252,7 +252,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8) { avctx->pix_fmt = AV_PIX_FMT_PAL8; From e488ad44aacfd06112eedd98599d106f3b3d3123 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:28:56 +0200 Subject: [PATCH 394/942] avcodec/nellymoser: Fix multiple left shift of negative value -8591 Fixes: 1342/clusterfuzz-testcase-minimized-5490842129137664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0953736b7e97f6e121a0587a95434bf1857a27da) Signed-off-by: Michael Niedermayer --- libavcodec/nellymoser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 0740c75a0f..d6d5b7a910 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c @@ -85,7 +85,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -109,7 +109,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1< Date: Fri, 5 May 2017 20:42:11 +0200 Subject: [PATCH 395/942] avcodec/dfa: Fix off by 1 error Fixes out of array access Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
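Review bot: The `(int64_t)` cast in the size check is applied to the third factor, so `aligned_width * avctx->height` is still multiplied in `int` before the widening takes effect; only the final `* c->bpp` is done in 64 bits. Casting the leftmost operand makes the whole product 64-bit: `if (c->video_size < (int64_t)aligned_width * avctx->height * c->bpp / 8)`. The dimensions may already be bounded by the usual image-size validation so that the first product cannot overflow, but the check reads as if it guards the full expression, and the leftmost cast costs nothing.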
Signed-off-by: Michael Niedermayer (cherry picked from commit f52fbf4f3ed02a7d872d8a102006f29b4421f360) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f45d019a79..5ddb647c4c 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); From d0947505dc970155f78acfc5f5a0bac60cda3e2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 22:17:59 +0200 Subject: [PATCH 396/942] avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' Fixes: 1346/clusterfuzz-testcase-minimized-5776732600664064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a234b5ade3ca6cde805b92b8b6ecacf693460a8c) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 42bd561cd7..8e28aa04f0 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } From 4a58c5a3b9d57c656ed825878183c8706902b9df Mon Sep 17 00:00:00 2001 
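Review bot: With `qscale` cast to `unsigned`, the whole product `level * (unsigned)qscale * quant_matrix[j]` in `mdec_decode_block_intra` becomes unsigned and the following `>> 3` is a logical rather than arithmetic shift; since `level` is made non-negative in both branches just before, the result is unchanged for non-wrapping inputs, but a product that wraps now yields a large positive value that flows into `(level - 1) | 1` and, in the first branch, the negation. That is acceptable for malformed input only if the consumer of `block` tolerates arbitrary values, which the hunk does not show; a comment such as `/* unsigned: the product may exceed INT_MAX for hostile input, wrap is tolerated */` would record the decision.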
From: Michael Niedermayer Date: Fri, 5 May 2017 23:00:59 +0200 Subject: [PATCH 397/942] avcodec/aacsbr_template: Do not leave bs_num_env invalid Fixes out of array read Fixes: 1349/clusterfuzz-testcase-minimized-5370707196248064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ad83b793e883b8c6d114f81073a4e40c0308a3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 733e619b78..98c9a8e649 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -639,6 +639,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } @@ -694,6 +695,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } From 317c043316cd3819e11bb1c401e16bc6f17299a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 00:13:05 +0200 Subject: [PATCH 398/942] avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35f3df0d76e28969fa77f2b865e2e40b3ba69722) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 35fd703fbe..8e28a0e6ee 100644 --- a/libavutil/softfloat.h 
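Review bot: `ch_data->bs_num_env = 2;` is written on both error paths without saying why 2 is the right fallback; the commit title says the field must not be left invalid, so the value should be tied to that, e.g. `/* reset to a valid envelope count: later code presumably indexes per-envelope tables by bs_num_env even after this error (see "out of array read" in the commit message) */`. If 2 is the specification's default rather than an arbitrary in-range value, say so, and if other per-envelope fields of `ch_data` are also left partially filled on this path they need the same treatment. The surrounding `read_sbr_grid` body is outside the hunk.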
+++ b/libavutil/softfloat.h @@ -214,12 +214,12 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) int st, ct; idx = a >> 26; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; cv = av_costbl_1_sf[idx & 0xf]; cv = (cv ^ sign) - sign; idx -= 8; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; sv = av_costbl_1_sf[idx & 0xf]; sv = (sv ^ sign) - sign; From 93702fd208c6550d89a77d5afc506a2eea2260b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 01:08:54 +0200 Subject: [PATCH 399/942] avcodec/snowdec: Check qbias Fixes: signed integer overflow: -1094995529 * 131 cannot be represented in type 'int' Fixes: 1353/clusterfuzz-testcase-minimized-5208180449607680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 523205ce1ed9415183c162998c68f573479e78fe) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 042aecbbeb..97f55288c1 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -395,6 +395,11 @@ static int decode_header(SnowContext *s){ s->block_max_depth= 0; return AVERROR_INVALIDDATA; } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; + return AVERROR_INVALIDDATA; + } return 0; } From 1e034a9ffe533361acfed1455c6bbe1dd9890643 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:05:17 +0200 Subject: [PATCH 400/942] avcodec/mlpdec: Fix runtime error: left shift of negative value -22 Fixes: 1355/clusterfuzz-testcase-minimized-6662205472768000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c535436cbeeab89be64e9f3fd652bc736f2f3245) 
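Review bot: The new `FFABS(s->qbias) > 127` check sits at the end of `decode_header` rather than immediately after `qbias` is read, so if anything between the read and this point consumes `s->qbias` (not visible here) it would see the unchecked value first; moving the check next to the read, or confirming that no intermediate use exists, closes that gap. Resetting `s->qbias = 0` before returning is good, since the error path otherwise leaves the context intact, but the bound 127 is unexplained; a comment such as `/* |qbias| > 127 overflows the later multiplication (see commit message); reset so the context stays usable */` would cover both the limit and the reset.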
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c93b058dd7..7cad5d1cad 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } From 903c4b2c3c89686e2640ec6aba7f9b12ab3ee780 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:10:59 +0200 Subject: [PATCH 401/942] avcodec/fic: Fix multiple left shift of negative value -15 Fixes: 1356/clusterfuzz-testcase-minimized-6008489086287872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b20c71409b24460983ba5d9afa0716714f9e0f7d) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 7d698f08d9..e58d3b99e2 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -94,8 +94,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t7 = t3 - t1; const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; + const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; blk[0 * step] = ( t4 + t9 + tB) >> shift; blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; From c78e5a2cb41a8837cd16e99e91eb5455beb1a60e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 6 May 2017 15:17:29 +0200 Subject: [PATCH 402/942] avcodec/mimic: Fix runtime error: left shift of negative value -1 Fixes: 1365/clusterfuzz-testcase-minimized-5624158450876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc2c420b82939a8f30838a6aa08bfd936099d3ce) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 06fb393b92..ce649c602a 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; From 94a58e597b19ba233f50d7e97b88733eefa70dc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:32:56 +0200 Subject: [PATCH 403/942] avcodec/g723_1: Fix multiple runtime error: left shift of negative value Fixes: 1367/clusterfuzz-testcase-minimized-571496882346393 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4ace2d22192f3995911ec926940125dcb29d606a) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1.c | 18 +++++++++--------- libavcodec/g723_1.h | 2 +- libavcodec/g723_1dec.c | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index a11fec8a9e..78ce922266 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length) bits= FFMAX(bits, 0); for (i = 0; i < length; i++) - dst[i] = vector[i] << bits >> 3; + dst[i] = (vector[i] * (1 << bits)) >> 3; return bits - 3; } 
@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc) for (j = 0; j < LPC_ORDER; j++) { int index = (lpc[j] >> 7) & 0x1FF; int offset = lpc[j] & 0x7f; - int temp1 = cos_tab[index] << 16; + int temp1 = cos_tab[index] * (1 << 16); int temp2 = (cos_tab[index + 1] - cos_tab[index]) * - ((offset << 8) + 0x80) << 1; + (((offset << 8) + 0x80) << 1); lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16); } @@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc) */ /* Initialize with values in Q28 */ f1[0] = 1 << 28; - f1[1] = (lpc[0] << 14) + (lpc[2] << 14); + f1[1] = (lpc[0] + lpc[2]) * (1 << 14); f1[2] = lpc[0] * lpc[2] + (2 << 28); f2[0] = 1 << 28; - f2[1] = (lpc[1] << 14) + (lpc[3] << 14); + f2[1] = (lpc[1] + lpc[3]) * (1 << 14); f2[2] = lpc[1] * lpc[3] + (2 << 28); /* @@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc) f1[0] >>= 1; f2[0] >>= 1; - f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1; - f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1; + f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1; + f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1; } /* Convert polynomial coefficients to LPC coefficients */ @@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc) int64_t ff1 = f1[i + 1] + f1[i]; int64_t ff2 = f2[i + 1] - f2[i]; - lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16; - lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) + + lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16; + lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) + (1 << 15)) >> 16; } } diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h index 40d6e700b1..f833af01c6 100644 --- a/libavcodec/g723_1.h +++ b/libavcodec/g723_1.h @@ -55,7 +55,7 @@ * @param b 16 bit multiplier */ #define MULL2(a, b) \ - ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15)) + ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15)) /** * G723.1 frame types diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 3e8c4897d2..97f91a296c 100644 
--- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -516,7 +516,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\ }\ \ - (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\ + (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\ (1 << 15)) >> res_shift;\ }\ } @@ -903,7 +903,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, &p->subframe[i], p->cur_rate); /* Get the total excitation */ for (j = 0; j < SUBFRAME_LEN; j++) { - int v = av_clip_int16(vector_ptr[j] << 1); + int v = av_clip_int16(vector_ptr[j] * 2); vector_ptr[j] = av_clip_int16(v + acb_vector[j]); } vector_ptr += SUBFRAME_LEN; From 969689d7d7cf773d263df061599f81f0cf987089 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:38:22 +0200 Subject: [PATCH 404/942] avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 1368/clusterfuzz-testcase-minimized-4507293276176384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12936a4585bc293c0f88327d6840f49e8e744b62) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 5ddb647c4c..3ea12f0511 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); From 65ec573358b3831bd482216413af40294240efe7 Mon Sep 17 00:00:00 2001 
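Review bot: Making `segments` unsigned makes the `-2147483648 - 1` wrap well-defined, but it also changes how any loop that consumes it terminates; that loop is outside the hunk, so confirm it is bounded by the bytestream (reads failing) rather than by a signed test such as `segments > 0`, which can no longer reject a 32-bit value from `bytestream2_get_le32` that was previously negative. A comment on the declaration, e.g. `unsigned segments; /* count from the stream; may be huge, loop must stop on bytestream exhaustion */`, would record that assumption. decode_tsw1's body continues outside the hunk.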
From: Michael Niedermayer Date: Sat, 6 May 2017 16:43:52 +0200 Subject: [PATCH 405/942] avcodec/webp: Fix null pointer dereference Fixes: 1369/clusterfuzz-testcase-minimized-5048908029886464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9bf4523e40148fdd27064ab570952bd8c4d1016e) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 5c2961ff19..a3b1fad6cd 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1342,6 +1342,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From 9f4e2b15e0d8cf1892029b7a470908c0e740f23a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 18:28:09 +0200 Subject: [PATCH 406/942] avcodec/shorten: Check k in get_uint() Fixes: undefined shift Fixes: 1371/clusterfuzz-testcase-minimized-5770822591447040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6a51f59c467ab9f4b73122dc269206fb517425) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0f5be96eb7..32f808beb4 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -156,8 +156,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } 
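Review bot: `get_uint` returns `unsigned int`, so `return AVERROR_INVALIDDATA;` is silently converted to a large positive value and the callers (outside the hunk) can only notice it through their own range checks or an `(int)` comparison; a comment on the function, e.g. `/* returns (unsigned)AVERROR_INVALIDDATA if the stream's length prefix k exceeds 31; callers must range-check the result */`, would make that contract explicit. The `31U` in `k > 31U` is doing real work: `k` is an `int`, and the unsigned comparison also rejects a negative value from `get_ur_golomb_shorten`, which is worth a one-line comment so it is not "cleaned up" to `31`. The bound itself is what keeps the subsequent Golomb read's shift by `k` defined.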
From 6f57b9d7151d6fe9a3d8704fd2080754aa3a3966 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 19:07:59 +0200 Subject: [PATCH 407/942] avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from Fixes integer overflow Fixes: 1372/clusterfuzz-testcase-minimized-5712192982745088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef0f392711445e173a56b2c073dedb021ae3783) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 01941967a5..8344bfe8a7 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; From a5c7c22c66ccace0f056531be853327115dc2412 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 19:11:46 +0200 Subject: [PATCH 408/942] avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 Fixes: 1375/clusterfuzz-testcase-minimized-6070134701555712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1283c4244767bd19918f355c31d702a94ee0cc1b) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 3ef83d4eb4..b5113f3ca9 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c 
@@ -67,11 +67,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], memset(block, 0, 64 * sizeof(*block)); if (!is_hqa) { - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; } else { q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; } for (;;) { From c99e86556c0ddf3eae9c77fdca85c2ff44352ec1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 21:31:49 +0200 Subject: [PATCH 409/942] avutil/softfloat: Fix overflow in av_div_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 277e397eb5964999bd76909f52d4bd3350289c22) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 8e28a0e6ee..b4fce57906 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -110,8 +110,15 @@ static inline av_const SoftFloat av_mul_sf(SoftFloat a, SoftFloat b){ * @return Will not be more denormalized than a. */ static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){ + int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1)); + temp /= b.mant; a.exp -= b.exp; - a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant; + a.mant = temp; + while (a.mant != temp) { + temp /= 2; + a.exp--; + a.mant = temp; + } a = av_normalize1_sf(a); if (!a.mant || a.exp < MIN_EXP) return FLOAT_0; From 05b8e57abaf7144072a1db786b2fd1ef78885d74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:24:52 +0200 Subject: [PATCH 410/942] avcodec/cdxl: Check format parameter Fixes out of array access Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
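Review bot: After this change the two branches of `if (!is_hqa)` contain identical statements and read as an accidental duplicate, but they are not: the order in which `get_sbits(gb, 9)` and `get_bits(gb, 2)` are consumed differs, and that bitstream order is the whole point. A comment above the `if`, e.g. `/* HQ and HQA store the DC coefficient and the quantiser selector in opposite bitstream order */`, would stop a later refactor from merging them. hq_decode_block continues outside the hunk.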
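Review bot: In the new `while (a.mant != temp)` loop the mantissa is halved (`temp /= 2`) but the exponent is decremented (`a.exp--`); if the representation follows the normalisation helpers' convention, where doubling the mantissa pairs with `exp--`, halving it should pair with `a.exp++`, so please confirm the sign. The loop can only trigger in the edge case where `a.mant * 2^(ONE_BITS+1) / b.mant` reaches exactly ±2^31, which is why a wrong direction would be hard to notice in normal streams. Independently, `temp /= b.mant` still divides by zero for `b.mant == 0`; the function's doc comment (partly visible above the hunk) states that `b` must be normalized and non-zero, so a `/* b.mant != 0 is a documented precondition */` comment at the division would at least make the reliance explicit.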
Signed-off-by: Michael Niedermayer (cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 5958efeee3..bb42734d94 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -254,7 +254,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, c->padded_bits = aligned_width - c->avctx->width; if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { if (c->palette_size != (1 << (c->bpp - 1))) From daa9bca16b54685cc80a0a302c9cd8a80a90700b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:31:23 +0200 Subject: [PATCH 411/942] avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1380/clusterfuzz-testcase-minimized-650122545122508 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a8335de030aa6cb6356bb16c7d3aefc5a80e362) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index 9577b67f0f..a3d3c676eb 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -39,7 +39,7 @@ #define DDPF_FOURCC (1 << 2) #define DDPF_PALETTE (1 << 5) -#define DDPF_NORMALMAP (1 << 31) +#define DDPF_NORMALMAP (1U << 31) enum DDSPostProc { DDS_NONE = 0, From 74f35b9d5ea07f5722c4727f90b48f763c1a91d4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 02:46:54 +0200 Subject: [PATCH 412/942] avcodec/msmpeg4dec: Correct table depth Fixes undefined shift Fixes: 1381/clusterfuzz-testcase-minimized-5513944540119040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1121d9270783b284a70af317d8785eac7df1b72f) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index aaadd9c073..8f3b6a6650 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -141,7 +141,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; From 0caf6fa51e6949a2fd9d3e14adf6522f32633268 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:16:53 +0200 Subject: [PATCH 413/942] avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' Fixes: 1382/clusterfuzz-testcase-minimized-6013445293998080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 669419939c1d36be35196859dc73ec9a194157ad) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 1a9bfa294f..21e38f00a0 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -166,7 +166,7 @@ static int svq3_decode_end(AVCodecContext *avctx); void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -191,10 +191,10 @@ void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride From 7465d229cb9c5c4b8324d7b174e45f83c0df1c02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:23:09 +0200 Subject: [PATCH 414/942] avcodec/ivi_dsp: Fix multiple left shift of negative value -2 Fixes: 1385/clusterfuzz-testcase-minimized-5552882663292928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e88cc94e58e9e4d1293f9f56c973510e30495fd) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 4b973992e0..6f79ada1d5 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c 
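Review bot: `(int)((z0 + z3) * qmul + 0x80000) >> 20` trades undefined signed overflow for two implementation-defined steps: converting an out-of-range unsigned value to `int` (C11 6.3.1.3) and right-shifting a negative `int` (6.5.7). Both are two's-complement/arithmetic on GCC and Clang, which is what makes this UBSan-clean, but the intent is invisible to a reader who has not seen the fuzzing report; a comment such as `/* compute in unsigned to avoid signed overflow; the (int) cast and >> rely on two's-complement wraparound and arithmetic shift */` at the first use would document it. The same idiom appears in the mss34dsp DCT_TEMPLATE hunk, the wmv2dsp `wmv2_idct_col` hunk and the hqxdsp `idct_col` hunk later in this series, and the comment belongs wherever it is first introduced. ff_svq3_luma_dc_dequant_idct_c continues outside the hunk.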
@@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], From 2d8a3daddbe4564663370d8f0502b21f29bf619a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:27:17 +0200 Subject: [PATCH 415/942] avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 1386/clusterfuzz-testcase-minimized-5323086394032128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e92fb2bea1800b987ebc3cbeef9d48cfe4bcd191) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index c5e6cc6270..a7f75a4baa 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c 
@@ -35,7 +35,7 @@ #define RGBA(r, g, b, a) (((uint8_t)(r) << 0) | \ ((uint8_t)(g) << 8) | \ ((uint8_t)(b) << 16) | \ - ((uint8_t)(a) << 24)) + ((unsigned)(uint8_t)(a) << 24)) static av_always_inline void extract_color(uint32_t colors[4], uint16_t color0, From 95700803f451c97456d42fa8fa17c8d0ea4ff55c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:49:06 +0200 Subject: [PATCH 416/942] avcodec/targa_y216dec: Fix width type Fixes out of array access Fixes: 1376/clusterfuzz-testcase-minimized-6361794975105024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e56db892600c2fbe34782c6140f1ee832a2c344) Signed-off-by: Michael Niedermayer --- libavcodec/targa_y216dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 21b3d35d67..443d48a92f 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { From 9371fef23cc69c571243b32b96f058d5f894dfd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:12:04 +0200 Subject: [PATCH 417/942] avcodec/mss34dsp: Fix multiple signed integer overflow Fixes: 1387/clusterfuzz-testcase-minimized-4802757766676480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 464c4b86ee43b7912e6f23fd3e5ba40381b4c371) 
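Review bot: Changing `aligned_width` to `int` fixes the 16-bit truncation, but the size check on the next line, `4 * avctx->height * aligned_width`, is still an `int` product; the dimensions are presumably bounded by the generic dimension validation (not visible here), yet the cdxl hunk earlier in this series widens the equivalent check with an `(int64_t)` cast, and doing the same here, `if (avpkt->size < 4 * (int64_t)avctx->height * aligned_width) {`, removes the dependency on that external bound. y216_decode_frame continues outside the hunk.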
Signed-off-by: Michael Niedermayer --- libavcodec/mss34dsp.c | 44 +++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index 0397add17d..4965ac514d 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c 
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + 
t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { From c4371e8b2fba93e89230a7c6cbd3e2d1fd8bdfc4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:16:33 +0200 Subject: [PATCH 418/942] avcodec/ra144: Fix runtime error: left shift of negative value -798 Fixes: 1388/clusterfuzz-testcase-minimized-6680800936329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78bf446852a7e5e8aa52c7ca9889632e167b665f) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 696a49e7ab..cfe5aea7dc 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; From 87c1cff598912805fed2c7edfbae193ff49b2434 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 15:40:07 +0200 Subject: [PATCH 419/942] avcodec/g726: Fix runtime error: left shift of negative value -2 Fixes: 1393/clusterfuzz-testcase-minimized-5948366791901184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c04aa148824f4fb7f4b70830ad3ca7a6cba8ab79) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index f3de9e715d..4be44b23d0 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) From d93c75f037a81bc81c1b74440be88bc37703f01e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:42:17 +0200 Subject: [PATCH 420/942] avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' Fixes: 1394/clusterfuzz-testcase-minimized-6493376885030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ac1c87194a67e6104a3d241a4dd1ca0808784bd) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 4e202f98a3..0525394838 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c 
@@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; From d55d821b9e23cb641000f07267e9a5f644fa232d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:44:51 +0200 Subject: [PATCH 421/942] avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' Fixes: 1395/clusterfuzz-testcase-minimized-5330939741732864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a38e9797cb4123d13ba871d166a737786ba04a9b) Signed-off-by: Michael Niedermayer --- libavcodec/s302m.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index ccfb5913a0..a68ac79f2c 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); 
@@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; From 9320f86494bfe31720b51184f49e46a2ae7220d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 18:50:49 +0200 Subject: [PATCH 422/942] avcodec/xwddec: Check bpp more completely Fixes out of array access Fixes: 1399/clusterfuzz-testcase-minimized-4866094172995584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 441026fcb13ac23aa10edc312bdacb6445a0ad06) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 64cd8418a2..8b0845fc01 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; From e4b1426e1bf90ad2b48f3133f21bd524f0369efa Mon Sep 17 00:00:00 2001 
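Review bot: The tightened conditions mean a `bpp == 1, pixdepth == 8` or `bpp == 8, pixdepth == 1` header now matches neither branch and falls out of the `case` with `avctx->pix_fmt` untouched. That is only safe if the code after the `switch` (outside the hunk) rejects `AV_PIX_FMT_NONE`; if it does not, an explicit `else return AVERROR_INVALIDDATA;` here would be the robust form. A one-line comment such as `/* any other bpp/pixdepth combination is rejected by the pix_fmt check below */` would make the assumption verifiable.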
From: Michael Niedermayer Date: Sun, 7 May 2017 23:07:42 +0200 Subject: [PATCH 423/942] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' Fixes: 1401/clusterfuzz-testcase-minimized-6526248148795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b1f66cf5c2e4d29ae06cdf3f12cdd3d808006bd) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 40e0bef0da..cfa25f08dc 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; From 51e493679836f382c3731cb0e472ace0c05a8f3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 02:28:07 +0200 Subject: [PATCH 424/942] avcodec/ffv1dec: Fix copying planes of paletted formats Signed-off-by: Michael Niedermayer (cherry picked from commit 3a4d387195a5eb3c1700071af8d8150e4f7f6600) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index d2bf3a89fd..98a286a44f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -1002,7 +1002,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int pixshift = desc->comp[j].depth > 8; int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; @@ -1010,6 +1010,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, src, f->last_picture.f->linesize, From f903400a0bb54a55c07016fba060291d9d579618 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:46:03 +0200 Subject: [PATCH 425/942] avcodec/cdxl: Check format for BGR24 Fixes: out of array access Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index bb42734d94..3eaf194d2f 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c 
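Review bot: With the loop now bounded by `desc->nb_components`, the `src[4]`/`dst[4]` arrays declared just above are only partially filled (for a paletted format only index 0 from the loop plus index 1 from the new block), and the remaining entries are passed to `av_image_copy` as indeterminate pointers; initialising them, `const uint8_t *src[4] = { NULL }; uint8_t *dst[4] = { NULL };`, costs nothing and keeps the call well-defined regardless of how many planes the callee touches. The new flag test can also be written as one mask, `if (desc->flags & (AV_PIX_FMT_FLAG_PAL | AV_PIX_FMT_FLAG_PSEUDOPAL)) {`. The enclosing decode_frame starts and ends outside the hunk.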
@@ -256,7 +256,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; From 6b334460defe5995f2510d11d372e58cdccd37e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:55:27 +0200 Subject: [PATCH 426/942] avcodec/cavsdec: Check sym_factor Fixes: runtime error: signed integer overflow: 25984 * 130560 cannot be represented in type 'int' Fixes: 1404/clusterfuzz-testcase-minimized-5000441286885376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 279420b5a63b3f254e4932a4afb91759fb50186a) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 8842346c25..4d1b77187b 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; From 386767ecea4c1f2a9756879c8ad7037d8cda97a7 Mon Sep 17 00:00:00 2001 
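Review bot: With `c->format != CHUNKY` now repeated in both the PAL8 and the BGR24 branch, a reader cannot tell from this chain whether a CHUNKY frame with encoding 1 is rejected or handled by a later branch; the rest of the if/else chain and of cdxl_decode_frame is outside the hunk. Either hoisting the format test ahead of the chain or a comment on the `+` line, e.g. `/* HAM->BGR24 decoding assumes planar input; CHUNKY must not reach it */`, would make the intent explicit and keep the next format-specific branch from forgetting the same guard.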
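Review bot: The new range check runs after `h->sym_factor = h->dist[0] * h->scale_den[1];` has already been computed in int, so if `dist[0]` is not otherwise bounded (its origin is outside the hunk) that multiply can overflow before `FFABS` sees it, and `FFABS(INT_MIN)` is itself UB. Computing the product in 64 bits first, `int64_t sf = (int64_t)h->dist[0] * h->scale_den[1]; if (FFABS(sf) > 32768) { ... }`, and assigning afterwards avoids both. The bound 32768 also deserves a comment saying what it protects (presumably the later sym_factor × MV products the fuzzer report refers to), e.g. `/* keep sym_factor * 16-bit MV within int */`.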
From: Michael Niedermayer Date: Mon, 8 May 2017 12:04:09 +0200 Subject: [PATCH 427/942] avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() Fixes: 1405/clusterfuzz-testcase-minimized-5011491835084800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d5118f81bd51b9c33500616b3c637123e8e4691) Signed-off-by: Michael Niedermayer --- libavcodec/hqxdsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index feff9c0b68..04a65e7767 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) s6 = (int) blk[6 * 8] * quant[6 * 8]; s7 = (int) blk[7 * 8] * quant[7 * 8]; - t0 = (s3 * 19266 + s5 * 12873) >> 15; - t1 = (s5 * 19266 - s3 * 12873) >> 15; - t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0; - t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1; + t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15; + t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15; + t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0; + t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1; t4 = t0 * 2 + t2; t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; t8 = (t6 * 11585) >> 14; t9 = (t7 * 11585) >> 14; - tA = (s2 * 8867 - s6 * 21407) >> 14; - tB = (s6 * 8867 + s2 * 21407) >> 14; + tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; + tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); tD = (s4 >> 1) * 2 + tC; tE = tC - (tA >> 1); From 6c15025deedadf92849f600594722c928b6148ac Mon Sep 17 00:00:00 2001 
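Review bot: Only the four weighted sums were moved to unsigned; `t4 = t0 * 2 + t2`, `t5 = t1 * 2 + t3`, `t8 = (t6 * 11585) >> 14` and the consumers of `tA`/`tB` below stay signed, and whether the (now wrapping) t0..t3 are small enough that those never overflow is not shown — the rest of idct_col is outside the hunk. If the blk/quant ranges guarantee it, a comment on the first `+` line stating the bound would save the next fuzzer round; if not, the same `(int)(... U ...)` treatment is needed on those lines too. Note that `s3 * 19266U` converts the signed product `s3` to unsigned, which is fine for the wrap but worth stating in that comment.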
From: Michael Niedermayer Date: Mon, 8 May 2017 12:07:56 +0200 Subject: [PATCH 428/942] avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' Fixes: 1406/clusterfuzz-testcase-minimized-5064865125236736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8824b7370a9fb72f9c699c3751a5ceb56e0cc41d) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 07bea69c78..7d9cfa8278 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -95,7 +95,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +105,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
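Review bot: Declaring `a1, b1, c1, d1` as `unsigned` in an IDCT reads like a signedness mistake without an explanation; a comment on the `+ unsigned a1, b1, c1, d1;` line, e.g. `/* unsigned: the sums can exceed int range on crafted input; wrap instead of UB, (int) recovers the signed result */`, would keep it from being reverted. The products feeding them (`block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274`, and the `tmp[...]` forms in the third hunk on the next line) are still int arithmetic; with int16 operands they stay below INT_MAX (32767·12540 + 32768·30274 ≈ 1.40e9), which is worth stating in the same comment. The `(int)` cast of a wrapped unsigned and the following `>> 14`/`>> 18` are implementation-defined (two's-complement, arithmetic shift), as elsewhere in this series.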
@@ -116,13 +117,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } From 6cb55a703245c1a3885d412a590aa2215e7012a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:17:31 +0200 Subject: [PATCH 429/942] avcodec/dvbsubdec: check region dimensions Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736 Fixes: integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0075d9eced22839fa4f7a6eaa02155803ccae3e6) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 08f6a9bf85..c1abf354df 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -24,6 +24,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1239,6 +1240,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return AVERROR_INVALIDDATA; 
@@ -1267,6 +1269,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return ret; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); From 3724f36b09a4d9e8889e4ee907a3e2ed04d30ae0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:40:30 +0200 Subject: [PATCH 430/942] avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' Fixed: 1409/clusterfuzz-testcase-minimized-5237365020819456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea59ef0c031b6b92f051f60c19fdd0a716769834) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index b337cb37ae..3187a76eec 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) * (1 << 15)) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -524,7 +524,7 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, tmp = dst[a] * filter_buf[0]; for (i = 14; i > 0; i--) - tmp -= error_buf[i] * filter_buf[i]; + tmp -= error_buf[i] * (unsigned)filter_buf[i]; for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; From 154c73b63eeae79c51d29a12a488badef336af18 Mon Sep 17 00:00:00 2001 
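Review bot: On the failure path the dimensions are zeroed but `region->pbuf`/`region->buf_size` keep whatever an earlier region segment allocated, so a later consumer sees `width == 0` with a non-empty buffer; whether every user of the region tolerates that is outside the hunk (the rest of dvbsub_parse_region_segment is not shown). Either free and reset the buffer there as well, or add a comment stating why the stale buffer is harmless. Minor: `region->width= region->height= 0;` should follow the surrounding spacing, `region->width = region->height = 0;`.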
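Review bot: In `DSS_SP_FORMULA` only `(b) * (unsigned)(c)` became unsigned; `(a) * (1 << 15)` is still a signed multiply and overflows for |a| ≥ 65536, so unless every caller bounds `a` (callers are outside the hunk) the macro keeps UB one term to the left — `((a) * (1U << 15))` would make the whole expression wrap consistently. In the second hunk, `tmp = dst[a] * filter_buf[0];` directly above the loop is likewise still a signed int32 × int32 product; patch 443 later in this series patches `tmp + 4096` in the same function, which suggests making `tmp` unsigned for the whole accumulation with a single `(int)` at the end rather than casting per operation. A macro comment such as `/* unsigned arithmetic: wraps on crafted input instead of UB */` is also missing.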
From: Michael Niedermayer Date: Mon, 8 May 2017 15:46:55 +0200 Subject: [PATCH 431/942] avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' Fixes: 1411/clusterfuzz-testcase-minimized-5776085184675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29692023b2f1e0580a4065f4c9b62bafd89ab337) Signed-off-by: Michael Niedermayer --- libavcodec/bmvvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 97f850dbae..cf7f0a0501 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } From de5b23ead671884dbf383c45355ebe36e2c73522 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 01:42:53 +0200 Subject: [PATCH 432/942] avcodec/htmlsubtitles: Check for string truncation and return error Fixes out of array access Fixes: 1354/clusterfuzz-testcase-minimized-5520132195483648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4ae3cce64bd46b1d539bdeac39753f83015f114) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 12 +++++++++--- libavcodec/htmlsubtitles.h | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 8b57febd26..16295daa0c 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c 
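Review bot: `(unsigned)*src << shift` removes the signed-overflow UB, but a shift count of 32 or more is still UB for unsigned, and the loop only bounds `src` (`if (src < source || src >= source_end)`), not `shift`, which grows by 2 per iteration and only stops on `*src & 0xC`; if nothing outside the hunk limits the iteration count, a run of input bytes without those bits set drives `shift` past 31. A guard such as `if (shift > 24) return AVERROR_INVALIDDATA;` before the `+` line (or an explicit check against the width of `val`) closes that. The enclosing loop and decode_bmv_frame start outside the hunk, so the bound may already exist there.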
@@ -46,11 +46,12 @@ typedef struct SrtStack { static void rstrip_spaces_buf(AVBPrint *buf) { - while (buf->len > 0 && buf->str[buf->len - 1] == ' ') - buf->str[--buf->len] = 0; + if (av_bprint_is_complete(buf)) + while (buf->len > 0 && buf->str[buf->len - 1] == ' ') + buf->str[--buf->len] = 0; } -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) { char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; @@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) line_start = 0; } + if (!av_bprint_is_complete(dst)) + return AVERROR(ENOMEM); + while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2)) dst->len -= 2; dst->str[dst->len] = 0; rstrip_spaces_buf(dst); + + return 0; } diff --git a/libavcodec/htmlsubtitles.h b/libavcodec/htmlsubtitles.h index e10cdda241..f3a8ef5d8b 100644 --- a/libavcodec/htmlsubtitles.h +++ b/libavcodec/htmlsubtitles.h @@ -23,6 +23,6 @@ #include "libavutil/bprint.h" -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); #endif /* AVCODEC_HTMLSUBTITLES_H */ From c152707dc1a1a6913ce106c359370414bd93759b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 20:24:48 +0200 Subject: [PATCH 433/942] avcodec/g723_1dec: Fix several integer related cases of undefined behaviour Fixes: 1412/clusterfuzz-testcase-minimized-6561308772139008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d3088e0fd8749788818cb5df92abaa3b12e409e1) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 97f91a296c..735d0360b7 100644 
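Review bot: The new `return AVERROR(ENOMEM)` guard is the fix, but the `dst->len -= 2` / `dst->str[dst->len] = 0` lines below it poke AVBPrint internals and are only safe because the buffer is complete (`len < size`); a comment such as `/* safe: av_bprint_is_complete() guarantees len < size */` would tie the two together. The diffstat lists only htmlsubtitles.c/.h, so existing callers still discard the new return value; the .h hunk should document the contract, e.g. `/** @return 0 on success, AVERROR(ENOMEM) if dst was truncated */`, so that callers get updated to check it. Style: the brace-less `if (...) while (...)` in rstrip_spaces_buf is easy to misread; bracing the `if` helps.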
--- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -663,7 +663,7 @@ static int estimate_sid_gain(G723_1_Context *p) t = p->sid_gain << shift; else t = p->sid_gain >> -shift; - x = t * cng_filt[0] >> 16; + x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); if (x >= cng_bseg[2]) return 0x3F; @@ -732,7 +732,7 @@ static void generate_noise(G723_1_Context *p) off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN; t >>= 2; for (j = 0; j < 11; j++) { - signs[i * 11 + j] = (t & 1) * 2 - 1 << 14; + signs[i * 11 + j] = ((t & 1) * 2 - 1) * (1 << 14); t >>= 1; } } @@ -776,7 +776,7 @@ static void generate_noise(G723_1_Context *p) sum = 0; if (shift < 0) { for (j = 0; j < SUBFRAME_LEN * 2; j++) { - t = vector_ptr[j] << -shift; + t = vector_ptr[j] * (1 << -shift); sum += t * t; tmp[j] = t; } @@ -814,7 +814,7 @@ static void generate_noise(G723_1_Context *p) if (shift < 0) x >>= -shift; else - x <<= shift; + x *= 1 << shift; x = av_clip(x, -10000, 10000); for (j = 0; j < 11; j++) { From bac7b595423e094667e3b5320802801e420da234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 00:02:22 +0200 Subject: [PATCH 434/942] avcodec/indeo2: Check for invalid VLCs Fixes: timeout Fixes: 1416/clusterfuzz-testcase-minimized-5536862435278848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 159fb8ff7e4038edf13e91d3c08bc7b8abc369b9) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index f12d6d00d1..d99ad18f0e 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c 
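Review bot: In the first hunk the context line above the fix, `t = p->sid_gain << shift;`, is still a left shift of a possibly negative `sid_gain` (the neighbouring `t = p->sid_gain >> -shift;` shows it is treated as signed), which is the same class of UB the other three hunks remove; `t = p->sid_gain * (1 << shift);` would be consistent, assuming the surrounding code keeps shift below 31. In the third hunk `sum += t * t;` on the widened `t = vector_ptr[j] * (1 << -shift);` is also still a signed product; whether `vector_ptr` values and `-shift` are small enough for the square to fit in int is not visible (generate_noise starts and ends outside the hunks). A short comment on why `* (1 << n)` replaces `<< n` (left shift of a negative value is UB in C) would keep these from being reverted.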
@@ -68,6 +68,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -89,7 +91,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -125,6 +130,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; From 0fed5947bd6ce5cf8feef6d8c352ea5f959f63c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:44:37 +0200 Subject: [PATCH 435/942] avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 Fixes: 1423/clusterfuzz-testcase-minimized-5063889899225088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c5d2fa2fdff08e77bba0c9a31b91826a807c551c) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 001086bc74..dd50cc7669 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
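Review bot: The three `if (c <= 0) return AVERROR_INVALIDDATA;` checks reject `c == 0` as well as the negative value a failed VLC lookup yields, but nothing in the hunks says whether 0 is a genuinely invalid code or whether `table[0]`/`table[1]` is a usable pair; if it is usable the check should be `c < 0`, and if not, a comment such as `/* c <= 0: VLC error or entry 0, which never addresses a usable table pair */` should say so. The same guard is duplicated three times across ir2_decode_plane and ir2_decode_plane_inter (both start outside the hunks); a small helper that reads and validates the VLC would keep them in sync. No upper bound on `c * 2 + 1` is visible either — if the VLC table size bounds it, state that in the same comment.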
@@ -422,19 +422,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); - s->predictors[2] = get_sbits(gb, size) << (10 - size); - s->predictors[3] = get_sbits(gb, size) << (10 - size); + s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); + s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size)); if (filter_order > 4) { int tmp = size - get_bits1(gb); for (i = 4; i < filter_order; i++) { if (!(i & 3)) x = tmp - get_bits(gb, 2); - s->predictors[i] = get_sbits(gb, x) << (10 - size); + s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size)); } } - tfilter[0] = s->predictors[0] << 6; + tfilter[0] = s->predictors[0] * 64; for (i = 1; i < filter_order; i++) { int32_t *p1 = &tfilter[0]; int32_t *p2 = &tfilter[i - 1]; @@ -446,7 +446,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, p2--; } - tfilter[i] = s->predictors[i] << 6; + tfilter[i] = s->predictors[i] * 64; } x = 1 << (32 - (15 - filter_quant)); @@ -480,7 +480,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } From c1a6521df8d2fbee829501f86a4a907e0318ff24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:50:05 +0200 Subject: [PATCH 436/942] avcodec/lagarith: Fix runtime error: left shift of negative value -1 Fixes: 1424/clusterfuzz-testcase-minimized-6088327159611392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ddb2dd7edbccc5596d8e3c039133be8444cb1d02) 
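Review bot: `get_sbits(gb, size) * (1 << (10 - size))` still relies on `size <= 10` — for a larger `size` the negative shift count is UB exactly as before — and `size` is read outside this hunk, so the assumption should either be checked or stated next to the first `+` line, e.g. `/* size <= 10 is guaranteed by the header parsing */`. A general note that `* (1 << n)` intentionally replaces `<< n` because left-shifting a negative value is UB would help here and in the lagarith, truemotion1 and g723_1 hunks of this series, which make the same change. decode_subframe starts before and continues after these hunks.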
Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 94d723d319..a8d5cef83e 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) From dfda82809ccdf1679e26f4e43b7e8e89ce47572f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:56:45 +0200 Subject: [PATCH 437/942] avcodec/lagarith: Check scale_factor Fixes: 1425/clusterfuzz-testcase-minimized-6295712339853312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed3c9b5b0dd5abb545c48e930e1c32c187b0776a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index a8d5cef83e..ea069b3d04 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, From 4800f38ffb438e93284e5d5d06666fc79a3e1dc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 01:18:36 +0200 Subject: [PATCH 438/942] avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' Fixes: 1428/clusterfuzz-testcase-minimized-5263281793007616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
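Review bot: `x >> 7` on a negative `int8_t` is implementation-defined (arithmetic shift on the compilers FFmpeg targets), so lag_calc_zero_run still depends on non-portable behaviour after the `x * 2` change; a comment, e.g. `/* zigzag decode; relies on arithmetic right shift of negative x */`, or the portable equivalent `return (x * 2) ^ -(x < 0);`, would make that explicit.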
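Review bot: `if (scale_factor >= 32U)` compares against an unsigned constant, so a negative `scale_factor` (its type is declared outside the hunk) is also rejected through the unsigned promotion; that is correct but easy to break by "cleaning up" the `U`, so it deserves a comment, e.g. `/* unsigned compare also rejects a negative scale_factor */`. An av_log matching the `scaled_cumul_prob` error two lines below would make the rejection diagnosable rather than a bare AVERROR_INVALIDDATA.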
Signed-off-by: Michael Niedermayer (cherry picked from commit 2bd8eb05d21b582d627a93852b59cb3cfc305dae) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index a7f75a4baa..9826d363eb 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride, } } } - pixel = colors[code & 3] | (alpha << 24); + pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); } From 70cc62271bd4767e7c7337837648ae4ae8cf4a8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 01:26:39 +0200 Subject: [PATCH 439/942] avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' Fixes: 1429/clusterfuzz-testcase-minimized-5959951610544128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd1790f48c457a8cedb445dcac73f8f7b7698) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 21e38f00a0..a862927936 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
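Review bot: `((unsigned)alpha << 24)` keeps only the low 8 bits of `alpha` and silently discards anything above, and the cast makes a negative `alpha` wrap rather than fail; the interpolation that produces `alpha` is outside the hunk, so whether it is always 0..255 cannot be confirmed here. A comment on the `+` line stating that range, e.g. `/* alpha is 0..255; the cast avoids int overflow for alpha >= 128 */`, documents the assumption, and `(unsigned)(alpha & 0xFF) << 24` would make the truncation explicit if the range is not guaranteed. dxt5_block_internal starts before and ends after the hunk.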
@@ -224,16 +224,16 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; const int rr = (dc + 0x80000); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); From 7956757d7dac2bf0e7a6027302e79f2f1d8e4474 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:33:27 +0200 Subject: [PATCH 440/942] avcodec/y41pdec: Fix width in input buffer size check Fixes: out of array read Fixes: 1437/clusterfuzz-testcase-minimized-4569970002362368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d3729475c7dce52d8fb9ffb280fd2ea62e1a2) 
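Review bot: `const int rr = (dc + 0x80000);` in the hunk's context is still a signed add, and `(z0 + z3) * qmul` converts `qmul` to unsigned; whether `dc` (computed outside the hunk) stays below `INT_MAX - 0x80000` and whether `qmul` can be negative are not visible, so a comment on the `rr` line or on the first `+ const unsigned z0` line should record the expected ranges. Four `const unsigned` locals in an IDCT also need the same explanatory comment as the other unsigned-wrap hunks in this series, otherwise the type choice reads as a signedness bug. ff_svq3_add_idct_c starts before and ends after the hunk.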
Signed-off-by: Michael Niedermayer --- libavcodec/y41pdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/y41pdec.c b/libavcodec/y41pdec.c index 1b177d4262..85a39e4ae2 100644 --- a/libavcodec/y41pdec.c +++ b/libavcodec/y41pdec.c @@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data, uint8_t *y, *u, *v; int i, j, ret; - if (avpkt->size < 3LL * avctx->height * avctx->width / 2) { + if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n"); return AVERROR(EINVAL); } From 742ccace7c3516d2fc23618136e14390a3557af1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:41:23 +0200 Subject: [PATCH 441/942] avcodec/cavs: Check updated MV Fixes: runtime error: signed integer overflow: 251 + 2147483647 cannot be represented in type 'int' Fixes: 1438/clusterfuzz-testcase-minimized-4917542646710272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5871adc90f8c1037535563e33ebeaf032bb4d5d6) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 10a25d8749..0bbf975a80 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -614,8 +614,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } 
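Review bot: The `FFALIGN(avctx->width, 8)` in the size check encodes the Y41P packing (a 12-byte group per 8 pixels, hence the 3/2 factor) without saying so, while the decode loop outside the hunk depends on the same layout; a comment on the `+` line, e.g. `/* Y41P stores 12 bytes per 8 pixels, so the packet must cover width rounded up to 8 */`, keeps the check and the loop in sync. `FFALIGN(avctx->width, 8)` is evaluated in int before the `3LL *` widening, which is fine only as long as width is bounded by the usual image-size validation at init (not shown).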
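Review bot: When `mx`/`my` fall outside the int16 range the code logs and keeps the predicted MV but continues decoding, so a malformed stream is decoded with a wrong vector rather than rejected; since ff_cavs_mv is `void` (see the hunk header), propagating AVERROR_INVALIDDATA would require caller changes, so either a comment on the `av_log` line stating that this is deliberate concealment or a TODO to propagate the error is needed. The `mx != (int16_t)mx` round-trip test also encodes why 16 bits matter (presumably the MV storage type used by set_mvs) and deserves a comment. `get_se_golomb(&h->gb) + (unsigned)mvP->x` assigned to `int` is implementation-defined on wrap, as elsewhere in the series.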
From 00e8a7adf4afb350c1b4556d7d2b66412713c463 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E8=B5=9E?= Date: Wed, 10 May 2017 14:55:34 +0200 Subject: [PATCH 442/942] avformat/wavdec: Check chunk_size Fixes integer overflow and out of array access Signed-off-by: Michael Niedermayer (cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index d95596f6ed..a9ba03f557 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -804,6 +804,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) From 7b4d0a2402b0ac770be0dde62b38d66841f4cdc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:51:58 +0200 Subject: [PATCH 443/942] avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' Fixes: 1441/clusterfuzz-testcase-minimized-6223152357048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea428789371fa0601e9ebb5b7f2216d4e73e831) Signed-off-by: Michael Niedermayer --- libavcodec/dss_sp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index 3187a76eec..f5dfda3642 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -529,7 +529,7 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; - tmp = (tmp + 4096) >> 13; + tmp = (int)(tmp + 4096U) >> 13; error_buf[1] = tmp; From 743c419a59bbd0b75160893e531718241d02466e Mon Sep 17 00:00:00 2001 
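Review bot: `chunk_size == UINT32_MAX` only guards the `+ 1` wrap in `av_mallocz(chunk_size + 1)`; any other value up to 4 GiB still reaches the allocator (and presumably a read of `chunk_size` bytes below, outside the hunk), so a check against the remaining input (avio_size()/avio_tell() when the stream is seekable) or a fixed sane cap for a metadata chunk would reject such input before allocating. A one-line comment on the `+` line, `/* chunk_size + 1 must not wrap */`, also helps. w64_read_header continues outside the hunk.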
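Review bot: This is the third per-operation unsigned cast in dss_sp_shift_sq_sub in this series (see patch 430 earlier), and `tmp = dst[a] * filter_buf[0];` at the top of the same loop is still a signed int32 product; the commit message confirms `tmp` is `int`, so declaring it `unsigned` for the whole accumulation (its declaration is outside the hunk) and converting once where `error_buf[1]` is assigned is less fragile than chasing each expression. A comment noting that the accumulation is intentionally modular arithmetic would also help the next reader.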
From: Michael Niedermayer Date: Wed, 10 May 2017 19:02:05 +0200 Subject: [PATCH 444/942] avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' Fixes: 1443/clusterfuzz-testcase-minimized-4826998612426752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8de60ba2740185c53cabbee6c00ed67a0d530e2) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 2423e21a41..75f914cd2f 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -93,7 +93,7 @@ static inline void tqi_idct_put(TqiContext *t, AVFrame *frame, int16_t (*block)[ static void tqi_calculate_qtable(MpegEncContext *s, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; s->intra_matrix[0] = (ff_inv_aanscales[0]*ff_mpeg1_default_intra_matrix[0])>>11; for(i=1; i<64; i++) From c0744d75497b288a44f5b4a050ac34fb12630546 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 19:09:31 +0200 Subject: [PATCH 445/942] avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 Fixes: 1446/clusterfuzz-testcase-minimized-5577409124368384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db5fae32294763677caa4c1417dcba704c7e764e) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index da843c4440..08af622fa2 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c 
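Review bot: Widening `qscale` to `int64_t` only protects the expressions that use it in the loop below (outside the hunk); the initializer `(215 - 2*quant)*5` is still evaluated in int, which is fine as long as `quant` is a small bitstream value (its range is not visible here) and is worth stating, e.g. `/* quant is a small bitstream value, so the int multiply cannot overflow; int64 is for the scale products below */`. The `intra_matrix[0]` line in the context remains int arithmetic; presumably intended, since it does not involve qscale.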
@@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1 << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1 << 16))) * 2; } #if HAVE_BIGENDIAN From 3812e40894d5f21292456ed16d0b3d8f558a0184 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 21:54:31 +0200 Subject: [PATCH 446/942] avfilter/vf_uspp: Fix currently unused input frame dimensions Found-by: Nicolas Signed-off-by: Michael Niedermayer (cherry picked from commit 942036e97c8b149ce2f3ec6e7cbc990df8713d0c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_uspp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index f963254e11..41f72161d9 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c @@ -227,8 +227,8 @@ static void filter(USPPContext *p, uint8_t *dst[3], uint8_t *src[3], p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA; } // init per MB qscale stuff FIXME - p->frame->height = height; - p->frame->width = width; + p->frame->height = height + BLOCK; + p->frame->width = width + BLOCK; for (i = 0; i < count; i++) { const int x1 = offset[i+count-1][0]; From ee12581551293fbd71fd37f013bf80fce754750d Mon Sep 17 00:00:00 2001 
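Review bot: In make_ydt15_entry the rewrite `hi * (1 << 16)` replaces an undefined left shift with a signed multiplication that still overflows int whenever `hi` exceeds 32767, and after `hi += (hi * 32) + (hi * 1024)` (a 1057x scaling of an int16_t table value) that is reachable unless ydt entries are bounded elsewhere; `lo * (1 << 16)` in make_cdt15_entry in the second hunk has the same exposure. Since the result is a packed pixel pattern rather than a numeric value, doing the packing in unsigned arithmetic and converting back once, e.g. `return (int)(((unsigned)lo + ((unsigned)hi << 16)) << 1);`, removes the remaining signed-overflow UB. If the tables are known to hold only small deltas, a comment stating that bound at the `lo = ydt[p1];` line would let a reader see the multiplication cannot overflow.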
From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:49 +0200 Subject: [PATCH 447/942] avcodec/webp: Always set pix_fmt Fixes: out of array access Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632 Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ libavcodec/webp.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 5fb46b6e8b..7511f4dfc9 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2547,6 +2547,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff --git a/libavcodec/webp.c b/libavcodec/webp.c index a3b1fad6cd..26853d2bd2 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1327,9 +1327,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { From 3cb8d1f2c1672dbda64073ddc3632c51d8750bd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 00:49:31 +0200 Subject: [PATCH 448/942] avcodec/mpeg12dec: Fixes runtime error: division by zero Fixes: 1464/clusterfuzz-testcase-minimized-4925445571084288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
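Review bot: The `av_assert0` added to vp78_decode_frame turns a pix_fmt mismatch into a process abort in the per-frame decode path; with the webp change in the same commit it should be unreachable from input, but any future caller that initialises the shared VP8 context without setting pix_fmt would take the whole process down instead of failing one decode. If a hard internal invariant is intended, a comment saying so, e.g. `/* callers (vp8, webp) must set pix_fmt before decoding */`, would make the contract explicit; otherwise returning `AVERROR_BUG` is the softer failure. The webp hunk now assigns pix_fmt on every frame, so if `has_alpha` can differ between frames decoded through one context the format changes mid-stream, which may be intended but is worth a note. vp78_decode_frame and vp8_lossy_decode_frame both continue outside their hunks.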
Signed-off-by: Michael Niedermayer (cherry picked from commit c0ece1f4addf8ac31df95775a2d36be2a55fc759) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 4f520819e0..4ac31d65c8 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1291,7 +1291,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) { // MPEG-1 aspect - avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255); + AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255); + avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num }; } else { // MPEG-2 // MPEG-2 aspect if (s->aspect_ratio_info > 1) { From ddc77f1f1e9056806d720cfce19800df7148c579 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 15:13:53 +0200 Subject: [PATCH 449/942] avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' Fixes: 1471/clusterfuzz-testcase-minimized-6376460543590400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a0ff78168f80f5b2c5c5544325aca4023bc67a4) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 396a874d95..eb631f7df0 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) s = offset - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); From 47c6f1b6008b0f4a051e1a0a9291f289a0813704 Mon Sep 17 00:00:00 2001 
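Review bot: Swapping numerator and denominator of `av_d2q(ff_mpeg1_aspect[...], 255)` avoids the floating-point division by zero, but when the table entry is 0 (the very case that divided by zero before) av_d2q yields 0/1 as far as I can tell, and the swap then stores a sample_aspect_ratio of 1/0, an AVRational with a zero denominator that downstream consumers may not expect. Guarding the swap, `if (aspect_inv.num) avctx->sample_aspect_ratio = (AVRational){ aspect_inv.den, aspect_inv.num }; else avctx->sample_aspect_ratio = (AVRational){ 0, 1 };`, keeps the "unknown" encoding well formed. mpeg_decode_postinit continues outside the hunk.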
From: Michael Niedermayer Date: Thu, 11 May 2017 15:18:50 +0200 Subject: [PATCH 450/942] avcodec/dvbsubdec: Check entry_id Fixes: randomly writing over the array end Fixes: 1473/clusterfuzz-testcase-minimized-5768907824562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a69f2602fea04b7ebae2db16f2581e8ff5ee0cd) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index c1abf354df..7c9ae999c2 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1215,9 +1215,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); From 07e8da34fab17fa26a4f16b41cf6be10d2b9fe9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:35:24 +0200 Subject: [PATCH 451/942] avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers Signed-off-by: Michael Niedermayer (cherry picked from commit e717fa1f0a66825fb10fec7debad768f311ee240) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 1c6902afd4..386b2f0ed2 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -29,6 +29,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; 
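Review bot: Adding `entry_id < 4` and `entry_id < 16` to the conditions in dvbsub_parse_clut_segment stops the out-of-bounds write, but an entry whose 0x80 depth bit is set with entry_id >= 4 now falls through to the clut16 or clut256 branch and is stored there instead of being rejected. If the depth bits are exclusive that silently accepts malformed data; if they are a bitmask that may legitimately name several tables at once, so the fall-through is intended, a comment saying so is needed because the `else if` chain reads as exclusive. Rejecting explicitly ahead of the chain, `if ((depth & 0x80 && entry_id >= 4) || (depth & 0x40 && entry_id >= 16)) return AVERROR_INVALIDDATA;`, is the conservative alternative. Parenthesising as `(depth & 0x80) && entry_id < 4` would also avoid relying on `&` binding tighter than `&&`. dvbsub_parse_clut_segment continues outside the hunk.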
@@ -74,7 +78,7 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -101,7 +105,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -110,21 +114,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -166,7 +170,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -195,7 +199,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; 
From d75f932e774183f70bc6db88d42214486786d9a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:39:33 +0200 Subject: [PATCH 452/942] avcodec/cllc: Check num_bits Fixes: runtime error: shift exponent -2 is negative Fixes: 1479/clusterfuzz-testcase-minimized-6638493360979968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bfd0a97587d26c0c39413a6291ccc66e4a928d0) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 386b2f0ed2..24fa168e36 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -55,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; From b8c80b9d2dcae1902cd943c7f35eecde06f9621d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 19:10:16 +0200 Subject: [PATCH 453/942] avcodec/msmpeg4dec: Check for cbpy VLC errors Fixes: runtime error: left shift of negative value -1 Fixes: 1480/clusterfuzz-testcase-minimized-5188321007370240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15e892aad12b23e9b5686cf66ca6fa739c734ead) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 8f3b6a6650..f407910f2b 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c 
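Review bot: The new error message in read_code_table has a typo: `"To long VLCs %d\n"` should be `"Too long VLCs %d\n"`. The bound `VLC_BITS * VLC_DEPTH` is, as I understand the two-stage `GET_VLC` macro, the longest code the table built with these parameters can resolve, which is not obvious from the line; a comment such as `/* GET_VLC(..., VLC_BITS, VLC_DEPTH) cannot resolve codes longer than VLC_BITS*VLC_DEPTH bits */` would explain why 14 is the limit. Setting `vlc->table = NULL` on the error path presumably keeps the caller's cleanup from freeing an uninitialised table; a one-line comment stating that would help too. read_code_table continues outside the hunk.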
@@ -170,12 +170,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; From a53182a71c0773f2c322cac33e118f74d21b6558 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 23:24:23 +0200 Subject: [PATCH 454/942] avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 Fixes: 1487/clusterfuzz-testcase-minimized-6288036495097856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6899e6e56065d9365963e02690dc9e2ce7866050) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index b31d71f729..05249f3157 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1966,9 +1966,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; From 188e015c7b4bc78b515bc4171cbfd1d03836ab86 Mon Sep 17 00:00:00 2001 
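Review bot: The two branches in msmpeg4v12_decode_mb now duplicate the VLC read, the error check and the `cbp|= v<<2` update verbatim; only the `ac_pred` assignment and the P-picture XOR differ, so the common part can be hoisted out of the `if(s->msmpeg4_version==2)` split without changing bitstream read order, since `get_bits1` precedes `get_vlc2` in both paths. The `return -1` could be `AVERROR_INVALIDDATA` if the callers propagate error codes, but only if the rest of this function already does. The enclosing function starts and ends outside the hunk; the rewrite below covers the else-branch only.
```c
    } else {
        int v;
        s->ac_pred = s->msmpeg4_version == 2 ? get_bits1(&s->gb) : 0;
        v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
        if (v < 0) {
            av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
            return -1;
        }
        cbp |= v << 2;
        if (s->msmpeg4_version != 2 && s->pict_type == AV_PICTURE_TYPE_P)
            cbp ^= 0x3C;
        *mb_type_ptr = MB_TYPE_INTRA;
```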
From: Michael Niedermayer Date: Fri, 12 May 2017 13:05:46 +0200 Subject: [PATCH 455/942] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' Fixes: 1503/clusterfuzz-testcase-minimized-5369271855087616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df640dbbc949d0f4deefaf43e86b8bd50ae997cc) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index cfa25f08dc..7b59d10a43 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; From 43965feca7d328b1c6f1c12e17ba6cb9623f8291 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:13:46 +0200 Subject: [PATCH 456/942] avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 Fixes: 1504/clusterfuzz-testcase-minimized-6249212138225664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4c0245686bc2fcc545644101c7b328fed71f268) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 735d0360b7..5f0d625eec 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c 
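Review bot: Only the multiplication is made unsigned in `181U * (a1 - a5 + a7 - a3)`; the parenthesised sum is still evaluated in int, so if a1..a7 can individually approach INT_MAX/4 the additions themselves remain signed-overflow UB, and they are fed by the same malformed coefficients that produced the reported product overflow. Casting the first operand, `(int)(181U * ((unsigned)a1 - a5 + a7 - a3) + 128) >> 8`, moves the whole expression into wraparound arithmetic, and a comment noting that the `(int)` re-conversion relies on two's-complement wraparound (implementation-defined, but what FFmpeg assumes throughout) would make the idiom clear. The context line `b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8;` has the same signed-addition exposure. wmv2_idct_row continues outside the hunk.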
@@ -694,13 +694,13 @@ static int estimate_sid_gain(G723_1_Context *p) if (y <= 0) { t = seg * 32 + (val + 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val++; } else { t = seg * 32 + (val - 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val--; } From b2d2e591747538f95196b4783399dbdca3869e79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:15:33 +0200 Subject: [PATCH 457/942] avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 1505/clusterfuzz-testcase-minimized-4561688818876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f225003d17364cd38fd28f268ae2b29abd8e5024) Signed-off-by: Michael Niedermayer --- libavcodec/texturedsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 9826d363eb..9283f2973b 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride, for (x = 0; x < 4; x++) { uint8_t alpha = alpha_values[x]; - uint32_t pixel = colors[code & 3] | (alpha << 24); + uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); From 86a7a933fcb9e10816ef408c1254834c84e9353d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 13:01:36 +0200 Subject: [PATCH 458/942] avcodec/avcodec: Limit the number of side data elements per packet Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496 See: [FFmpeg-devel] [PATCH] avcodec/avcodec: Limit the number of side data elements per packet Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
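Review bot: `val = (seg2 - 1) * 16 + val;` fixes the reported shift of a negative value, but the adjacent context lines `t = seg * 32 + (val + 1 << seg2);` and `(val - 1 << seg2)` keep the same pattern: a left shift whose left operand is `val ± 1`, undefined if that ever goes negative, and whose precedence (`(val + 1) << seg2`) is easy to misread. If `val` is known non-negative at this point a comment saying so would help; otherwise `(val + 1) * (1 << seg2)` is the matching fix. The assignment itself reads more naturally as `val += (seg2 - 1) * 16;`. estimate_sid_gain continues outside the hunk.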
Signed-off-by: Michael Niedermayer (cherry picked from commit d5711cb89121268e8d78ebe8563a68e67a236cbb) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 10 ++++++++++ libavcodec/avpacket.c | 5 ++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index d8497655b0..54c7e49c59 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1403,6 +1403,16 @@ enum AVPacketSideDataType { * side data includes updated metadata which appeared in the stream. */ AV_PKT_DATA_METADATA_UPDATE, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 3480c23368..5e2e969659 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -283,7 +283,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, AVPacketSideData *tmp; int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return AVERROR(ERANGE); tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); @@ -416,6 +416,9 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); From d302803c393949a0e9f418e501e22db6e52802c3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 10 May 2017 14:50:40 +0200 Subject: [PATCH 459/942] avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' Fixes: 1440/clusterfuzz-testcase-minimized-5785716111966208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccce2248bf56692fc7bd436ca2c9acca772d486a) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 7d9cfa8278..fed5c67a90 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
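Review bot: In vp7_luma_dc_wht_c the intermediate products `(dc[...] ± dc[...]) * 23170` and `dc[...] * 12540 - dc[...] * 30274` are still evaluated in int before being stored into the now-unsigned a1..d1; with int16_t inputs they stay below INT_MAX as far as the visible types go, so the change is correct, but that bound is what makes it so and deserves a comment at the declaration, e.g. `/* unsigned: the a1+d1 etc. sums may exceed INT_MAX; the (int) casts below rely on two's-complement wraparound */`. The `(int)(...) >> 14` casts here and the `>> 18` casts in the following hunk convert an out-of-range unsigned value to int, which is implementation-defined rather than UB and is the FFmpeg convention, but a one-line note spares the next reader the analysis. The second hunk (the block[][] stores) shares this note.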
@@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } From 4bc3ae5533f2bec59d3f72fac90709c942e93e44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 14:39:26 +0200 Subject: [PATCH 460/942] avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 Fixes: 1512/clusterfuzz-testcase-minimized-4713846423945216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74dc728a2c2cc353da20cdc09b8cdfbbe14b7be8) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 6 +++--- libavcodec/mlpdsp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 7cad5d1cad..b471f0d760 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; 
@@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c37708..2fc453c1f0 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1 << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From 03b8d285df974d4f4c6c6ec782bfba780224a5b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 04:12:15 +0200 Subject: [PATCH 461/942] avcodec/aacsbr_template: Do not change bs_num_env before its checked Fixes: 1489/clusterfuzz-testcase-minimized-5075102901207040 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87b08ee6d2a3b0880f0a267c5d51dc7f415e81d7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 98c9a8e649..3dcdcd898d 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c 
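Review bot: In ff_mlp_pack_output `sample_buffer[i][mat_ch] * (1 << output_shift[mat_ch])` is only free of UB if output_shift is non-negative; if the decoder parses output_shift as a signed field, as I believe it does, a negative value makes `1 << output_shift` undefined just as the shift it replaces was, and the range should be checked where the field is parsed rather than here. The unchanged line `*data_32++ = sample << 8;` still shifts a possibly negative `sample`, so the same class of report is likely to return for this function. The read_filter_params and generate_2_noise_channels hunks are fine provided coeff_shift and noise_shift are bounded by their bit widths; a comment noting the bound at each site would make that visible. ff_mlp_pack_output continues outside the hunk.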
@@ -623,25 +623,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", + bs_num_env); + return -1; + } + ch_data->bs_num_env = bs_num_env; num_rel_lead = ch_data->bs_num_env - 1; if (ch_data->bs_num_env == 1) ch_data->bs_amp_res = 0; - if (ch_data->bs_num_env > 4) { - av_log(ac->avctx, AV_LOG_ERROR, - "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; - return -1; - } ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -689,15 +690,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; 
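Review bot: Deferring the writes to `ch_data->bs_num_env` and `ch_data->bs_frame_class` until after validation is the right fix for FIXFIX and VARVAR, but the FIXVAR and VARFIX cases lie between the two hunks and are not visible; if they still assign `ch_data->bs_num_env` directly before their own range checks, the stale-state problem this commit fixes remains there. The new local `bs_num_env` is declared without an initialiser and is only assigned in the cases shown, so any case that does not set it must not read it after the switch; a comment at the declaration, `/* set by every case before use */`, or initialising it to `ch_data->bs_num_env`, would make that explicit. The `return -1` on invalid envelope counts could be `AVERROR_INVALIDDATA` to match the codec's other error returns, if callers propagate it. read_sbr_grid starts and ends outside these hunks.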
@@ -712,6 +713,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; av_assert0(bs_pointer >= 0); if (bs_pointer > ch_data->bs_num_env + 1) { From 113bba3a2a1dec02956bf4edde3d17a43f6dd8ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:13:48 +0200 Subject: [PATCH 462/942] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 Fixes: 1535/clusterfuzz-testcase-minimized-5826695535788032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 26227d91865ddfbfe35c9ff84853cc469e1c7daf) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index eb631f7df0..bbb120f6fe 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx) static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign) { dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE)); - dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1)); + dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2)); return dst + 2; } 
@@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign) { unsigned nz = idx >> 12; - dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1)); + dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2)); return dst + 4; } From f8502c267f0dc317cf0b6c3b98427d967f0b21a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:27:27 +0200 Subject: [PATCH 463/942] avcodec/webp: Add missing input padding Fixes: 1536/clusterfuzz-testcase-minimized-5973925404082176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3508cc3fe643a8adad6a82a60bece3ea3c5dc63) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 26853d2bd2..f19e448504 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1043,7 +1043,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); From c24bff130d612a8412a31202c8da0467ed7b91aa Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 13 May 2017 19:28:01 +0200 Subject: [PATCH 464/942] avcodec/ac3dec: Keep track of band structure It is needed in some corner cases that seem not to be forbidden Fixes: out of array index Fixes: 1538/clusterfuzz-testcase-minimized-4696904925446144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9351a156de724edb69ba6e1f05884fe806a13a21) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 27 +++++++++++++++------------ libavcodec/ac3dec.h | 2 ++ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index f82f3974ef..3b93c7537d 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -744,30 +744,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -894,7 +895,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); } } if (!s->eac3 || !s->spx_in_use) { 
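Review bot: The Doxygen block for decode_band_structure documents the new `band_struct` parameter but not `band_struct_size`; add `@param[in] band_struct_size size of band_struct in bytes (must cover start_subband + n_subbands)`. The new `av_assert0(band_struct_size >= start_subband + n_subbands)` aborts the process if it ever fails; if start_subband/end_subband are bitstream-derived and validated by the callers, a comment naming that check would be useful, and if they are not, this should be an `AVERROR_INVALIDDATA` return rather than an assertion. The unconditional `memcpy(band_struct, default_band_struct, band_struct_size)` on block 0 assumes the default table is at least band_struct_size bytes; a note on the two default tables' sizes would make that visible. decode_band_structure's body continues outside the hunk.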
@@ -1028,7 +1030,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index b3498fec96..fe3cf86c43 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -126,6 +126,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -142,6 +143,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) From 09ac75c47ca053cfa8614066115bf9213f1f35ef Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 13 May 2017 23:13:38 +0200 Subject: [PATCH 465/942] avcodec/mlpdec: Check that there is enough data for headers Fixes: out of array access Fixes: 1541/clusterfuzz-testcase-minimized-6403410590957568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3e51f8c14d22ae11684dcfe58df355f0f9e6401) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index b471f0d760..fa4347fb23 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1162,6 +1162,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; From f857975bfd2c5e072e282c004f0a6e15ae8192a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:16:44 +0200 Subject: [PATCH 466/942] avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' Fixes: 1556/clusterfuzz-testcase-minimized-5027865978470400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86b1b0d33dd7459f0d9c352c51ee2e374fd6f7fe) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index a862927936..0d63736007 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
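Review bot: The new error string is misspelled; it should read `av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n");`. The check itself is placed correctly, after `substr_header_size` has been fully accumulated by the loop that ends just above it, but the types of `length`, `header_size` and `substr_header_size` are not visible here, so whether the sum can overflow cannot be judged from the hunk. `read_access_unit` starts and ends outside the hunk.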
@@ -206,7 +206,7 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } From e1fcdf1930a7ac4639bd98f763bdb1a12661ea22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:21:24 +0200 Subject: [PATCH 467/942] avcodec/webp: Fix signedness in prefix_code check Fixes: out of array read Fixes: 1557/clusterfuzz-testcase-minimized-6535013757616128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c5cd1c9d33b4b287f85d42efb1aecfaee31de6c) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index f19e448504..cf8fadd098 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,7 +694,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; From 52f4c9c31fd356942cfb22e737f1bb1cbdb52622 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:24:04 +0200 Subject: [PATCH 468/942] avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' Fixes: 1559/clusterfuzz-testcase-minimized-5048096079740928 Fixes: 1560/clusterfuzz-testcase-minimized-6011037813833728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8630b2cd36c57918acfe18302fe77d1ceefbd676) 
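Review bot: Style: `1538U* block[0]` is missing the space around the operator; `dc = 13 * 13 * (dc == 1 ? 1538U * block[0]` matches the rest of the expression. The other branch of the conditional, `qmul * (block[0] >> 3) / 2`, still runs in signed `int`, so whether it can overflow depends on the range of `qmul`, which the hunk does not show; a one-line comment saying why only the constant branch needed the unsigned promotion would help the next reader. The whole conditional now has unsigned type and is converted back to `int` on assignment to `dc`, which is the implementation-defined idiom this codebase uses elsewhere, but it is worth knowing that is what happens. `ff_svq3_add_idct_c` starts and ends outside the hunk.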
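Review bot: `if (prefix_code > 39U)` reads like a stray suffix, while the intent is that the comparison happens unsigned so a negative `prefix_code` (the format string below prints it with `%d`, so it is presumably an `int`, and a negative value is presumably an error return from `huff_reader_get_symbol`) is rejected along with codes above 39. Put that on the line, e.g. `/* unsigned compare: also rejects a negative (error) symbol */`, so nobody "fixes" the `U` away. `decode_entropy_coded_image` starts and ends outside the hunk.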
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 98a286a44f..5f7e11fc33 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; From 4ffab6703b61a1da055c62dab80c7a661601dbe9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Apr 2017 18:46:48 +0200 Subject: [PATCH 469/942] libswscale/tests/swscale: Fix uninitialized variables Signed-off-by: Michael Niedermayer (cherry picked from commit 7796f290653349a4126f2d448d11bb4440b9f257) Signed-off-by: Michael Niedermayer --- libswscale/swscale-test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index 4d8d08bd1a..b1a526dcac 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -307,10 +307,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; From 49109b0c6fbaecab1075e3e6c44f274342db844b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:00:42 +0200 Subject: [PATCH 470/942] avcodec/g723_1dec: Fix LCG type Fixes: 1567/clusterfuzz-testcase-minimized-5693653555085312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2c539d3501111f10a2b4e9480ea54c0a3190680) 
Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 5f0d625eec..36b9197cf1 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -487,7 +487,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (FRAME_LEN - lag) * sizeof(*out)); } else { /* Unvoiced */ for (i = 0; i < FRAME_LEN; i++) { - *rseed = *rseed * 521 + 259; + *rseed = (int16_t)(*rseed * 521 + 259); out[i] = gain * *rseed >> 15; } memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf)); From 99cbee2a2f58c10e32ccbfdf5be7d2c7ef871ee7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:06:56 +0200 Subject: [PATCH 471/942] avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' Fixes: 1568/clusterfuzz-testcase-minimized-5944868608147456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b923213276777f33d6366b1cb9d1845a8658f365) Signed-off-by: Michael Niedermayer --- libavcodec/hqxdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index 04a65e7767..7f8044e463 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -47,8 +47,8 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; - t8 = (t6 * 11585) >> 14; - t9 = (t7 * 11585) >> 14; + t8 = (int)(t6 * 11585U) >> 14; + t9 = (int)(t7 * 11585U) >> 14; tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); From e2fd01c28228c78bc441927328fe5d9f36f7af0f Mon Sep 17 00:00:00 2001 
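Review bot: The cast in `*rseed = (int16_t)(*rseed * 521 + 259);` deserves a comment saying the narrowing is deliberate, otherwise it looks like a silenced warning; presumably the generator is defined modulo 2^16 and the truncation is the intended wrap (the declared type of `rseed` is outside the hunk). Suggest `/* LCG state is kept modulo 2^16: the narrowing cast is the intended wrap */`. `residual_interp` starts and ends outside the hunk.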
From: Michael Niedermayer Date: Sun, 14 May 2017 14:42:45 +0200 Subject: [PATCH 472/942] avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' It seems dual mono with a LFE channel is not forbidden Fixes: 1570/clusterfuzz-testcase-minimized-6455337349545984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c55e637072b694a1db40e21948d218bfa2e744bb) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 3b93c7537d..4971abe9f4 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1331,7 +1331,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; From eeece50aa2f420a96824246ee54bf836a857d823 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 16:47:13 +0200 Subject: [PATCH 473/942] avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode Fixes: Integer overflow Fixes: 1572/clusterfuzz-testcase-minimized-4578773729017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 467677769a2222ff8beab3c4d7826df9b7cbc81b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index c41f6aa8b6..fc1c8297b9 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
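Review bot: The added `&& ch <= 2` has no comment explaining why a third channel can exist in dual-mono mode; per the commit message it is the LFE, and with this change it keeps `audio_channel = 0`, i.e. it takes the first program's compression and gain. A comment on that line, e.g. `/* dual mono: ch 1/2 are the two programs; any further channel (LFE) uses program 0's gain */`, records that choice, hedged as the intent since the channel-layout logic is outside the hunk. `decode_audio_block` starts and ends outside the hunk.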
@@ -2438,16 +2438,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { From a359138fb3aaa923e3a3d9fb62b140a299f56056 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 01:35:56 +0200 Subject: [PATCH 474/942] avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' Fixes: 1510/clusterfuzz-testcase-minimized-5826231746428928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit afb4632cc30e83287338690c785ebac180436a59) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index a3d3c676eb..7cb89dade7 100644 --- a/libavcodec/dds.c 
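Review bot: Style in the new inner condition: `if((ctx->vol_sprite_usage == STATIC_SPRITE ||` lacks the space after `if` and wraps the `||` expression in a redundant extra pair of parentheses that the surrounding code does not use; `if (ctx->vol_sprite_usage == STATIC_SPRITE ||` with the continuation line aligned under it matches the file's style. The new `else` branch would also benefit from a comment on why the offsets are cleared, e.g. `/* S-VOP without a sprite: clear stale sprite state so it is not reused later */`; the commit message names the overflow symptom, but a reader of the code will only see two memsets. `decode_vop_header` starts and ends outside the hunk.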
+++ b/libavcodec/dds.c
@@ -676,7 +676,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
 (frame->data[1][2+i*4]<<0)+
 (frame->data[1][1+i*4]<<8)+
 (frame->data[1][0+i*4]<<16)+
- (frame->data[1][3+i*4]<<24)
+ ((unsigned)frame->data[1][3+i*4]<<24)
 );
 frame->palette_has_changed = 1;
From 0246760e94510844918334cd0d1297ce297822b7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 13 May 2017 01:31:19 +0200
Subject: [PATCH 475/942] avcodec/rscc: Check pixel_size for overflow
Fixes: 1509/clusterfuzz-testcase-minimized-5129419876204544
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 934572c5c3592732a30336afdf2df9926a8b4df2)
Signed-off-by: Michael Niedermayer
---
 libavcodec/rscc.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
index 0c3e81845d..78a8bcea0b 100644
--- a/libavcodec/rscc.c
+++ b/libavcodec/rscc.c
@@ -184,6 +184,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
 ctx->tiles[i].y = bytestream2_get_le16(gbc);
 ctx->tiles[i].h = bytestream2_get_le16(gbc);
+ if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * 4 > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n");
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
 pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * 4;
 ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i,
Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 24fa168e36..97d3ae40ea 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -81,6 +81,10 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } From edf7bd14a8bdd18b035b25f927a2e3064476ddec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:02 +0200 Subject: [PATCH 477/942] avcodec/webp: Factor update_canvas_size() out Signed-off-by: Michael Niedermayer (cherry picked from commit c4f63b78b71e07dd2f5d49c032d9c3eef620c0f3) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index cf8fadd098..fed02b542b 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1099,6 +1099,21 @@ static int apply_color_indexing_transform(WebPContext *s) return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) 
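Review bot: `(65535 - 256)/2` is a magic bound with no explanation; from the `prefix <<= 1;` on the next line it appears chosen so that the doubled prefix plus up to 256 codes of the next length still fits in 16 bits, but that is an inference the code should state. Suggest a comment on the check, e.g. `/* keep prefix*2 + 256 within 16 bits so the shift below cannot overflow the code space */`. Whether `vlc->table = NULL` on this error path discards a table that `read_code_table` allocated earlier is not visible from the hunk; if a table can already exist at this point, the early return would leak it. `read_code_table` starts and ends outside the hunk.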
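Review bot: `update_canvas_size()` has no doc comment, and its contract is worth stating: it only warns on a width/height mismatch and then unconditionally overwrites `s->width`/`s->height` with the new values, e.g. `/* Record the canvas size of the current chunk; warn (but do not fail) if it differs from the size seen earlier. */`. Whether a mismatch should be a hard error instead of a warning is a question the hunk does not answer, since the inline code it replaces behaved the same way. The factored-out copy also quietly corrects the height message, which in the removed inline version printed `s->width, w`; that deserves a mention in the commit message. The hunk ends inside the signature of `vp8_lossless_decode_frame`.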
@@ -1123,16 +1138,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) From 8198258d9ef8e26cdfedbf424406b7bbf4aaeb79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:03 +0200 Subject: [PATCH 478/942] avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() Fixes: 1407/clusterfuzz-testcase-minimized-6044604124102656 Fixes: 1420/clusterfuzz-testcase-minimized-6059927359455232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 72810d20b74f05cc4b214d6c277fa6f43160df54) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index fed02b542b..e119a25799 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1350,6 +1350,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); if (ret < 0) return ret; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From 2790054dc266a777a81657eb076f2ce5bc702546 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 9 May 2017 16:08:14 +0200 Subject: [PATCH 479/942] avcodec/snowdec: Check width Fixes: out of array read Fixes: 1419/clusterfuzz-testcase-minimized-6108700873850880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78aa93807b3e0674e34d32c0bf6f78d7f5b7927e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 97f55288c1..022e9693c7 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } s->qlog += get_symbol(&s->c, s->header_state, 1); From c82ea252e3d3fc5b5bf0fdeb4a5d18707a4ce0ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 13:25:34 +0200 Subject: [PATCH 480/942] avcodec/flacdec: Return error code instead of 0 for failures Fixes: infinite loop Fixes: 1418/clusterfuzz-testcase-minimized-5934472438480896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f5a68533decdfb4757207e8d7b5af06e1dcd197) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 4dde0e0591..c372c1b91d 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
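Review bot: `65536-4` is an unexplained magic number; the commit message says only that an out-of-array read is fixed, not which buffer or field the bound protects, so a reader cannot tell what other constant it must stay in step with. Suggest a comment on that line naming the origin of the limit, e.g. `/* width bound: larger values overflow <the field/table this protects — confirm> */`, or a named constant next to the other size checks in this header parser. The check reads `s->avctx->width` rather than a value parsed in this header, so it relies on the width having been set before `decode_header` runs. `decode_header` starts and ends outside the hunk.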
@@ -201,12 +201,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); From 9cd39ab7d3d4e73ed5051f82d1e16b0d57996751 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 14:28:20 +0200 Subject: [PATCH 481/942] avcodec/opus_silk: Fix integer overflow and out of array read Fixes: 1362/clusterfuzz-testcase-minimized-6097275002552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4654baff125d937ae0b1037aa5f0bf53c7351658) Signed-off-by: Michael Niedermayer --- libavcodec/opus_silk.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 73526f9800..408e4bf43c 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) From ec7206fdf801cec037f18a16d89ff37be48a8945 Mon Sep 17 00:00:00 2001 
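Review bot: `get_metadata_size()` now returns a negative `AVERROR_INVALIDDATA` where it used to return 0, so every caller that treats the result as a byte count (an `if (!size)` test, or adding it to a pointer) has to be checked for a `< 0` test; the callers are outside this hunk and the diffstat shows only these two lines changed, so presumably they already handle negatives, but that should be confirmed. The function's doc comment, outside the hunk, should also say that it returns a negative error code when the buffer is too short. Whether the rest of the function still has a `return 0` meaning "failure" is worth a glance so the two conventions do not coexist.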
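Review bot: The clamp `FFMIN(nlsf[i - 1] + min_delta[i], 32767)` fixes the overflow, but the literal is unexplained; `nlsf` is declared `int16_t nlsf[16]`, so this is `INT16_MAX`, and either using `INT16_MAX` or a comment such as `/* clamp to INT16_MAX so the int16_t store cannot wrap */` would make that explicit. The unchanged line that follows compares against `32768 - min_delta[order]`, which uses the other convention, so the two constants are worth aligning. `silk_stabilize_lsf` starts and ends outside the hunk.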
From: Michael Niedermayer Date: Fri, 5 May 2017 13:16:07 +0200 Subject: [PATCH 482/942] avcodec/aacps: Fix undefined behavior Fixes: 1337/clusterfuzz-testcase-minimized-5212314171080704 Fixes the existence of a potentially invalid pointer intermediate Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527f89e05922e840083ac6d49eeb838b1e350dd4) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index ccc79ffc1d..48b595adbd 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width); } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } From 55d320ddf850fc720720825cc7cee72b866c8cd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2017 21:19:06 +0200 Subject: [PATCH 483/942] avcodec/tiff: reset sampling[] if its invalid Fixes divission by 0 Fixes: clusterfuzz-testcase-minimized-5592896440893440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f08122fbe039a56ab3c24f74636b4b0efea97d85) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index af433d9a4e..dac406862d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -1018,6 +1018,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
 s->subsampling[i] = ff_tget(&s->gb, type, s->le);
 if (s->subsampling[i] <= 0) {
 av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]);
+ s->subsampling[i] = 1;
 return AVERROR_INVALIDDATA;
 }
 }
From cd4674f608b6dca14ceb8ef1aa1611fc931b1e03 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 15 May 2017 21:21:20 +0200
Subject: [PATCH 484/942] avcodec/svq3: Fix runtime error: left shift of negative value -6
Fixes: 1604/clusterfuzz-testcase-minimized-5312060206350336
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit a6eb006ad47beb6d5e5cc2c99f8185965209ec6b)
Signed-off-by: Michael Niedermayer
---
 libavcodec/svq3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 0d63736007..e05cab5a04 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -397,8 +397,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
 if (mode != PREDICT_MODE) {
 pred_motion(h, sl, k, part_width >> 2, dir, 1, &mx, &my);
 } else {
- mx = s->next_pic->motion_val[0][b_xy][0] << 1;
- my = s->next_pic->motion_val[0][b_xy][1] << 1;
+ mx = s->next_pic->motion_val[0][b_xy][0] * 2;
+ my = s->next_pic->motion_val[0][b_xy][1] * 2;
 if (dir == 0) {
 mx = mx * h->frame_num_offset /
From e05148dfe6d2727f1bb08c8da385ac85ed27c0cf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 16 May 2017 03:04:26 +0200
Subject: [PATCH 485/942] avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
Fixes: 1616/clusterfuzz-testcase-minimized-5119196578971648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
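Review bot: The reset `s->subsampling[i] = 1;` on the error path has no comment; per the commit message it prevents a later division by zero when decoding continues after the failed tag, but a reader of the code only sees a value being overwritten just before an error return. Suggest `/* leave a usable value: later code divides by subsampling[] even if this tag was rejected */`, hedged to whatever the caller actually does with the error, which is outside this hunk. Only the current index is reset, which is fine here because earlier indices were validated by previous iterations of the same loop. `tiff_decode_tag` starts and ends outside the hunk.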
Signed-off-by: Michael Niedermayer (cherry picked from commit 5ea6bc2a166edac37042f2bbc28eb603a0fbeccb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 08af622fa2..28dccaae47 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -180,7 +180,7 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; hi += (hi * 32) + (hi * 1024); - return (lo + (hi * (1 << 16))) * 2; + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -190,7 +190,7 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) b = cdt[p2]; r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo * (1 << 16))) * 2; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN From dcbebc931eb94b894478b1fa604c420f98e39132 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 May 2017 23:44:24 +0200 Subject: [PATCH 486/942] avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int' Fixes: 1626/clusterfuzz-testcase-minimized-6416580571299840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d9cb583c8f005a260d255853ef5f1c21e8599a0) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index b5113f3ca9..d18464769d 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c 
@@ -82,7 +82,7 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], pos += ff_hq_ac_skips[val]; if (pos >= 64) break; - block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12; + block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12; pos++; } From e79851f2e7cdd4f8c418bddf8599c6dd383eb50d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:44:36 +0200 Subject: [PATCH 487/942] avcodec/takdec: Fix runtime error: left shift of negative value -42 Fixes: 1635/clusterfuzz-testcase-minimized-4992749856096256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99c4c76cfbc4ae56dc8c37f5fab02f88f6b2cb48) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index dd50cc7669..43b3c92077 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -893,7 +893,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] <<= 8; + samples[i] *= 1 << 8; } break; } From 28f2341e2f26f448ade857aff650e77a88c506c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:53:32 +0200 Subject: [PATCH 488/942] avcodec/mlpdec: Fix runtime error: left shift of negative value -1 Fixes: 1636/clusterfuzz-testcase-minimized-5310494757879808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 552adf1dd3a38fb7a1a6109dd2b517d63290f20e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index fa4347fb23..eaf1aa7c75 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -701,7 +701,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, /* TODO: Check validity of state data. */ for (i = 0; i < order; i++) - fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0; + fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0; } } From c32237e94850a77a2b0ea860c57a8f5aceff6618 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 01:12:55 +0200 Subject: [PATCH 489/942] avcodec/flicvideo: Check frame_size before decrementing Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int' Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 355e27e24dc88d6ba8f27501a34925d9d937a399) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 3e0573af93..6f0961ce96 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -202,6 +202,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size < 16) + return AVERROR_INVALIDDATA; + frame_size -= 16; /* iterate through the chunks */ @@ -520,6 +523,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ From a1babbd4de4fe75adfec113c97dd966e7f33d325 Mon Sep 17 00:00:00 2001 
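Review bot: `get_sbits(gbp, state_bits) * (1 << state_shift)` removes the left shift of a negative value but not the underlying problem: `1 << state_shift` is itself undefined once `state_shift` reaches the width of `int`, and the product can overflow `int` before that; the range of `state_shift` is not visible in this hunk. The `/* TODO: Check validity of state data. */` comment directly above suggests that no bound is enforced here, so if `state_shift` comes from the bitstream a range check on it (or widening the product, e.g. via `int64_t`) is the durable fix, and if it is already bounded by the syntax a comment saying so would stop the next reader from asking. `read_filter_params` starts and ends outside the hunk.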
From: Michael Niedermayer Date: Wed, 17 May 2017 15:51:46 +0200 Subject: [PATCH 490/942] avcodec/aacdec_template: Fix fixed point scale in decode_cce() Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int' Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53a502206a9ea698926694d7252526fe00d1ea44) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 6bc94c879a..ded9e464a7 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2155,7 +2155,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1); sign = get_bits(gb, 1); - scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)]; +#if USE_FIXED + scale = get_bits(gb, 2); +#else + scale = cce_scale[get_bits(gb, 2)]; +#endif if ((ret = decode_ics(ac, sce, gb, 0, 0))) return ret; From a1627fe9283d1dbba8e83705a83cb77de213bc5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 16:45:46 +0200 Subject: [PATCH 491/942] avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 26bdea1ecc..708779312c 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
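Review bot: The new `#if USE_FIXED` split gives no reason why the fixed-point build keeps the raw 2-bit field while the float build looks it up in `cce_scale`; per the commit message the fixed-point path later uses `scale` as a shift count, so the table value was being used as an exponent. A comment on the `#if`, e.g. `/* fixed point: scale is applied later as a shift count, so keep the 2-bit index; float: table lookup */`, hedged on what `cce_scale` holds, would keep the next reader from "fixing" the asymmetry. The replaced line used `AAC_RENAME(cce_scale)` and the `#else` branch now names `cce_scale` directly, which is consistent only if that name is not renamed in the float build; the hunk does not show the definition. `decode_cce` starts and ends outside the hunk.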
@@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb) if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { From cf44f0ae6a52d2c470861aeb938393cad3f047e6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 22 Apr 2017 13:25:32 -0300 Subject: [PATCH 492/942] avcodec/options: factorize avcodec_copy_context() cleanup code Reviewed-by: Aaron Levinson Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 54a4c9b4e9a1524b1ac5d2be97c8042272402d0a) --- libavcodec/options.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/libavcodec/options.c b/libavcodec/options.c index ea2563b571..35098b864d 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -179,6 +179,18 @@ void avcodec_free_context(AVCodecContext **pavctx) av_freep(pavctx); } +static void copy_context_reset(AVCodecContext *avctx) +{ + av_opt_free(avctx); + av_freep(&avctx->rc_override); + av_freep(&avctx->intra_matrix); + av_freep(&avctx->inter_matrix); + av_freep(&avctx->extradata); + av_freep(&avctx->subtitle_header); + avctx->subtitle_header_size = 0; + avctx->extradata_size = 0; +} + int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { const AVCodec *orig_codec = dest->codec; 
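Review bot: The `else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb))` on the line after the changed condition still multiplies in int; it is reachable only when `mux_slot_length_bytes * 8LL <= get_bits_left(gb)`, so the product itself fits, but the `+ 256` can still wrap for a get_bits_left() value within 256 of INT_MAX. That is unrealistic for a real buffer, but the line is one character away from matching the one above it: `} else if (mux_slot_length_bytes * 8LL + 256 < get_bits_left(gb)) {` keeps the two consistent. In the first hunk the `get_bits_left(gb) < 8` guard makes read_payload_length_info return AVERROR_INVALIDDATA for the first time, and the new `< 0` test at the call site is what propagates it; a one-line comment at the call site noting that a negative return is an error code would document the new contract. Both functions continue outside the hunks.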
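Review bot: copy_context_reset has no comment stating its contract, although it is now the single routine both the pre-copy path and the `fail:` path rely on to release everything avcodec_copy_context allocates separately. Suggest `/* Free and clear every field avcodec_copy_context() allocates separately; keep in sync with the alloc_and_copy_or_fail() list. */` above the definition. The factoring also changes the two call sites slightly: the pre-copy path now zeroes `subtitle_header_size`/`extradata_size` (harmless, the memcpy overwrites them), and the `fail:` path now calls av_opt_free() first instead of last; if av_opt_free() touches any of the freed pointers, that reordering is worth confirming. The second and third hunks are the two call sites.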
@@ -191,12 +203,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) return AVERROR(EINVAL); } - av_opt_free(dest); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); + copy_context_reset(dest); memcpy(dest, src, sizeof(*dest)); av_opt_copy(dest, src); @@ -248,14 +255,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; fail: - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); - dest->subtitle_header_size = 0; - dest->extradata_size = 0; - av_opt_free(dest); + copy_context_reset(dest); return AVERROR(ENOMEM); } From 676ba8eff86d2ed1e9eb14d09c87c7ed41cadc7f Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 24 Apr 2017 14:53:47 -0300 Subject: [PATCH 493/942] avcodec/options: do a more thorough clean up in avcodec_copy_context() Free coded_frame and coded_side_data to prevent potential leaks. Reviewed-by: Aaron Levinson Tested-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit cac8de2da5c4935773128335c11b806faa73e19d) --- libavcodec/options.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/options.c b/libavcodec/options.c index 35098b864d..fb23ee6ad4 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c 
@@ -181,13 +181,24 @@ void avcodec_free_context(AVCodecContext **pavctx) static void copy_context_reset(AVCodecContext *avctx) { + int i; + av_opt_free(avctx); +#if FF_API_CODED_FRAME +FF_DISABLE_DEPRECATION_WARNINGS + av_frame_free(&avctx->coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif av_freep(&avctx->rc_override); av_freep(&avctx->intra_matrix); av_freep(&avctx->inter_matrix); av_freep(&avctx->extradata); av_freep(&avctx->subtitle_header); + for (i = 0; i < avctx->nb_coded_side_data; i++) + av_freep(&avctx->coded_side_data[i].data); + av_freep(&avctx->coded_side_data); avctx->subtitle_header_size = 0; + avctx->nb_coded_side_data = 0; avctx->extradata_size = 0; } @@ -228,10 +239,12 @@ FF_ENABLE_DEPRECATION_WARNINGS /* reallocate values that should be allocated separately */ dest->extradata = NULL; + dest->coded_side_data = NULL; dest->intra_matrix = NULL; dest->inter_matrix = NULL; dest->rc_override = NULL; dest->subtitle_header = NULL; + dest->nb_coded_side_data = 0; #define alloc_and_copy_or_fail(obj, size, pad) \ if (src->obj && size > 0) { \ From c54a76bf714b07cf316da06ffeac1a1d753a15f3 Mon Sep 17 00:00:00 2001 From: Aaron Levinson Date: Thu, 20 Apr 2017 23:30:13 -0700 Subject: [PATCH 494/942] avformat/utils: free AVStream.codec properly in free_stream() Fixes memory leaks. Signed-off-by: James Almer (cherry picked from commit b9d2005ea5d6837917a69bc2b8e98f5695f54e39) --- libavformat/utils.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b199ff23bf..f90aeb20c1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3728,9 +3728,7 @@ static void free_stream(AVStream **pst) av_dict_free(&st->metadata); av_freep(&st->probe_data.buf); av_freep(&st->index_entries); - av_freep(&st->codec->extradata); - av_freep(&st->codec->subtitle_header); - av_freep(&st->codec); + avcodec_free_context(&st->codec); av_freep(&st->priv_data); if (st->info) av_freep(&st->info->duration_error); 
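Review bot: The second hunk nulls `dest->coded_side_data` after the memcpy so the new per-element free in copy_context_reset cannot release src's buffers through dest, but nothing in the hunk does the same for `dest->coded_frame`, which the first hunk now frees with av_frame_free(). If dest->coded_frame is not reset to NULL somewhere between the memcpy and the `fail:` path (the lines just above `/* reallocate values that should be allocated separately */` are outside the hunk), a failure inside alloc_and_copy_or_fail would free src's coded_frame and leave src with a dangling pointer. Worth a check, and in any case a comment on the `#if FF_API_CODED_FRAME` block naming the invariant it depends on. Note also that `for (i = 0; i < avctx->nb_coded_side_data; i++) av_freep(&avctx->coded_side_data[i].data);` dereferences coded_side_data without a NULL test, so nb_coded_side_data and coded_side_data must always be updated together, as the second hunk does.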
From 30415662ef7a4d8f3a2bffd2a8c05a801b42a279 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 25 Apr 2017 20:23:12 -0300 Subject: [PATCH 495/942] avformat/concatdec: fix the h264 annexb extradata check The start code can be either in the first three or four bytes. (cherry picked from commit b4330a0e02fcbef61d630a369abe5f4421ced659) --- libavformat/concatdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index de7b89a28f..9c7484eb95 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -193,8 +193,11 @@ static int detect_stream_specific(AVFormatContext *avf, int idx) ConcatStream *cs = &cat->cur_file->streams[idx]; AVBitStreamFilterContext *bsf; - if (cat->auto_convert && st->codec->codec_id == AV_CODEC_ID_H264 && - (st->codec->extradata_size < 4 || AV_RB32(st->codec->extradata) != 1)) { + if (cat->auto_convert && st->codec->codec_id == AV_CODEC_ID_H264) { + if (!st->codec->extradata_size || + (st->codec->extradata_size >= 3 && AV_RB24(st->codec->extradata) == 1) || + (st->codec->extradata_size >= 4 && AV_RB32(st->codec->extradata) == 1)) + return 0; av_log(cat->avf, AV_LOG_INFO, "Auto-inserting h264_mp4toannexb bitstream filter\n"); if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) { From abe2d4de9286567e085ee012c30db99cf2f6b082 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 6 May 2017 20:31:45 -0300 Subject: [PATCH 496/942] avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message The code was skipping the entire reported SEI message size regardless of the amount of bits read. While in theory safe for NALU where the picture timing SEI message is alone or at the end as we're using the checked bitstream reader, it isn't in any other situation, where every SEI message in the NALU after the picture timing one would potentially fail to parse. Reviewed-by: Michael Niedermayer 
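Review bot: The three-way condition in detect_stream_specific needs a comment saying what it accepts, because the reader has to decode `AV_RB24(...) == 1` / `AV_RB32(...) == 1` as "already Annex B with a 3- or 4-byte start code": suggest `/* no extradata, or extradata already in Annex B form (00 00 01 / 00 00 00 01): no conversion needed */` above the inner if. The early `return 0` also skips anything that follows the h264 block in the function; the function's tail is outside the hunk, so confirm nothing after it should still run for h264 streams. Extradata of 1 or 2 bytes now falls through to inserting the filter, which matches the previous `< 4` behaviour.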
Signed-off-by: James Almer (cherry picked from commit f738140807f504c9af7850042067777832f05e88) Conflicts: libavcodec/hevc_sei.c --- libavcodec/hevc_sei.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index f598b6393a..9cf5e80010 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s) return 0; } -static int decode_pic_timing(HEVCContext *s) +static int decode_pic_timing(HEVCContext *s, int size) { GetBitContext *gb = &s->HEVClc->gb; HEVCSPS *sps; @@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s) } get_bits(gb, 2); // source_scan_type get_bits(gb, 1); // duplicate_flag + skip_bits1(gb); + size--; } - return 1; + skip_bits_long(gb, 8 * size); + + return 0; } static int decode_registered_user_data_closed_caption(HEVCContext *s, int size) @@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size) return decode_nal_sei_display_orientation(s); case SEI_TYPE_PICTURE_TIMING: { - int ret = decode_pic_timing(s); + int ret = decode_pic_timing(s, size); av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type); - skip_bits(gb, 8 * size); return ret; } case SEI_TYPE_MASTERING_DISPLAY_INFO: From f2afdab8e40a3a162ba011b026c6331bc73832df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 01:54:43 +0200 Subject: [PATCH 497/942] avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' Fixes: 1657/clusterfuzz-testcase-minimized-4710000079405056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58ac7fb9c395ab91cb321fa4c8c9e127ce8147c3) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
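Review bot: In decode_pic_timing the `size--` inside the frame_field_info branch and the trailing `skip_bits_long(gb, 8 * size)` have no guard against size being 0 on entry, so a pic_timing SEI declared with a zero payload size would hand a negative count to skip_bits_long(); whether the caller rejects size 0 before dispatching is outside the hunk. A guard at the top of the branch, `if (size < 1) return AVERROR_INVALIDDATA;`, keeps the byte accounting sound. The return value also changes from 1 to 0, which decode_nal_sei_prefix passes straight back; a comment on the prototype, `/* returns 0 on success; consumes exactly size bytes of payload */`, would record the new contract. decode_pic_timing begins outside the second hunk.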
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 3ea12f0511..8067ac94e5 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -250,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; From dac9ef7108ed070f59a3f6a988ab68b174599588 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 02:07:17 +0200 Subject: [PATCH 498/942] avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 Fixes: 1658/clusterfuzz-testcase-minimized-4889937130291200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25c81e4b737bcc737b13c9a752cb301a28cb3906) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eaf1aa7c75..5426712007 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) From b33d01d8a253028083df250b5d4a2e43e5560c64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 04:21:52 +0200 Subject: [PATCH 499/942] Update for 3.0.8 Signed-off-by: Michael Niedermayer --- Changelog | 194 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 196 insertions(+), 2 deletions(-) 
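Review bot: `int64_t delta = -((int16_t)segments * (int64_t)width);` in decode_wdlt is correct, but the reason the cast sits on `width` rather than on the result deserves a comment, since a later cleanup could move it back and reintroduce the overflow: `/* widen before multiplying; (int16_t)segments * width can exceed int range */`. The following `frame_end - frame <= delta` compares a ptrdiff_t with an int64_t, which is well-defined (the narrower operand is widened) but mixes two width-dependent types on a bounds check, so a brief note there helps too. decode_wdlt continues outside the hunk.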
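Review bot: `coeff_val * (1 << (14 - frac_bits))` in read_matrix_params is well-defined only while frac_bits <= 14; if that bound is enforced it is outside this hunk, so I cannot confirm it. A short comment, `/* frac_bits <= 14 is validated above, so the shift count is non-negative */` (adjusted to wherever the check lives), would tie the two together; if no such check exists, one is needed, since `1 << (negative)` is undefined. The function continues outside the hunk.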
diff --git a/Changelog b/Changelog index 8e8aa20978..cd39890926 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,200 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.8 +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' +- avcodec/aacdec_template: Fix fixed point scale in decode_cce() +- avcodec/flicvideo: Check frame_size before decrementing +- avcodec/mlpdec: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix runtime error: left shift of negative value -42 +- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int' +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- avcodec/aacps: Fix undefined behavior +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/snowdec: Check width +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/webp: Factor update_canvas_size() out +- avcodec/cllc: Check prefix +- avcodec/rscc: Check pixel_size for overflow +- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' +- avcodec/g723_1dec: Fix LCG type +- libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: 
Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/dvbsubdec: Check entry_id +- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' +- avcodec/mpeg12dec: Fixes runtime error: division by zero +- avcodec/webp: Always set pix_fmt +- avfilter/vf_uspp: Fix currently unused input frame dimensions +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/y41pdec: Fix width in input buffer size check +- avcodec/svq3: Fix multiple 
runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 +- avcodec/indeo2: Check for invalid VLCs +- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour +- avcodec/htmlsubtitles: Check for string truncation and return error +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/ivi_dsp: 
Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/cdxl: Check format parameter +- avutil/softfloat: Fix overflow in av_div_sf() +- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/g723_1: Fix multiple runtime error: left shift of negative value +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value -22 +- avcodec/snowdec: Check qbias +- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/g722: Fix multiple runtime error: left shift of negative value -1 +- avcodec/dss_sp: Fix multiple left shift of negative value -466 +- avcodec/wnv1: Fix runtime error: left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- 
avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/pngdec: Use ff_set_dimensions() +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow +- avcodec/dcadsp: Fix runtime error: signed integer overflow +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- doc/developer: Add terse documentation of assumed C implementation defined behavior +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' +- avformat/oggparsedaala: Do not leave an invalid value in gpshift +- avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE +- avfilter/af_sofalizer: Fix bad shift +- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() +- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit +- avcodec/vdpau_hevc: Fix potential out-of-bounds write +- avcodec/tiff: Check geotag count for being non zero +- avcodec/vp56: Check avctx->error_concealment before enabling EC +- avcodec/tiff: Check stripsize strippos for overflow +- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 +- avcodec/tiff: Check for multiple geo key directories +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- 
avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' +- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' +- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 +- avcodec/wavpack: Fix runtime error: left shift of negative value -5 +- avcodec/wavpack: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 +- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value +- avcodec/adxdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 +- avcodec/h264_direct: Fix runtime error: left shift of negative value -14 +- avcodec/pictordec: Check plane value before doing value/mask computations +- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 +- avcodec/eac3dec: Fix runtime error: left shift of negative value -3 +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows +- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts +- avcodec/mpeg4video: Fix runtime error: left shift of negative value +- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 +- avcodec/rv40: Fix runtime error: left shift of negative value +- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime 
error: shift exponent -2 is negative +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 +- avcodec/eac3dec: Fix runtime error: left shift of negative value +- avcodec/htmlsubtitles: Fix reading one byte beyond the array +- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() +- avcodec/vp56: Reset have_undamaged_frame on resolution changes +- avcodec/vp8: Fix hang with slice threads +- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() +- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() +- avcodec/vp8: remove redundant check +- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() +- avcodec/vp3: Do not return random positive values but the buf size +- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() +- avcodec/vp56: Factorize vp56_render_mb() out +- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' +- Add CHECK/SUINT code +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 +- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change +- avcodec/vp56: Implement very basic error concealment +- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 +- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' +- avcodec/vp56: Fix sign typo +- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding +- avcodec/rv34: Simplify and factor get_slice_offset() code +- avcodec/pictordec: Do not read more than nb_planes +- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' +- avcodec/pngdec: Check bit depth for validity +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value +- avcodec/wavpacl: Fix runtime error: left shift of negative value -1 +- avformat/http: Check for truncated buffers in 
http_connect() +- avformat/apng: fix setting frame delay when max_fps is set to no limit +- swresample/resample: free existing ResampleContext on reinit +- swresample/resample: move resample_free() higher in the file +- lavf/mpeg: Initialize a stack variable used by memcmp(). +- lavc/avpacket: Initialize a variable in error path. + version 3.0.7 - avcodec/h264_slice: Clear ref_counts on redundant slices - lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid diff --git a/RELEASE b/RELEASE index 2451c27caf..67786e246e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.7 +3.0.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index cb6e3cf8fc..205549c748 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.7 +PROJECT_NUMBER = 3.0.8 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 1de61c6b015f8f33e3d325db8a12cb3a919dc918 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:13:18 +0200 Subject: [PATCH 500/942] avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' Fixes: 1669/clusterfuzz-testcase-minimized-5287529198649344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a173f484b52ed63292439de5347e49bd78cad0ed) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index e58d3b99e2..c3a8dbee30 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -88,22 +88,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; - const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); + const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t 
*block) From 053ca03564488a03a49ce7e80add370f2724ce26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:46:56 +0200 Subject: [PATCH 501/942] avcodec/mimic: Use ff_set_dimensions() to set the dimensions Fixes: OOM Fixes: 1671/clusterfuzz-testcase-minimized-4759078033162240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e434840fd4b3c854beec845f950b80bc1bf93b60) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index ce649c602a..b77171a822 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height, 3 + !!i); From 9532ad523ec5b8164ce377bfebf92776d5da898b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 May 2017 12:25:52 +0200 Subject: [PATCH 502/942] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' Fixes: 1681/clusterfuzz-testcase-minimized-5970545365483520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fb104f4476ad238e2ca768e9b80dc314e6e856d) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index b26314a7eb..480062dfcc 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c 
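Review bot: Only the outer sums of fic_idct moved to unsigned; the right-hand sides of `t8`, `t9`, `tA`, `tB` and the `t2 + t0 + 0x800` inside t4/t5 are still evaluated in int before conversion, so the overflow class this commit targets can still occur inside those expressions if the inputs reach the edges of int16 (for tA/tB, `(blk[0 * step] - blk[4 * step]) * 32768` is already within 65536 of INT_MAX before rnd is added). Whether blk and rnd are bounded well below that is not visible from the hunk. For tA/tB the fix is mechanical, `const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768U + rnd;` and likewise for tB; the `(int)(...) >> shift` casts also rely on two's-complement conversion and arithmetic right shift of negative values, which a one-line comment above the block should state. fic_idct begins outside the hunk.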
@@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a00.exp; if (shift >= 3) alpha0[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][0] = 0; else { a00.mant <<= 1; shift = 2-shift; @@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a01.exp; if (shift >= 3) alpha0[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][1] = 0; else { a01.mant <<= 1; shift = 2-shift; @@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a10.exp; if (shift >= 3) alpha1[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][0] = 0; else { a10.mant <<= 1; shift = 2-shift; @@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a11.exp; if (shift >= 3) alpha1[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][1] = 0; else { a11.mant <<= 1; shift = 2-shift; From f6fbc874d1e34cc2f7a028478d47c45547eb6d4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 May 2017 01:23:01 +0200 Subject: [PATCH 503/942] avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context Fixes: runtime error: index 8 out of bounds for type 'uint8_t [8]' Fixes: 1699/clusterfuzz-testcase-minimized-6327177438035968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4d102a070b95832ae4a751688f87da7760a2) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 5426712007..eac19a0d5e 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,6 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); + s->num_primitive_matrices = 0; return AVERROR_INVALIDDATA; } 
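Review bot: The `shift <= -30` threshold on the new `else if` lines is a magic number whose derivation is only visible through the later `shift = 2-shift` context line, so it deserves a comment: `else if (shift <= -30) /* 2-shift would be >= 32: value is below precision, treat as 0 */`. The same two-line change is repeated for `alpha0[k][1]`, `alpha1[k][0]` and `alpha1[k][1]` in the hunks at -302, -315 and -329; a small static helper converting one SoftFloat coefficient to the saturated fixed-point value would have made this a single fix and would keep the four copies from drifting apart. `sbr_hf_inverse_filter` starts before and ends after these hunks.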
From 6bd5fcc463c57ced03087bec9160dbdf461be174 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 00:06:10 +0200 Subject: [PATCH 504/942] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' Fixes part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6310fc714de3cd73848416ead73228fcef8b6dc0) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 480062dfcc..01f81afaaa 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -575,20 +575,25 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } - shift = 22 - in[m+1].exp; - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + shift = 22 - in[m+1].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift; + } } if(m_max&1) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (in[m ].mant * A + round) >> shift; + } } } indexnoise = (indexnoise + m_max) & 0x1ff; From 9b7c194ba1d726d80745c019d5a8d19d1b28c166 Mon Sep 17 00:00:00 2001 
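Review bot: The added `if (shift < 32)` guards bound the shift count only from above; with `shift = 22 - in[m].exp`, an exponent of 22 or more yields `shift <= 0`, so `round = 1 << (shift-1)` would shift by a negative count unless `in[m].exp` is bounded where `s_m` is computed, which is not visible here. If that bound is not guaranteed, the guards should be two-sided, e.g. `if (shift > 0 && shift < 32) {`, and the same applies to the two other copies in this hunk (`in[m+1]` and the `m_max&1` tail). The three identical blocks would also read better as one helper. `sbr_hf_assemble` starts before and ends after the hunk.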
From: Michael Niedermayer Date: Sun, 21 May 2017 01:43:04 +0200 Subject: [PATCH 505/942] avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 384508b2ff69bc3fad1e1c2e7de0dcd0913c6208) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f4e3de0c71..924da83c85 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -229,11 +229,11 @@ static void sbr_hf_gen_c(int (*X_high)[2], const int (*X_low)[2], static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], const SoftFloat *g_filt, int m_max, intptr_t ixh) { - int m, r; + int m; int64_t accu; for (m = 0; m < m_max; m++) { - r = 1 << (22-g_filt[m].exp); + int64_t r = 1LL << (22-g_filt[m].exp); accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); From fcc87a4676bcf1d4107fa939f0cc239b5b201926 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:42:12 +0200 Subject: [PATCH 506/942] avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' Fixes: 1711/clusterfuzz-testcase-minimized-5248503515185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d04fc94e1021b70e542dc01a48b8398c6fc6325) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 2fc453c1f0..fbafa92d72 100644 --- a/libavcodec/mlpdsp.c 
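Review bot: `int64_t r = 1LL << (22-g_filt[m].exp);` widens the shift but leaves the count unchecked: an exponent below -40 gives a count of 63 or more (itself undefined for a signed `long long`), and an exponent above 22 gives a negative count; the unchanged `>> (23-g_filt[m].exp)` on the following line has the same exposure. If `g_filt[m].exp` is clamped where the gains are produced (not visible here), a comment stating the assumed range would make that contract explicit, e.g. `/* assumes -40 <= g_filt[m].exp <= 22 — enforced by the producer of g_filt */`; otherwise a range check is needed before the shift. `sbr_hf_g_filt_c` continues past the hunk.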
+++ b/libavcodec/mlpdsp.c @@ -114,7 +114,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; int32_t sample = sample_buffer[i][mat_ch] * - (1 << output_shift[mat_ch]); + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From 02b8d62a8c0383cbbaea4d48d871a60c56b41819 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:46:55 +0200 Subject: [PATCH 507/942] avcodec/takdec: Fix runtime error: left shift of negative value -63 Fixes: 1713/clusterfuzz-testcase-minimized-5791887476654080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d66193252b4067144f11211f8f3e1d5a50146235) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 43b3c92077..14e51b166c 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -851,7 +851,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1 << s->sample_shift[chan]; } } From 4cad001b049477078f33bf752f3fbc2448fc139f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:51:04 +0200 Subject: [PATCH 508/942] avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 Fixes: 1716/clusterfuzz-testcase-minimized-4691012196761600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3547dcbc326474745f02a618e01848a293f3f92) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
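Review bot: The `(1U << output_shift[mat_ch])` change makes the scaling multiply wrap, but the unchanged `*data_32++ = sample << 8;` two lines below still left-shifts a signed `int32_t` that can be negative, the same class of undefined behaviour the commit is fixing; `*data_32++ = sample * 256U;` would be consistent with the new line. The shift count itself is also unchecked here: if `output_shift[]` can be negative or 32 or more when it is parsed (not visible in this hunk), the `1U <<` remains undefined. `ff_mlp_pack_output` starts before and ends after the hunk.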
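Review bot: `decoded[i] *= 1 << s->sample_shift[chan];` trades a left shift of a negative value for a signed multiplication that can still overflow when the decoded sample is large, so the sanitizer finding merely moves; `decoded[i] *= 1U << s->sample_shift[chan];` makes the product wrap, matching the `1U <<` form used in the mlpdsp change of this series. The shift count is also taken from the bitstream; unless `sample_shift[chan]` is bounded to at most 30 where it is read (not visible here), `1 << s->sample_shift[chan]` is still undefined for larger values. `tak_decode_frame` starts before and ends after the hunk.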
diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index eff63b347c..b417850838 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -45,7 +45,7 @@ typedef int AAC_SIGNE; #define Q30(x) (int)((x)*1073741824.0 + 0.5) #define Q31(x) (int)((x)*2147483648.0 + 0.5) #define RANGE15(x) x -#define GET_GAIN(x, y) (-(y) << (x)) + 1024 +#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024 #define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16) #define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x2000000) >> 26) #define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x20000000) >> 30) From d7b53e87b9e572e349a36e7c0eb6a08a981ab8a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:07:02 +0200 Subject: [PATCH 509/942] avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' Fixes: 1630/clusterfuzz-testcase-minimized-6326111917047808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 955db411929a9876d3cd016fbbb9c49b6362feba) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 14e51b166c..b0cbba0e0e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -256,11 +256,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { From c06677aab1eb620780a450e2fb6c8f50bcdf2ccf Mon Sep 17 00:00:00 2001 
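Review bot: The rewritten `GET_GAIN` expansion is still not fully parenthesized: `+ 1024` sits outside the parentheses, so a use such as `GET_GAIN(x, y) * 2` or `-GET_GAIN(x, y)` groups wrongly; since the line is being rewritten anyway, `#define GET_GAIN(x, y) ((-(y) * (1 << (x))) + 1024)` closes that latent hazard. Note also that `1 << (x)` is itself undefined for `x >= 31` or negative, and `-(y) * (1 << (x))` can still overflow as a signed product; whether callers bound `x` and `y` is not visible here, so a comment on the macro stating the expected ranges would help.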
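Review bot: With `x` now `unsigned`, the unchanged `x |= 1 << code.init;` in the same block still shifts a signed `1`; `x |= 1U << code.init;` keeps the whole expression unsigned and is defined for `code.init == 31`, whereas `1 << 31` is not. The comparisons `x >= code.escape` and `x >= code.aescape` become signed/unsigned mixes if those fields are `int` (their types are not visible here); if they can be negative, the new `unsigned x` changes the outcome, so that should be confirmed. `decode_segment` starts before and ends after the hunk.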
From: Michael Niedermayer Date: Sun, 21 May 2017 13:22:16 +0200 Subject: [PATCH 510/942] avcodec/vmnc: Check location before use Fixes: runtime error: signed integer overflow: 65535 * 64256 cannot be represented in type 'int' Fixes: 1717/clusterfuzz-testcase-minimized-5491696676634624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec2b76aab44f55be22eb12d86eb0dfd2eff68581) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 49abb776f2..dfabfd394a 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -374,6 +374,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 
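Review bot: Moving the `dx + w > c->width || dy + h > c->height` check ahead of the `outptr` computation and the `switch (enc)` correctly protects `dx * c->bpp2 + dy * c->pic->linesize[0]` and the `w * h * c->bpp2` size test, but it now applies to every encoding handled by the switch, not only the raw (`0x00000000`) and HexTile (`0x00000005`) cases the removed copies covered (hunks at -451 and -467). If any other case reinterprets `w`/`h`/`dx`/`dy` (the rest of the switch is outside the hunk), such rectangles would now be rejected as invalid, which is worth confirming against the format. `decode_frame` starts before and ends after these hunks.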
@@ -467,12 +467,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; From 0e003452c040b5b35f1aa33f4596540efa47f2a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 16:01:27 +0200 Subject: [PATCH 511/942] avcodec/mpeg4videodec: Check for multiple VOL headers Fixes multiple: runtime error: signed integer overflow: 2147115008 + 413696 cannot be represented in type 'int' Fixes: 1723/clusterfuzz-testcase-minimized-5309409372667904 Fixes: 1727/clusterfuzz-testcase-minimized-5900685306494976 Fixes: 1737/clusterfuzz-testcase-minimized-5922321338466304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efeb47fd5d5cbf980e52a6d5e741c3c74b94b5e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index fc1c8297b9..77ef7465d7 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2549,6 +2549,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; unsigned startcode, v; int ret; + int vol = 0; /* search next start code */ align_get_bits(gb); 
@@ -2637,6 +2638,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } if (startcode >= 0x120 && startcode <= 0x12F) { + if (vol) { + av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); + return AVERROR_INVALIDDATA; + } + vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) return ret; } else if (startcode == USER_DATA_STARTCODE) { From 96f0b1de49592044eee5ca2c549ecb81b31d3a3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 16:53:55 +0200 Subject: [PATCH 512/942] avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' Fixes: 1721/clusterfuzz-testcase-minimized-4719352135811072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5228e44c7f3a5eba537c8a39a45cfbf2961a28d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index bbb120f6fe..3c628b3e25 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -207,7 +207,11 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) c /= band_energy; s = 21 + nlz - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); From 9a993c5bc89e2c14d7ecf41a282b44f4cc083369 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 21:49:54 +0200 Subject: [PATCH 513/942] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 40fa6a2fa2c255293a780a194eecae5df52644a1) 
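Review bot: The new `av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");` lacks the trailing newline every other log message in this series carries, so the next log line is appended to it; it should read `av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers\n");`. `vol` is only ever 0 or 1, so `vol = 1;` would state the intent more directly than `vol++;`. `ff_mpeg4_decode_picture_header` starts before (the `int vol = 0;` declaration is in the hunk at -2549) and ends after this hunk.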
Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e9705f2694..b23b5d2d70 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -728,7 +728,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, int16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { From 0169072409cf02d3775ce2925dd86776256619ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 May 2017 01:19:50 +0200 Subject: [PATCH 514/942] avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 Fixes: 1734/clusterfuzz-testcase-minimized-5385630815092736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fb00b3e858b7a5aeccfe6bdfc10290c2121c3ec) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 6f79ada1d5..7922751fdc 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ 
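Review bot: The reason `val` becomes `unsigned` is only in the commit message; at the declaration a short comment would keep the next reader from reverting it, e.g. `unsigned val; /* unsigned: the later quantizer multiply must wrap, not overflow */`, where the multiply is outside this hunk and is my reading of the `-32767 * 130560` in the commit title. The `val == 0xfffff` sentinel comparison is unaffected by the type change. `decode_dc_progressive` continues past the hunk.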
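Review bot: Replacing `<< 4` with `* 16` (and the matching rewrites in the hunks at -132, -146 and -163) removes the left-shift-of-negative-value diagnostic, but the products are still `int` and can overflow just as the shifts could if the band sums are large; the intermediate ranges are not visible here. A one-line comment at the first group, such as `/* multiplies rather than shifts: the operands can be negative */`, would stop a future reader from turning them back into shifts, and if wraparound is the intended semantics the accumulators would need to be unsigned. `ff_ivi_recompose53` starts before and ends after these hunks.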
@@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ @@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } From 4e8405b347bf46bd6d0b5ad302a6750122c7baa9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 May 2017 22:18:52 +0200 Subject: [PATCH 515/942] avcodec/jpeglsdec: Check get_bits_left() before decoding a picture Signed-off-by: Michael Niedermayer (cherry picked from commit 4bc3008d04451cd31818e21703ed7ed96b6ff074) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 68151cbbd8..20b40445fd 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
@@ -385,6 +385,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; From 5753c06dd79fcd1e49db87407784921c35810950 Mon Sep 17 00:00:00 2001 From: Max Justicz Date: Wed, 24 May 2017 15:25:50 +0200 Subject: [PATCH 516/942] avcodec/sanm: Fix uninitialized reference frames Fixes: poc.snm Signed-off-by: Michael Niedermayer (cherry picked from commit ca616b0f72c65b0ef5f9e1e6125698b15f50a26e) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 1aa002b6a5..065bf7aca1 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx) static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || From c071e74aad6a13b46fa8b2d66f5d6d9a6d4beae0 Mon Sep 17 00:00:00 2001 
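Review bot: `if (get_bits_left(&s->gb) < s->height)` is a heuristic minimum (at least one bit per row) that nothing at the call site explains, and it fails with `AVERROR_INVALIDDATA` without a log message, so truncated files are hard to diagnose at this level. A comment such as `/* each row needs at least one bit; cheap rejection of truncated input */` and an `av_log(s->avctx, AV_LOG_ERROR, ...)` in the style of the surrounding error paths would make the check self-explanatory. `ff_jpegls_decode_picture` starts before and ends after the hunk.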
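Review bot: The switch to `av_fast_padded_mallocz` addresses the uninitialized reference frames named in the title, but nothing at the call site says why zeroing matters here, and `init_buffers` is exactly where someone would later "optimise" it back to the non-zeroing variant. A comment above the calls, such as `/* zero-filled: a frame may be predicted from a reference buffer before anything has been decoded into it */`, records the invariant (my reading of the commit title, which the hunk itself does not show). `init_buffers` continues past the hunk.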
From: Michael Niedermayer Date: Wed, 24 May 2017 19:40:42 +0200 Subject: [PATCH 517/942] avcodec/jpeg2000dec: Check tile offsets Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89325417e7b33f4b08171d9d609c48662d96b2d3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index c13670e6d6..b2e1713c65 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -298,6 +298,14 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", + s->ncomponents); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { From 16f76d544db9fb0aeb32afabc076b1f7bce7cd5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 11:11:33 +0200 Subject: [PATCH 518/942] avcodec/jpeg2000dec: Fix copy and paste error Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 5782e0ba8cc30bb08a806cdeda1adfb89a0556b4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b2e1713c65..fa04d69035 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
@@ -301,8 +301,7 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || s->image_offset_y < s->tile_offset_y) { - av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", - s->ncomponents); + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From 6185b5e9bcbf1ceed0129717bd1b8533b60223ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 20:07:49 +0200 Subject: [PATCH 519/942] avcodec/smc: Check remaining input Fixes: Timeout Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 356194fcb17375de2472f4cbff6ede48d6a374b2) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index a423c455cc..18174fa57e 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { From 7fe0a0e9e73aad6dfb07d65332d13bbfa6d38312 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 23:01:27 +0200 Subject: [PATCH 520/942] avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 1825/clusterfuzz-testcase-minimized-6002833050566656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e87d146d798ca25d8f3a4520a6deb7946b39d73) 
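Review bot: The new `bytestream2_get_bytes_left(&s->gb) < 1` check sits just before `opcode = bytestream2_get_byte(&s->gb);`, and since the bytestream2 readers are bounds-checked and return 0 at the end of the buffer, the hazard being closed is the loop spinning on zero opcodes (the `Fixes: Timeout` in the message) rather than an out-of-bounds read; a comment would make that explicit: `/* bytestream2_get_byte() returns 0 at EOF, which would keep this loop running forever */`. The operands an opcode consumes are read further down in the `switch` (outside the hunk), so the check guards only the opcode byte, which is sufficient for termination. `smc_decode_stream` starts before and ends after the hunk.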
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 3c628b3e25..27e6e469f9 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -187,7 +187,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) round = 1 << (s-1); for (i=0; i> s); - dst[i] = out * ssign; + dst[i] = out * (unsigned)ssign; } } } From 278bd748a8b64106f098de3f6eb328576731b2f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 13:49:09 +0200 Subject: [PATCH 521/942] avutil/internal: Do not enable CHECKED with DEBUG This avoids potential undefined behavior in debug mode while still allowing developers which want to check for potential additional overflows to do so by manually enabling this. Reviewed-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit a44b3abb4cf922e379fbac55452d0482a8223597) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavutil/internal.h b/libavutil/internal.h index 00872a4b73..25e7703baa 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,9 +30,8 @@ # define NDEBUG #endif -#if defined(DEBUG) && !defined(CHECKED) -# define CHECKED -#endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED #include #include From 780c360e760b4e6734570a534a1798bd092adc22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 May 2017 18:01:31 +0200 Subject: [PATCH 522/942] avformat/mux: Fix copy an paste typo Found-by: Roger Scott Signed-off-by: Michael Niedermayer (cherry picked from commit 1a36354698fc0453ba4d337786d2cb4d3e374cfb) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
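Review bot: `dst[i] = out * (unsigned)ssign;` is correct but non-obvious; given the `-2147483648 * -1` in the commit title, a comment would save the next reader the same investigation: `dst[i] = out * (unsigned)ssign; /* unsigned: out == INT_MIN with ssign == -1 must wrap, not overflow */`. The result is converted back to `int` on the store, which relies on the two's-complement wraparound FFmpeg assumes elsewhere. `subband_scale` starts before the hunk.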
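Review bot: The replacement `//#define CHECKED` is commented-out code standing in for documentation; since the header no longer defines `CHECKED` itself, the switch is already settable from the build flags, and the comment should say so rather than invite editing the header: `// Define CHECKED (e.g. -DCHECKED in CFLAGS) to detect additional integer overflows with ubsan`. Dropping the commented-out line also removes the temptation to toggle it in place and commit it by accident.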
diff --git a/libavformat/mux.c b/libavformat/mux.c index f14bfd52d5..48e266e0f2 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -650,7 +650,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_WARNING, "failed to avoid negative " "pts %s in stream %d.\n" "Try -avoid_negative_ts 1 as a possible workaround.\n", - av_ts2str(pkt->dts), + av_ts2str(pkt->pts), pkt->stream_index ); } From 385642f8c86c443e75abceb309110a33d3f278ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:07:00 +0200 Subject: [PATCH 523/942] avcodec/ra144dec: Fix runtime error: left shift of negative value -17 Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c0c637d36c1de9ea461a8d863e8703da090894) Signed-off-by: Michael Niedermayer --- libavcodec/ra144dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 3eed17c0da..c716c32e67 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c @@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; From a3ba6a66a3eec0431d3f5bec8253660b9fc8eae7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:17:34 +0200 Subject: [PATCH 524/942] avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]' Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eac19a0d5e..f60f14cc71 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - s->num_primitive_matrices = 0; - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; @@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ From 3ad48f9acb19c5eb233cd0f1aa90e085cce54cba Mon Sep 17 00:00:00 2001 From: Kevin Mark Date: Sat, 27 May 2017 10:10:46 -0400 Subject: [PATCH 525/942] doc/filters: Clarify scale2ref example Signed-off-by: Kevin Mark Signed-off-by: Michael Niedermayer (cherry picked from commit 114e8716214d414d7965029ae5fe74668ed69e4a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 68f54f19b0..9c0cbb6975 100644 --- a/doc/filters.texi +++ b/doc/filters.texi 
@@ -10598,7 +10598,7 @@ uses the reference video instead of the main input as basis. @itemize @item -Scale a subtitle stream to match the main video in size before overlaying +Scale a subtitle stream (b) to match the main video (a) in size before overlaying @example 'scale2ref[b][a];[a][b]overlay' @end example From 1a800e8ff670cfca4fe40bc8cca5490dd6f93d90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:03:46 +0200 Subject: [PATCH 526/942] avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 357f2316a08478a4442e8051978c7b161e10281c) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 7922751fdc..2286c58033 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); From ca3fab8c807ddd9705dd1f0bb54ec4162aebc1a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 May 2017 21:08:48 +0200 Subject: [PATCH 527/942] avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' Fixes: 1770/clusterfuzz-testcase-minimized-5285511235108864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c36ee216f1e668e2c2af1573bd9dbbb2a501f48) 
Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_template.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_template.c b/libavcodec/sbrdsp_template.c index b649dfd7ee..897a3bbffb 100644 --- a/libavcodec/sbrdsp_template.c +++ b/libavcodec/sbrdsp_template.c @@ -33,8 +33,13 @@ static void sbr_qmf_deint_bfly_c(INTFLOAT *v, const INTFLOAT *src0, const INTFLO { int i; for (i = 0; i < 64; i++) { - v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5); - v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5); +#if USE_FIXED + v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5; + v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5; +#else + v[ i] = src0[i] - src1[63 - i]; + v[127 - i] = src0[i] + src1[63 - i]; +#endif } } From 25442bd95fdf1f46d3f994e7600ea427654dee8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 03:21:50 +0200 Subject: [PATCH 528/942] avcodec/libfdk-aacdec: Correct buffer_size parameter the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until 2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused. after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error. FFmpeg as well as others (like GStreamer) did interpret it as size in bytes Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca6776a993903dbcfef5ae8a18556c40ecf83e1c) Signed-off-by: Michael Niedermayer --- libavcodec/libfdk-aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index e5f7c4ebdc..2857b9453f 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c 
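Review bot: The `#if USE_FIXED` split leaves the fixed-point lines `(int)(0x10U + src0[i] - src1[63 - i]) >> 5` without any hint of what `0x10U` is or why the addition is unsigned; a comment such as `/* 0x10 is the rounding term for the >> 5; add in unsigned so the sum cannot overflow */` would carry the commit message into the code. The `#else` branch now omits `AAC_SRA_R(..., 5)` altogether, which is only equivalent if that macro is the identity for floating point; the macro is not visible here, so that should be confirmed. The whole of `sbr_qmf_deint_bfly_c` is visible in the hunk.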
@@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; From bd4dcd873166c5affe2d684a372b279f1f55d818 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:18:02 +0200 Subject: [PATCH 529/942] avcodec/wnv1: More strict buffer size check This requires at least 25% of a picture to allocate and decode it Fixes: Timeout Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 126c01a02d..915e9c7dc9 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } From aaf104e525b47284031e906c3df9ae2419bd003b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:34:09 +0200 Subject: [PATCH 530/942] avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' Fixes: 1851/clusterfuzz-testcase-minimized-5692607495667712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
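Review bot: The changed argument `s->decoder_buffer_size / sizeof(INT_PCM)` encodes a unit convention (samples, not bytes) that is undocumented in libfdk and was interpreted differently before a 2016 libfdk change, per the commit message; that knowledge belongs next to the call, not only in git history. Suggested comment on the line: `/* timeDataSize is in INT_PCM units, not bytes: recent libfdk memsets that many samples on error */`. The division also silently discards a remainder, so if decoder_buffer_size is not guaranteed to be a multiple of sizeof(INT_PCM) (its allocation is not visible here) an av_assert1 on that would be cheap. fdk_aac_decode_frame starts and ends outside the hunk.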
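Review bot: The new bound `buf_size < 8 + avctx->height * (avctx->width/2)/8` is a magic expression whose rationale (the commit message's "at least 25% of a picture") is invisible at the call site, and the error message still reports only the packet size. Suggest `av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small (need at least %d)\n", buf_size, 8 + avctx->height * (avctx->width/2)/8);` plus a comment such as `/* 8-byte header plus a conservative lower bound on the coded picture size; rejects tiny packets before the frame is allocated */`. The product presumably cannot overflow int only because avctx dimensions were validated at open time, which is worth stating in that comment. decode_frame continues outside the hunk.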
Signed-off-by: Michael Niedermayer (cherry picked from commit 6c3a63fc3d1be7ac947e38a165a299c9e5d37764) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 27e6e469f9..18a23a7586 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -370,7 +370,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac, shift = (gain-1024) >> 3; } - if (shift < 0) { + if (shift < -31) { + // Nothing to do + } else if (shift < 0) { shift = -shift; round = 1 << (shift - 1); From 5c1c1e89de4eb3c30ad571291bf98ed4394567bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 13:52:13 +0200 Subject: [PATCH 531/942] avcodec/jpeg2000dec: Check tile offsets more completely Signed-off-by: Michael Niedermayer (cherry picked from commit 9c1812491f7be2730351969f4abd9b99d300d604) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index fa04d69035..92862a8bad 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -300,7 +300,10 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || - s->image_offset_y < s->tile_offset_y) { + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From 9495075a7f86e8abbe840e00b3d2f94ab8a5614e Mon Sep 17 00:00:00 2001 
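Review bot: The new `if (shift < -31) { // Nothing to do }` branch should say why skipping is safe, since an empty branch with a terse comment reads like a stub. If the negative-shift path below applies `>> shift` to each coupled coefficient (the hunk cuts off before it), a shift of 32 or more zeroes every contribution, so skipping is equivalent; `// gain so small that every coefficient shifts to zero: coupling adds nothing` would capture that. If the branch should also reset accumulated state, that is not visible here and should be checked. apply_dependent_coupling_fixed starts and ends outside the hunk.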
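Review bot: The added conditions `s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x` (and the y counterpart) enforce that the first tile overlaps the image origin, but nothing at the site says where that rule comes from, so a reader may later relax it. Suggest: `/* T.800 Annex B (as I recall): XTOsiz <= XOsiz < XTOsiz + XTsiz, same for Y; otherwise no tile covers the first pixel */`. The int64_t promotion only covers the addition; if tile_width/height can be zero or are not validated before this point (not visible here), later divisions by them need their own check. get_siz continues outside the hunk.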
From: Michael Niedermayer Date: Sun, 28 May 2017 14:00:30 +0200 Subject: [PATCH 532/942] avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 781f88bb26534ececc76eaa972f02536ba2f0f55) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index ed3b421ad8..873e4505ec 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -220,7 +220,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b) static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ From 21cb305903c90df3f3cb8775f4aa59c38863ec05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 17:12:35 +0200 Subject: [PATCH 533/942] avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c032ebc0ad17ac0ffefb915ff96baf9d79cab1) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index d126d68a49..7b5cf9418c 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -564,7 +564,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; 
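Review bot: `return (a + (int64_t)b - 1) / b;` now computes in 64 bits but the function still returns int, so the narrowing conversion is silent and a divisor of 0 remains undefined; the contract should be written down. Suggested doc comment: `/* Ceiling division for b > 0; computed in 64 bits so a near INT_MAX cannot overflow, then narrowed back to int (callers pass values that fit). */`. The neighbouring `ff_jpeg2000_ceildivpow2` is only partly visible here.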
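Review bot: `unsigned a;` replaces `int a` without explanation, and since get_symbol returns int (the signature is at the top of the hunk) a reader may wonder why only the accumulator changed type. Suggest `unsigned a; /* unsigned so a corrupted exponent e wraps instead of overflowing when 1 << e and the mantissa bits are summed */`. The rest of the body, where `a` is built and the sign applied, is outside the hunk, so whether any signed comparison on `a` is affected by the type change cannot be checked from here.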
From a8625d11105fe3f70aa26e54b1a8011d7a9a39fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 18:09:47 +0200 Subject: [PATCH 534/942] avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1878/clusterfuzz-testcase-minimized-6441918630199296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6b9cb5d26a2d9905093621d12785bc5903dce66d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 18a23a7586..43e4c1ebe6 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -211,8 +211,8 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) for (i=0; i 0) { - round = 1 << (s-1); + } else if (s >= 0) { + round = s ? 1 << (s-1) : 0; for (i=0; i> 32); coefs[i] = ((int)(out+round) >> s) * ssign; From 62979de16865de7351bb6dd2748c953ee0fc8548 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:50 +0200 Subject: [PATCH 535/942] avcodec/webp: Fixes null pointer dereference Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488 Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520 Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144 Approved-by: BBB Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67020711b7d45afa073ef671f755765035a64373) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index e119a25799..1b3b68c121 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c 
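Review bot: `round = s ? 1 << (s-1) : 0;` in the new `else if (s >= 0)` branch is still UB for any s of 32 or more, so the fix only holds if s is bounded to at most 31 before this point; the hunk does not show where s comes from, so that bound should be confirmed or enforced with a clamp. A comment such as `/* s is the positive shift, 0..31; 1 << 31 would be UB */` would document the assumption. The hunk text in this rendering has lost several `< ... >` runs (the for-loop headers and the shift expression), so the surrounding lines could not be reviewed. noise_scale starts and ends outside the hunk.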
@@ -1351,6 +1351,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (ret < 0) return ret; + if (!*got_frame) + return AVERROR_INVALIDDATA; + update_canvas_size(avctx, avctx->width, avctx->height); if (s->has_alpha) { From 7f0c66b8cf0a27ff28f203aad7bb292bae11b145 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 20:08:49 +0200 Subject: [PATCH 536/942] avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro Fixes: runtime error: shift exponent 1073741848 is too large for 32-bit type 'INTFLOAT' (aka 'int') Fixes: 1880/clusterfuzz-testcase-minimized-4900645322620928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 872bac81590ccbec40ba7ad203421d9e38d1b253) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index b417850838..83d70af896 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -72,7 +72,7 @@ typedef int AAC_SIGNE; #define AAC_MSUB31_V3(x, y, z) (int)((((int64_t)(x) * (z)) - \ ((int64_t)(y) * (z)) + \ 0x40000000) >> 31) -#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1 +#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1)) #define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y)) #else From 7e7c25a48e592257c0dd358cd5e78f3d3a3db60a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:38:24 +0200 Subject: [PATCH 537/942] avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c472c52525fcab4c80cdbc98b4625d318c84fcb) 
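Review bot: The new early return `if (!*got_frame) return AVERROR_INVALIDDATA;` needs a comment explaining that a non-negative `ret` from the VP8 decode call above does not guarantee a decoded picture, because the canvas and alpha code that follows presumably dereferences `p`'s buffers (that code is outside the hunk). Suggest `/* VP8 can return success without outputting a frame; nothing below may touch p in that case */`. vp8_lossy_decode_frame starts and ends outside the hunk.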
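Review bot: The corrected `#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1))` changes the result, not just the parsing: the old text parsed as `x >> (1 + y) >> 1`, and the new form drops the low bit of each operand separately rather than of the sum. A one-line comment would stop someone "fixing" it to `((x) + (y)) >> 1`: `/* halves each operand before adding so the sum cannot overflow; loses one LSB per operand */`. The neighbouring `AAC_SRA_R(x, y)` computes `1 << ((y) - 1)`, which is UB for y == 0, but it is unchanged here.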
Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index cfe5aea7dc..0560b3795f 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } From 3b3a3b7a5a7f15acc19d0d00d9ce9e46610c3eb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:44:32 +0200 Subject: [PATCH 538/942] avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c845450d2daa0d066045cf94ab51cb496f1b824) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 0560b3795f..85a4217fa8 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From 24ab34a3fcf362ff1061a8e4ec9a967f48021bb6 Mon Sep 17 00:00:00 2001 
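Review bot: `m[0] = (ff_irms(...) * (unsigned)gval) >> 12;` now shifts an unsigned value, so for a negative product the result is a logical shift (a large positive number) where the original arithmetic shift gave a small negative one; the other ra144 hunk in this series casts back with `(int)` before `>> 12` to keep the arithmetic shift. Unless ff_irms and gval are provably non-negative (not visible here), the two sites should agree: `m[0] = (int)(ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12;`. ff_subblock_synthesis starts and ends outside the hunk.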
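Review bot: The inner product `refl[i+1] * bp2[i-j]` in the rewritten line stays in signed arithmetic while only the outer multiply by `b` moved to unsigned; if refl and bp2 can carry the same malformed magnitudes as `b` (the debug check above compares `a*(unsigned)b` against the 64-bit product, suggesting they are in a similar range), that inner term can overflow the same way. `((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)` would cover it with the same idiom. ff_eval_refl starts and ends outside the hunk.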
From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 539/942] avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9e884f3d98df85bf7f2cf30d71877b22929fdcb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 245a32a8d7..4f0e52dbf7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -272,7 +272,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } From 27fecc7a73db836781100daa540bf1fff63261ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 540/942] avcodec/truemotion2: Fix passing null pointer to memset() Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c901627918ff7480c1bb6f9cae507ee2c7c933d8) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4f0e52dbf7..e6ae05f1d5 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c 
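Review bot: The sign test `v & (1 << (mb - 1))` on the line above the change is still a signed shift, so if mb can reach 32 (the fix addresses mb == 31 for `1 << mb`, and mb is read from the stream outside the hunk) the test becomes `1 << 31` and is UB in exactly the way just fixed. `if (v & (1U << (mb - 1)))` makes the pair symmetric, and `/* mb-bit two's-complement value: sign-extend */` would explain both lines. tm2_read_deltas starts and ends outside the hunk.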
@@ -915,7 +915,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; From 759739e9964fc8c09b4e4dec67be0c435c57d0e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 13:45:29 +0200 Subject: [PATCH 541/942] avcodec/jpeg2000dec: Use ff_set_dimensions() Fixes: OOM Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f3da6fbff864e05e8871dd04222143abdee9e77b) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 92862a8bad..1dcaf13147 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n"); 
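Review bot: The guard `if (l->tok_lens[j])` around the memset should say what it protects against, since a zero-length memset looks harmless: `/* tokens[j] is NULL when tok_lens[j] == 0, and memset(NULL, 0, 0) is UB */`. That tokens[j] is NULL in that case is inferred from the commit subject, not visible here. decode_frame starts and ends outside the hunk.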
@@ -359,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { From c92acd5ed48d3931dbbc77329b6aebaacc097184 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 14:07:33 +0200 Subject: [PATCH 542/942] avcodec/ansi: Fix frame memleak Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e091b9b3c7859030f2896ca2ae96faa3afc694a1) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 98ea9e3d2a..31405b4a99 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; @@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); return AVERROR(EINVAL); } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); + return 0; } From d542185e054192fb3028512c0dae2187cf29607e Mon Sep 17 00:00:00 2001 
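Review bot: `ff_set_dimensions` here validates only the reduced output size (`ceildivpow2(..., s->reduction_factor)`), so the OOM this commit addresses is closed for the output frame but not necessarily for buffers sized from `s->width`/`s->height` at full coded resolution (tile and code-block allocations, not visible here); if those exist they still need a bound on the pre-reduction size. A comment on the call, `/* bounds and sets avctx->width/height; these are post-reduction dimensions */`, would make the distinction explicit. get_siz continues outside the hunk.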
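Review bot: Moving `s->frame = av_frame_alloc();` after the dimension check fixes the leak, but nothing says the order is load-bearing, so a later cleanup could move it back. Suggest above the allocation: `/* allocate last: on an error return from init the frame would not be freed (decode_close presumably does not run when init fails) */`. Whether close is skipped on init failure for this codec depends on capability flags not visible here.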
From: Michael Niedermayer Date: Tue, 30 May 2017 03:09:11 +0200 Subject: [PATCH 543/942] avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d90c5bf10559554d6f9cd1dfb90767b991b76d5d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f828fc725b..a679d424eb 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -548,7 +548,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; From 343c1d1d7d1fbc2a28c16de9c39530780974a24b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:13:21 +0200 Subject: [PATCH 544/942] avcodec/wavpack: Check float_shift Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int' Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4020b009d1e88ff10abd25fb768165afa546851d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a679d424eb..3bc345e797 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
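Review bot: The S16P branch `S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10);` now wraps on overflow, but the stereo unpack routine presumably contains the same weightA/weightB multiply and is not touched by this commit; if so the same fuzz case will reappear there. A short comment on the cast, `/* unsigned multiply: malformed weights wrap instead of UB; the 64-bit path above handles the wider formats */`, would also help. wv_unpack_mono starts and ends outside the hunk.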
@@ -872,6 +872,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; From c82db1441159617c3d779335a357364a9c6ee496 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 04:03:09 +0200 Subject: [PATCH 545/942] avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87bddba43b725d43767f2a387cdea0936ac1b549) Signed-off-by: Michael Niedermayer --- libavcodec/acelp_pitch_delay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/acelp_pitch_delay.c b/libavcodec/acelp_pitch_delay.c index c2533b1eb1..fa7e68aa80 100644 --- a/libavcodec/acelp_pitch_delay.c +++ b/libavcodec/acelp_pitch_delay.c @@ -136,7 +136,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy, ff_exp10(0.05 * (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) + energy_mean)) / - sqrtf(fixed_mean_energy); + sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0); // update quantified prediction error energy history memmove(&prediction_error[0], &prediction_error[1], From 794bcc6eca21a4ac64a282a4150036426e641f7b Mon Sep 17 00:00:00 2001 
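Review bot: The new `continue` after the range check leaves the FLOATINFO chunk half-consumed: three bytes have been read but the `bytestream2_skip(&gb, 1)` the normal path performs is bypassed, so if the enclosing loop parses chunks sequentially from `gb` (the visible skip suggests it does) the next chunk id is read one byte early. Either skip before leaving, `bytestream2_skip(&gb, 1); continue;`, or validate after the full read. Resetting `float_shift = 0` while leaving `float_flag` and `float_max_exp` set is also partial state; clearing all three or none would be more coherent. wavpack_decode_block starts and ends outside the hunk.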
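Review bot: `sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0)` mixes a float operand with a double literal, promoting the ternary to double before sqrtf narrows it back; `1.0f` avoids the round trip and matches the function's float arithmetic. A comment should also state why 1.0 is a sane substitute: `/* a zero mean energy (only reachable with corrupt input) would divide by zero; treat it as unity */`. The statement this expression belongs to starts before the hunk, and a negative mean energy, if it can occur, would still yield NaN.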
From: Michael Niedermayer Date: Tue, 30 May 2017 21:29:20 +0200 Subject: [PATCH 546/942] avformat/avidec: Limit formats in gab2 to srt and ass/ssa This prevents part of one exploit leading to an information leak Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 955b27b857..1a9563aed4 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1085,6 +1085,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; From f5c5bec448cacf8f8ff85d297be131f2e0680972 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:21:58 +0200 Subject: [PATCH 547/942] avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58f8cd4ac576028ef492a005bd06b1f22c3a6879) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 4d1b77187b..cd4eec9caf 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
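Review bot: The allow-list `strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")` is a security control and the code should say so, otherwise the next person adding a subtitle format sees only an arbitrary restriction. Suggest: `/* gab2 may carry only srt and ass/ssa; a probed demuxer of any other kind (e.g. a playlist) could be made to open arbitrary local files (information leak, see commit) */`. Matching on demuxer names is also brittle under renames; comparing against the AVInputFormat objects themselves would be stricter, if those symbols are reachable from avidec.c. read_gab2_sub starts and ends outside the hunk.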
@@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, From 309ec23130a176a486928f29ee1809b8ae67bbb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:39:45 +0200 Subject: [PATCH 548/942] avcodec/pnm: Use ff_set_dimensions() Fixes: OOM Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1c0d1d906d27d3f9e1b058bb065f897f90c1c7c) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 1675959fbf..8b4a4ac292 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -110,8 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { 
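Review bot: `h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63;` makes an out-of-range qp delta wrap silently into 0..63 instead of being rejected; acceptable for a fuzz fix, but it deserves `/* unsigned: a corrupt delta wraps instead of UB; the mask keeps qp in range */`. If the intra path updates qp with the same `h->qp + get_se_golomb(...)` expression (not visible here), it needs the identical cast. decode_residual_inter starts and ends outside the hunk.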
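Review bot: The condition just above the new `ff_set_dimensions(avctx, w, h)` call still contains `av_image_check_size(w, h, 0, avctx)`, which, if ff_set_dimensions performs the same size validation internally (that is what makes it the fix for this OOM), is now a duplicate; it can stay as an early reject, but a comment should say which check is authoritative. The second hunk of this file repeats the pattern. ff_pnm_decode_header starts and ends outside the hunk.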
@@ -153,8 +156,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); From 9589a7f39175527df3817049cb6cb7cbe20f1520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 15:52:56 +0200 Subject: [PATCH 549/942] avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08cb69e870c1b2fdc3574780a3662b92bfd6ef79) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 85a4217fa8..da1af66dab 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) From a249250b3a882b8b637c547da01d2e58a9c89c9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:02:07 +0200 Subject: [PATCH 550/942] avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
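Review bot: `v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n];` shifts the unsigned product, so a negative m[i] now yields a logical shift of the wrapped value rather than the arithmetic shift the original performed; the ff_eval_refl change in the same file casts back with `(int)` before shifting. Unless m[i] is non-negative by construction (m[0] is computed elsewhere), `v[i] = (int)(ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n];` preserves the original sign behaviour. add_wav starts and ends outside the hunk.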
Signed-off-by: Michael Niedermayer (cherry picked from commit 6726328f7940a76c43b4d97ac37ababf363d042f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 64d6e2f064..c9561c5d2b 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -724,7 +724,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } From 9d8c59ce507a7bb3833695435b1cf5c6762441b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:18:23 +0200 Subject: [PATCH 551/942] avcodec/cinepak: Check input packet size before frame reallocation Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 58c26dc69c..7a7466204a 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; 
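Review bot: `next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256;` is correct only because 2^32 is a multiple of 256, so an unsigned wrap does not change the residue; that non-obvious fact belongs in a comment: `/* unsigned: wraps mod 2^32, a multiple of 256, so the result equals the spec's (next + delta + 256) % 256 */`. The spec bounds scaling_list_delta_coef to -128..127 as far as I recall; rejecting values outside that range with AVERROR_INVALIDDATA would be the stricter fix. scaling_list_data starts and ends outside the hunk.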
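Review bot: The hoisted `if (s->size < 10) return AVERROR_INVALIDDATA;` in cinepak_decode_frame should say why it sits before `ff_reget_buffer`, otherwise it looks like an arbitrary relocation of the check removed from cinepak_decode: `/* reject before ff_reget_buffer() so a stream of tiny packets cannot force a frame reallocation per packet */`. The same 10-byte minimum is what cinepak_decode reads in the first hunk (flags byte, 24-bit size, 16-bit strip count at offset 8), so a named constant shared by both would keep them in sync. Both functions continue outside the hunks.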
From ecc3fe3859f3f924eb9f841fd0cc5c42d9636a8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:53:02 +0200 Subject: [PATCH 552/942] avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 3bc345e797..9ce074d975 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -239,7 +239,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; From 2c3bcf6bf2381f214d834bf71eb5b79caac08e7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2017 18:48:37 +0200 Subject: [PATCH 553/942] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 9ce074d975..e55cd82595 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
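Review bot: The `else add = mid - base - 1;` branch directly below the changed line performs the same `mid - base` subtraction in signed arithmetic, so the overflow this commit fixes for the `get_bits1` branch remains reachable there unless mid and base are bounded earlier (not visible). `add = mid - (unsigned)base - 1;` would make both branches consistent. wv_get_value starts and ends outside the hunk.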
@@ -184,7 +184,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } From 3764e3a2c528def382193e64a6d602bd5772f756 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Jun 2017 22:31:02 +0200 Subject: [PATCH 554/942] avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9faf098163b33e7b0f5baafa3371ef5401f4105d) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 48b595adbd..01f6d1f076 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -942,7 +942,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) int stop = ps->border_position[e+1]; INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1); #if USE_FIXED - width <<= 1; + width = FFMIN(2U*width, INT_MAX); #endif b = k_to_i[k]; h[0][0] = H11[0][e][b]; From 641b38c9c8a2d8d1e3b94c5d38f2e790ccad990e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Jun 2017 14:47:16 +0200 Subject: [PATCH 555/942] avformat/options: log filename on open The loglevel is choosen so that the main filename and any images of multi image sequences are shown only at debug level to avoid clutter. This makes exploits in playlists more visible. As they would show accesses to private/sensitive files Signed-off-by: Michael Niedermayer (cherry picked from commit 53e0d5d7247548743e13c59c35e59fc2161e9582) 
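Review bot: `t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1));` with t2 up to 31 can add a value close to 2^31 to `t`, and since the other branch (`t += t2`, visible above) shows t is accumulated, the signed addition can still overflow even though the shift itself is now defined; whether t is bounded before this point is not visible. Accumulating in unsigned, or tightening the guard, would close that. A comment on the new check would help: `/* t2 is a bit count; 32 would shift the marker bit out of int */`. wv_get_value starts and ends outside the hunk.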
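Review bot: `width = FFMIN(2U*width, INT_MAX);` is a saturation whose reason is only clear if one knows `Q30(1.f) / 1` is 2^30 and doubling it overflows int; a comment would save the next reader the derivation: `/* width <= 2^30 (Q30(1)/1); doubling may overflow int, so saturate to INT_MAX */`. The FFMIN compares an unsigned with INT_MAX and assigns back to a signed INTFLOAT, which is fine because both operands are at most 2^31, but the comment should mention it. stereo_processing starts and ends outside the hunk.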
Signed-off-by: Michael Niedermayer --- libavformat/options.c | 12 ++++++++++++ libavformat/utils.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/options.c b/libavformat/options.c index 8fe0017196..9d5593e060 100644 --- a/libavformat/options.c +++ b/libavformat/options.c @@ -102,6 +102,18 @@ static const AVClass av_format_context_class = { static int io_open_default(AVFormatContext *s, AVIOContext **pb, const char *url, int flags, AVDictionary **options) { + int loglevel; + + if (!strcmp(url, s->filename) || + s->iformat && !strcmp(s->iformat->name, "image2") || + s->oformat && !strcmp(s->oformat->name, "image2") + ) { + loglevel = AV_LOG_DEBUG; + } else + loglevel = AV_LOG_INFO; + + av_log(s, loglevel, "Opening \'%s\' for %s\n", url, flags & AVIO_FLAG_WRITE ? "writing" : "reading"); + #if FF_API_OLD_OPEN_CALLBACKS FF_DISABLE_DEPRECATION_WARNINGS if (s->open_cb) diff --git a/libavformat/utils.c b/libavformat/utils.c index f90aeb20c1..eaad2a4b17 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -448,6 +448,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); if ((ret = init_input(s, filename, &tmp)) < 0) goto fail; s->probe_score = ret; @@ -477,7 +478,6 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* Allocate private data. */ if (s->iformat->priv_data_size > 0) { From 06f69315293b8c74679bc9a52f21cce7a323cca5 Mon Sep 17 00:00:00 2001 
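Review bot: The condition `!strcmp(url, s->filename) || s->iformat && !strcmp(...) || s->oformat && !strcmp(...)` nests `&&` inside `||` without parentheses, which compilers flag with -Wparentheses and which is easy to misread; `(s->iformat && !strcmp(s->iformat->name, "image2")) ||` on each line makes the intent explicit. The `url` logged here can come straight from an attacker-controlled playlist (that is the point of the commit), so the log relies on av_log sanitizing control characters; if that is not guaranteed on this branch, terminal escape sequences in a URL would reach the console. io_open_default continues outside the hunk.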
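Review bot: Moving `av_strlcpy(s->filename, ...)` before `init_input()` is load-bearing for the io_open_default log in this same commit, which compares `url` against `s->filename` to choose a log level, but the utils.c side says nothing about it. Suggest `/* set before init_input() so io_open_default() can tell the main file from files a demuxer opens on its own */` above the moved line. avformat_open_input continues outside both hunks.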
From: Michael Niedermayer Date: Sun, 4 Jun 2017 13:02:51 +0200 Subject: [PATCH 556/942] avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 6416da436e..c5b1d50a13 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -69,7 +69,7 @@ static void scale_coefs ( int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; i Date: Sun, 4 Jun 2017 13:38:02 +0200 Subject: [PATCH 557/942] avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index cab3129f8f..1618a3e7c3 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c 
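Review bot: `shift = 4 - (sign_extend(dynrng, 9) >> 5);` is a faithful rewrite of `(dynrng << 23) >> 28` (sign-extend the low 9 bits, keep the top 4), but the magic 9 and 5 describe the field layout and deserve a comment: `/* dynrng: 9-bit signed value, low 5 bits are the mantissa (see mul above), upper 4 the exponent */`. That the field is 9 bits is inferred from the old shift amounts, not visible here. The hunk's trailing context is truncated in this rendering (`for (i=0; i` runs into the next patch header), so the rest of the loop could not be reviewed; scale_coefs continues outside the hunk.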
@@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], From e0d1be3539790ecc2116ccc43f0ed2a524e46674 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 15:41:18 +0200 Subject: [PATCH 558/942] avcodec/dxv: Check remaining bytes in dxv_decompress_raw() Fixes: Timeout Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb5049227033d946add93c0714bb8a28d94166f1) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 05a9aadd24..f194b134b5 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -331,6 +331,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx) DXVContext *ctx = avctx->priv_data; GetByteContext *gbc = &ctx->gbc; + if (bytestream2_get_bytes_left(gbc) < ctx->tex_size) + return AVERROR_INVALIDDATA; + bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size); return 0; } From af85f35d2ce86fed041b80ec5d0b305c5768582c Mon Sep 17 00:00:00 2001 
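Review bot: The new `(code & 0xF) > 4` guard is now the only thing between untrusted input and the `av_assert0(0)` that the second hunk puts in the switch's default case, so every low-nibble value from 0 to 4 must have a case in the switch (which lies between the two hunks and is not visible here); a value with no case would abort the process instead of returning AVERROR_INVALIDDATA. Patch 567/942 further down this page adds `(code & 0xF) == 3` for exactly this reason, which suggests listing the implemented modes positively rather than by exclusion. At minimum add a comment on the guard, e.g. `/* low nibble selects the decode mode; only modes handled by the switch below may pass, default: is an assertion */`, so the two places stay in sync.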
From: Michael Niedermayer Date: Sun, 4 Jun 2017 17:06:27 +0200 Subject: [PATCH 559/942] avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index c9561c5d2b..73b9f0c364 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -169,6 +169,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) From 1065957f7b05e6242e2ff5b5654e12994775c284 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 20:45:09 +0200 Subject: [PATCH 560/942] avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 6019d721d4c10bf73018d68511d9d0a914c0a389) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index b4fce57906..df610b7b3b 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h 
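Review bot: The bound check on `k` sits after the loops that compute it, so any `rps->used[k]` stores made inside those loops (outside the hunk) are protected only indirectly — by the referenced RPS having already passed this same check, which caps the iteration count. That invariant is worth stating next to the check, e.g. `/* k may be one past the referenced set's num_delta_pocs here; rejecting it also keeps the loops above in bounds for any RPS predicted from this one */`. The message could also name the limit: `"Invalid num_delta_pocs: %d (max %d)\n", k, (int)FF_ARRAY_ELEMS(rps->used) - 1`. ff_hevc_decode_short_term_rps's body starts and ends outside the hunk.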
@@ -157,8 +157,10 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ //FIXME log, exp, pow /** - * Converts a mantisse and exponent to a SoftFloat - * @returns a SoftFloat with value v * 2^frac_bits + * Converts a mantisse and exponent to a SoftFloat. + * This converts a fixed point value v with frac_bits fractional bits to a + * SoftFloat. + * @returns a SoftFloat with value v * 2^-frac_bits */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; From c4a3020c1ba367632fb295fcfe35fdea773ba57e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 21:37:47 +0200 Subject: [PATCH 561/942] avcodec/qdrw: Fix null pointer dereference The RGB555 PACKBITSRGN case tries to read a palette, if such palette is actually stored then it accesses a null pointer. All 16bit samples i could find use DIRECTBITSRGN. Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 46b865ea9f86cbd12e1bf701913263c7932cccb0) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 0a31b41660..a7ea45fced 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -55,6 +55,8 @@ static int parse_palette(AVCodecContext *avctx, GetByteContext *gbc, bytestream2_skip(gbc, 6); continue; } + if (avctx->pix_fmt != AV_PIX_FMT_PAL8) + return AVERROR_INVALIDDATA; r = bytestream2_get_byte(gbc); bytestream2_skip(gbc, 1); g = bytestream2_get_byte(gbc); 
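Review bot: The reworded doc comment still spells `mantisse`; since the hunk already rewrites that line, make it `* Converts a mantissa and exponent to a SoftFloat.`. The corrected `@returns a SoftFloat with value v * 2^-frac_bits` matches the added sentence describing v as a fixed-point value with frac_bits fractional bits, so the fix itself is consistent.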
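Review bot: The new `avctx->pix_fmt != AV_PIX_FMT_PAL8` test appears to sit inside parse_palette's per-entry loop (the `continue` directly above it and the loop header outside the hunk suggest so), so it is re-evaluated for every colour although pix_fmt cannot change between iterations. Hoisting it before the loop states the intent once — `/* a palette is only meaningful for PAL8 output; other formats have no data[1] to write to */` — and rejects the packet before any entry is read. The second hunk correctly makes decode_frame consume the new error return.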
@@ -227,7 +229,9 @@ static int decode_frame(AVCodecContext *avctx, if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; - parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + if (ret < 0) + return ret; p->palette_has_changed = 1; /* jump to image data */ From bb1014279d865597c281c651c9d78dfb56ca2742 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 3 Jun 2017 21:20:04 +0200 Subject: [PATCH 562/942] avformat/hls: Check local file extensions This reduces the attack surface of local file-system information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still possible. But files with sensitive information like private keys and passwords generally do not use common multimedia filename extensions. It does not stop leaks via remote addresses in the LAN. The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information. Or to disable hls or possibly some of its feature. More complex solutions like checking the path to limit access to only subdirectories of the hls path may work as an alternative. But such solutions are fragile and tricky to implement portably and would not stop every possible attack nor would they work with all valid hls files. Developers have expressed their dislike / objected to disabling hls by default as well as disabling hls with local files. There also were objections against restricting remote url file extensions. This here is a less robust but also lower inconvenience solution. It can be applied stand alone or together with other solutions. limiting the check to local files was suggested by nevcairiel This recommits the security fix without the author name joke which was originally requested by Nicolas. Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021) 
Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index fc1ff38e05..8de93a59d5 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -200,6 +200,7 @@ typedef struct HLSContext { char *http_proxy; ///< holds the address of the HTTP proxy server AVDictionary *avio_opts; int strict_std_compliance; + char *allowed_extensions; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -625,8 +626,19 @@ static int open_url(HLSContext *c, URLContext **uc, const char *url, AVDictionar return AVERROR_INVALIDDATA; // only http(s) & file are allowed - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(c, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else return AVERROR_INVALIDDATA; + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') ; else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) 
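Review bot: `strcmp(c->allowed_extensions, "ALL")` dereferences the option string unconditionally; if a caller can clear the AV_OPT_TYPE_STRING option to NULL (not visible here, but worth confirming against the option code), this becomes a NULL dereference on a path reached with untrusted playlists. Treating NULL as "nothing allowed" keeps the fail-closed behaviour: `if (!c->allowed_extensions || (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)))`. The empty `} else if (av_strstart(proto_name, "http", NULL)) { ; }` branch reads as a placeholder; a comment such as `/* http(s): allowed without an extension check */` documents why local and remote URLs are treated differently. open_url's body continues outside the hunk.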
@@ -2005,6 +2017,10 @@ static int hls_probe(AVProbeData *p) static const AVOption hls_options[] = { {"live_start_index", "segment index to start live streams at (negative values are from the end)", OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, {NULL} }; From 49b744631768c828d57d6bbb6b57df9e70ec59a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 19:33:56 +0200 Subject: [PATCH 563/942] avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 0bbf975a80..9a4a03ef30 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -538,8 +538,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } From d37559993fe50ef77a6f1c94df977ec7de9b9ec8 Mon Sep 17 00:00:00 2001 
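Review bot: The help text `"List of file extensions that hls is allowed to access"` does not tell users what open_url actually enforces: the list applies only to file: URLs, and the special value ALL — which the error message sends them to — disables the check. Suggest `"List of file extensions that hls is allowed to access (local files only; 'ALL' disables the check)"` so the option is understandable without reading the source.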
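Review bot: Widening only `den` to int64_t makes `(src->x * distp) * den` safe, but `src->x * distp` is still evaluated in int before the widening because `*` associates left to right; that is fine only if src->x and distp are both known to be small (src->x looks like a narrow vector component, but its type is outside the hunk). Either make the intent explicit, `int64_t den = ...; /* int64: src->x * distp fits an int, the product with den does not */`, or widen earlier with `(int64_t)src->x * distp * den` so the whole expression is 64-bit regardless of the operand types.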
From: Michael Niedermayer Date: Mon, 5 Jun 2017 20:39:21 +0200 Subject: [PATCH 564/942] avcodec/tiff: Avoid loosing allocated geotag values Fixes memleak Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index dac406862d..c46f771565 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1122,6 +1122,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); From b6b70060ba5b3806087dee3371cb2fcb7b4910b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 22:23:15 +0200 Subject: [PATCH 565/942] avcodec/mjpegdec: Check that reference frame matches the current frame Fixes: out of array read Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index b23b5d2d70..3b9e47f47e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
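Review bot: The new duplicate-value check returns AVERROR_INVALIDDATA silently, while the neighbouring rejection logs a reason, and patch 574/942 further down this page handles the same duplicate condition on the doubles path with `av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key);`. Emitting the same diagnostic here keeps the two paths consistent and tells users why a file was rejected. A comment would also record what the check protects: `/* val already allocated for this key: a second value would leak the first */`. tiff_decode_tag's body continues outside the hunk.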
@@ -1469,6 +1469,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); From 0ed96055f42438ea09934c689e6cc3c1a87dd01d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:01:16 +0200 Subject: [PATCH 566/942] avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index b0cbba0e0e..31a6378805 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -851,7 +851,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] *= 1 << s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -893,7 +893,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] *= 1 << 8; + samples[i] *= 1U << 8; } break; } From a3b9a5c4c42cf01290333ace5b87eb585000532b Mon Sep 17 00:00:00 2001 
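Review bot: `decoded[i] *= 1U << s->sample_shift[chan]` silences the signed-overflow report by doing the multiply in unsigned and converting back, which only reads as intentional with a comment, e.g. `/* unsigned multiply: out-of-range products wrap instead of being UB */`. `1U << s->sample_shift[chan]` is itself undefined if sample_shift can reach 32 or more; whether the header parser bounds it is not visible in this hunk, so that is worth confirming. The second hunk (`samples[i] *= 1U << 8;`) is the same pattern with a constant shift and needs only the comment.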
From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:21:37 +0200 Subject: [PATCH 567/942] avcodec/pafvideo: Fix assertion failure Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 1618a3e7c3..91bfe16376 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -273,7 +273,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); - if ((code & 0xF) > 4) { + if ((code & 0xF) > 4 || (code & 0xF) == 3) { avpriv_request_sample(avctx, "unknown/invalid code"); return AVERROR_INVALIDDATA; } From 3ca6d2645880ae3521b4582e5e14c74c1f127be6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:28:57 +0200 Subject: [PATCH 568/942] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 18bca25adbae9d010d75f9fc197c0af656af758d) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 77ef7465d7..bfa00c9e70 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
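Review bot: `(code & 0xF) > 4 || (code & 0xF) == 3` encodes the set of implemented modes by exclusion, which is fragile: any mode later added to or removed from the switch (outside the hunk) must be mirrored here, or the `av_assert0(0)` in the default case becomes reachable from the bitstream again. A positive form is easier to keep in sync, e.g. a comment `/* modes 0, 1, 2 and 4 are implemented by the switch below; anything else must be rejected here, not in default: */` or a small switch on the nibble. paf_video_decode's body starts and ends outside the hunk.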
@@ -2323,7 +2323,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (s->pict_type != AV_PICTURE_TYPE_B) { s->last_time_base = s->time_base; s->time_base += time_incr; - s->time = s->time_base * s->avctx->framerate.num + time_increment; + s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment; if (s->workaround_bugs & FF_BUG_UMP4) { if (s->time < s->last_non_b_time) { /* header is not mpeg-4-compatible, broken encoder, @@ -2335,7 +2335,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) s->pp_time = s->time - s->last_non_b_time; s->last_non_b_time = s->time; } else { - s->time = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment; + s->time = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment; s->pb_time = s->pp_time - (s->last_non_b_time - s->time); if (s->pp_time <= s->pb_time || s->pp_time <= s->pp_time - s->pb_time || From 968036dbf97f3d8c7a70a1072a2a4e4af035fdce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:44:32 +0200 Subject: [PATCH 569/942] avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index c5b1d50a13..56b62548ec 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,7 +65,7 @@ static void scale_coefs ( int len) { int i, shift, round; - int16_t mul; + unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; 
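Review bot: The cast widens the multiplication, but the accumulation directly above it, `s->time_base += time_incr;`, still happens in time_base's own type (not visible here); if time_incr comes from the bitstream and time_base is an int, that addition can overflow before the fixed line is reached. Worth checking that time_incr is bounded upstream, or widening time_base itself. The second hunk (`(s->last_time_base + time_incr) * (int64_t)…`) has the same shape and is covered by the same observation.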
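Review bot: Changing `mul` from int16_t to unsigned makes every product with `mul` in scale_coefs (outside the hunk) an unsigned multiply, which is what removes the UB but is invisible at the use sites; a comment on the declaration records it: `unsigned mul; /* unsigned: coefficient * mul may exceed INT_MAX, wrap is intended */`. Since `mul = (dynrng & 0x1f) + 0x20` caps it at 0x3f, no other consequence follows from the wider type.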
From 2dcae36de1b85f8054a77c3b82f5640c7f10f384 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:58:47 +0200 Subject: [PATCH 570/942] avcodec/indeo4: Check remaining data in Pic hdr extension parsing code Fixes: Timeout Fixes: 2115/clusterfuzz-testcase-minimized-6594111748440064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3b5b60bdf451faefeeec07c4e684a251968bf2d) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 0065b52c75..1bf402551b 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -246,6 +246,8 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) /* skip picture header extension if any */ while (get_bits1(&ctx->gb)) { ff_dlog(avctx, "Pic hdr extension encountered!\n"); + if (get_bits_left(&ctx->gb) < 10) + return AVERROR_INVALIDDATA; skip_bits(&ctx->gb, 8); } From 72b8c6c645da6580b1ddb0a79d061d2069347dd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 18:45:08 +0200 Subject: [PATCH 571/942] avcodec/cfhd: Check band parameters before storing them Fixes out of array read Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 196647f3ee..2408dca385 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
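Review bot: The threshold `get_bits_left(&ctx->gb) < 10` does not obviously follow from what each iteration consumes: 8 bits are skipped and then one flag bit is read by the `while (get_bits1(&ctx->gb))` condition, i.e. 9. Either use 9 or state the reason for 10 in a comment, `/* 8 extension bits + the next extension flag, with margin */`. The placement inside the loop is right, since it is the repeated skip on an exhausted reader that produced the reported timeout.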
@@ -309,22 +309,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->prescale_shift[2] = (data >> 6) & 0x7; av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data); } else if (tag == 27) { - s->plane[s->channel_num].band[0][0].width = data; - s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].width = data; + s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { - s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].height = data; } else if (tag == 1) av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data); else if (tag == 10) { 
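Review bot: In the `tag == 28` branch the upper bound compares `data` against `s->plane[s->channel_num].band[0][0].height`, while the `tag == 27` branch right above compares against `a_width`. Before this patch the test was effectively `data > data` (always false); after moving the store below the check it compares against whatever height was stored on a previous pass, which is still not the allocated size. It most likely should use the allocated-height counterpart of `a_width`, if the band struct has one; at minimum a comment is needed, because the asymmetry with the width branch looks deliberate. cfhd_decode's body continues outside the hunk.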
@@ -355,39 +355,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2); } } else if (tag == 41) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 42) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 49) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 50) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 71) { s->codebook = data; av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", 
s->codebook); From 3784d34c3bdf3f378d5a116b6d4720df6d4ce2d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 19:43:25 +0200 Subject: [PATCH 572/942] avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 6f0961ce96..0ef7797a85 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -275,10 +275,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -327,6 +331,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; 
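Review bot: The highpass branches (tags 41, 42, 49, 50) now store after the check, but the check only enforces `data < 3`; unlike the lowpass width branch in the first hunk there is no upper bound against an allocated band size, so an oversized width, `FFALIGN(data, 8)` stride or height is still accepted and stored. If the band struct carries allocated dimensions for the highpass bands, compare against them here; otherwise a comment should say where the upper bound is enforced. Tags 41/49 and 42/50 are now four copies of the same block, and a small static helper would keep them from drifting apart.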
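Review bot: After `line_packets = -line_packets;` the new `line_packets > s->avctx->height` test permits a skip of up to height lines from an arbitrary current y_ptr, so `y_ptr += line_packets * s->frame->linesize[0]` can still land past the frame; the `y_ptr > pixel_limit` test catches that only on the next iteration, before the next read — an ordering worth a comment, `/* y_ptr is re-validated at the top of the loop before any pixel is written */`. Whether `>` or `>=` is right against pixel_limit depends on how it is defined outside the hunk; if it is height * linesize, equality already means one row past the end. The 15/16BPP hunk (@@ -561) repeats both checks verbatim; a shared static helper would keep them in sync.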
@@ -561,9 +567,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; From e7f8984f990b4fa3a965da9b4db6c7ff8a1e36af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 00:45:20 +0200 Subject: [PATCH 573/942] avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index da1af66dab..67f0e84469 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1601,7 +1601,7 @@ void ff_eval_coefs(int *coefs, const int *refl) b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } From 91da2f8ebb8264317ef61611c9ca8eed83fc128a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 01:05:26 +0200 Subject: [PATCH 574/942] avcodec/tiff: Fix leak of geotags[].val Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e) 
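Review bot: `(int)(refl[i] * (unsigned)b2[i-j-1])` relies on two things the code does not say: unsigned wrap instead of signed overflow, and conversion of an out-of-range unsigned back to int, which C11 leaves implementation-defined (two's complement on every FFmpeg target). A one-line comment on the loop, `/* unsigned multiply: wraps on overflow instead of UB; truncation to int is deliberate */`, keeps the next fuzzer-driven edit from "fixing" it back. ff_eval_coefs's body starts and ends outside the hunk.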
Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c46f771565..d026a5bd98 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1096,6 +1096,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { From f3be926246b6df3851583d0d74d521622c82d806 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:32:35 +0200 Subject: [PATCH 575/942] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 Fixes: 2195/clusterfuzz-testcase-minimized-4736721533009920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d499ecef9c2467772b6066176ffda0b7ab27cc2) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 43e4c1ebe6..95f171dad9 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -389,7 +389,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp << shift; + dest[group * 128 + k] += tmp * (1 << shift); } } } From e8c87c21c0cc07689bc86ad34f4a21774112093d Mon Sep 17 00:00:00 2001 
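Review bot: `tmp * (1 << shift)` removes the left-shift-of-negative UB, but a signed multiply whose result exceeds INT_MAX is still UB; unless tmp and shift are bounded (neither bound is visible here), do the multiply unsigned, `dest[group * 128 + k] += tmp * (1U << shift);`, as the takdec hunk earlier on this page does, or record the bound in a comment. apply_dependent_coupling_fixed's body starts outside the hunk.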
From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:34:54 +0200 Subject: [PATCH 576/942] avcodec/snowdec: Fix runtime error: left shift of negative value -1 Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 022e9693c7..7d6d7ff44f 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -586,7 +586,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; x Date: Sun, 11 Jun 2017 20:19:59 +0200 Subject: [PATCH 577/942] avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index a1b46d5bd7..c71006112a 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values From 0f59d5a6e0a84e8be6fc4351c6db7eb71f25371e Mon Sep 17 00:00:00 2001 
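Review bot: Making `bitrate_acc` and `bitrate_delta` unsigned changes the meaning of every comparison, right shift and conversion that touches them in the decoder, none of which is in this hunk; a `< 0` test or a `>> n` on bitrate_acc behaves differently now, so the uses need a pass. A comment on the field records why its type differs from its neighbours `slow_level, error_limit`: `unsigned bitrate_acc, bitrate_delta; /* unsigned: the accumulator wraps by design */`.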
From: Michael Niedermayer Date: Sun, 11 Jun 2017 20:28:46 +0200 Subject: [PATCH 578/942] avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 Fixes: 2208/clusterfuzz-testcase-minimized-5976593765761024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d24043e1a2f93f206a2ad59054f24f45ff023e5c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index a46c93a9b2..2bb245d25b 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] <<= I_PRESHIFT; + data[i] *= 1 << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], From 3db46e6447f191622a9219a7f14a81234274c5df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jun 2017 13:28:23 +0200 Subject: [PATCH 579/942] avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible Fixes: 1775/clusterfuzz-testcase-minimized-5330288148217856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d549f026d8b64b879c3ce3b8c7d153c82aa5eb52) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 924da83c85..f42708a8a7 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c 
@@ -242,7 +242,7 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], } } -static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], +static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], const SoftFloat *s_m, const SoftFloat *q_filt, int noise, @@ -260,7 +260,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int shift, round; shift = 22 - s_m[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); y0 += (s_m[m].mant * phi_sign0 + round) >> shift; y1 += (s_m[m].mant * phi_sign1 + round) >> shift; @@ -270,7 +273,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int64_t accu; shift = 22 - q_filt[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); accu = (int64_t)q_filt[m].mant * ff_sbr_noise_table_fixed[noise][0]; @@ -286,6 +292,7 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], Y[m][1] = y1; phi_sign1 = -phi_sign1; } + return 0; } #include "sbrdsp_template.c" From 5a35ac54358de40db0cf2b2393b0146e616ba233 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jun 2017 16:25:59 +0200 Subject: [PATCH 580/942] avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() Fixes: runtime error: shift exponent -10 is negative Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1992448d37f7cfa2acda5cc729dc0ff1b019390) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 01f81afaaa..1f5ff410d1 100644 --- a/libavcodec/aacsbr_fixed.c 
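Review bot: `sbr_hf_apply_noise` now returns `AVERROR(ERANGE)`, but only libavcodec/sbrdsp_fixed.c is in this commit, so the callers that come in through `#include "sbrdsp_template.c"` are presumably still treating it as void and the error is dropped; unless they are updated to propagate the return value, this check only logs. The two new `av_log(NULL, ...)` calls also lose the decoder context; the function has no context parameter, so either thread one through or note why NULL is acceptable. When the error path is taken after some iterations, `Y[]` has already been partially updated, which is worth stating in a comment next to the `return AVERROR(ERANGE);`.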
+++ b/libavcodec/aacsbr_fixed.c @@ -575,22 +575,30 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { + int shift2; shift = 22 - in[m ].exp; + shift2= 22 - in[m+1].exp; + if (shift < 1 || shift2 < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2); + return; + } if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } - shift = 22 - in[m+1].exp; - if (shift < 32) { - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + if (shift2 < 32) { + round = 1 << (shift2-1); + out[2*m+2] += (in[m+1].mant * B + round) >> shift2; } } if(m_max&1) { shift = 22 - in[m ].exp; - if (shift < 32) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift); + return; + } else if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } From 301791a2bd0ff44df5f5ffbdd740aa66b54a23d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:49:23 +0200 Subject: [PATCH 581/942] avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int' Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 40 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index bfa00c9e70..2518baa7b8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
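Review bot: `sbr_hf_assemble` is `void`, so the two new `return` statements abandon the assembly with `out[]` only partly accumulated and give the caller no way to notice; the companion fix to `sbr_hf_apply_noise` in the previous commit returns an error code, and this function should do the same (or at least zero the remainder) rather than silently emitting a half-built frame. The `av_log(NULL, ...)` calls drop the codec context here too. A short comment on the new checks, `/* shift = 22 - exp, so exp > 21 would need a negative shift: treat as corrupt input */`, would explain the `< 1` bound. The function begins before the hunk.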
@@ -284,26 +284,26 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * 
sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); From ea5603ff3a55b593669f4b0d21682c918fd3dc3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:55:17 +0200 Subject: [PATCH 582/942] avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int' Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 2518baa7b8..d51bdc84e1 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
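Review bot: The right-hand sides are now evaluated in `int64_t`, but the result is still stored into `sprite_offset[..][..]`, which the next commit compares with `FFABS(sprite_offset[0][i]) >= INT_MAX >> shift_y`, suggesting it remains an `int` array; if so the widened value is silently narrowed on assignment and the overflow only moves from the expression to the store. Either widen the array or range-check the `int64_t` value before storing it. The `(1 << alpha + rho)` and `(1 << (alpha + rho + 1))` terms are also still `int` shifts, and `2 * w2 * r` is still multiplied in `int` before the `(int64_t)` cast reaches it; whether `alpha`, `rho`, `w2` and `r` are bounded tightly enough is not visible here. The same narrowing question applies to the `virtual_ref` assignments in the later mpeg4videodec hunk (`@@ -243,18 +243,18 @@`) of this series. The `case 2:` body continues outside the hunk.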
@@ -361,14 +361,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0 || - FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c - ) { - avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - goto overflow; + for (i = 0; i < 2; i++) { + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } } for (i = 0; i < 2; i++) { From 7c82082ac8d4bc011b22d6fa43e96d43fab0c519 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:26:01 +0200 Subject: [PATCH 583/942] avcodec/hevc_refs: Check nb_refs in add_candidate_ref() Fixes: runtime error: index 16 out of bounds for type 'int [16]' Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 611ad458de..df52e401ad 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -438,7 +438,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { 
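Review bot: The two `s->sprite_delta[1][i]` comparisons use `shift_y` while `sprite_offset[1][i]` uses `shift_c`; if the first index of `sprite_delta` is the matrix row rather than the luma/chroma plane this is intended, but it reads like a copy-paste slip and deserves a comment such as `/* both sprite_delta rows are luma-scaled; only sprite_offset[1] is chroma */`. `shift_c < 0 || shift_y < 0` does not depend on `i` and can be tested once before the loop. `FFABS()` of an `INT_MIN` offset or delta is itself undefined; if the earlier int64 computation can produce that value after narrowing, it should be rejected before this point.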
From f19152559f5fe60498b145e34cfb5eaac7d8bc24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:28:28 +0200 Subject: [PATCH 584/942] avcodec/hevcdec: Check nb_sps Signed-off-by: Michael Niedermayer (cherry picked from commit bc406744620710911de9157eafa3e61d0246566f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 0e849b81c6..0549133ab9 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -246,6 +246,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; From 23d02b44655774de30aaead4ec5237f281ecbaea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 23:26:18 +0200 Subject: [PATCH 585/942] avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2231/clusterfuzz-testcase-minimized-4565181982048256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3fadc57c5c170f31455abacbcbd67115d7321d7) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index 873e4505ec..8a022ad918 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -215,7 +215,7 @@ typedef struct Jpeg2000Component { /* misc tools */ static inline int ff_jpeg2000_ceildivpow2(int a, int b) { - return -(((int64_t)(-a)) >> b); + return -((-(int64_t)a) >> b); } static inline int ff_jpeg2000_ceildiv(int a, int b) 
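Review bot: `ff_jpeg2000_ceildivpow2` now negates in `int64_t`, which fixes `-INT_MIN`, but the result is still narrowed back to `int` on return and the right shift of a negative `int64_t` relies on arithmetic shift (implementation-defined, though universal in practice); neither is stated. A one-line comment would make the contract explicit, e.g. `/* ceil(a / 2^b) for 0 <= b < 63, via arithmetic right shift of the negated value; caller keeps the result in int range */`.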
From a5feb7e9bd4742f3790e7cff691164899bc0e5c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 23:41:46 +0200 Subject: [PATCH 586/942] avcodec/truemotion2: Move skip computation after checks Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int' Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e6ae05f1d5..a463a925fd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); - skip = len * 4 + 4; if (len == 0) return 4; - if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) { + if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return AVERROR_INVALIDDATA; } + skip = len * 4 + 4; toks = bytestream2_get_be32(&gb); if (toks & 1) { From 79393f4fb140fa026a72373fd62c847cdc0f3fe7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jun 2017 02:16:54 +0200 Subject: [PATCH 587/942] avcodec/shorten: Sanity check maxnlpc Fixes OOM Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) 
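Review bot: The fix relies on `||` short-circuiting: `len * 4 + 4` is only evaluated after `len >= INT_MAX / 4 - 1 || len < 0` has excluded the overflowing range, so the order of the three tests is load-bearing and a later reordering would reintroduce the overflow. A comment on the condition, `/* order matters: len * 4 + 4 is only safe once len is known to be in range */`, would protect it. `tm2_read_stream` begins before the hunk.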
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 32f808beb4..e4bf2e0035 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -369,6 +369,10 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); From e8555274b93ad666c28e7a81a1316f0cf65a3a05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jun 2017 19:57:08 +0200 Subject: [PATCH 588/942] avcodec/jpeg2000dec: Check nonzerobits more completely Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int' Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 1dcaf13147..28b5e087e8 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -960,9 +960,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; From 59d40e2d6802b3aa145e8f512bebefc2d6dccf4b Mon Sep 17 00:00:00 2001 
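Review bot: `maxnlpc > 1024U` introduces an undocumented magic bound; nothing in the hunk says whether 1024 is a format limit or a sanity cap chosen to bound the allocation the commit message mentions, so a named constant or a comment such as `/* sanity cap on the LPC order; bounds the later allocation */` should accompany it. The log prints `maxnlpc` with `%d` while the comparison is unsigned; if `maxnlpc` is `int` a negative value is correctly rejected and printed as negative, otherwise `%u` is the right specifier. The jpeg2000dec hunk later on this line has the same gap with `v > 30`: the bound presumably exists because `v` is later used as a shift count on a 32-bit `int`, and that should be said next to the check.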
From: Michael Niedermayer Date: Sat, 17 Jun 2017 00:34:08 +0200 Subject: [PATCH 589/942] avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int' Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1edbf5e20c75f06d6987bc823e63aa4e649ccddd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 0549133ab9..2046267336 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -271,12 +271,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } From fce334274bf5df2fce4fa3db958a936b5ad44e75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 14:54:19 +0200 Subject: [PATCH 590/942] avcodec/hevcpred_template: Fix left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2250/clusterfuzz-testcase-minimized-5693382112313344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c94326c1fc2fb5719c6f28fe1b95c0c74417998b) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
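Review bot: `poc = rps->poc[i] + s->poc - delta * max_poc_lsb - ...` evaluates left to right, so `rps->poc[i] + s->poc` is still added in `int` before the `int64_t` term enters the expression; that is exactly the `2147483647 + 6` shape in the commit message, and it is only safe if both operands are known to be small here. Writing `poc = (int64_t)rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb;` removes the remaining `int` addition. `prev_delta_msb = delta` also stores an `int64_t` into `prev_delta_msb`, whose declaration is outside the hunk; if it is still `int` the value is narrowed. The function begins before the hunk.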
diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6ae87cca13..6fe33546b1 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -35,7 +35,7 @@ static av_always_inline void FUNC(intra_pred)(HEVCContext *s, int x0, int y0, #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ From e46f8c96d0c2964687a7da39cabdcc8e5d36dda2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 15:06:21 +0200 Subject: [PATCH 591/942] avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows Fixes: runtime error: signed integer overflow: 58065 * 51981 cannot be represented in type 'int' Fixes: 2271/clusterfuzz-testcase-minimized-5778297776504832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c746f92a8e03d5a062359fba836eba4b3530687e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index d183cbb87d..c746aed924 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c 
@@ -64,10 +64,10 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + (((i_ict_params[0] * *src2) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (((i_ict_params[3] * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; From d5abcaacb396ce379bb1e902d2582a7fc6ba2085 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2017 14:37:19 +0200 Subject: [PATCH 592/942] avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int' Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27c20068054d8c6786833234f7b6db19f1e98362) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 31a6378805..5797af9988 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -878,7 +878,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: From 48ab5a4dc0034f7a1b7c2da85e9615cfd3fb3d41 Mon Sep 17 00:00:00 2001 
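Review bot: The rewrite replaces `i_ict_params[0]` and `i_ict_params[3]` with the bare literals `26345` and `-14942` plus an extra `*src2` / `2 * *src1` term, so the relation to the table the `i1` line still uses is lost; presumably `i_ict_params[0] == 65536 + 26345` and `i_ict_params[3] == 2 * 65536 - 14942` (the 1.402 and 1.772 ICT coefficients in 16.16 fixed point, split so the product stays below 2^31), and that should be written down. Suggested: `/* 1.402 = 1 + 26345/65536 and 1.772 = 2 - 14942/65536: the integer part is added directly so the 16.16 multiply cannot overflow int */`. The `i1` line keeps multiplying `i_ict_params[1]` and `[2]` by `*src1` / `*src2` in `int`; if those inputs have the same range as the ones that overflowed, they need the same treatment.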
From: Anton Mitrofanov Date: Wed, 31 May 2017 02:37:41 +0300 Subject: [PATCH 593/942] avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 Use the correct ctxIdxInc calculation for coded_block_flag. Keep old behavior for old versions of x264 for backward compatibility. Signed-off-by: Ronald S. Bultje (cherry picked from commit 840b41b2a643fc8f0617c0370125a19c02c6b586) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 47 +++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 4adbbde8b7..202e988959 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
@@ -2343,21 +2343,40 @@ decode_intra_mb: if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = sl->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(sl->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(sl->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (sl->top_type && !IS_8x8DCT(sl->top_type)){ - uint32_t top_empty = CABAC(h) && !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; From 273e87be3b24738a837b1854d11a47f2954e96f2 Mon Sep 17 00:00:00 2001 
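Review bot: The two branches of `if (h->x264_build < 151U)` duplicate the whole left/top loop and differ only in the value written (`IS_INTRA(mb_type)` versus `IS_INTRA_PCM(<neighbour type>)`); computing that value per neighbour and keeping one copy of the cache writes would halve the hunk and keep the two paths from drifting apart. The literal `151` is a magic x264 build number that also appears in the h264_mb.c hunk of the next commit (`@@ -638,7 +638,7 @@`); a shared named constant with a comment on what changed in that build would document the compatibility cut-off, and the unsigned comparison means an unknown encoder (`x264_build == -1`, if that is still the sentinel) deliberately takes the corrected path, which is worth a comment too. `decode_intra_mb` continues on both sides of the hunk.
```c
if (CHROMA444(h) && IS_8x8DCT(mb_type)){
    int i;
    uint8_t *nnz_cache = sl->non_zero_count_cache;
    /* x264 builds before 151 derived the coded_block_flag context from the
     * current MB being intra; the corrected rule looks at whether the
     * neighbour itself is I_PCM. An unknown build takes the corrected path. */
    const int old_x264 = h->x264_build < 151U;
    for (i = 0; i < 2; i++){
        if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) {
            int left_empty = (old_x264 ? IS_INTRA(mb_type)
                                       : IS_INTRA_PCM(sl->left_type[LEFT(i)])) ? 64 : 0;
            nnz_cache[3+8* 1 + 2*8*i]=
            nnz_cache[3+8* 2 + 2*8*i]=
            nnz_cache[3+8* 6 + 2*8*i]=
            nnz_cache[3+8* 7 + 2*8*i]=
            nnz_cache[3+8*11 + 2*8*i]=
            nnz_cache[3+8*12 + 2*8*i]= left_empty;
        }
    }
    if (sl->top_type && !IS_8x8DCT(sl->top_type)){
        uint32_t top_empty = (old_x264 ? IS_INTRA(mb_type)
                                       : IS_INTRA_PCM(sl->top_type)) ? 0x40404040 : 0;
        AV_WN32A(&nnz_cache[4+8* 0], top_empty);
        AV_WN32A(&nnz_cache[4+8* 5], top_empty);
        AV_WN32A(&nnz_cache[4+8*10], top_empty);
    }
}
```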
From: Anton Mitrofanov Date: Tue, 13 Jun 2017 23:37:29 +0300 Subject: [PATCH 594/942] avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 Signed-off-by: Ronald S. Bultje (cherry picked from commit 06dda70f1e7c69a3b1684af5e6930431c62c527a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 8302de040e..f9b8287c2e 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -638,7 +638,7 @@ static av_always_inline void hl_decode_mb_predict_luma(const H264Context *h, uint8_t *const ptr = dest_y + block_offset[i]; const int dir = sl->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->sps.profile_idc == 244 && dir <= 1) { - if (h->x264_build != -1) { + if (h->x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), From 85e0f61b41fc1ef1b982a07d5b3fcb8e347cd886 Mon Sep 17 00:00:00 2001 From: Anton Mitrofanov Date: Wed, 14 Jun 2017 03:01:56 +0300 Subject: [PATCH 595/942] avcodec/h264: Fix mix of lossless and lossy MBs decoding Signed-off-by: Ronald S. Bultje (cherry picked from commit cf231b68da1150c100114f2c5671b7ed740f917a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 16 ++++++++-------- libavcodec/h264_cavlc.c | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 202e988959..649fa82b72 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
@@ -2385,14 +2385,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const uint32_t *qmul; - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - // decode_cabac_mb_dqp if(get_cabac_noinline( &sl->cabac, &sl->cabac_state[60 + (sl->last_qscale_diff != 0)])){ int val = 1; @@ -2423,6 +2415,14 @@ decode_intra_mb: }else sl->last_qscale_diff=0; + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 0); if (CHROMA444(h)) { decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 1); diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 7a7dd397d8..3fa5b2e197 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1104,14 +1104,6 @@ decode_intra_mb: const uint8_t *scan, *scan8x8; const int max_qp = 51 + 6*(h->sps.bit_depth_luma-8); - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - dquant= get_se_golomb(&sl->gb); sl->qscale += (unsigned)dquant; 
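Review bot: Moving the `scan`/`scan8x8` selection below the dqp decode is correct only because the selection reads `sl->qscale`, which the dqp code updates in between (the `_q0` tables are presumably the qscale == 0 lossless variants); nothing in the new placement says so, and the block could be hoisted back by a future cleanup. A one-line comment above the moved block, `/* must follow the dqp update: the *_q0 tables are selected on the new sl->qscale */`, would pin the ordering. The same applies to the h264_cavlc.c hunk that follows (`@@ -1128,6 +1120,14 @@`).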
@@ -1128,6 +1120,14 @@ decode_intra_mb: sl->chroma_qp[0] = get_chroma_qp(h, 0, sl->qscale); sl->chroma_qp[1] = get_chroma_qp(h, 1, sl->qscale); + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + if ((ret = decode_luma_residual(h, sl, gb, scan, scan8x8, pixel_shift, mb_type, cbp, 0)) < 0 ) { return -1; } From 9b346f12fa44637031afc77c60b46f6fa70fbb50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 17:58:45 +0200 Subject: [PATCH 596/942] avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reduces the worst case from O(n²) to O(n) time Fixes Timeout Fixes: 2127/clusterfuzz-testcase-minimized-6595787859427328 Signed-off-by: Michael Niedermayer (cherry picked from commit 4132218b87cd6fb13abd162e3037ef4563286baa) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 16295daa0c..70311c66d5 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -56,6 +56,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; SrtStack stack[16]; + int closing_brace_missing = 0; stack[0].tag[0] = 0; strcpy(stack[0].param[PARAM_SIZE], "{\\fs}"); 
@@ -83,11 +84,20 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) and all microdvd like styles such as {Y:xxx} */ len = 0; an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; - if ((an != 1 && (len = 0, sscanf(in, "{\\%*[^}]}%n", &len) >= 0 && len > 0)) || - (len = 0, sscanf(in, "{%*1[CcFfoPSsYy]:%*[^}]}%n", &len) >= 0 && len > 0)) { - in += len - 1; - } else - av_bprint_chars(dst, *in, 1); + + if (!closing_brace_missing) { + if ( (an != 1 && in[1] == '\\') + || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { + char *bracep = strchr(in+2, '}'); + if (bracep) { + in = bracep; + break; + } else + closing_brace_missing = 1; + } + } + + av_bprint_chars(dst, *in, 1); break; case '<': tag_close = in[1] == '/'; From 784d57bb62de7dfce126aaf0c39cc0abb9baf6a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:04:32 +0200 Subject: [PATCH 597/942] avcodec/aacdec_fixed: Check s for being too small Fixes: runtime error: shift exponent -8 is negative Fixes: 2286/clusterfuzz-testcase-minimized-5711764169687040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf7edbd6c5d48d7302877352f7b60092d5b65243) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 95f171dad9..343425ae8d 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -181,14 +181,15 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) out = (int)(((int64_t)src[i] * c) >> 32); dst[i] = ((int)(out+round) >> s) * ssign; } - } - else { + } else if (s > -32) { s = s + 32; round = 1 << (s-1); for (i=0; i> s); dst[i] = out * (unsigned)ssign; } + } else { + av_log(NULL, AV_LOG_ERROR, "Overflow in subband_scale()\n"); } } 
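Review bot: `closing_brace_missing` is set the first time `strchr(in+2, '}')` fails and never cleared, which is what makes the new loop linear, but the reason it is safe — once no `}` lies ahead of `in` there cannot be one later either — is not stated anywhere; it belongs on the declaration added in the first hunk, `int closing_brace_missing = 0; /* set once no '}' lies ahead: later '{' can never be closed, so stop looking */`. The new test also accepts `{C:}` and `{\}` forms that the old `sscanf` patterns, which required at least one non-`}` character, did not; if that relaxation is intended, say so. `ff_htmlmarkup_to_ass` begins before the hunk.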
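Review bot: The new `else` branch in `subband_scale` only logs; `dst[]` is left unwritten for the whole band, so whatever the caller reads from it afterwards is stale, and a `void` function with an `av_log(NULL, ...)` gives neither the caller nor the log a handle on the stream. Either clear the outputs (`memset(dst, 0, len * sizeof *dst);`) or make the function return an error the caller checks; a comment explaining that `s <= -32` means the scale cannot be expressed as a 32-bit shift would also help. The function starts before the hunk, and the loop body in the middle of the hunk is garbled in this rendering.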
From 628e2b2dd34aeeab6e32f74cc37437c62bc5e013 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:08:58 +0200 Subject: [PATCH 598/942] avcodec/wavpack: Fix undefined integer negation Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2291/clusterfuzz-testcase-minimized-5538453481586688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f89747086af741ddc34e2378cde8519b8faee78) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e55cd82595..0dcc05037d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -307,8 +307,8 @@ static float wv_get_value_float(WavpackFrameContext *s, uint32_t *crc, int S) S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else From fae49f28e6579c0c59ada8c867592fc8411fd65a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:35:49 +0200 Subject: [PATCH 599/942] avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) Fixes: runtime error: signed integer overflow: -1575818955 + -915383657 cannot be represented in type 'int' Fixes: 2224/clusterfuzz-testcase-minimized-6208559949807616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e95fcfe8fb28fdfdaecec465c60aad79bc340a3d) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
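Review bot: `S = -(unsigned)S` removes the undefined negation, but two lines up the unchanged context `S <<= s->float_shift;` still left-shifts `S`, a signed `int` parameter, and the very next line tests `S < 0`, so a negative `S` reaching that shift is the same class of undefined behaviour this commit fixes. `S *= 1U << s->float_shift;` would close it, assuming `float_shift` is bounded below 32 elsewhere. `wv_get_value_float` continues outside the hunk.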
diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index edb1a6bc7d..704ffa9d4b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -117,11 +117,14 @@ void ff_lpc_end(LPCContext *s); #if USE_FIXED typedef int LPC_TYPE; +typedef unsigned LPC_TYPE_U; #else #ifdef LPC_USE_DOUBLE typedef double LPC_TYPE; +typedef double LPC_TYPE_U; #else typedef float LPC_TYPE; +typedef float LPC_TYPE_U; #endif #endif // USE_FIXED @@ -192,8 +195,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j < (i+1)>>1; j++) { LPC_TYPE f = lpc_last[ j]; LPC_TYPE b = lpc_last[i-1-j]; - lpc[ j] = f + AAC_MUL26(r, b); - lpc[i-1-j] = b + AAC_MUL26(r, f); + lpc[ j] = f + (LPC_TYPE_U)AAC_MUL26(r, b); + lpc[i-1-j] = b + (LPC_TYPE_U)AAC_MUL26(r, f); } if (fail && err < 0) From 6dca67f3a6481c4b74ceeb69d9a5b28385e2a296 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 13:52:06 +0200 Subject: [PATCH 600/942] avcodec/mpeg4videodec: Fix overflow in virtual_ref computation Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int' Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d51bdc84e1..24bff114dd 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
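Review bot: `LPC_TYPE_U` is introduced without a comment, and its name suggests an unsigned type even though in the floating-point builds it is just `double`/`float` again; the cast in `f + (LPC_TYPE_U)AAC_MUL26(r, b)` is a no-op there and a wrap-instead-of-overflow device only under `USE_FIXED`. A comment on the typedef, `/* same width as LPC_TYPE; unsigned in fixed-point builds so the coefficient update wraps instead of overflowing */`, would make that intent explicit. The sum is stored back into `LPC_TYPE lpc[]`, so the wrapped unsigned value is relied on to convert back to a signed int; that is the usual idiom in this series but worth noting next to the cast. `compute_lpc_coefs` begins before the hunk.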
@@ -243,18 +243,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: From eb7ad560754db20761018fc252416cb3df35dbd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 14:38:34 +0200 Subject: [PATCH 601/942] avcodec/hevc_filter: Fix invalid shift Fixes: runtime error: left shift of negative value -1 Fixes: 2299/clusterfuzz-testcase-minimized-4843509351710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7b3d5c3f2e2ff1994762b5e09c05fbc33790b5b) 
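Review bot: The `16LL` literals widen the subtraction and the outer products, but `r * sprite_ref[n][m]` inside each parenthesis is still evaluated as `int` before promotion, and the leading `16 * (vop_ref[0][0] + w2)` / `16 * vop_ref[0][1]` terms remain `int` as well. Whether those can overflow depends on the ranges of `r`, `sprite_ref` and `vop_ref`, which are not visible here, and the 64-bit ROUNDED_DIV result is narrowed on assignment to `virtual_ref`. A comment on the first assignment, `/* 16LL widens the inner terms to 64 bit; r * sprite_ref and the leading 16 * vop_ref terms are assumed to fit in int */`, would record that assumption. mpeg4_decode_sprite_trajectory() begins and ends outside the hunk.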
Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 1f33b0cdfe..9fbcd1d8b8 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -471,7 +471,7 @@ static int get_pcm(HEVCContext *s, int x, int y) #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) From 605bc45295e935786b53bb9156440e089f8512d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jun 2017 17:56:34 +0200 Subject: [PATCH 602/942] avcodec/cfhd: Fix undefined shift Fixes: runtime error: left shift of negative value -1 Fixes: 2303/clusterfuzz-testcase-minimized-5529675273076736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a950f4e32a9756391f81987246d96b6549dd447) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 2408dca385..1dc9292421 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -679,7 +679,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } From df11b45644e0c3067650b3a926aa8b6fc45cafa6 Mon Sep 17 00:00:00 2001 
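Review bot: `tc_offset & -2` is correct but less self-explanatory than the `>> 1 << 1` it replaces, and the reason for the change (left-shifting a negative `tc_offset` is undefined) lives only in the commit message. Suggest a comment on the TC_CALC macro: `/* tc_offset & -2 clears the low bit (== (tc_offset >> 1) << 1) without shifting a possibly negative value */`. The cfhd hunk further down on this line makes the analogous `<<= 2` to `*= 4` replacement and deserves the same one-line note, since a later reader may otherwise "restore" the shift.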
From: Michael Niedermayer Date: Wed, 21 Jun 2017 19:34:31 +0200 Subject: [PATCH 603/942] avcodec/cfhd: Check bpc before setting bpc in context Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 2306/clusterfuzz-testcase-minimized-5002997392211968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6f1d2355a7e4d681bea82b4cf4280272d9fe8af3) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 1dc9292421..f596554e1b 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -250,6 +250,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->coded_height = data; } else if (tag == 101) { av_log(avctx, AV_LOG_DEBUG, "Bits per component: %"PRIu16"\n", data); + if (data < 1 || data > 31) { + av_log(avctx, AV_LOG_ERROR, "Bits per component %d is invalid\n", data); + ret = AVERROR(EINVAL); + break; + } s->bpc = data; } else if (tag == 12) { av_log(avctx, AV_LOG_DEBUG, "Channel Count: %"PRIu16"\n", data); @@ -396,12 +401,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Other codebook? %i\n", s->codebook); } else if (tag == 70) { av_log(avctx, AV_LOG_DEBUG, "Subsampling or bit-depth flag? %i\n", data); - s->bpc = data; - if (!(s->bpc == 10 || s->bpc == 12)) { + if (!(data == 10 || data == 12)) { av_log(avctx, AV_LOG_ERROR, "Invalid bits per channel\n"); ret = AVERROR(EINVAL); break; } + s->bpc = data; } else if (tag == 84) { av_log(avctx, AV_LOG_DEBUG, "Sample format? %i\n", data); if (data == 1) From 0879ecd4a3571f53628bd06028e6d5efa464aae2 Mon Sep 17 00:00:00 2001 
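Review bot: The two tag handlers now accept different `bpc` ranges — tag 101 allows 1..31 while tag 70 allows only 10 or 12 — and nothing at either site says why, so a reader cannot tell whether the looser bound on tag 101 is deliberate. A comment on the new check, `/* bpc is later used as a shift count; anything outside 1..31 is undefined for a 32-bit int */`, would tie the bound to the shift failure named in the commit message (the shift itself is outside the hunk, so this is inferred). The new error message prints `data` with `%d` while the debug line above uses `PRIu16`; that works after integer promotion but the same specifier in both would be more consistent. cfhd_decode() begins and ends outside both hunks.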
From: Michael Niedermayer Date: Thu, 22 Jun 2017 20:21:05 +0200 Subject: [PATCH 604/942] avcodec/tiff: Update pointer only when the result is used Fixes: runtime error: signed integer overflow: 538976288 * 32 cannot be represented in type 'int' Fixes: 2310/clusterfuzz-testcase-minimized-4534784887881728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27f80ab0160d2e64007e1c9799ffd4504cc13eb5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d026a5bd98..fcfa32dc8b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1288,6 +1288,8 @@ static int decode_frame(AVCodecContext *avctx, stride = p->linesize[plane]; dst = p->data[plane]; for (i = 0; i < s->height; i += s->rps) { + if (i) + dst += s->rps * stride; if (s->stripsizesoff) ssize = ff_tget(&stripsizes, s->sstype, le); else @@ -1308,7 +1310,6 @@ static int decode_frame(AVCodecContext *avctx, return ret; break; } - dst += s->rps * stride; } if (s->predictor == 2) { if (s->photometric == TIFF_PHOTOMETRIC_YCBCR) { From addf70e4928a648e7661d0e94ca207db82ad0b49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jun 2017 21:21:56 +0200 Subject: [PATCH 605/942] avcodec/takdec: Fix integer overflow Fixes: runtime error: signed integer overflow: 512 + 2147483146 cannot be represented in type 'int' Fixes: 2314/clusterfuzz-testcase-minimized-4519333877252096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c2ef4f6b4d52a7b7184c747ffea3576926ea1b1) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 5797af9988..4154f0a1e2 100644 
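Review bot: Moving the pointer update to the top of the loop avoids the overflowing multiply on the final iteration, but `s->rps * stride` is still an `int` product, so a large enough `rps` or `stride` can overflow on an earlier iteration as well unless those values are bounded elsewhere, which the hunk does not show. Widening the product before the pointer arithmetic, `dst += (ptrdiff_t)s->rps * stride;`, removes the dependence on that bound; otherwise a comment stating where `rps` and `stride` are limited would help. decode_frame() begins and ends outside the hunk.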
--- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -472,7 +472,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { v += s->residues[i + j + 3] * s->filter[j + 3] + From bb02e5bc09186e20f98d90e32311fd514c69ac56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Jun 2017 01:58:48 +0200 Subject: [PATCH 606/942] avcodec/wavpack: Fix integer overflow Fixes: runtime error: signed integer overflow: 227511904 + 1964113935 cannot be represented in type 'int' Fixes: 2331/clusterfuzz-testcase-minimized-6182185830711296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 24e95f9d4de012f51fdd5767dff0b3142e13ec3a) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0dcc05037d..a4f05f094f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -219,7 +219,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); From 8b9e522e08d91d06dae059a844c2bf20c696a078 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Jun 2017 13:45:35 +0200 Subject: [PATCH 607/942] avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 Fixes: runtime error: shift exponent -1 is negative Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
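Review bot: In the takdec hunk only the `scalarproduct_int16` contribution is added in unsigned arithmetic; the `v += s->residues[i + j + 3] * s->filter[j + 3] + ...` accumulation in the loop that follows is still signed `int`, so the same class of overflow remains possible there unless the residue and filter ranges rule it out. A comment at the cast, `/* accumulate in unsigned: the sum of products is allowed to wrap */`, would also explain the otherwise odd-looking `(unsigned)` on a function result. In the wavpack hunk, `(t - 2U)` makes the whole `base` expression unsigned and the result is narrowed back into `base`; that is intentional but deserves the same kind of note. Both decode_subframe() and wv_get_value() extend beyond their hunks.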
Signed-off-by: Michael Niedermayer (cherry picked from commit 4976a3411f71518d17a57e373b62517f066648fd) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 24bff114dd..d4c24c398e 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -171,7 +171,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; From 0fe174fa9c80fdfe681b4b558eeaba96c4b987bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jun 2017 00:13:53 +0200 Subject: [PATCH 608/942] avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() Fixes: runtime error: signed integer overflow: 2080374785 + 2080374784 cannot be represented in type 'int' Fixes: 2351/clusterfuzz-testcase-minimized-5359403240783872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73ea2a028e12a7d779834f78dc496c8c4b08361f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a4f05f094f..70625548eb 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + FFABS(R) > (1<<19)) { + if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } From 654ff561032a252bfa0f31b74ea54dad98dba294 Mon Sep 17 00:00:00 2001 
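Review bot: In the wavpack hunk, `FFABS(L) + (unsigned)FFABS(R)` avoids overflow of the addition, but `FFABS()` itself is still evaluated on `int` and is undefined for `INT_MIN`; if `L` or `R` can reach that value (not visible here), the absolute values need to be computed in unsigned or the inputs range-checked earlier. The mpeg4 hunk changes the initial value of `alpha` from 0 to 1 with no comment; a note such as `/* alpha starts at 1 so the later shift by alpha - 1 stays non-negative for width 1 */` would capture the reasoning from the commit message, hedged since the shift is outside the hunk. Both functions extend beyond their hunks.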
From: Michael Niedermayer Date: Sun, 25 Jun 2017 02:55:08 +0200 Subject: [PATCH 609/942] Update for 3.0.9 Signed-off-by: Michael Niedermayer --- Changelog | 112 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 114 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index cd39890926..5bdee7215c 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,118 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.9 +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/tiff: Update pointer only when the result is used +- avcodec/cfhd: Check bpc before setting bpc in context +- avcodec/cfhd: Fix undefined shift +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed) +- avcodec/wavpack: Fix undefined integer negation +- avcodec/aacdec_fixed: Check s for being too small +- avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code +- avcodec/h264: Fix mix of lossless and lossy MBs decoding +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/truemotion2: Move skip computation after checks +- avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. 
+- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() +- avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible +- avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/cfhd: Check band parameters before storing them +- avcodec/indeo4: Check remaining data in Pic hdr extension parsing code +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/qdrw: Fix null pointer dereference +- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/dxv: Check remaining bytes in dxv_decompress_raw() +- avcodec/pafvideo: Check 
packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avformat/options: log filename on open +- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro +- avcodec/webp: Fixes null pointer dereference +- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 
by 31 places cannot be represented in type 'int' +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' +- avcodec/wnv1: More strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- doc/filters: Clarify scale2ref example +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avformat/mux: Fix copy an paste typo +- avutil/internal: Do not enable CHECKED with DEBUG +- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' +- avcodec/smc: Check remaining input +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' +- avcodec/mpeg4videodec: Check for multiple VOL headers +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/aac_defines: Fix: runtime error: left shift of negative value 
-2 +- avcodec/takdec: Fix runtime error: left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' + + version 3.0.8 - avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' - avcodec/aacdec_template: Fix fixed point scale in decode_cce() diff --git a/RELEASE b/RELEASE index 67786e246e..747457c6d2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.8 +3.0.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 205549c748..e1addd3513 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.8 +PROJECT_NUMBER = 3.0.9 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 3cae97b090e139acfcda6dda7c73f2e607c4f74a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jul 2017 14:57:20 +0200 Subject: [PATCH 610/942] avcodec/apedec: Fix integer overflow Fixes: out of array access Fixes: PoC.ape and others Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0) 
Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index de9d71ca40..a0ad7dc395 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1404,6 +1404,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1459,7 +1460,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; @@ -1485,8 +1486,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); From 34535941ae9440177345c0bb2347ce16a1e80887 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Jun 2017 15:05:08 +0200 Subject: [PATCH 611/942] avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() Fixes: runtime error: signed integer overflow: -163654656 * 256 cannot be represented in type 'int' Fixes: 2367/clusterfuzz-testcase-minimized-4648678897745920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
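Review bot: `av_assert0(decoded_buffer_size <= INT_MAX)` turns a size derived from packet data into an abort condition, so it must be unreachable by construction, and the reason it is unreachable — the `nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8` check above, which bounds `blockstodecode` through `s->samples` — is not stated at the assert. A comment such as `/* cannot fail: nblocks was bounded so that 2 * FFALIGN(n, 8) * sizeof(*decoded_buffer) fits in int */` would document the invariant, and the `- 8` margin in the check deserves a note that it accounts for the FFALIGN rounding. The link from `nblocks` to `blockstodecode` passes through code outside the hunks, so that part is inferred. ape_decode_frame() begins and ends outside the hunks.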
Signed-off-by: Michael Niedermayer (cherry picked from commit ea5366670e26b2c6c396e6a5f49827a2b71e6dd6) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 2bb245d25b..38a578af3d 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) - data[i] *= 1 << I_PRESHIFT; + data[i] *= 1LL << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], From cc9082dce19cc45bc8dbe7aee4efa86c56e2e319 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:29:02 +0200 Subject: [PATCH 612/942] avcodec/vb: Check vertical GMC component before multiply Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int' Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 560165adc7..021657f7d8 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { From 7807d2478bfde81a34412dd4f51cc0a9f3a6760f Mon Sep 17 00:00:00 2001 
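Review bot: In the jpeg2000dwt hunk, `data[i] *= 1LL << I_PRESHIFT` computes the product in 64 bits but stores it back into the `int32_t` element, so values that previously overflowed are now truncated silently; if that wraparound is intended a comment saying so would help, otherwise a clamp is needed. In the vb hunk the new bound `FFABS(j) > avctx->height` keeps `j * avctx->width` within one frame's worth of pixels, which is what makes the following `i + j * avctx->width` safe; a comment like `/* |j| <= height keeps j * width within one frame, so offset cannot overflow */` would tie the check to the multiply it protects. Both functions extend beyond their hunks.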
From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:47:59 +0200 Subject: [PATCH 613/942] avcodec/cfhd: Fix invalid left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2395/clusterfuzz-testcase-minimized-6540529313513472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c709f009dad20d99b28918f4f8d7cd394b838def) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index f596554e1b..b14de9ec04 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -631,7 +631,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, output = s->plane[plane].subband[0]; for (i = 0; i < lowpass_height * 2; i++) { for (j = 0; j < lowpass_width * 2; j++) - output[j] <<= 2; + output[j] *= 4; output += lowpass_width * 2; } From 665885bfc18904fe30500f30d978580cd2e74f68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jun 2017 16:23:32 +0200 Subject: [PATCH 614/942] avcodec/hevc_ps: Fix integer overflow with beta/tc offsets Fixes: runtime error: signed integer overflow: 2113929216 * 2 cannot be represented in type 'int' Fixes: 2422/clusterfuzz-testcase-minimized-5242114713583616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de54a37c1dfa2817b5838720fac44e82312ccbfd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 73b9f0c364..8f3648ecd6 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -1557,20 +1557,22 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
 pps->deblocking_filter_override_enabled_flag = get_bits1(gb);
 pps->disable_dbf = get_bits1(gb);
 if (!pps->disable_dbf) {
- pps->beta_offset = get_se_golomb(gb) * 2;
- pps->tc_offset = get_se_golomb(gb) * 2;
- if (pps->beta_offset/2 < -6 || pps->beta_offset/2 > 6) {
+ int beta_offset_div2 = get_se_golomb(gb);
+ int tc_offset_div2 = get_se_golomb(gb) ;
+ if (beta_offset_div2 < -6 || beta_offset_div2 > 6) {
 av_log(avctx, AV_LOG_ERROR, "pps_beta_offset_div2 out of range: %d\n",
- pps->beta_offset/2);
+ beta_offset_div2);
 ret = AVERROR_INVALIDDATA;
 goto err;
 }
- if (pps->tc_offset/2 < -6 || pps->tc_offset/2 > 6) {
+ if (tc_offset_div2 < -6 || tc_offset_div2 > 6) {
 av_log(avctx, AV_LOG_ERROR, "pps_tc_offset_div2 out of range: %d\n",
- pps->tc_offset/2);
+ tc_offset_div2);
 ret = AVERROR_INVALIDDATA;
 goto err;
 }
+ pps->beta_offset = 2 * beta_offset_div2;
+ pps->tc_offset = 2 * tc_offset_div2;
 }
 }
From 2170bdb56d68f792cbeaa61cd85a71249360eea7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 27 Jun 2017 13:47:32 +0200
Subject: [PATCH 615/942] avcodec/wavpack: Fix invalid shift
Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 2377/clusterfuzz-testcase-minimized-6108505935183872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit c07af720984acaafaa273369080b458d73975775)
Signed-off-by: Michael Niedermayer
---
 libavcodec/wavpack.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 70625548eb..0429adcfe1 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
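Review bot: `int tc_offset_div2 = get_se_golomb(gb) ;` has a stray space before the semicolon, inconsistent with the line above it; `int tc_offset_div2 = get_se_golomb(gb);`. Reading both values into locals and writing `pps->beta_offset`/`pps->tc_offset` only after both range checks pass is the right shape, since a failed check no longer leaves a half-written pair in the PPS. ff_hevc_decode_nal_pps() begins and ends outside the hunk.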
@@ -837,9 +837,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 31) { + if (val[0] > 30) { av_log(avctx, AV_LOG_ERROR, - "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); continue; } else if (val[0]) { s->extra_bits = val[0]; From 0ddff40bf8887a023e553cf6282e9df654435456 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jul 2017 03:30:54 +0200 Subject: [PATCH 616/942] avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() Fixes: runtime error: signed integer overflow: -2049425300 + -117591631 cannot be represented in type 'int' Fixes: part of 2096/clusterfuzz-testcase-minimized-4901566068817920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2061de8a3f73f14806e5f6ccaf9a635f740a54e6) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f42708a8a7..7d593a18b8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -253,8 +253,8 @@ static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], int m; for (m = 0; m < m_max; m++) { - int y0 = Y[m][0]; - int y1 = Y[m][1]; + unsigned y0 = Y[m][0]; + unsigned y1 = Y[m][1]; noise = (noise + 1) & 0x1ff; if (s_m[m].mant) { int shift, round; From f1143f5dc0e2c65173b102a8cc097b3606bea3d9 Mon Sep 17 00:00:00 2001 
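Review bot: Changing `y0`/`y1` to `unsigned` in sbr_hf_apply_noise makes the additions on them wrap instead of overflowing, but the rest of the loop body is outside the hunk, so any comparison, right shift or division on these two locals there now has unsigned semantics rather than the signed ones the original had; those uses are worth checking against the original intent. A comment at the declarations would record the purpose, e.g. `/* unsigned so the additions below wrap instead of overflowing (UB) */`. The function starts before the hunk and ends after it.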
From: Michael Niedermayer Date: Sun, 9 Jul 2017 15:19:18 +0200 Subject: [PATCH 617/942] avcodec/aacps (fixed point): Fix multiple signed integer overflows Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int' Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80b9e40b6f1e15db9f36c195e7375e65f6b4924f) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 01f6d1f076..8b2cb9f02c 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -692,26 +692,17 @@ static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT for (i = 0; i < NR_PAR_BANDS[is34]; i++) { for (n = n0; n < nL; n++) { int decayed_peak; - int denom; - decayed_peak = (int)(((int64_t)peak_decay_factor * \ peak_decay_nrg[i] + 0x40000000) >> 31); peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]); - power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2; - peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \ - peak_decay_diff_smooth[i] + 2) >> 2; - denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1); - if (denom > power_smooth[i]) { - int p = power_smooth[i]; - while (denom < 0x40000000) { - denom <<= 1; - p <<= 1; - } - transient_gain[i][n] = p / (denom >> 16); - } - else { - transient_gain[i][n] = 1 << 16; - } + power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2; + peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \ + peak_decay_diff_smooth[i]) >> 2; + + if (peak_decay_diff_smooth[i]) { + transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16); + } else + transient_gain[i][n] = 1 << 16; } } #else 
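Review bot: `peak_decay_diff_smooth[i]` is only tested for zero before it becomes the divisor, so if it can be negative the quotient is negative and `FFMIN(..., 1<<16)` bounds it only from above, whereas the removed code produced `1 << 16` whenever `denom` was not greater than `power_smooth[i]`; if a negative value is reachable, the branch should read `if (peak_decay_diff_smooth[i] > 0)` or the result should be clamped with `av_clip(..., 0, 1 << 16)`. The hunk also leaves the `else` without braces while the `if` has them, which is inconsistent within one statement. The `>> 2` of a possibly negative `long long` after the `2LL` widening is implementation-defined rather than undefined, which is presumably the intended trade-off and deserves a one-line comment. decorrelation() extends beyond both ends of the hunk.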
From 9a2ca3cce2cfb74ffdf9fc27405aac24e042df96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jul 2017 16:24:18 +0200 Subject: [PATCH 618/942] avcodec/mjpegdec: Clip DC also on the negative side. Fixes: runtime error: signed integer overflow: -16711425 + -2130772346 cannot be represented in type 'int' Fixes: 2533/clusterfuzz-testcase-minimized-5372857678823424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c28f648b19dd36ff9bc869ad527a1569a0b623e2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 3b9e47f47e..9a37b3251c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -687,7 +687,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, return AVERROR_INVALIDDATA; } val = val * quant_matrix[0] + s->last_dc[component]; - val = FFMIN(val, 32767); + val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; /* AC coefs */ From 5e78e477fa6902092774a80c14118b9d98568fc4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Jul 2017 00:45:29 +0200 Subject: [PATCH 619/942] avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() Fixes: runtime error: signed integer overflow: -2147483648 - 1202286525 cannot be represented in type 'int' Fixes: 2071/clusterfuzz-testcase-minimized-6036414271586304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ef8f03133a0bd83c74200a8cf30982c0f574016) Signed-off-by: Michael Niedermayer --- libavcodec/aac_defines.h | 2 ++ libavcodec/aacdec_template.c | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) 
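Review bot: Clipping `val` with av_clip_int16() bounds `s->last_dc[component]` on both sides, which removes one overflowing operand of `val * quant_matrix[0] + s->last_dc[component]`, but the product term itself is not bounded in the hunk; whether `val` and `quant_matrix[0]` are small enough for the sum to stay within `int` depends on code outside this view. A comment on the clip would document the contract, e.g. `/* keep last_dc within int16 so the DC prediction above cannot overflow */`. decode_block starts before the hunk and continues after it.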
diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index 83d70af896..8a54a666f9 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -35,6 +35,7 @@ #define AAC_RENAME(x) x ## _fixed #define AAC_RENAME_32(x) x ## _fixed_32 typedef int INTFLOAT; +typedef unsigned UINTFLOAT; ///< Equivalent to INTFLOAT, Used as temporal cast to avoid undefined sign overflow operations. typedef int64_t INT64FLOAT; typedef int16_t SHORTFLOAT; typedef SoftFloat AAC_FLOAT; @@ -83,6 +84,7 @@ typedef int AAC_SIGNE; #define AAC_RENAME(x) x #define AAC_RENAME_32(x) x typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float INT64FLOAT; typedef float SHORTFLOAT; typedef float AAC_FLOAT; diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index ded9e464a7..b04e595304 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2363,7 +2363,7 @@ static int decode_extension_payload(AACContext *ac, GetBitContext *gb, int cnt, * @param decode 1 if tool is used normally, 0 if tool is used in LTP. * @param coef spectral coefficients */ -static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, +static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns, IndividualChannelStream *ics, int decode) { const int mmm = FFMIN(ics->tns_max_bands, ics->max_sfb); @@ -2371,6 +2371,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, int bottom, top, order, start, end, size, inc; INTFLOAT lpc[TNS_MAX_ORDER]; INTFLOAT tmp[TNS_MAX_ORDER+1]; + UINTFLOAT *coef = coef_param; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; 
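Review bot: The Doxygen comment on the new `UINTFLOAT` typedef says "temporal cast" where "temporary cast" is meant, and "Used" should not be capitalised mid-sentence; `///< Same width as INTFLOAT; used as a temporary unsigned type so wrap-around replaces undefined signed overflow.` reads correctly. The float-build counterpart in the second hunk has no comment at all, so a reader meets an unsigned-named `float` with no explanation; `///< No unsigned variant for float; keeps the shared template code compiling.` would close that gap. The `UINTFLOAT *coef = coef_param;` alias in apply_tns and the `(INTFLOAT)` cast in the following hunk both depend on this typedef; a sentence in apply_tns's doc comment saying the coefficient array is accessed through an unsigned view in the AR filter would keep the hunks understandable together.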
@@ -2400,7 +2401,7 @@ static void apply_tns(INTFLOAT coef[1024], TemporalNoiseShaping *tns, // ar filter for (m = 0; m < size; m++, start += inc) for (i = 1; i <= FFMIN(m, order); i++) - coef[start] -= AAC_MUL26(coef[start - i * inc], lpc[i - 1]); + coef[start] -= AAC_MUL26((INTFLOAT)coef[start - i * inc], lpc[i - 1]); } else { // ma filter for (m = 0; m < size; m++, start += inc) { From 4e7ddba5949ab44798271cd5f82ea878a1826540 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jul 2017 22:22:52 +0200 Subject: [PATCH 620/942] avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int' Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2886142e0c3b5f4304c6e2a2bd282770a8a47f93) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index b04e595304..674b735c37 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2173,6 +2173,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb); gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0; gain_cache = GET_GAIN(scale, gain); +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } if (coup->coupling_point == AFTER_IMDCT) { coup->gain[c][0] = gain_cache; @@ -2190,6 +2194,10 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) t >>= 1; } gain_cache = GET_GAIN(scale, t) * s; +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } } coup->gain[c][idx] = gain_cache; 
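Review bot: The fixed-point gain check is pasted twice in decode_cce with identical bodies; a `static inline int` helper next to GET_GAIN would keep the bound in one place. Within the check, `abs(gain_cache) - 1024` can be negative and right-shifting a negative `int` is implementation-defined rather than undefined, while `abs()` itself is undefined for `INT_MIN`; whether `gain_cache` can reach that value depends on GET_GAIN, which is outside the hunk. The bound `> 30` is a magic number tied to a shift performed later in the decoder, as the commit message states; a comment such as `/* later code shifts by this amount; keep it below the int width */` would tie the two together. Both hunks are inside decode_cce, whose start and end are outside this view.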
From 0df61711cfb974601fbb8ac3d168d1c52c699ac8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jul 2017 13:48:31 +0200 Subject: [PATCH 621/942] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Changelog b/Changelog index 5bdee7215c..6cdfcbf97d 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,16 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.9 +- avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() +- avcodec/mjpegdec: Clip DC also on the negative side. +- avcodec/aacps (fixed point): Fix multiple signed integer overflows +- avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() +- avcodec/wavpack: Fix invalid shift +- avcodec/hevc_ps: Fix integer overflow with beta/tc offsets +- avcodec/cfhd: Fix invalid left shift of negative value +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/apedec: Fix integer overflow - avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() - avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 - avcodec/wavpack: Fix integer overflow From 8642322b9f2325fd088bbb6d869ff15fb514ce55 Mon Sep 17 00:00:00 2001 From: Vodyannikov Aleksandr Date: Fri, 21 Jul 2017 11:49:45 +0200 Subject: [PATCH 622/942] avcodec/cfhd: Fix decoding regression due to height check Fixes: Ticket6546 Regression since: 54aaadf648073149f1ac34f56cbde4e6c5aa22ef Reviewed-by: Muhammad Faiz Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 47c93657249f1a4bc8a7aaf2f9f3a33510bee38c) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index b14de9ec04..685090eb61 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c 
@@ -324,7 +324,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); - if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { + if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; From d57345e8d076dc076d584eb96eaa7fd8b6a66f0f Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Sat, 22 Jul 2017 00:09:29 +0200 Subject: [PATCH 623/942] doc/filters: typo in frei0r Signed-off-by: Brice Waegeneire Signed-off-by: Michael Niedermayer (cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 9c0cbb6975..e46b7822c4 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -7276,7 +7276,7 @@ It accepts the following parameters: @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. From d4bc7fc412bad5ef1cb6554685d4920acb4303f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2017 16:52:47 +0200 Subject: [PATCH 624/942] avcodec/aacdec_fixed: fix: left shift of negative value -1 Fixes: 2699/clusterfuzz-testcase-minimized-5631303862976512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
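Review bot: The bound now compares the lowpass height against `a_height` instead of `height`, but nothing in the hunk says what `a_height` is or why it is the right limit, so the same regression could be reintroduced; a one-line comment, e.g. `/* compare against a_height (presumably the allocated band height), not height; see ticket 6546 */`, with the meaning confirmed against the field's definition, would prevent that. The error path keeps `ret = AVERROR(EINVAL)` where the other bitstream checks in this series use `AVERROR_INVALIDDATA` for malformed fields; aligning it would make the failure easier to classify. cfhd_decode starts before and ends after the hunk.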
Signed-off-by: Michael Niedermayer (cherry picked from commit 2dfb8c417891e0cc3670f8e0791ea0c7071314fe) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 343425ae8d..edb5dc4133 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -430,7 +430,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp << shift; + dest[i] += tmp * (1 << shift); } } } From 3fd54e444022bd479d53bd772d8141efed4d7fe2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jul 2017 00:44:14 +0200 Subject: [PATCH 625/942] avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int' Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0764fe1d09833ae4dcf9e427df09378d0d6a3386) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 8b2cb9f02c..aa0220b147 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
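Review bot: `tmp * (1 << shift)` avoids the undefined left shift of a negative `tmp`, but `1 << shift` is itself undefined for `shift >= 31` and the product can still overflow `int` for large `tmp`; the hunk does not show where `shift` is bounded. The earlier commit in this series that rejects out-of-range coupling gains in decode_cce is presumably what keeps `shift` small, so a comment naming that dependency, e.g. `/* shift is bounded by the gain check in decode_cce, so 1 << shift cannot overflow */`, would make it explicit. apply_independent_coupling_fixed starts before the hunk.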
@@ -499,13 +499,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full) static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC]) { #if USE_FIXED - par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \ + par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \ + par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \ 0x40000000) >> 31); - par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \ + par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \ + par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \ 0x40000000) >> 31); #else par[ 0] = (2*par[ 0] + par[ 1]) * 0.33333333f; From 8c05ac89d3537f26039dfaa60dcd8fb50d68123a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jul 2017 03:19:07 +0200 Subject: [PATCH 626/942] avformat/oggparsecelt: Do not re-allocate os->private Fixes: double free Fixes: clusterfuzz-testcase-minimized-5080550145785856 Found-by: ClusterFuzz Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf) Signed-off-by: Michael Niedermayer --- libavformat/oggparsecelt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c index 2c0c511c7b..6880314055 100644 --- a/libavformat/oggparsecelt.c +++ b/libavformat/oggparsecelt.c 
@@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx) st->codec->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codec->extradata + 0, overlap); AV_WL32(st->codec->extradata + 4, version); return 1; From 665311ab1f9620a48fb2b6fc8883bb6a0a3f916f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jul 2017 15:48:37 +0200 Subject: [PATCH 627/942] avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int' Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 8f3648ecd6..013c88574b 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1398,6 +1398,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, HEVCSPS *sps = NULL; int i, ret = 0; unsigned int pps_id = 0; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); 
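Review bot: When `os->private` is already set, the freshly allocated `priv` is freed and the existing private context is reused, so any fields written into the new `priv` before this point are discarded; the allocation and those earlier writes are outside the hunk, so it should be confirmed that only `extra_headers_left` (now assigned after the swap) needed to carry over. A comment at the swap would explain what it guards against, e.g. `/* do not replace an existing os->private; re-allocating it here led to a double free */`. The unconditional `os->private = priv;` is a no-op in the reuse case, which is correct but reads more clearly as an `else` branch. celt_header starts before the hunk.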
@@ -1584,13 +1585,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); From f31fc4755f69ab26bf6e8be47875b7dcede8e29e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 03:26:59 +0200 Subject: [PATCH 628/942] avcodec/dnxhddec: Move mb height check out of non hr branch Fixes: out of array access Fixes: poc.dnxhd Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 18080803fa..bf14869ac9 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c 
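Review bot: `log2_parallel_merge_level_minus2` is declared `unsigned` in the previous hunk but is printed with `%d` in the av_log call; the specifier should be `%u` to match the argument type. The new bound is also two values looser than the one it replaces: the old code rejected `level > log2_ctb_size`, i.e. `minus2 > log2_ctb_size - 2`, while the new code accepts `minus2` up to `log2_ctb_size`; if the old bound reflected the intended range, `if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size - 2)` restores it without reintroducing the overflow, provided `log2_ctb_size` is known to be at least 2 at this point. ff_hevc_decode_nal_pps continues outside the hunk.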
@@ -278,14 +278,18 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, if (header_prefix == DNXHD_HEADER_HR2) { ctx->data_offset = 0x170 + (ctx->mb_height << 2); } else { - if (ctx->mb_height > 68 || - (ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + if (ctx->mb_height > 68) { av_log(ctx->avctx, AV_LOG_ERROR, "mb height too big: %d\n", ctx->mb_height); return AVERROR_INVALIDDATA; } ctx->data_offset = 0x280; } + if ((ctx->mb_height << frame->interlaced_frame) > (ctx->height + 15) >> 4) { + av_log(ctx->avctx, AV_LOG_ERROR, + "mb height too big: %d\n", ctx->mb_height); + return AVERROR_INVALIDDATA; + } if (buf_size < ctx->data_offset) { av_log(ctx->avctx, AV_LOG_ERROR, From 654e157d21614d1be7513f9cf9b1a0b0f9f2aab7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2017 20:26:43 +0200 Subject: [PATCH 629/942] avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH() Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e275a74b09cc87f4334ed572f919b7647d4bea1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 05249f3157..3965861291 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
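Review bot: The hoisted interlaced-height check runs after `ctx->data_offset` has already been derived from `ctx->mb_height` in the HR2 branch, so an out-of-range `mb_height` feeds the offset computation before being rejected; moving the new `if` above the `header_prefix` branch would validate the field before it is used. The two rejection paths also emit the same `"mb height too big: %d\n"` text, which makes them indistinguishable in logs; a distinct message on the hoisted one, e.g. `"mb height too big for frame height: %d\n"`, would tell them apart. dnxhd_decode_header starts before and ends after the hunk.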
@@ -462,7 +462,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \ SubBand *b, type *buf, int x, int y) \ { \ - int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \ + unsigned coeff; \ const int mstride = -(b->stride >> (1+b->pshift)); \ if (b->parent) { \ const type *pbuf = (type *)b->parent->ibuf; \ From 2954ce9dea009573c9e0a286830e668f5ea31b8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 13:41:59 +0200 Subject: [PATCH 630/942] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 Fixes: out of array accesses Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 68 ++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index cde0da78ce..2ea88d09c5 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
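Review bot: `coeff` becomes `unsigned` in coeff_unpack_arith_##n so arithmetic on it wraps instead of overflowing, but every later use of `coeff` is outside the hunk; any comparison against zero, negation when `sign` is applied, or right shift there now has unsigned semantics and should be checked against the original intent. A comment at the declaration, `/* unsigned so the qfactor multiply can wrap instead of overflowing */`, would record why this one local differs from the neighbouring ints. The macro body continues past the end of the hunk.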
@@ -433,50 +433,78 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; - case AMF_DATA_TYPE_DATE: return 11; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; + case AMF_DATA_TYPE_DATE: + bytestream2_skip(gb, 10); + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; 
} } +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, const uint8_t *name, uint8_t *dst, int dst_size) { From 81c940b151016fb6f363e6ce621c591bbb58bacf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 14:37:26 +0200 Subject: [PATCH 631/942] avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 Fixes: out of array accesses Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 57 ++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 2ea88d09c5..ca7838868e 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
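Review bot: amf_tag_skip() recurses through `t = amf_tag_skip(gb)` for every nested object or array element with no depth limit, so the recursion depth of a nested AMF payload is bounded only by the input size; a `depth` parameter checked against a small constant would complete the hardening that the bytestream2 conversion started. The `case AMF_DATA_TYPE_ARRAY:` → `MIXEDARRAY` → `OBJECT` chain relies on fall-through in three places without a `/* fallthrough */` marker, and `int size = bytestream2_get_be16(gb); if (size < 0 …` keeps a dead negative check since a 16-bit read cannot be negative. ff_amf_tag_size() now returns -1 when a tag ends exactly at `data_end` (`bytestream2_get_bytes_left(&gb) <= 0`), whereas the old function returned the tag size in that case; callers that relied on a tag consuming the whole buffer should be confirmed against this.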
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) return bytestream2_tell(&gb); } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? 
"true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { From 43d7b1e42fd7b5e9d9f79bfe1171791a9b7566c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:26 +0200 Subject: [PATCH 632/942] avcodec/takdec: Fix integer overflow in decode_subframe() Fixes: runtime error: signed integer overflow: -536870912 - 1972191120 cannot be represented in type 'int' Fixes: 2711/clusterfuzz-testcase-minimized-4975142398590976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c630d159ffe8a9822e81f9c041652762b37e068) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 4154f0a1e2..868f43bcba 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -480,7 +480,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } From ac0fbaf8acd801fa367b570eb36d51edf5245ee5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:27 +0200 Subject: [PATCH 633/942] avcodec/diracdec: Fix integer overflow in divide3() Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 3965861291..450a5bb91e 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -231,7 +231,7 @@ enum dirac_subband { /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) From 693db350dd0be9cea5a5a164f25f8f74405f2e65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 03:22:40 +0200 Subject: [PATCH 634/942] avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int' Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 4d338651fa..62f8472b41 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,7 +99,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((b0 + b2 + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) From a371850d58e0b988fd4c10faec20bc649ad02b9c Mon Sep 17 00:00:00 2001 From: Steven Siloti Date: Tue, 18 Jul 2017 11:26:39 -0700 Subject: [PATCH 635/942] avformat/utils: fix memory leak in avformat_free_context The pointer to the packet queue is stored in the internal structure so the queue needs to be flushed before internal is freed. Signed-off-by: Steven Siloti Signed-off-by: Michael Niedermayer (cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index eaad2a4b17..fa64e5c188 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3778,8 +3778,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->chapters); av_dict_free(&s->metadata); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } From b59d6183c4ffc33ae920220eb8ef75821ca425e3 Mon Sep 17 00:00:00 2001 
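Review bot: The context line directly below the changed macro, COMPOSE_DD137iL0, computes `-b0 + 9*b1 + 9*b3 - b4 + 16` in signed int with the same coefficient magnitudes that overflowed in COMPOSE_DD97iH0, so the same fuzzer input shape will trip it next. Applying the same unsigned-arithmetic idiom keeps the header consistent: `(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`. The right shift of a negative int after the cast is implementation-defined rather than undefined, which matches what the fixed macro already relies on.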
From: Michael Niedermayer Date: Fri, 4 Aug 2017 02:41:05 +0200 Subject: [PATCH 636/942] avcodec/h264_slice: Fix overflow in slice offset Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int' Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 0b3e0406f2..c0b3b67e49 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1822,17 +1822,19 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { - sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2; - sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2; - if (sl->slice_alpha_c0_offset > 12 || - sl->slice_alpha_c0_offset < -12 || - sl->slice_beta_offset > 12 || - sl->slice_beta_offset < -12) { + int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb); + int slice_beta_offset_div2 = get_se_golomb(&sl->gb); + if (slice_alpha_c0_offset_div2 > 6 || + slice_alpha_c0_offset_div2 < -6 || + slice_beta_offset_div2 > 6 || + slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } + sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; + sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } From 410f709bec2bad3dc851f08434d5b4d97baaebee Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 4 Aug 2017 03:26:30 +0200 Subject: [PATCH 637/942] avcodec/aacdec_fixed: fix invalid shift in predict() Fixes: runtime error: shift exponent -2 is negative Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index edb5dc4133..8c8eeafcc1 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (output_enable) { int shift = 28 - pv.exp; - if (shift < 31) - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + if (shift < 31) { + if (shift > 0) { + *coef += (pv.mant + (1 << (shift - 1))) >> shift; + } else + *coef += pv.mant << -shift; + } } e0 = av_int2sf(*coef, 2); From f91733e1415b232cadffec1078441934713a7bee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Aug 2017 05:01:45 +0200 Subject: [PATCH 638/942] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int' Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 62f8472b41..e715e53bc4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
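Review bot: The new else branch `*coef += pv.mant << -shift;` left-shifts `pv.mant`, which is a signed mantissa and can be negative, and a left shift of a negative signed value is undefined behaviour in C — the sanitizer will report this on the next input that reaches it. The file's convention elsewhere is to shift in unsigned and convert back, e.g. `*coef += (int)((unsigned)pv.mant << -shift);`. It is not visible here whether `pv.exp` is bounded above, so `-shift` reaching 32 or more would presumably also need a guard — worth confirming against how `pv` is produced. predict() begins and ends outside this hunk.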
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From e154826a2f020f966a677cfbff4a97d7a0a94d5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Aug 2017 13:32:54 +0200 Subject: [PATCH 639/942] avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d4c24c398e..6f00b227a4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2273,6 +2273,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { From 9bfa8b692ebd3718e1ba6f67bfc61a29fc3f1b7d Mon Sep 17 00:00:00 2001 
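Review bot: The unchanged context line at the top of the dirac_dwt.h hunk, `(b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))`, still does its coefficient multiplications in signed int, so it can overflow on the same kind of input that triggered this fix for the DAUB97 macros. The same treatment would apply: `(b4 + ((int)(-2U*(b0+b8) + 10U*(b1+b7) - 25U*(b2+b6) + 81U*(b3+b5) + 128) >> 8))`. The macro's name is above the hunk and not visible here.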
From: Michael Niedermayer Date: Tue, 15 Aug 2017 03:32:43 +0200 Subject: [PATCH 640/942] avcodec/diracdec: Check perspective_exp and zrs_exp. Fixes: undefined shift Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int' Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 450a5bb91e..80c4e66eed 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1082,6 +1082,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } From f7509e9fce7a9a8fc65b3b31b96729497bb37177 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 20:32:03 +0200 Subject: [PATCH 641/942] avcodec/snowdec: Fix off by 1 error Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]' Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 7d6d7ff44f..4ebfa07c6a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
@@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ From 689e97fcada53517ac68ec5b6cfd85852ae5c4c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 18:24:37 +0200 Subject: [PATCH 642/942] avcodec/fic: Fixes signed integer overflow Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int' Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index c3a8dbee30..a2df9d3cbd 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); - const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; From 2f49580e032934a60fd8c1e349f7d38f9549597d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Aug 2017 16:42:58 +0200 Subject: [PATCH 643/942] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 972c711cff..e436c247a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c 
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (b0[i] + b2[i] + 2) >> 2; + b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, From c543ff526bba6caa3ee035a712c988fb98b7f983 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Aug 2017 23:38:58 +0200 Subject: [PATCH 644/942] avcodec/me_cmp: Fix crashes on ARM due to misalignment Adds a diff_pixels_unaligned() Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503 Signed-off-by: Michael Niedermayer (cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa) Signed-off-by: Michael Niedermayer --- libavcodec/me_cmp.c | 10 +++++----- libavcodec/pixblockdsp.c | 1 + libavcodec/pixblockdsp.h | 5 +++++ libavcodec/x86/pixblockdsp_init.c | 2 ++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index dc76b07ba2..4234000487 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -555,7 +555,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -595,7 +595,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -622,7 +622,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) 
@@ -641,7 +641,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -744,7 +744,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index f0883d3d08..6152fe40c3 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index 79ed86c3a6..b14514de7e 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h @@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c 
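Review bot: The new `diff_pixels_unaligned` member in PixblockDSPContext carries no comment stating its contract, while the neighbouring `diff_pixels` documents `/* align 8 */` on `s1` and `s2`; since the whole point of the new pointer is that me_cmp.c may call it with arbitrarily aligned sources, that guarantee should be spelled out where implementers of per-arch init functions will see it. A comment along the lines of `/* like diff_pixels, but s1 and s2 may have any alignment; arch init functions must only override this with implementations that tolerate unaligned input */` above the member would do. The x86 init assigning the same MMX/SSE2 routines to both pointers presumably relies on those routines using unaligned loads — worth confirming, since nothing in this patch checks it. The struct definition begins outside the hunk.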
@@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } From 2820ffe3923677361fa026175e0280f01af01516 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 02:15:49 +0200 Subject: [PATCH 645/942] avcodec/aacdec_template: Fix running cleanup in decode_ics_info() Fixes: out of array read Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Previous version reviewed-by: Alex Converse Signed-off-by: Michael Niedermayer (cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 674b735c37..13a342784e 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1255,6 +1255,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); 
@@ -1305,8 +1307,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->num_swb = ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; @@ -1330,7 +1334,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1349,7 +1354,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** From 616154a6a5352cbf3685f3bb494df8b5f4a8ebc0 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 646/942] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d5e1cc87f5..72fd686e34 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -1487,7 +1487,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { From 64af458bb86288edd640795d346cee6a7327f799 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 647/942] avformat/mov: Fix signed integer overflows with total_size Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b06e9c84ae..cff3c7017f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4255,7 +4255,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; From aadd7fbc14a3156995fb86abfd9febfa08f1daf8 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 648/942] avformat/aviobuf: Fix signed integer overflow in avio_seek() Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 213ee96f91..4c8bf3a9c1 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -227,6 +227,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) From 9e98eee39dd31dd632ee7125c0f484703f05fc24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 00:18:48 +0200 Subject: [PATCH 649/942] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 013c88574b..49308b363f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); 
@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); From cf838b8fd263c140b048e629c7a9c7addef001fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 11:02:38 +0200 Subject: [PATCH 650/942] ffprobe: Fix null pointer dereference with color primaries Found-by: AD-lab of venustech Signed-off-by: Michael Niedermayer (cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2) Signed-off-by: Michael Niedermayer (cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe) Signed-off-by: Michael Niedermayer --- ffprobe.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 4f23bddb69..05622d19a5 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1746,6 +1746,16 @@ static inline int show_tags(WriterContext *w, AVDictionary *tags, int section_id return ret; } +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ + const char *val = av_color_primaries_name(color_primaries); + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { + print_str_opt("color_primaries", "unknown"); + } else { + print_str("color_primaries", val); + } +} + static void show_packet(WriterContext *w, AVFormatContext *fmt_ctx, AVPacket *pkt, int packet_idx) { char val_str[128]; 
@@ -2221,10 +2231,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id else print_str_opt("color_transfer", av_color_transfer_name(dec_ctx->color_trc)); - if (dec_ctx->color_primaries != AVCOL_PRI_UNSPECIFIED) - print_str("color_primaries", av_color_primaries_name(dec_ctx->color_primaries)); - else - print_str_opt("color_primaries", av_color_primaries_name(dec_ctx->color_primaries)); + print_primaries(w, dec_ctx->color_primaries); if (dec_ctx->chroma_sample_location != AVCHROMA_LOC_UNSPECIFIED) print_str("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location)); From ffdc430c4aeb9a05d082e4a69b942cf736f81fe6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 17:27:17 +0200 Subject: [PATCH 651/942] ffprobe: Fix NULL pointer handling in color parameter printing Signed-off-by: Michael Niedermayer (cherry picked from commit 351e28f9a799d9bbbb33dd10c964dca7219fa13b) Signed-off-by: Michael Niedermayer --- ffprobe.c | 62 ++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 17 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 05622d19a5..6a0e9aebc6 100644 --- a/ffprobe.c +++ b/ffprobe.c 
@@ -1746,6 +1746,27 @@ static inline int show_tags(WriterContext *w, AVDictionary *tags, int section_id return ret; } + +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ + const char *val = av_color_range_name(color_range); + if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { + print_str_opt("color_range", fallback); + } else { + print_str("color_range", val); + } +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_color_space_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) { const char *val = av_color_primaries_name(color_primaries); @@ -1756,6 +1777,26 @@ static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primar } } +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ + const char *val = av_color_transfer_name(color_trc); + if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { + print_str_opt("color_transfer", "unknown"); + } else { + print_str("color_transfer", val); + } +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ + const char *val = av_chroma_location_name(chroma_location); + if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { + print_str_opt("chroma_location", "unspecified"); + } else { + print_str("chroma_location", val); + } +} + static void show_packet(WriterContext *w, AVFormatContext *fmt_ctx, AVPacket *pkt, int packet_idx) { char val_str[128]; 
@@ -2218,25 +2259,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id if (s) print_str ("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", dec_ctx->level); - if (dec_ctx->color_range != AVCOL_RANGE_UNSPECIFIED) - print_str ("color_range", av_color_range_name(dec_ctx->color_range)); - else - print_str_opt("color_range", "N/A"); - s = av_get_colorspace_name(dec_ctx->colorspace); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); - - if (dec_ctx->color_trc != AVCOL_TRC_UNSPECIFIED) - print_str("color_transfer", av_color_transfer_name(dec_ctx->color_trc)); - else - print_str_opt("color_transfer", av_color_transfer_name(dec_ctx->color_trc)); + print_color_range(w, dec_ctx->color_range, "N/A"); + print_color_space(w, dec_ctx->colorspace); + print_color_trc(w, dec_ctx->color_trc); print_primaries(w, dec_ctx->color_primaries); - - if (dec_ctx->chroma_sample_location != AVCHROMA_LOC_UNSPECIFIED) - print_str("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location)); - else - print_str_opt("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location)); + print_chroma_location(w, dec_ctx->chroma_sample_location); #if FF_API_PRIVATE_OPT if (dec_ctx->timecode_frame_start >= 0) { From b9fa2a86e6ddb26d3104521c4d54a6e5ded92a25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Aug 2017 01:26:58 +0200 Subject: [PATCH 652/942] avformat/hls: Fix DoS due to infinite loop Fixes: loop.m3u The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome Found-by: Xiaohei and Wangchu from Alibaba Security Team Previous version reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 18 ++++++++++++++++++ libavformat/hls.c | 7 +++++++ 2 files changed, 25 insertions(+) 
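Review bot: The show_stream() hunk replaces `av_get_colorspace_name(dec_ctx->colorspace)` with the `print_color_space()` helper built on `av_color_space_name()`, and the two functions presumably do not return identical strings for every enum value (the libavcodec helper is a separate, older table), so ffprobe's `color_space` output may change for some streams even though the commit message only mentions NULL handling — worth confirming against the FATE ffprobe references. A second, stylistic point: `print_color_range()` takes its fallback as a parameter (`"N/A"`) while the other four helpers hard-code theirs, so either all should take a fallback or the range helper should hard-code `"N/A"` like its siblings. show_stream() begins and ends outside this hunk.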
diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 3947bf640f..b8009f20a3 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -306,6 +306,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/libavformat/hls.c b/libavformat/hls.c index 8de93a59d5..ca8056522d 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -201,6 +201,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; int strict_std_compliance; char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -1254,6 +1255,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1285,6 +1287,9 @@ restart: reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { 
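Review bot: `reload_count++` sits at the `reload:` label, so it counts every entry into that path including the first one that opens a segment normally, and with the option's permitted minimum of 0 (`{.i64 = 1000}, 0, INT_MAX` in the options hunk) `1 > 0` returns AVERROR_EOF before a single byte is read. Either raise the option's lower bound to 1 so the documented meaning ("maximum number of reload attempts") stays true, `OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 1, INT_MAX, FLAGS},`, or increment the counter only inside the branch that actually calls parse_playlist(). The help text in the same options hunk also reads "a insufficient list"; "an insufficient playlist" would be clearer. read_data() begins and ends outside this hunk.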
@@ -2021,6 +2026,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; From 39ddbd204aad0e1e1988b108a507f3c608b0129b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 12:37:25 +0200 Subject: [PATCH 653/942] avformat/asfdec: Fix DoS due to lack of eof check Fixes: loop.asf Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 3ee0fcd473..42f00259a6 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; From adca94d65e5c70d9fc104abc38081fa147d7f046 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:27 +0200 Subject: [PATCH 654/942] avformat/cinedec: Fix DoS due to lack of eof check Fixes: loop.cine Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6) Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 318408436f..e68622a5a3 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } From 81e6a95e54ff197251570359dbc39b5b779fe972 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:28 +0200 Subject: [PATCH 655/942] avformat/rmdec: Fix DoS due to lack of eof check Fixes: loop.ivr Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 1a61b10d44..fa65998769 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
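Review bot: The EOF test runs before `avio_rl64()`, so the first read past the end (which returns 0 with the EOF flag set) still produces an index entry at offset 0 before the next iteration bails out; testing `avio_feof(pb)` after the read and before `av_add_index_entry()`, as the mvdec hunk at -338 does, avoids the spurious entry. In both this hunk and that mvdec hunk the result of `av_add_index_entry()` is discarded although it reports failure to grow the index with a negative value; propagating it, `if (av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`, keeps an allocation failure from silently truncating the index. Whether `i` can hold `st->duration` (an int64_t) without truncation is not visible from the hunk.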
@@ -1231,8 +1231,11 @@ static int ivr_read_header(AVFormatContext *s) av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); } else if (type == 4) { av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { nb_streams = value = avio_rb32(pb); From 4c6bed6e3be18f09223e952213b9cb1098ff956f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:29 +0200 Subject: [PATCH 656/942] avformat/rl2: Fix DoS due to lack of eof check Fixes: loop.rl2 Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de) Signed-off-by: Michael Niedermayer --- libavformat/rl2.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 5017016644..dacd65cd84 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c 
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;i Date: Fri, 25 Aug 2017 01:15:30 +0200 Subject: [PATCH 657/942] avformat/mvdec: Fix DoS due to lack of eof check Fixes: loop.mv Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 7aa6452f66..e3feda6687 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); From a5018026af1d1eb89005fe5f4646398276e9fcfd Mon Sep 17 00:00:00 2001 
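Review bot: The three new `return AVERROR_INVALIDDATA` exits in rl2_read_header() return without releasing `chunk_size`, `chunk_offset` and `audio_size`; the closing brace at the top of the hunk looks like the end of an allocation-failure block for those tables, in which case they are heap buffers freed only at the end of the function (outside the hunk) and every early return added here leaks them. Jumping to a shared cleanup instead, `if (avio_feof(pb)) { ret = AVERROR_INVALIDDATA; goto fail; }` with `fail:` freeing the three tables, fixes all three loops at once; whether a `ret` variable and a cleanup label already exist is not visible from the hunk. If the tables turn out not to be heap-allocated, a one-line comment saying so next to the first loop would save the next reader the same check.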
From: Michael Niedermayer Date: Sat, 26 Aug 2017 14:00:55 +0200 Subject: [PATCH 658/942] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long' Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 7d593a18b8..f45bb847a8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag) { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i+lag][0]; - accu_re += (int64_t)x[i][1] * x[i+lag][1]; - accu_im += (int64_t)x[i][0] * x[i+lag][1]; - accu_im -= (int64_t)x[i][1] * x[i+lag][0]; + accu_re += (uint64_t)x[i][0] * x[i+lag][0]; + accu_re += (uint64_t)x[i][1] * x[i+lag][1]; + accu_im += (uint64_t)x[i][0] * x[i+lag][1]; + accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; - accu_re += (int64_t)x[ 0][0] * x[lag][0]; - accu_re += (int64_t)x[ 0][1] * x[lag][1]; - accu_im += (int64_t)x[ 0][0] * x[lag][1]; - accu_im -= (int64_t)x[ 0][1] * x[lag][0]; + accu_re += (uint64_t)x[ 0][0] * x[lag][0]; + accu_re += (uint64_t)x[ 0][1] * x[lag][1]; + accu_im += (uint64_t)x[ 0][0] * x[lag][1]; + accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); 
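Review bot: The switch to `(uint64_t)` products in the accumulation loop relies on modular wraparound being acceptable for the `accu_re`/`accu_im` sums, but nothing in the hunk says so, and a later reader will take the unsigned cast on a signed dot product for a bug. Add a comment at the first accumulation, e.g. `/* unsigned products: the sums may wrap; this is intended, the result is consumed by autocorr_calc() */`, adjusted to what autocorr_calc() actually does, since the accumulator declarations and that helper are outside the hunk. Whether the accumulators are int64_t (the conversion back is then implementation-defined rather than undefined) should be stated there as well. The same applies to the second hunk at -156.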
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; - accu_re += (int64_t)x[38][0] * x[39][0]; - accu_re += (int64_t)x[38][1] * x[39][1]; - accu_im += (int64_t)x[38][0] * x[39][1]; - accu_im -= (int64_t)x[38][1] * x[39][0]; + accu_re += (uint64_t)x[38][0] * x[39][0]; + accu_re += (uint64_t)x[38][1] * x[39][1]; + accu_im += (uint64_t)x[38][0] * x[39][1]; + accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i][0]; - accu_re += (int64_t)x[i][1] * x[i][1]; + accu_re += (uint64_t)x[i][0] * x[i][0]; + accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; - accu_re += (int64_t)x[ 0][0] * x[ 0][0]; - accu_re += (int64_t)x[ 0][1] * x[ 0][1]; + accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; + accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; - accu_re += (int64_t)x[38][0] * x[38][0]; - accu_re += (int64_t)x[38][1] * x[38][1]; + accu_re += (uint64_t)x[38][0] * x[38][0]; + accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } From 51ee15df5813c6e6225b7dcb74e085eb782e60af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Aug 2017 23:59:09 +0200 Subject: [PATCH 659/942] avcodec/hevc_ps: Fix undefined shift in pcm code Fixes: runtime error: shift exponent -1 is negative Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 49308b363f..2383d18b21 100644 
--- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -999,10 +999,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); - if (sps->pcm.bit_depth > sps->bit_depth) { + if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } From e89125faba1a1b3048fbd3e58376ce27f9586d9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Aug 2017 00:30:33 +0200 Subject: [PATCH 660/942] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int' Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 4ebfa07c6a..0ac0b55012 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; From c6d3640cf71ce1ada67a5d488fc4db92f84a0dd6 Mon Sep 17 00:00:00 2001 
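Review bot: The widened check compares both PCM depths against the single `sps->bit_depth`; if the SPS also carries a separate chroma bit depth (not visible in the hunk), `sps->pcm.bit_depth_chroma` should be compared with that instead, otherwise a one-line comment should record the invariant relied on, e.g. `/* luma and chroma bit depths are required to be equal, so one bound covers both PCM depths */`. The log line now prints two depths but still says "PCM bit depth (%d, %d)", which reads as one value; `"PCM bit depths (luma %d, chroma %d) exceed normal bit depth (%d)\n"` is unambiguous in logs.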
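Review bot: The new expression `(int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT` is correct only if the `(int)` conversion wraps two's-complement style and the right shift of the possibly negative result is arithmetic, both implementation-defined rather than guaranteed by C, and the hunk gives no hint that the wrap is deliberate. A trailing comment, `/* unsigned multiply: the product may wrap, which is intended */`, keeps the cast from being "cleaned up" later. The declarations of v, qmul and qadd and the enclosing loop are outside the hunk.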
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 661/942] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 95fab644a7..422e14585e 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { From 74c067e95572dd4bfb069123f44d68b8a12e1991 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 662/942] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 173a769ada..ae518f9a88 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -887,6 +887,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -897,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg } for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); From b2aa633d663d4ed962ed92fcf5657df50521a8d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 663/942] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829B.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index ae518f9a88..bb0513aaa2 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -491,7 +491,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } 
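Review bot: The new guard `length < 11` is an unexplained magic number; the loop below reads three single bytes per entry and presumably an 8-byte stream offset after them (the rest of the loop body is outside the hunk), so the intent seems to be "an index entry is at least 11 bytes". State it in the code, e.g. `/* minimum index entry: temporal offset (1), key-frame offset (1), flags (1), stream offset (8) */`, and consider a named constant instead of the literal. The guard is skipped when `nb_index_entries` is 0, which is fine, but the comment should say that an empty array has nothing to validate so the condition is not read as an oversight.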
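Review bot: `item_num < 0` is only reachable because a 32-bit count from the file lands in a signed `int` (its declaration and the read are outside the hunk), and the message `item_num %d is too large` is then misleading for a negative value. Reading the count into an `unsigned`/`uint32_t` removes the sign case and leaves the single `item_num > 65536` test; if the type must stay `int`, reword the log to `"item_num %d is invalid\n"` so the negative case is not reported as "too large".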
From 92f4341ed113a3bb6ef36cbebcf10163d84a47d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:10 +0200 Subject: [PATCH 664/942] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int' Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400 Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 80c4e66eed..a2291c4f78 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -594,7 +594,7 @@ static inline void codeblock(DiracContext *s, SubBand *b, } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> From fd4500df5c87cba6f1cae97ec3cd0932e7a5eac7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:11 +0200 Subject: [PATCH 665/942] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int' Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e715e53bc4..adf5178714 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From d08abbd0bd165f528fb97bd02c71e551d9f763ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Sep 2017 00:16:29 +0200 Subject: [PATCH 666/942] avformat/mov: Fix DoS in read_tfra() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index cff3c7017f..6768aa2792 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4702,6 +4702,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + + if (avio_feof(f)) { + index->item_count = 0; + av_freep(&index->items); + return AVERROR_INVALIDDATA; + } + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); From e4a9790bac9277e7037d9f56fb3354c97d14b726 Mon Sep 17 00:00:00 2001 
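Review bot: The four lifting macros now compute in unsigned and cast back with `(int)` before a signed right shift; that relies on the conversion wrapping and on `>>` being arithmetic for negative values, both implementation-defined and silently assumed here. A single comment above the COMPOSE_DAUB97 group, `/* arithmetic is done unsigned so the intermediate products cannot overflow; the (int) cast and the following >> rely on two's-complement wrap and arithmetic shift */`, documents the contract once for all four macros and for the COMPOSE_FIDELITYi* macros changed the same way in the later hunk at -111. The header's remaining macros are outside the hunk.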
From: Michael Niedermayer Date: Tue, 5 Sep 2017 00:16:29 +0200 Subject: [PATCH 667/942] avformat/asfdec: Fix DoS in asf_build_simple_index() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 42f00259a6..dec347cfeb 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); From bed626f845cd89724236b547fa7cc33bae03f7c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:50 +0200 Subject: [PATCH 668/942] avcodec/diracdec: Fix overflow in DC computation Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int' Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5995856a4236c27f231210bb08d70688e045192) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index a2291c4f78..69ff083157 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
@@ -1338,7 +1338,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } From 03d8e9fec5c1f521bd31fcf8f56a9a54fb02743c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:51 +0200 Subject: [PATCH 669/942] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels Fixes: runtime error: left shift of negative value -95 Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c225da68cffbea11270a758ff42859194c980863) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index b840d179c3..5bca02342d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; From 9bc5df5ec8b724d5b60857151fd320bbef6f8f90 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 8 Sep 2017 23:29:12 +0200 Subject: [PATCH 670/942] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int' Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index c746aed924..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; From 791d06da1a00b775f5035c0abb2ea819c912943f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 21:10:17 +0200 Subject: [PATCH 671/942] avcodec/hevc_ps: Fix c?_qp_offset_list size Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]' Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0) 
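Review bot: The `(unsigned)` fix covers `i_ict_params[1] * *src1` and `-14942U * *src1` but leaves `i_ict_params[2] * *src2` on the last line of the i1 expression, and `26345 * *src2` in i0, as signed multiplications over the same operand range, so the overflow the commit fixes can still be triggered through src2. The remaining terms should be written the same way: `- ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16);` for i1 and `((int)(26345U * *src2 + (1 << 15)) >> 16)` for i0. The additions `*src0 + *src2` and `2 * *src1` are also plain int arithmetic; whether the caller bounds the sample range is not visible from the hunk.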
Signed-off-by: Michael Niedermayer --- libavcodec/hevc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 5d9d35c446..77f3db8889 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -538,8 +538,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; From d54cc921a4b2a7322d297d2f24e0916e179e1248 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2017 02:42:11 +0200 Subject: [PATCH 672/942] avcodec/pngdec: Clean up on av_frame_ref() failure Fixes: memleak Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5480e82d77770e81e897a8c217f3c7f0c13a6de1) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 0bc8252465..c0988e4f22 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1358,7 +1358,7 @@ static int decode_frame_png(AVCodecContext *avctx, } if ((ret = av_frame_ref(data, s->picture.f)) < 0) - return ret; + goto the_end; *got_frame = 1; From 145fce8c4b2d61f5866e0afbc77f42ec60ec0b76 Mon Sep 17 00:00:00 2001 
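Review bot: The array size goes from 5 to 6 without a word about why; the field `chroma_qp_offset_list_len_minus1` declared just above is the list length minus one, so a reader needs to know its maximum to see that 6 is the right bound. A comment on the two arrays, `/* chroma_qp_offset_list_len_minus1 + 1 entries; len_minus1 is bounded to 5 by the parser — confirm in hevc_ps.c */`, ties the size to the range check (which lives outside this diff) and stops the size from being shrunk again.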
From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:03:55 +0200 Subject: [PATCH 673/942] avcodec/svq3: Fix overflow in svq3_add_idct_c() Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int' Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c933c51687db958d8045d25ed87848342e869f6) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index e05cab5a04..fdf2e00a91 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -228,7 +228,7 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); + const int rr = (dc + 0x80000u); dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); From 3386a57b086f91bf7e3053523f3b8d233f2dd357 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:26:09 +0200 Subject: [PATCH 674/942] avcodec/ffv1dec: Fix integer overflow in read_quant_table() Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5f7e11fc33..b92c3b3706 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -483,7 +483,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale) memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i || !len) return AVERROR_INVALIDDATA; From 977d6d8bffe3725c5f6feaa480721750d1e5072f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 02:53:25 +0200 Subject: [PATCH 675/942] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() Fixes: runtime error: signed integer overflow: 161 * 13872281 cannot be represented in type 'int' Fixes: 3295/clusterfuzz-testcase-minimized-4738998142500864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67da2685e03805230207daab83ab43a390fbb887) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index adf5178714..755d5e5d2d 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
@@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From a89a340e4f1b555efb0e41da30dae33a2337ac4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:26 +0200 Subject: [PATCH 676/942] avcodec/takdec: Fix integer overflows in decode_subframe() Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int' Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3dabb9c69db114b1f30c30e0a2788cffc50bac40) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 868f43bcba..e6867eb1b9 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -475,10 +475,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; From 09913c5ec4cc03fbcf1dcebed00b148f41ed2aba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:28 +0200 Subject: [PATCH 677/942] avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift Fixes: runtime error: shift exponent 42 is too large for 32-bit type 'unsigned int' Fixes: 3410/clusterfuzz-testcase-minimized-5313377960198144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5eaf0b5956e492ee5023929669b1d09aaf6299) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 2d47a13030..111f4989ef 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -267,6 +267,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > MIN_CACHE_BITS) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ 
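Review bot: DECODE_CODEWORD now contains a bare `return AVERROR_INVALIDDATA;`, so control flow leaves the calling function from inside a macro expansion and skips that function's `CLOSE_READER`; the hunks at -288, -379 and -413 change decode_dc_coeffs() to return int and check it for exactly that reason, but nothing at the macro says so. A comment at the macro definition (its start is outside the hunk), e.g. `/* returns AVERROR_INVALIDDATA from the enclosing function when the codeword needs more bits than the reader cache holds; every caller must return int and propagate it */`, makes the requirement explicit for any future expansion site. Skipping CLOSE_READER on the error path is harmless because the reader is abandoned, but the comment should say that too.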
@@ -286,7 +288,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -310,6 +312,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -376,7 +379,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -409,7 +413,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; From 2c84969cb4aef2526e11d070af5c300b5b4e3818 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:27 +0200 Subject: [PATCH 678/942] avcodec/takdec: Fix integer overflow in decode_lpc() Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int' Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d31f03a0264cac24434c8108daef4ccba6d28f9) 
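Review bot: decode_dc_coeffs gains a return value but no statement of the contract; a comment above the signature, `/* Returns 0 on success, AVERROR_INVALIDDATA if a DC codeword is malformed. */`, would match the `< 0` checks added in decode_slice_luma and decode_slice_chroma. On the error path the macro returns from inside the block loop, so `CLOSE_READER(re, gb)` is skipped; that is harmless only while the GetBitContext is never read again after a failure, which both call sites appear to honour by returning `ret` at once. Both callers' bodies continue outside the hunk.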
Signed-off-by: Michael Niedermayer
---
 libavcodec/takdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index e6867eb1b9..b494c5888d 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -195,7 +195,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
 int a1 = *coeffs++;
 for (i = 0; i < length - 1 >> 1; i++) {
 *coeffs += a1;
- coeffs[1] += *coeffs;
+ coeffs[1] += (unsigned)*coeffs;
 a1 = coeffs[1];
 coeffs += 2;
 }
From d164c49af76b45fca5c1c8320e5d40a6604f6420 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Sep 2017 22:23:26 +0200 Subject: [PATCH 679/942] avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized Fixes: OOM Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64e034da954125ef98fb8f9153f9706cdb8a96fe) Signed-off-by: Michael Niedermayer
---
 libavcodec/jpeg2000.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index b5b2dbf220..1d6ae373fc 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -506,6 +506,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
 // update precincts size: 2^n value
 reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno];
 reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno];
+ if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) {
+ return AVERROR_INVALIDDATA;
+ }
 /* Number of bands for each resolution level */
 if (reslevelno == 0)
From 9f2beced0a524ec002e559155ecc88343e8f91f4 Mon Sep 17 00:00:00 2001
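Review bot: The line just above the change, `*coeffs += a1;`, is the same signed int32 accumulation and can overflow exactly as the fixed line did, since `a1` is taken from `coeffs[1]` in the previous iteration; only the second addition was made unsigned. Unless the coefficient range is bounded elsewhere, it needs the same treatment: `*coeffs += (unsigned)a1;`. The other branches of decode_lpc are outside the hunk and may repeat the pattern.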
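Review bot: The new check rejects a zero log2_prec_width/height without saying why zero is invalid; a comment such as `/* 0 means the precinct sizes were never set by a COD/COC marker; do not size precincts from uninitialised values */` would tie it to the commit message. The function returns with this reslevel partially filled in, so the caller is presumably responsible for freeing the component on error, which cannot be verified from the hunk. There is also no av_log on this path, so a rejected file produces no diagnostic.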
From: Michael Niedermayer Date: Mon, 2 Oct 2017 04:18:21 +0200 Subject: [PATCH 680/942] avcodec/hevcdsp_template: Fix undefined shift Fixes: runtime error: left shift of negative value -255 Fixes: 3373/clusterfuzz-testcase-minimized-5604083912146944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbdab6eca7874fbeba6aa79c269f345e4d43f5d4) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 5bca02342d..dd1643f6d1 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1492,7 +1492,7 @@ static void FUNC(put_hevc_epel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From fc1acb103ddee549190974270e56af0a2dfee9f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2017 04:18:22 +0200 Subject: [PATCH 681/942] avcodec/proresdec2: SKIP_BITS() does not work with len=32 Fixes: invalid shift Fixes: 3482/clusterfuzz-testcase-minimized-5446915875405824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c37138e01a93da2f9dd2cc5d4b77e5a38581d130) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 111f4989ef..a1d783d243 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c 
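Review bot: `(ox0 + ox1 + 1) * (1 << log2Wd)` avoids the undefined left shift of a negative offset, but reads as an odd way to write a shift; a comment `/* multiply instead of <<: the offset sum can be negative */` would keep it from being "cleaned up" back into the UB form. The other weighted bi-prediction functions in this template (outside the hunk) most likely contain the same `<< log2Wd` expression and deserve the same audit. Whether the multiplication itself can overflow int depends on the range of log2Wd, which is established outside the hunk.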
@@ -267,7 +267,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ - if (bits > MIN_CACHE_BITS) \ + if (bits > FFMIN(MIN_CACHE_BITS, 31)) \ return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ From d0e4c3410c90d9311009b6c7105d11d4abf45f7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2017 18:54:05 +0200 Subject: [PATCH 682/942] avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 44 +++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 13a342784e..3cb8f32403 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1941,16 +1941,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { - if (decode_ics_info(ac, ics, gb) < 0) - return AVERROR_INVALIDDATA; + ret = decode_ics_info(ac, ics, gb); + if (ret < 0) + goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) - return ret; + goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) - return ret; + goto fail; pulse_present = 0; if (!scale_flag) { 
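Review bot: `FFMIN(MIN_CACHE_BITS, 31)` looks like an arbitrary constant without the context the commit subject gives; put it next to the check, `if (bits > FFMIN(MIN_CACHE_BITS, 31)) /* SHOW_UBITS/SKIP_BITS cannot take len == 32 */`. Since this macro is the only place where `bits` is derived from the bitstream, naming the limit once here keeps the reason attached to the code rather than to the commit history.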
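Review bot: The hunk mixes two error-check shapes in decode_ics: `ret = decode_ics_info(ac, ics, gb); if (ret < 0) goto fail;` for the first call, and the `if ((ret = decode_band_types(...)) < 0) goto fail;` form for the next two. One form per function is easier to scan; the second matches the existing code and reads `if ((ret = decode_ics_info(ac, ics, gb)) < 0) goto fail;`. The same mix continues in the next hunk of this commit (L592), where decode_tns and decode_spectrum_and_dequant use the split form.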
@@ -1958,37 +1959,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } tns->present = get_bits1(gb); - if (tns->present && !er_syntax) - if (decode_tns(ac, tns, gb, ics) < 0) - return AVERROR_INVALIDDATA; + if (tns->present && !er_syntax) { + ret = decode_tns(ac, tns, gb, ics); + if (ret < 0) + goto fail; + } if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do - if (tns->present && er_syntax) - if (decode_tns(ac, tns, gb, ics) < 0) - return AVERROR_INVALIDDATA; + if (tns->present && er_syntax) { + ret = decode_tns(ac, tns, gb, ics); + if (ret < 0) + goto fail; + } } - if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, - &pulse, ics, sce->band_type) < 0) - return AVERROR_INVALIDDATA; + ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, + &pulse, ics, sce->band_type); + if (ret < 0) + goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: + tns->present = 0; + return ret; } /** From 9825fcea99e4dd7f054db19657df87034ac653da Mon Sep 17 00:00:00 2001 
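Review bot: The `fail:` label clears `tns->present` without a comment saying why that field in particular has to be reset; add `/* do not leave a half-decoded TNS marked present for the later filter stage */` above the assignment. The commit message only says the flag is cleared on error; whether other per-channel state written before the failure (pulse data, ics fields) also needs resetting cannot be judged from the hunk. The function ends inside the hunk, so every error path now goes through fail.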
From: Michael Niedermayer Date: Sat, 30 Sep 2017 18:54:06 +0200 Subject: [PATCH 683/942] avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() Fixes: runtime error: signed integer overflow: -1408475220 + -1408475220 cannot be represented in type 'int' Fixes: 3336/clusterfuzz-testcase-minimized-5656839179993088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44874b4f5ec2c605c70393573b9d85540ebc2d81) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index a463a925fd..f077f0e4bd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -465,7 +465,7 @@ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *de } } -static inline void tm2_high_chroma(int *data, int stride, int *last, int *CD, int *deltas) +static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *CD, int *deltas) { int i, j; for (j = 0; j < 2; j++) { From 6fa58eabb18c4641f0a02c1756e1daadc0d4427b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2017 00:20:09 +0200 Subject: [PATCH 684/942] avcodec/x86/lossless_videoencdsp: Fix handling of small widths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array access Fixes: crash-huf.avi Regression since: 6b41b4414934cc930468ccd5db598dd6ef643987 This could also be fixed by adding checks in the C code that calls the dsp Found-by: Zhibin Hu and 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit df62b70de8aaa285168e72fe8f6e740843ca91fa) Signed-off-by: Michael Niedermayer --- libavcodec/x86/huffyuvencdsp.asm | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
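Review bot: Changing the parameter to `unsigned *CD` fixes the arithmetic inside tm2_high_chroma, but the diffstat (1 insertion, 1 deletion) says no caller was touched; if the callers still pass an `int *`, they now draw an incompatible-pointer-types warning and the code relies on int and unsigned sharing a representation. Either cast at the call site or change the declaration of the CD array to match, so the warning does not mask a real one later. The function body is outside the hunk.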
diff --git a/libavcodec/x86/huffyuvencdsp.asm b/libavcodec/x86/huffyuvencdsp.asm index a55a1de65d..7a1ce2e839 100644 --- a/libavcodec/x86/huffyuvencdsp.asm +++ b/libavcodec/x86/huffyuvencdsp.asm @@ -42,10 +42,11 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w %define i t0q %endmacro -; label to jump to if w < regsize -%macro DIFF_BYTES_LOOP_PREP 1 +; labels to jump to if w < regsize and w < 0 +%macro DIFF_BYTES_LOOP_PREP 2 mov i, wq and i, -2 * regsize + js %2 jz %1 add dstq, i add src1q, i @@ -87,7 +88,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w %if mmsize > 16 ; fall back to narrower xmm %define regsize mmsize / 2 - DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa + DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa .loop2_%1%2: DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1 add i, 2 * regsize @@ -114,7 +115,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w INIT_MMX mmx DIFF_BYTES_PROLOGUE %define regsize mmsize - DIFF_BYTES_LOOP_PREP .skip_main_aa + DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa DIFF_BYTES_BODY a, a %undef i %endif @@ -122,7 +123,7 @@ DIFF_BYTES_PROLOGUE INIT_XMM sse2 DIFF_BYTES_PROLOGUE %define regsize mmsize - DIFF_BYTES_LOOP_PREP .skip_main_aa + DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa test dstq, regsize - 1 jnz .loop_uu test src1q, regsize - 1 @@ -138,7 +139,7 @@ DIFF_BYTES_PROLOGUE %define regsize mmsize ; Directly using unaligned SSE2 version is marginally faster than ; branching based on arguments. - DIFF_BYTES_LOOP_PREP .skip_main_uu + DIFF_BYTES_LOOP_PREP .skip_main_uu, .end_uu test dstq, regsize - 1 jnz .loop_uu test src1q, regsize - 1 From 789ad4d361e1f285c086a4ab398eccd0f159b7c8 Mon Sep 17 00:00:00 2001 
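Review bot: The new `js %2` tests the sign of `i` after `and i, -2 * regsize`, which only works because the mask keeps the sign bit, and the comment "labels to jump to if w < regsize and w < 0" does not say that; a note such as `; js must stay after the and: it tests the sign of the masked count` guards the ordering. The commit message itself observes that the C callers could validate the width instead; rejecting a negative width at the C layer would be the more defensive fix, since this prologue is shared by the four variants updated in the later hunks here.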
From: Michael Niedermayer Date: Sun, 8 Oct 2017 21:41:54 +0200 Subject: [PATCH 685/942] avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta Fixes: runtime error: signed integer overflow: -104713 * 65536 cannot be represented in type 'int' Fixes: 3453/clusterfuzz-testcase-minimized-5555554657239040 Fixes: 3528/clusterfuzz-testcase-minimized-6283628420005888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e38f280fece38e270a6462a02cc034f4116a7912) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 79 +++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 6f00b227a4..cb2224a07b 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -179,6 +179,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int sprite_ref[4][2]; int virtual_ref[2][2]; int64_t sprite_offset[2][2]; + int64_t sprite_delta[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, @@ -262,10 +263,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g sprite_offset[0][1] = sprite_offset[1][0] = sprite_offset[1][1] = 0; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; 
@@ -276,10 +277,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g a * (vop_ref[0][0] / 2); sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; @@ -304,10 +305,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); - s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); - s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); + sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); + sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); ctx->sprite_shift[0] = alpha + rho; ctx->sprite_shift[1] = alpha + rho + 2; 
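Review bot: In the second hunk here (`@@ -304`) the deltas are still computed in int: `sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);` multiplies before anything is widened, whereas the offset expressions a few lines up already cast `(int64_t)-r`, and the three-point case in the next hunk casts `(int64_t)sprite_ref`. Unless r and sprite_ref are bounded so the product fits, these four lines need the same cast, e.g. `sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]);`. Storing into the new int64_t array only helps after the multiplication has been done in 64 bits.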
@@ -332,28 +333,28 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; - s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; - s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3; + sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3; + sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3; + sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3; + sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3; ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; } /* try to simplify the situation */ - if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] && - s->sprite_delta[0][1] == 0 && - s->sprite_delta[1][0] == 0 && - s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { + if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && + sprite_delta[0][1] == 0 && + sprite_delta[1][0] == 0 && + sprite_delta[1][1] == a << ctx->sprite_shift[0]) { sprite_offset[0][0] >>= ctx->sprite_shift[0]; sprite_offset[0][1] >>= ctx->sprite_shift[0]; sprite_offset[1][0] >>= ctx->sprite_shift[1]; sprite_offset[1][1] >>= ctx->sprite_shift[1]; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = 0; - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = 0; + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = 0; ctx->sprite_shift[1] = 0; s->real_sprite_warping_points = 1; 
@@ -365,8 +366,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g if (shift_c < 0 || shift_y < 0 || FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || - FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || - FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y ) { avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); goto overflow; 
@@ -376,22 +377,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g for (i = 0; i < 2; i++) { sprite_offset[0][i] *= 1 << shift_y; sprite_offset[1][i] *= 1 << shift_c; - s->sprite_delta[0][i] *= 1 << shift_y; - s->sprite_delta[1][i] *= 1 << shift_y; + sprite_delta[0][i] *= 1 << shift_y; + sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } for (i = 0; i < 2; i++) { int64_t sd[2] = { - s->sprite_delta[i][0] - a * (1LL<<16), - s->sprite_delta[i][1] - a * (1LL<<16) + sprite_delta[i][0] - a * (1LL<<16), + sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || @@ -405,10 +406,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } - s->sprite_offset[0][0] = sprite_offset[0][0]; - s->sprite_offset[0][1] = sprite_offset[0][1]; - s->sprite_offset[1][0] = sprite_offset[1][0]; - s->sprite_offset[1][1] = sprite_offset[1][1]; + for (i = 0; i < 4; i++) { + s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1]; + s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1]; + } return 0; overflow: 
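Review bot: The new copy loop `s->sprite_offset[i&1][i>>1] = ...; s->sprite_delta[i&1][i>>1] = ...;` narrows int64_t back to int, and the only thing making that exact is the range checks above; a comment `/* both arrays were checked against INT_MAX above, so the narrowing is lossless */` should sit on the loop. The `i&1, i>>1` indexing is harder to read than two nested 2x2 loops and saves nothing. The `overflow:` path that ends mpeg4_decode_sprite_trajectory is outside the hunk.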
From ad3b198f479a5a97dc58a6449ed93d4b346a8f19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 00:32:30 +0200 Subject: [PATCH 686/942] avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb() Fixes out of array read Should fix: 3516/clusterfuzz-testcase-minimized-4608518562775040 (not reprodoceable) Found-by: Insu Yun, Georgia Tech. Signed-off-by: Michael Niedermayer (cherry picked from commit 127a362630e11fe724e2e63fc871791fdcbcfa64) Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg_er.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavcodec/mpeg_er.c b/libavcodec/mpeg_er.c
index dd87ae9cc9..9bd269c440 100644
--- a/libavcodec/mpeg_er.c
+++ b/libavcodec/mpeg_er.c
@@ -71,6 +71,7 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type,
 s->mb_skipped = mb_skipped;
 s->mb_x = mb_x;
 s->mb_y = mb_y;
+ s->mcsel = 0;
 memcpy(s->mv, mv, sizeof(*mv));
 ff_init_block_index(s);
From 87a8a4a507f0bad602aea5a41f5ac4bf113e7210 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 01:46:28 +0200 Subject: [PATCH 687/942] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3485/clusterfuzz-testcase-minimized-4940429332054016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bdee75a4e750735ab3039f004275ac8479072048) Signed-off-by: Michael Niedermayer
---
 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 755d5e5d2d..35ed8857e9 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
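Review bot: `s->mcsel = 0;` is added without a comment, and nothing in mpeg_er_decode_mb explains why this field must be reset here while the neighbouring ones are set from the arguments; suggest `/* error concealment never uses GMC: a stale mcsel left by the last decoded MB would otherwise select the sprite path */`. That reading of the "out of array read" in the commit message is an inference and should be confirmed against the motion-compensation code. The rest of the function is outside the hunk.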
@@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 // shared stuff for simd optimizations
 #define COMPOSE_53iL0(b0, b1, b2)\
- (b1 - ((b0 + b2 + 2) >> 2))
+ (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2))
 #define COMPOSE_DIRAC53iH0(b0, b1, b2)\
- (b1 + ((b0 + b2 + 1) >> 1))
+ (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
 (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
From df441441c552b83d4cd2d716d7d208dc3d698437 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 11:49:28 +0200 Subject: [PATCH 688/942] avcodec/ffv1dec: Fix out of array read in slice counting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: test-201710.mp4 Found-by: 连一汉 and Zhibin Hu Signed-off-by: Michael Niedermayer (cherry picked from commit c20f4fcb74da2d0432c7b54499bb98f48236b904) Signed-off-by: Michael Niedermayer
---
 libavcodec/ffv1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index b92c3b3706..bf1b1b7302 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -803,7 +803,7 @@ static int read_header(FFV1Context *f)
 } else {
 const uint8_t *p = c->bytestream_end;
 for (f->slice_count = 0;
- f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start;
+ f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start;
 f->slice_count++) {
 int trailer = 3 + 5*!!f->ec;
 int size = AV_RB24(p-trailer);
From 5422cdca42e7d9cb248994e3e232abbb5e60d3b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:53 +0200 Subject: [PATCH 689/942] avcodec/pafvideo: Check for bitstream end in decode_0() Fixes: Timeout Fixes: 3529/clusterfuzz-testcase-5057068371279872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c85329cd02e9284892bf263ce6133b2fc479792) 
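Review bot: The loop condition now repeats the trailer expression `3 + 5*!!f->ec` that the body computes into `trailer` one line later, so the bound and the read can drift apart on the next edit. Hoist it: `const int trailer = 3 + 5*!!f->ec;` before the `for`, and use `trailer < p - c->bytestream_start` in the condition, dropping the inner declaration. The rest of read_header is outside the hunk.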
Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 91bfe16376..6980ae1b35 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) dend = c->frame[page] + c->frame_size; offset = (x & 0x7F) * 2; j = bytestream2_get_le16(&c->gb) + offset; + if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16) + return AVERROR_INVALIDDATA; do { offset++; if (dst + 3 * c->width + 4 > dend) @@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) do { set_src_position(c, &src, &send); if ((src + 3 * c->width + 4 > send) || - (dst + 3 * c->width + 4 > dend)) + (dst + 3 * c->width + 4 > dend) || + bytestream2_get_bytes_left(&c->gb) < 4) return AVERROR_INVALIDDATA; copy_block4(dst, src, c->width, c->width, 4); i++; From abb3ec84bb7d89cb8b2b7b5676257c04da4285af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:54 +0200 Subject: [PATCH 690/942] avcodec/snowdec: Check mv_scale Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int' Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 393d6fc7395611a38792e3c271b2be42ac45e672) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 0ac0b55012..6eff729a19 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
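Review bot: The bound `(j - offset) * 16` encodes the number of bytes each iteration of the following loop consumes, but the constant is unexplained; a comment `/* each of the (j - offset) iterations below reads 16 bytes from gb */` would let a reader verify it against the loop body, most of which is outside the hunk. The `< 4` check in the second hunk presumably corresponds to the bytes consumed per copy_block4 step in the same way. Both checks hold only if nothing between them reads from gb without its own check, which cannot be seen here.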
@@ -394,9 +394,10 @@ static int decode_header(SnowContext *s){
 s->mv_scale += get_symbol(&s->c, s->header_state, 1);
 s->qbias += get_symbol(&s->c, s->header_state, 1);
 s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
- if(s->block_max_depth > 1 || s->block_max_depth < 0){
+ if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
 av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth);
 s->block_max_depth= 0;
+ s->mv_scale = 0;
 return AVERROR_INVALIDDATA;
 }
 if (FFABS(s->qbias) > 127) {
From 479e65ba47a140307ea5d0d8de36244541aa4cbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 18:48:41 +0200 Subject: [PATCH 691/942] Update for 3.0.10 Signed-off-by: Michael Niedermayer
---
 Changelog | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 RELEASE | 2 +-
 doc/Doxyfile | 2 +-
 3 files changed, 73 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index 6cdfcbf97d..ea82067a6a 100644
--- a/Changelog
+++ b/Changelog
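Review bot: The error message still reads `block_max_depth= %d is too large` even when the condition that failed is the new `s->mv_scale > 256U`, so a file rejected for mv_scale is misreported. Log both fields, e.g. `av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d or mv_scale= %d is too large\n", s->block_max_depth, s->mv_scale);`, or split the two checks with their own messages. The unsigned comparison also rejects a negative mv_scale, which is presumably intended and deserves a word in a comment.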
@@ -1,6 +1,77 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.10 +- avcodec/snowdec: Check mv_scale +- avcodec/pafvideo: Check for bitstream end in decode_0() +- avcodec/ffv1dec: Fix out of array read in slice counting +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() +- avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb() +- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta +- avcodec/x86/lossless_videoencdsp: Fix handling of small widths +- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() +- avcodec/aacdec_template: Clear tns present flag on error +- avcodec/proresdec2: SKIP_BITS() does not work with len=32 +- avcodec/hevcdsp_template: Fix undefined shift +- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. 
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/rmdec: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Check perspective_exp and zrs_exp. 
+- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() +- avcodec/diracdec: Fix integer overflow in divide3() +- avcodec/takdec: Fix integer overflow in decode_subframe() +- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 +- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 +- avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH() +- avcodec/dnxhddec: Move mb height check out of non hr branch +- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 +- avformat/oggparsecelt: Do not re-allocate os->private +- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() +- avcodec/aacdec_fixed: fix: left shift of negative value -1 +- doc/filters: typo in frei0r +- avcodec/cfhd: Fix decoding regression due to height chec + version 3.0.9 - avcodec/aacdec_template: Fix undefined integer overflow in apply_tns() - avcodec/mjpegdec: Clip DC also on the negative side. diff --git a/RELEASE b/RELEASE index 747457c6d2..a909317fe5 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.9 +3.0.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index e1addd3513..a48039b6ff 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.9 +PROJECT_NUMBER = 3.0.10 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 94e538aebbc9f9c529e8b1f2eda860cfb8c473b1 Mon Sep 17 00:00:00 2001 
From: Rostislav Pehlivanov Date: Wed, 8 Nov 2017 23:50:04 +0000 Subject: [PATCH 692/942] vc2enc_dwt: pad the temporary buffer by the slice size Since non-Haar wavelets need to look into pixels outside the frame, we need to pad the buffer. The old factor of two seemed to be a workaround that fact and only padded to the left and bottom. This correctly pads by the slice size and as such reduces memory usage and potential exploits. Reported by Liu Bingchang. Ideally, there should be no temporary buffer but the encoder is designed to deinterleave the coefficients into the classical wavelet structure with the lower frequency values in the top left corner. Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 3228ac730c11eca49d5680d5550128e397061c85) --- libavcodec/vc2enc.c | 5 +++-- libavcodec/vc2enc_dwt.c | 12 +++++++++--- libavcodec/vc2enc_dwt.h | 4 +++- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index bf3f3a980d..eb4e1e3c7e 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1106,8 +1106,9 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) /* DWT init */ if (ff_vc2enc_init_transforms(&s->transform_args[i].t, - s->plane[0].coef_stride, - s->plane[0].dwt_height)) + s->plane[i].coef_stride, + s->plane[i].dwt_height, + s->slice_width, s->slice_height)) goto alloc_fail; } diff --git a/libavcodec/vc2enc_dwt.c b/libavcodec/vc2enc_dwt.c index eb341684cd..0265db8dac 100644 --- a/libavcodec/vc2enc_dwt.c +++ b/libavcodec/vc2enc_dwt.c 
@@ -211,19 +211,25 @@ static void vc2_subband_dwt_53(VC2TransformContext *t, dwtcoef *data, deinterleave(data, stride, width, height, synth); } -av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height) +av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride, + int p_height, int slice_w, int slice_h) { s->vc2_subband_dwt[VC2_TRANSFORM_9_7] = vc2_subband_dwt_97; s->vc2_subband_dwt[VC2_TRANSFORM_5_3] = vc2_subband_dwt_53; - s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef)); + /* Pad by the slice size, only matters for non-Haar wavelets */ + s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef)); if (!s->buffer) return 1; + s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1); + s->buffer += s->padding; + return 0; } av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s) { - av_freep(&s->buffer); + av_free(s->buffer - s->padding); + s->buffer = NULL; } diff --git a/libavcodec/vc2enc_dwt.h b/libavcodec/vc2enc_dwt.h index 8e1b61498e..7be682bcd9 100644 --- a/libavcodec/vc2enc_dwt.h +++ b/libavcodec/vc2enc_dwt.h @@ -44,12 +44,14 @@ enum VC2TransformType { typedef struct VC2TransformContext { dwtcoef *buffer; + int padding; void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t, dwtcoef *data, ptrdiff_t stride, int width, int height); } VC2TransformContext; -int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height); +int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height, + int slice_w, int slice_h); void ff_vc2enc_free_transforms(VC2TransformContext *t); #endif /* AVCODEC_VC2ENC_DWT_H */ From 52bb493afaa51e9929929412a3c37434c109acea Mon Sep 17 00:00:00 2001 
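Review bot: The element count handed to av_calloc(), `(p_stride + slice_w)*(p_height + slice_h)`, is evaluated in int before the call, so for large planes it can wrap before av_calloc()'s own overflow check ever sees it; widening one factor first, `s->buffer = av_calloc((size_t)(p_stride + slice_w) * (p_height + slice_h), sizeof(dwtcoef));`, keeps that check meaningful. In ff_vc2enc_free_transforms() `s->buffer - s->padding` is formed even after a failed init, where `buffer` is NULL and `padding` was never assigned (it is only set after the allocation succeeds), so correctness depends on the caller having zeroed the context; `if (s->buffer) av_free(s->buffer - s->padding);` removes that dependency. The new `padding` member in the vc2enc_dwt.h hunk on this same line deserves a comment saying that `buffer` points `padding` elements into the allocation and that `buffer - padding` is the pointer to free.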
From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:56 +0200 Subject: [PATCH 693/942] avcodec/jpeglsdec: Check ilv for being a supported value Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 20b40445fd..60701d69fd 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -438,6 +438,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; + } else { /* unknown interleaving */ + avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); + ret = AVERROR_PATCHWELCOME; + goto end; } if (s->xfrm && s->nb_components == 3) { From 93854b705273fa77ff22aed393232ae19dfb30d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:57 +0200 Subject: [PATCH 694/942] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 60701d69fd..5e0a3d2978 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
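Review bot: The new else branch reports an out-of-range interleave value as a missing feature and returns AVERROR_PATCHWELCOME, but a value the format does not define is corrupt input rather than an unimplemented mode, so `ret = AVERROR_INVALIDDATA;` together with an AV_LOG_ERROR message describes it more accurately to callers and to the fuzzing harness. The variable under test is not visible in the hunk (the subject names it `ilv`), so the accepted range should be stated in the message or in a comment on the branch.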
@@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, while (x < w) { int err, pred; + if (get_bits_left(&s->gb) <= 0) + return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); From 56cc35019e4a51bc40b06d9898a6ace387964c7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Oct 2017 02:23:20 +0200 Subject: [PATCH 695/942] avcodec/aacdec_fixed: Fix integer overflow in predict() Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot be represented in type 'int' Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0976752420706c0a8b3cb8fd61497a47c7d7270f) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 8c8eeafcc1..21d81e046e 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (shift < 31) { if (shift > 0) { - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); } else - *coef += pv.mant << -shift; + *coef += (unsigned)(pv.mant << -shift); } } From 52ebd1a0dc2f0eb29eb6cf39c5b0cd9b35b3a0b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Oct 2017 02:23:21 +0200 Subject: [PATCH 696/942] avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be represented in type 'int' Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
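Review bot: The early `return;` on bitstream exhaustion abandons the rest of the row without any signal to the caller, because ls_decode_line() is void; whether the untouched pixels are later detected cannot be seen from here, so the intent should at least be stated, e.g. `/* bitstream exhausted: stop this line; remaining pixels keep their current contents and the caller is not told */`. Returning a status and checking it at the call sites would be the stronger fix if the decoder's error policy allows it. The loop and the function continue outside the hunk.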
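Review bot: In the `else` branch of the aacdec_fixed predict() hunk the cast wraps the result of `pv.mant << -shift`, so the addition is now unsigned but a negative `pv.mant` is still left-shifted as a signed int, which remains undefined; casting before the shift, `*coef += (unsigned)pv.mant << -shift;`, is what makes the shift defined (patch 707/942 further down this series makes exactly that change, which suggests squashing). The `shift > 0` branch is fine as written because only a right shift happens inside the cast.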
Signed-off-by: Michael Niedermayer (cherry picked from commit 41d96af2a74cb5df50346b160067facd43149667) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 21d81e046e..d6959b8ac2 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp * (1 << shift); + dest[group * 128 + k] += tmp * (1U << shift); } } } From a3bb922c4da1745fb6a12adc1b4e15e97794aaa6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Oct 2017 23:21:40 +0100 Subject: [PATCH 697/942] avcodec/xan: Improve overlapping check Fixes: memcpy-param-overlap Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 662386af9a..85fa8e7394 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -262,7 +262,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, AVFrame *frame, prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) { + if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) { avpriv_request_sample(s->avctx, "Overlapping copy"); return ; } From 66754f0a962ebb0323269fca4ac2e93643393777 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Wed, 12 Apr 2017 01:46:30 +0200 Subject: [PATCH 698/942] avformat: Free the internal codec context at the end Avoid a use after free in avformat_find_stream_info. (cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index fa64e5c188..1a098b6d88 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3475,12 +3475,6 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } } - // close codecs which were opened in try_decode_frame() - for (i = 0; i < ic->nb_streams; i++) { - st = ic->streams[i]; - avcodec_close(st->codec); - } - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -3596,6 +3590,7 @@ find_stream_info_err: ic->streams[i]->codec->thread_count = 0; if (st->info) av_freep(&st->info->duration_error); + avcodec_close(st->codec); av_freep(&ic->streams[i]->info); } if (ic->pb) From 4d9321136d7fc344166893153fc092fb821df961 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Nov 2017 17:48:29 +0100 Subject: [PATCH 699/942] avcodec/xan: Check for bitstream end in xan_huffman_decode() Fixes: Timeout Fixes: 3707/clusterfuzz-testcase-6465922706440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 85fa8e7394..cafcbed9dc 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c 
@@ -130,7 +130,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len, return ret; while (val != 0x16) { - unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + unsigned idx; + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; + idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; From 122634a580dfecec51f6105205b144e60731ae78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Nov 2017 01:19:20 +0100 Subject: [PATCH 700/942] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot be represented in type 'int' Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index abf888ed96..e402c9636b 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); - const int b1 = (a7>>2) + a1; - const int b3 = a3 + (a5>>2); - const int b5 = (a3>>2) - a5; - const int b7 = a7 - (a1>>2); + const int b1 = (a7>>2) + (unsigned)a1; + const int b3 = (unsigned)a3 + (a5>>2); + const int b5 = (a3>>2) - (unsigned)a5; + const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; From 21ae8b4869e2b2d51be2ce726b03cd86bc36285f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:19 +0100 Subject: [PATCH 701/942] avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d1dec466895eed12f2c79b7ab5447f5390fe869) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 1f5ff410d1..2a679491b0 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr, av_add_sf(FLOAT_1, sbr->e_curr[e][m]), av_add_sf(FLOAT_1, sbr->q_mapped[e][m])))); } + sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN); } for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) { sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]); From 4fbee4272793da37c8ba563eab754de355304ad7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:18 +0100 Subject: [PATCH 702/942] avutil/softfloat: Add FLOAT_MIN Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index df610b7b3b..64696450e2 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -43,6 +43,7 @@ static const SoftFloat FLOAT_EPSILON = { 0x29F16B12, -16}; static const SoftFloat FLOAT_1584893192 = { 0x32B771ED, 1}; static const SoftFloat FLOAT_100000 = { 0x30D40000, 17}; static const SoftFloat FLOAT_0999999 = { 0x3FFFFBCE, 0}; +static const SoftFloat FLOAT_MIN = { 0x20000000, MIN_EXP}; static inline av_const double av_sf2double(SoftFloat v) { v.exp -= ONE_BITS +1; From b45971a955572390dca2c180c3477995152447df Mon Sep 17 00:00:00 2001 
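Review bot: `FLOAT_MIN` is used in sbr_gain_calc() by patch 701/942 but only defined in libavutil/softfloat.h by patch 702/942, which follows it, so the tree does not build at 701 and bisection across this point breaks; the two patches should be swapped or squashed when applied. The softfloat hunk would also benefit from a comment on the new constant, e.g. `/* presumably the smallest normalised positive value (MIN_EXP not shown here); added to gains so later divisions by them cannot hit zero */`, since its purpose is only discoverable from the other commit's subject.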
From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:20 +0100 Subject: [PATCH 703/942] avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long' Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f45bb847a8..07ef12117c 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], int64_t accu; for (m = 0; m < m_max; m++) { - int64_t r = 1LL << (22-g_filt[m].exp); - accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); - Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); + if (22 - g_filt[m].exp < 61) { + int64_t r = 1LL << (22-g_filt[m].exp); + accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); + Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); - accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); - Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); + Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + } } } From b9e9c5cee03ff9a092f9d8f13df22d91979c24e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Nov 2017 18:34:09 +0100 Subject: [PATCH 704/942] avcodec/cngdec: Fix integer clipping Fixes: runtime error: value -36211.7 is outside the range of representable values of type 'short' Fixes: 2992/clusterfuzz-testcase-6649611793989632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
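Review bot: When `22 - g_filt[m].exp < 61` is false the iteration now writes nothing, leaving `Y[m][0]` and `Y[m][1]` with whatever they held before; unless the caller pre-initialises Y (not visible here) stale data flows into the following stages, so an explicit else branch, `Y[m][0] = Y[m][1] = 0;`, which is the value the shifted expression tends to for such exponents, would be safer and self-documenting. The guard also bounds the shift only from above; if `g_filt[m].exp` can exceed 22 the count goes negative and `1LL << (22-g_filt[m].exp)` is still undefined, so the lower bound should be confirmed or checked as well.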
Signed-off-by: Michael Niedermayer (cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 0251086042..a3fabf90e3 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data, return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = p->filter_out[i + p->order]; + buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); From f33f13172cfe34b3bedb59964957d8d784f9cea0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:05 +0100 Subject: [PATCH 705/942] avcodec/snowdec: Fix integer overflow in header parsing Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576 Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 6eff729a19..2b92ed3de0 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){ } } - s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1); + s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; 
@@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){ } - s->qlog += get_symbol(&s->c, s->header_state, 1); - s->mv_scale += get_symbol(&s->c, s->header_state, 1); - s->qbias += get_symbol(&s->c, s->header_state, 1); - s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); + s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; From f2763b8ba80cb258663807a5e61f028564b02ac3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:06 +0100 Subject: [PATCH 706/942] avcodec/mdct_*: Fix integer overflow in addition in RESCALE() Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot be represented in type 'int' Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a) Signed-off-by: Michael Niedermayer --- libavcodec/mdct_fixed.c | 8 ++++---- libavcodec/mdct_template.c | 14 +++++++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c index a32cb00ca0..aabf0c88f8 100644 --- a/libavcodec/mdct_fixed.c +++ b/libavcodec/mdct_fixed.c 
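Review bot: The unsigned casts make the four accumulations wrap instead of overflowing, but the range check that follows still covers only `block_max_depth` and `mv_scale`; `qlog` and `qbias` keep accumulating across headers with nothing visible here bounding them, so unless they are validated elsewhere (not shown in the hunk) an equivalent range check after the additions would be consistent with the one on `mv_scale`. A short comment on the casts, `/* deltas are added in unsigned so corrupt streams wrap instead of triggering signed overflow */`, would keep the next reader from removing them as redundant.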
@@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input) /* pre rotation */ for(i=0;i> 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input) /* pre rotation */ for(i=0;i Date: Sun, 5 Nov 2017 21:20:07 +0100 Subject: [PATCH 707/942] avcodec/aacdec_fixed: Fix undefined shift Fixes: runtime error: left shift of negative value -801112064 Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fca198fb5bf42ba6b765b3f75b11738e4b4fc2a9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index d6959b8ac2..535b323fc0 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -309,7 +309,7 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (shift > 0) { *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); } else - *coef += (unsigned)(pv.mant << -shift); + *coef += (unsigned)pv.mant << -shift; } } From 91aadc6a5b8e295dd649c430e9a994226dc002be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:08 +0100 Subject: [PATCH 708/942] avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot be represented in type 'int' Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
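Review bot: Moving the cast in front of `pv.mant` in the aacdec_fixed predict() hunk fixes the left shift of a negative value, but the only bound on `shift` visible in this series is the `if (shift < 31)` test shown in patch 695's hunk, which limits the right-shift side; if `shift` can reach -32 or below, `<< -shift` exceeds the width of unsigned and is undefined as well. If the fixed-point format guarantees a narrower range, a one-line comment at the `if (shift < 31)` line saying so would settle it; otherwise the branch needs an `-shift < 32` guard. The enclosing function continues outside the hunk.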
Signed-off-by: Michael Niedermayer (cherry picked from commit 2afe05402f05d485f0c356b04dc562f0510d317d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 3049ce8b79..0e532fcf84 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2], INTFLOAT apd_im = in_im; in_re = AAC_MSUB30(link_delay_re, fractional_delay_re, link_delay_im, fractional_delay_im); - in_re -= a_re; + in_re -= (UINTFLOAT)a_re; in_im = AAC_MADD30(link_delay_re, fractional_delay_im, link_delay_im, fractional_delay_re); - in_im -= a_im; - ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re); - ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im); + in_im -= (UINTFLOAT)a_im; + ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re); + ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im); } out[n][0] = AAC_MUL16(transient_gain[n], in_re); out[n][1] = AAC_MUL16(transient_gain[n], in_im); From b8a6b5602762e540fbac982cbc3689fa0d2768de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Nov 2017 20:47:48 +0100 Subject: [PATCH 709/942] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu Fixes: out of array read Fixes: 3516/attachment-311488.dat Found-by: Insu Yun, Georgia Tech. Tested-by: wuninsu@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mpegvideodsp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index 941a8e2e4c..5dcfd76a61 100644 --- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c 
@@ -53,8 +53,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | From 2fc1a8ba4984097aca266d6539e52bcfe67d02fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Oct 2017 18:04:44 +0200 Subject: [PATCH 710/942] avcodec/h264dec: Fix potential array overread add padding before scantable arrays See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a Signed-off-by: Michael Niedermayer (cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index a5fc3a053f..cfd14aa646 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -605,6 +605,7 @@ typedef struct H264Context { uint8_t (*mvd_table[2])[2]; uint8_t *direct_table; + uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; From 4171249d7632ea4ea2964b992eca7adc12dacb76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 16:53:34 +0100 Subject: [PATCH 711/942] avcodec/vc2enc: Clear coef_buf on allocation Fixes: Use of uninitialized memory Fixes: assertion failure Reviewed-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 6d00905f8134a2932e5c00dd1ec8b2a1f0a38035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index eb4e1e3c7e..ac551caaa1 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c 
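Review bot: The new `need_emu` expression in gmc_mmx() ends with a line holding only `;` and has `height< h` with uneven spacing, which any formatter will flag; putting the size tests first also states the intent directly and avoids forming the negative `width - w` before it has been ruled out: `int need_emu = width < w || (unsigned) ix >= width - w ||` / `height < h || (unsigned) iy >= height - h;`. Behaviour is unchanged because `||` short-circuits, and the reader no longer has to work out that a negative `width - w` converted to unsigned is what the old test missed.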
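Review bot: `scan_padding[16]` in the h264.h hunk is a guard member whose only job, as the commit message implies, is to absorb reads that land before `zigzag_scan`, yet nothing in the header says so; a later cleanup that drops an "unused" field or reorders the struct would silently reintroduce the overread. Add a comment such as `uint8_t scan_padding[16]; ///< guard bytes: the scan tables below can be read at negative offsets; do not remove or move (see commit 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a)`. The more durable fix would be to bound the index at the read site, which this hunk does not show.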
@@ -1088,7 +1088,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) p->dwt_width = w = FFALIGN(p->width, (1 << s->wavelet_depth)); p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth)); p->coef_stride = FFALIGN(p->dwt_width, 32); - p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); + p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); if (!p->coef_buf) goto alloc_fail; for (level = s->wavelet_depth-1; level >= 0; level--) { From 74677deaca819c4a25b01488e0b69d9e984f103f Mon Sep 17 00:00:00 2001 From: Fredrik Hubinette Date: Wed, 15 Nov 2017 17:24:30 -0800 Subject: [PATCH 712/942] avformat/mov: Check size of STSC allocation Signed-off-by: Michael Niedermayer (cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6768aa2792..85bf2e5211 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2248,6 +2248,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if ((uint64_t)entries * 12 + 4 > atom.size) + return AVERROR_INVALIDDATA; av_log(c->fc, AV_LOG_TRACE, "track[%i].stsc.entries = %i\n", c->fc->nb_streams-1, entries); From b8a10f10cc5ff6191bd63561cea740f6490366c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:15 +0100 Subject: [PATCH 713/942] avcodec/snowdec: Check intra block dc differences. Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) 
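Review bot: Zeroing the buffer addresses the uninitialised read, but the size `p->coef_stride*p->dwt_height*sizeof(dwtcoef)` is still formed as an int product before the widening multiply by sizeof, so for large dimensions it can wrap before av_mallocz() sees it; `p->coef_buf = av_calloc(p->coef_stride * (size_t)p->dwt_height, sizeof(dwtcoef));` gives both the zeroing and the library's overflow check. The same int-product pattern appears in patch 692's ff_vc2enc_init_transforms() hunk earlier on this page.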
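Review bot: The new bound in mov_read_stsc(), `(uint64_t)entries * 12 + 4 > atom.size`, accounts for the four bytes of `entries` but not for the version/flags bytes consumed by the `avio_rb24(pb)` line just above it (plus the version byte before that, outside the hunk); if `atom.size` covers the whole box payload the check is loose by four bytes and an exactly-sized box can still have its last entry read past the atom — worth confirming and, if so, using `+ 8`. A comment naming the 12, `/* each stsc entry: first_chunk, samples_per_chunk, sample_description_index */`, would stop it reading as a magic number.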
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 2b92ed3de0..af92cb0070 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ + int ld, cbd, crd; pred_mv(s, &mx, &my, 0, left, top, tr); - l += get_symbol(&s->c, &s->block_state[32], 1); + ld = get_symbol(&s->c, &s->block_state[32], 1); + if (ld < -255 || ld > 255) { + return AVERROR_INVALIDDATA; + } + l += ld; if (s->nb_planes > 2) { - cb+= get_symbol(&s->c, &s->block_state[64], 1); - cr+= get_symbol(&s->c, &s->block_state[96], 1); + cbd = get_symbol(&s->c, &s->block_state[64], 1); + crd = get_symbol(&s->c, &s->block_state[96], 1); + if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { + return AVERROR_INVALIDDATA; + } + cb += cbd; + cr += crd; } }else{ if(s->ref_frames > 1) From 12aea29a95960603c6777982d363ed644cabfb9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:16 +0100 Subject: [PATCH 714/942] avcodec/snowdec: Check for remaining bitstream in decode_blocks() Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index af92cb0070..df425b8cf3 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -437,6 +437,8 @@ static int decode_blocks(SnowContext *s){ for(y=0; yc.bytestream >= s->c.bytestream_end) + return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } 
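Review bot: The ±255 limits applied to `ld`, `cbd` and `crd` in decode_q_branch() are unexplained magic numbers; a comment such as `/* DC deltas outside the 8-bit sample range can only come from corrupt data; rejecting them bounds decode time */` (assuming 8-bit samples, which the hunk does not show) would record why a stream is rejected here rather than clipped. As rendered here the hunk shows `int ld, cbd, crd;` where the `if(type){` line was, which looks like a rendering artefact rather than the real patch; if the declarations really sit after the `type=` statement they rely on C99 mixed declarations, which is only consistent if the file already uses them.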
From d1421edab7c1a2e7d481130884cbecf9c9291c54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2017 01:28:07 +0200 Subject: [PATCH 715/942] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() Fixes: Timeout Fixes: 3200/clusterfuzz-testcase-5750022136135680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dec.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 99c95d397a..98df381509 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -30,7 +30,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = &w->s; @@ -45,6 +45,8 @@ static void parse_mb_skip(Wmv2Context *w) MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: + if (get_bits_left(&s->gb) < s->mb_height * s->mb_width) + return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -52,6 +54,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -65,6 +69,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = 
@@ -77,6 +83,7 @@ static void parse_mb_skip(Wmv2Context *w) } break; } + return 0; } static int decode_ext_header(Wmv2Context *w) @@ -170,9 +177,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } } else { int cbp_index; + int ret; w->j_type = 0; - parse_mb_skip(w); + ret = parse_mb_skip(w); + if (ret < 0) + return ret; cbp_index = decode012(&s->gb); w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index); @@ -352,6 +362,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->hshift = 0; return 0; } + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -362,6 +374,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) cbp = code & 0x3f; } else { s->mb_intra = 1; + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, From bc65abecd31f2c7f21103472dcd71145e7a8efe7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Nov 2017 03:40:07 +0100 Subject: [PATCH 716/942] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760 Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 35ed8857e9..f9a9e9e1b3 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
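Review bot: The SKIP_TYPE_ROW and SKIP_TYPE_COL checks guard only the single flag bit read per row or column; the branch taken when that bit is clear (inside the loops, outside these hunks) presumably reads one bit per macroblock, and nothing new bounds that, so a truncated stream can still spin through the whole frame there. In ff_wmv2_decode_mb() the same `if (get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA;` is added in both the inter and the intra branch; hoisting it once ahead of the `if` that selects the branch avoids the duplicate. parse_mb_skip() begins in the hunks on the previous line and ff_wmv2_decode_mb() continues outside the hunk.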
@@ -102,7 +102,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
- (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
+ (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))
 #define COMPOSE_HAARiL0(b0, b1)\
 (b0 - ((b1 + 1) >> 1))
From b9b4d34ecfdd49b9962491c32422b906e2f455ac Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 15 Nov 2017 17:11:12 +0100
Subject: [PATCH 717/942] avcodec/zmbv: Check that the buffer is large enough for mvec
Fixes: Timeout
Fixes: 4143/clusterfuzz-testcase-4736864637419520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514)
Signed-off-by: Michael Niedermayer
---
 libavcodec/zmbv.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 25a1cd215d..39a08db0eb 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
 } else {
 frame->key_frame = 0;
 frame->pict_type = AV_PICTURE_TYPE_P;
+ if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh))
+ return AVERROR_INVALIDDATA;
 if (c->decomp_len)
 c->decode_xor(c);
 }
From a3606385f075170dd67d54dfe3ca6b760730fed2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 15 Nov 2017 03:38:37 +0100
Subject: [PATCH 718/942] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
Fixes: runtime error: left shift of negative value -7862264
Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21) 
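Review bot: The outer `b2 - (...)` in the new COMPOSE_DD137iL0 is still signed int arithmetic, so the overflow class this commit fixes can recur there when b2 is near INT_MIN and the shifted correction is positive; patches 725 and 736 in this same series cast the additive operand to unsigned in COMPOSE_FIDELITYi* and COMPOSE_DAUB97i* for exactly that reason, and the same form works here: `((unsigned)b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`. Whether callers can actually produce such a b2 cannot be seen from the hunk, so this is a consistency point rather than a confirmed crash.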
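Review bot: The new zmbv guard divides by `c->bw` and `c->bh`, and the hunk does not show where those are established as non-zero on the P-frame path; if a P-frame can reach this point before any keyframe has set them, this is a division by zero, so please confirm the keyframe-required check sits above this hunk. The `2LL` factor also deserves a comment, since nothing in the code ties it to the per-block motion vector the commit title refers to, e.g. `/* decode_xor consumes a 2-byte motion vector per block before any block data */` (wording to be confirmed against decode_xor, which is outside the hunk).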
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index fbafa92d72..4e3a16c781 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample << 8; + *data_32++ = sample * 256; else *data_16++ = sample >> 8; } From bf44f250a2234d963489642eadcf32e79f9bb804 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Nov 2017 22:01:29 +0100 Subject: [PATCH 719/942] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() Fixes: runtime error: left shift of negative value -255 Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index dd1643f6d1..82ee0b63ac 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1413,7 +1413,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 20e78d53394fa56eb4bcb3be06ff70375a86dd94 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Mon, 20 Nov 2017 12:05:02 -0800 Subject: [PATCH 720/942] avformat/mov: Propagate errors in mov_switch_root. 
Signed-off-by: Jacob Trimble Signed-off-by: Michael Niedermayer (cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 85bf2e5211..d41778cbed 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4975,6 +4975,7 @@ static int should_retry(AVIOContext *pb, int error_code) { static int mov_switch_root(AVFormatContext *s, int64_t target) { + int ret; MOVContext *mov = s->priv_data; int i, j; int already_read = 0; @@ -5011,8 +5012,10 @@ static int mov_switch_root(AVFormatContext *s, int64_t target) mov->found_mdat = 0; - if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) < 0 || - avio_feof(s->pb)) + ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }); + if (ret < 0) + return ret; + if (avio_feof(s->pb)) return AVERROR_EOF; av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", avio_tell(s->pb)); From 712814fb17b62557d17d0bcff5b57e2a9d8e613c Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 14:51:09 -0800 Subject: [PATCH 721/942] Use ff_thread_once for fixed, float table init. These tables are static so they should only be initialized once instead of on every call to ff_mpadsp_init(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodsp.c b/libavcodec/mpegaudiodsp.c index a5d20df629..3cafca27bf 100644 --- a/libavcodec/mpegaudiodsp.c +++ b/libavcodec/mpegaudiodsp.c 
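Review bot: The rewritten check in mov_switch_root now returns the parser's own error before testing avio_feof, so a fragment that fails to parse at end of file reports that error where the old code returned AVERROR_EOF; callers that treat AVERROR_EOF specially (should_retry is visible in the hunk header) may therefore see a different code for the same input, and the commit message does not say whether that is intended. On style, `int ret;` is declared above the existing `MOVContext *mov` and `int i, j;` lines; placing it next to `int already_read = 0;` and initialising it (`int ret = 0;`) would read more naturally. The rest of mov_switch_root lies outside the hunk.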
@@ -20,17 +20,21 @@ #include "config.h" #include "libavutil/attributes.h" +#include "libavutil/thread.h" #include "mpegaudiodsp.h" #include "dct.h" #include "dct32.h" +static AVOnce mpadsp_float_table_init = AV_ONCE_INIT; +static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT; + av_cold void ff_mpadsp_init(MPADSPContext *s) { DCTContext dct; ff_dct_init(&dct, 5, DCT_II); - ff_init_mpadsp_tabs_float(); - ff_init_mpadsp_tabs_fixed(); + ff_thread_once(&mpadsp_float_table_init, &ff_init_mpadsp_tabs_float); + ff_thread_once(&mpadsp_fixed_table_init, &ff_init_mpadsp_tabs_fixed); s->apply_window_float = ff_mpadsp_apply_window_float; s->apply_window_fixed = ff_mpadsp_apply_window_fixed; From c09d587ac54d0ecb8190618fb867e9fd907e1359 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 16:05:30 -0800 Subject: [PATCH 722/942] Fix undefined shift on assumed 8-bit input. decode_user_data() attempts to create an integer |build| value with 8 bits of spacing for 3 components. However each component is an int32_t, so shifting each component is undefined for values outside of the 8 bit range. This patch simply clamps input to 8-bits per component and prints out a warning that the values were clamped. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index cb2224a07b..d9d67b0fe4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
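Review bot: The two once-guards in ff_mpadsp_init could be a single `static AVOnce` plus one small static function that calls ff_init_mpadsp_tabs_float() and ff_init_mpadsp_tabs_fixed() in turn, keeping the run-once state in one place; as written there is nothing wrong, it is a matter of how many guards a reader has to track. The return value of ff_thread_once is ignored on both new lines, and a short comment saying that it cannot fail here (if that is the case) would avoid the question being re-asked. Note that `ff_dct_init(&dct, 5, DCT_II)` still runs on every call; the commit message only claims to remove the per-call table init, so that is presumably deliberate, but a comment would make it explicit.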
@@ -2139,8 +2139,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; - if (e > 1) - build = (ver << 16) + (ver2 << 8) + ver3; + if (e > 1) { + if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); + } + build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); + } } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) From 50b22648100e2fa77c798ac770967982d841d04d Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 20 Nov 2017 12:07:57 -0800 Subject: [PATCH 723/942] Close ogg stream upon error when using AV_EF_EXPLODE. Without this there can be multiple memory leaks for unrecognized ogg streams. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 7ecb42ce8f..99e51b8b65 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -709,8 +709,10 @@ static int ogg_read_header(AVFormatContext *s) "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); - if (s->error_recognition & AV_EF_EXPLODE) + if (s->error_recognition & AV_EF_EXPLODE) { + ogg_read_close(s); return AVERROR_INVALIDDATA; + } } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = From abff307736fba32305e3b0ac669d62020013a174 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Nov 2017 03:15:53 +0100 Subject: [PATCH 724/942] avcodec/mpeg4videodec: Check also for negative versions in the validity check 
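Review bot: The new warning says the values are being clamped, but `(ver & 0xFF)` masks them, so a component of 256 becomes 0 rather than 255 and the resulting `build` is wrong in a way the message does not describe; either clamp for real, `build = (av_clip(ver, 0, 0xFF) << 16) + (av_clip(ver2, 0, 0xFF) << 8) + av_clip(ver3, 0, 0xFF);`, or reword the message to say the components are truncated to their low 8 bits. Clamping to [0, 0xFF] also covers the negative values sscanf can produce, which `ver > 0xFF` does not catch (patch 724 in this series changes the comparison but keeps the mask). Whichever is chosen, the warning text and the arithmetic should agree.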
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index d9d67b0fe4..eff809aafc 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2140,7 +2140,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb)
 if (e != 4) {
 e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1;
 if (e > 1) {
- if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) {
+ if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) {
 av_log(s->avctx, AV_LOG_WARNING,
 "Unknown Lavc version string encountered, %d.%d.%d; "
 "clamping sub-version values to 8-bits.\n",
From 2214afdf408c7cfb9aa1861e2efb5909fdd1bcfb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 25 Nov 2017 03:15:16 +0100
Subject: [PATCH 725/942] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be represented in type 'int'
Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f)
Signed-off-by: Michael Niedermayer
---
 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index f9a9e9e1b3..eb5aebc878 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h 
@@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From 71e40180cb1df511cfb67e17ff041f69d8d11d32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Nov 2017 20:14:54 +0100 Subject: [PATCH 726/942] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression Fixes: Timeout Fixes: 4271/clusterfuzz-testcase-4676667768307712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f) Signed-off-by: Michael Niedermayer --- libavcodec/kgv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 5359411c76..a6bd9400ac 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h = (buf[1] + 1) * 8; buf += 2; + if (avpkt->size < 2 + w*h / 513) + return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(&c->frame_buffer); av_freep(&c->last_frame_buffer); From 78b6e8fb233f52284d6a3bee169361f5ee82c79f Mon Sep 17 00:00:00 2001 
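Review bot: The divisor in the new `if (avpkt->size < 2 + w*h / 513)` is unexplained in the code; the commit title says it reflects the maximum RLE compression, so a comment is needed to stop the number being "tuned" later, e.g. `/* 513: best-case RLE expansion per input byte, so fewer bytes than this cannot cover w*h — TODO confirm against the decode loop */`, with the exact factor checked against the RLE loop that lies outside the hunk. Since `h = (buf[1] + 1) * 8` is visible and w is presumably formed the same way, `w*h` is at most 2048*2048 and cannot overflow int, which is worth noting alongside.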
From: Michael Niedermayer Date: Mon, 20 Nov 2017 18:45:45 +0100 Subject: [PATCH 727/942] avcodec/mlpdsp: Fix signed integer overflow, 2nd try The outputted bits should match what is used in the lossless check Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be represented in type 'int' Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 4e3a16c781..32a4503b64 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample * 256; + *data_32++ = sample * 256U; else *data_16++ = sample >> 8; } From a65633aa9d2291244d039abeda2864492ca810c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2017 21:27:37 +0100 Subject: [PATCH 728/942] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() Fixes: runtime error: left shift of negative value -127 Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 82ee0b63ac..8ae193d2ea 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c 
@@ -1361,7 +1361,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 +
- ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+ ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1));
 src += srcstride;
 dst += dststride;
 src2 += MAX_PB_SIZE;
From 44dc83f0e07a7bcce135ced249d231c3a7b2fd5d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 30 Nov 2017 23:42:04 +0100
Subject: [PATCH 729/942] avcodec/j2kenc: Fix out of array access in encode_cblk()
Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0674087004538599797688785f6ac82358abc23b)
Signed-off-by: Michael Niedermayer
---
 libavcodec/j2kenc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c
index c8d3861732..baaf47422c 100644
--- a/libavcodec/j2kenc.c
+++ b/libavcodec/j2kenc.c
@@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20
 cblk->npasses = passno;
 cblk->ninclpasses = passno;
- cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
+ if (passno)
+ cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
 }
 /* tier-2 routines: */
From b01020a0501aefc6decce15901437d4e03c4bbbf Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Fri, 17 Nov 2017 13:35:56 -0800
Subject: [PATCH 730/942] avformat/utils: Prevent undefined shift with wrap_bits > 64.
2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the code to use a uint64_t (2ULL) and add an av_assert2() to ensure wrap_bits <= 64.
Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer (cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 1a098b6d88..6201e38814 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1535,13 +1535,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; + av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && - (av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { - if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { + av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { + if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } From e6c6bb218e0b4ae4b6963268d6488cf6104656d0 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 22 Nov 2017 10:58:39 -0800 Subject: [PATCH 731/942] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579) Signed-off-by: Michael Niedermayer --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 86d10407f4..61c395e71e 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c 
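Review bot: `av_assert2(wrap_bits <= 64)` is compiled out unless the build sets ASSERT_LEVEL to 2 or more, so in a normal build a stream whose pts_wrap_bits exceeds 64 still reaches the shift on the lines below; if the value can come from a demuxer or API user rather than being provably bounded, the bound needs enforcing where pts_wrap_bits is set, or with av_assert0 here. The shift is also undefined for `wrap_bits == 0`, where `wrap_bits - 1` is negative, and the new assert does not cover that; `av_assert2(wrap_bits >= 1 && wrap_bits <= 64);` at least documents both ends. Note that with wrap_bits exactly 64, `2ULL << 63` wraps to 0, so av_compare_mod is handed a zero modulus; presumably it treats that as full 64-bit arithmetic, but a one-line comment saying so would spare the next reader the check.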
@@ -105,7 +105,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num)
 exit_at_level[i] = 0;
 // construct code (append 0s to end) and introduce new exits
 for (j = i + 1 ;j <= bits[p]; ++j)
- exit_at_level[j] = code + (1 << (j - 1));
+ exit_at_level[j] = code + (1u << (j - 1));
 codes[p] = code;
 #ifdef DEBUG
From 532f0d1278c049a9f55d0de3f7b56b958c598440 Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Tue, 28 Nov 2017 14:26:55 -0800
Subject: [PATCH 732/942] Don't manipulate duration when it's AV_NOPTS_VALUE.
This leads to signed integer overflow.
Signed-off-by: Dale Curtis
Signed-off-by: James Almer
(cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0)
Signed-off-by: Michael Niedermayer
---
 libavformat/oggparsevp8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c
index ca13928f1e..54f1fa6544 100644
--- a/libavformat/oggparsevp8.c
+++ b/libavformat/oggparsevp8.c
@@ -125,7 +125,7 @@ static int vp8_packet(AVFormatContext *s, int idx)
 os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
- if (s->streams[idx]->duration)
+ if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE)
 s->streams[idx]->duration -= s->streams[idx]->start_time;
 }
 }
From 06a6f73ad83b53a7b3da4cb7b97cb1c878ec837b Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Thu, 30 Nov 2017 12:20:36 -0800
Subject: [PATCH 733/942] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
Didn't notice this one when 9648cc6d was landed.
Signed-off-by: Dale Curtis
Signed-off-by: Michael Niedermayer
(cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a)
Signed-off-by: Michael Niedermayer
---
 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 61c395e71e..80d5198c62 100644 
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -73,7 +73,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num)
 if (bits[p] > 32)
 return AVERROR_INVALIDDATA;
 for (i = 0; i < bits[p]; ++i)
- exit_at_level[i+1] = 1 << i;
+ exit_at_level[i+1] = 1u << i;
 #ifdef DEBUG
 av_log(NULL, AV_LOG_INFO, " %u. of %u code len %d code %d - ", p, num, bits[p], codes[p]);
From 2bc6b9b2a9c9f22b26ce2207f73f6e7a5aa7c0b9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Dec 2017 00:30:18 +0100
Subject: [PATCH 734/942] Changelog: update
Signed-off-by: Michael Niedermayer
---
 Changelog | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/Changelog b/Changelog
index ea82067a6a..71a00b80b9 100644
--- a/Changelog
+++ b/Changelog 
@@ -2,6 +2,47 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.10 +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. +- Fix undefined shift on assumed 8-bit input. +- Use ff_thread_once for fixed, float table init. +- avformat/mov: Propagate errors in mov_switch_root. +- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. 
+- avformat/mov: Check size of STSC allocation +- avcodec/vc2enc: Clear coef_buf on allocation +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() +- avcodec/aacdec_fixed: Fix undefined shift +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() +- avutil/softfloat: Add FLOAT_MIN +- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avformat: Free the internal codec context at the end +- avcodec/xan: Improve overlapping check +- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() +- avcodec/aacdec_fixed: Fix integer overflow in predict() +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value - avcodec/snowdec: Check mv_scale - avcodec/pafvideo: Check for bitstream end in decode_0() - avcodec/ffv1dec: Fix out of array read in slice counting From ef95789c8c492e86f21d9a5224745abe6b662cbe Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 11 Jun 2017 14:17:30 -0300 Subject: [PATCH 735/942] avformat/libssh: check the user provided a password before trying to use it Fixes ticket #6413 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 8ddb6820bd52df6ed616abc3d8be200b126aa8c1) --- libavformat/libssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libssh.c b/libavformat/libssh.c index 3c056f874a..4cf7963e70 100644 --- a/libavformat/libssh.c +++ b/libavformat/libssh.c 
@@ -103,7 +103,7 @@ static av_cold int libssh_authentication(LIBSSHContext *libssh, const char *user
 }
 }
- if (!authorized && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) {
+ if (!authorized && password && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) {
 if (ssh_userauth_password(libssh->session, NULL, password) == SSH_AUTH_SUCCESS) {
 av_log(libssh, AV_LOG_DEBUG, "Authentication successful with password.\n");
 authorized = 1;
From a5a6d2dc75169918dec79e22aec146471e26db23 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Dec 2017 21:48:04 +0100
Subject: [PATCH 736/942] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024
Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb)
Signed-off-by: Michael Niedermayer
---
 libavcodec/dirac_dwt.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index eb5aebc878..50c8b1e394 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h 
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8))
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
- (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
+ ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
- (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
+ ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
- (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
+ ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
- (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
+ ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
 #endif /* AVCODEC_DWT_H */
From 4a5ec6226b858b1ec88b37c4e602c3b179539c04 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Dec 2017 21:53:22 +0100
Subject: [PATCH 737/942] avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be represented in type 'int'
Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 610dd74502a58e8bb0f1d8fcbc7015f86b78d70e)
Signed-off-by: Michael Niedermayer
---
 libavcodec/diracdsp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c
index ab8d1497f7..33c8a6cb1e 100644
--- a/libavcodec/diracdsp.c
+++ b/libavcodec/diracdsp.c 
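Review bot: The new `(unsigned)(b1)` parenthesises the macro parameter, but `(unsigned)b2` on the very same lines does not, so an argument that is an expression rather than a plain name (a shift or comparison, say) would have only its first operand converted for b2 while b1 is handled correctly; the hunk cannot show how these macros are invoked, but making the cast consistent, `(b0 + (unsigned)(b2))`, costs nothing and removes the trap. The same unparenthesised form is in the COMPOSE_FIDELITYi* lines of patch 725 earlier in this series and could be tidied in the same change.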
@@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid int32_t *src = (int32_t *)_src; \ for (y = 0; y < height; y++) { \ for (x = 0; x < width; x+=4) { \ - dst[x ] = av_clip_uintp2(src[x ] + (1 << (PX - 1)), PX); \ - dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); \ - dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); \ - dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); \ + dst[x ] = av_clip_uintp2(src[x ] + (1U << (PX - 1)), PX); \ + dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX); \ + dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX); \ + dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX); \ } \ dst += dst_stride >> 1; \ src += src_stride >> 2; \ From 4d0a4601015b83c52990e5d5d8fb34c321a7d484 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Dec 2017 15:32:54 +0100 Subject: [PATCH 738/942] avcodec/amrwbdec: Fix division by 0 in voice_factor() The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14) Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code" Fixes: runtime error: division by zero Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 1431870fa3..328b754e7e 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
@@ -614,7 +614,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; - return (p_ener - f_ener) / (p_ener + f_ener); + return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** From e512c83e63fced446d050da564c38ec722b08840 Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Mon, 4 Dec 2017 12:50:34 +0800 Subject: [PATCH 739/942] avfilter/formats: fix wrong function name in error message Use the predefined macro __FUNCTION__ rather than hard coding the function name to fix the wrong function name in the error message. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d) Signed-off-by: Michael Niedermayer --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index f12dcf4783..8cb77b27b1 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ - av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ + av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ From 95139c4480b009f4f506d815e1340d931d2ade19 Mon Sep 17 00:00:00 2001 From: Kelly Ledford Date: Tue, 12 Dec 2017 11:31:23 -0800 Subject: [PATCH 740/942] libavfilter/af_dcshift.c: Fixed repeated spelling error 'threshhold' should be 'threshold' Signed-off-by: Kelly Ledford Signed-off-by: Michael Niedermayer (cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84) Signed-off-by: Michael Niedermayer --- libavfilter/af_dcshift.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c index 7332c12b19..5dbe40824c 100644 --- a/libavfilter/af_dcshift.c +++ b/libavfilter/af_dcshift.c 
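Review bot: `0.01` is a double literal in an otherwise float expression, so `p_ener + f_ener + 0.01` promotes the whole division in voice_factor to double before the result is narrowed back to float; `0.01f` keeps the arithmetic in float like the rest of the function. The constant also needs a comment, since the commit message is the only place that ties it to the 3GPP reference code: `return (p_ener - f_ener) / (p_ener + f_ener + 0.01f); /* epsilon guards against a zero denominator, as in the 3GPP reference implementation */`. The start of voice_factor is outside the hunk.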
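Review bot: `__FUNCTION__` is a compiler extension (GCC, Clang, MSVC), whereas C99 defines `__func__` for exactly this purpose and FFmpeg already requires a C99 compiler; `av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __func__); \` is the portable spelling. Because the line lives inside a macro body (note the `\` continuations), the name reported is that of whichever function expands the macro, which is the improvement the commit intends; a brief comment above the av_log saying so would explain why the old hard-coded name was wrong. The macro's start and end are outside the hunk.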
@@ -28,7 +28,7 @@ typedef struct DCShiftContext { const AVClass *class; double dcshift; - double limiterthreshhold; + double limiterthreshold; double limitergain; } DCShiftContext; @@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx) { DCShiftContext *s = ctx->priv; - s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); + s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); return 0; } @@ -106,14 +106,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) d = src[j]; - if (d > s->limiterthreshhold && dcshift > 0) { - d = (d - s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) + - s->limiterthreshhold + dcshift; - } else if (d < -s->limiterthreshhold && dcshift < 0) { - d = (d + s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) - - s->limiterthreshhold + dcshift; + if (d > s->limiterthreshold && dcshift > 0) { + d = (d - s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) + + s->limiterthreshold + dcshift; + } else if (d < -s->limiterthreshold && dcshift < 0) { + d = (d + s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) - + s->limiterthreshold + dcshift; } else { d = dcshift * INT32_MAX + d; } From b7f48cd0444ba62fc21fe64b50f737d363c4bffe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 13:06:30 +0100 Subject: [PATCH 741/942] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() Fixes: runtime error: left shift of negative value -3 Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 8ae193d2ea..57d18bd176 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1057,7 +1057,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From 01f2bc5ec89bc50fe917c789be5d860500fc7c4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 17:50:12 +0100 Subject: [PATCH 742/942] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 9cf5e80010..190c18740e 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } From 09d61d3b81ce758c165c290cb3369e5d6917ef98 Mon Sep 17 00:00:00 2001 
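Review bot: `(ox0 + ox1 + 1) * (1 << log2Wd)` removes the left shift of a negative value, but `1 << log2Wd` is itself undefined once log2Wd reaches 31 and the multiplication must not overflow int, so the rewrite is correct only because log2Wd is presumably range-checked where the weighted-prediction parameters are parsed, which is not visible here. A comment at the changed line would make that dependency explicit, e.g. `/* log2Wd is bounded by the weight-table parsing, so the shift and multiply cannot overflow; '*' keeps a negative offset well-defined */`. The identical rewrite appears in both hunks of the later hevcdsp_template commit for put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_v() (PATCH 747 of the series), and the same comment applies there. The enclosing function starts and ends outside the hunk.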
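Review bot: The two new guards bound the accumulators by different strategies without saying why: the payload_type loop rejects `payload_type > INT_MAX - 255` arithmetically, while the payload_size loop rejects `get_bits_left(gb) < 8 + 8LL*payload_size`, which bounds the size by the remaining input and thereby also prevents the sum from overflowing. A short comment on each would help, e.g. `/* need this byte plus at least one more, and the running sum must stay within int */` on the first and `/* a size larger than the remaining input is invalid, which also bounds the sum */` on the second. Without that, the `< 16` in the first guard reads like an off-by-one next to the `< 8 + ...` of the second. decode_nal_sei_message starts and ends outside the hunk.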
From: Michael Niedermayer Date: Fri, 15 Dec 2017 18:17:13 +0100 Subject: [PATCH 743/942] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int' Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index d1bef8320f..99e6731d5d 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -633,8 +633,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return AVERROR_INVALIDDATA; + } while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; From a0bcc6cced1af58e5ebf19e56281798dfef1f320 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:06:14 +0100 Subject: [PATCH 744/942] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int' Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 50c8b1e394..f9828d95a4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
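Review bot: The added `return AVERROR_INVALIDDATA;` turns a function that previously always returned a magnitude into one that can return a negative error code, so every caller of ff_hevc_cu_qp_delta_abs() must now test for a negative result before using it as cu_qp_delta; that call-site change is not part of this hunk and should be confirmed. If callers only range-check the decoded delta afterwards, the error value would be rejected by accident rather than by design, so a line in the function's header comment stating that it returns `AVERROR_INVALIDDATA` when the prefix reaches CABAC_MAX_BIN would document the new contract. The function starts and ends outside the hunk.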
@@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) + (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) + (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) From b3af84774b03b1b48d919be2514a84b35ca91fe7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:12:03 +0100 Subject: [PATCH 745/942] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) Fixes: runtime error: left shift of negative value -180 Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 57d18bd176..4d2e6bf453 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -125,7 +125,7 @@ static void FUNC(transform_skip)(int16_t *_coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { - *coeffs = *coeffs << -shift; + *coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } From f08be2b3d2ad9ed86d99e3391562facf44ea46b0 Mon Sep 17 00:00:00 2001 
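Review bot: The `*(uint16_t*)coeffs` read deserves a comment, because at first sight it looks like a type-punning hack while it is really an unsigned reinterpretation so that the left shift never acts on a negative value: `/* read as unsigned so the shift is never applied to a negative value; the store into int16_t truncates mod 2^16 exactly as before */`. Accessing an int16_t object through a uint16_t lvalue is permitted (the signed and unsigned variants of a type may alias), and since uint16_t promotes to int the shift is well defined as long as `-shift` plus the value width stays below 31, which the caller presumably guarantees. Note that the commit title names FUNC(dequant) while the hunk header shows FUNC(transform_skip); the enclosing function starts and ends outside the hunk, so the patch alone does not say which one this is.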
From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:43 +0100 Subject: [PATCH 746/942] avcodec/flacdec: avoid undefined shift Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c372c1b91d..f552bbbdad 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -445,7 +445,7 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } - if (wasted) { + if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; From 844a9b439b27fe205c445b8d4d8b43ffefd326d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:45 +0100 Subject: [PATCH 747/942] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() Fixes: left shift of negative value -1 Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 4d2e6bf453..65dd179d0d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c 
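Review bot: `wasted && wasted < 32` silently skips restoring the wasted bits instead of rejecting the subframe, although a wasted-bits count of 32 or more cannot be valid for 32-bit samples; the shift-exponent UB is gone, but the decoder now emits unscaled samples from an invalid stream with no diagnostic. Unless a later check covers it, consider `if (wasted >= 32) return AVERROR_INVALIDDATA;` ahead of the existing `if (wasted)` rather than folding the bound into the condition, or at least an av_log where the value is read (outside this hunk). decode_subframe starts and ends outside the hunk.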
@@ -921,7 +921,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -976,7 +976,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 6fab791daade82f85234312577782e202323db4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:44 +0100 Subject: [PATCH 748/942] avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 'int' Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d23f7a0969bf76ad6dcdc2c4a5cd3ae884745a8) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index f552bbbdad..f95f795f5e 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
@@ -287,7 +287,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) - d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; + d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: From 9143ddea0f160a739c380fd6912decf771b32bb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Dec 2017 03:00:19 +0100 Subject: [PATCH 749/942] avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 292707cd0a..c1490e521a 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -849,7 +849,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); // Check if the buffer has the required bytes needed from the offset - if (line_offset > buf_size - 8) + if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -858,7 +858,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; s->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); From 0c753a46efe2ec43bd2f1c5bbdd4c46e83af421e Mon Sep 17 00:00:00 2001 
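Review bot: In the second hunk, `data_size > buf_size - line_offset - 8` is evaluated in the type of line_offset (presumably a 64-bit unsigned value, since it comes from AV_RL64 in the first hunk), so it is correct only because the first hunk's `line_offset > buf_size - 8` check has already rejected offsets for which this subtraction would wrap; a comment tying the two together would stop someone reordering them, e.g. `/* line_offset <= buf_size - 8 was checked above, so this cannot wrap */`. It is also worth noting in that comment that `data_size <= 0` is tested first, so the signed data_size is non-negative when it is converted for the comparison. decode_block starts and ends outside both hunks.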
From: Michael Niedermayer Date: Wed, 3 Jan 2018 23:42:00 +0100 Subject: [PATCH 750/942] avcodec/dnxhddec: Check dc vlc Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int' Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index bf14869ac9..5f772b99a9 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -356,6 +356,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, UPDATE_CACHE(bs, &row->gb); GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1); + if (len < 0) { + ret = len; + goto error; + } if (len) { level = GET_CACHE(bs, &row->gb); LAST_SKIP_BITS(bs, &row->gb, len); @@ -409,7 +413,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table, DNXHD_VLC_BITS, 2); } - +error: CLOSE_READER(bs, &row->gb); return ret; } From 06325d77bf12dead2126e42cf89a7fd601691a5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jan 2018 23:42:01 +0100 Subject: [PATCH 751/942] avcodec/h264_slice: Do not attempt to render into frames already output Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3ab9883cef017e513c7d0b3b986b3b3e7b Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4) 
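Review bot: `ret = len;` propagates whatever GET_VLC produced for an invalid code rather than an AVERROR value; if that is -1, the usual marker for an unmatched VLC entry, the caller receives AVERROR(EPERM) on Linux, which is both misleading and non-portable as an error code. Prefer `ret = AVERROR_INVALIDDATA;` before the `goto error;`, optionally preceded by an av_log naming the bad DC VLC so the failure is diagnosable. dnxhd_decode_dct_block starts and ends outside the two hunks.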
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index c0b3b67e49..0afd49bac5 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1633,6 +1633,12 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) h->missing_fields ++; h->cur_pic_ptr = NULL; h->first_field = FIELD_PICTURE(h); + } else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) { + /* This frame was already output, we cannot draw into it + * anymore. + */ + h->first_field = 1; + h->cur_pic_ptr = NULL; } else { h->missing_fields = 0; if (h->cur_pic_ptr->frame_num != h->frame_num) { From 3cad8e730e06ab66bce5a160263452334c09dc68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 04:12:57 +0100 Subject: [PATCH 752/942] avcodec/jpeg2000dsp: Fix integer overflows in ict_int() Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 'int' Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index 85a12d0e9b..90e73b1e20 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c 
@@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16); i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); + - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16); i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; From c17cc8ee4ffb2f1c876697df418f51e1f569512b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jan 2018 22:12:07 +0100 Subject: [PATCH 753/942] avcodec/opus_parser: Check payload_len in parse_opus_ts_header() Fixes: clusterfuzz-testcase-minimized-6134545979277312 Fixes: crbug 797469 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62) Signed-off-by: Michael Niedermayer --- libavcodec/opus_parser.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c index c30fd7bbd4..1c61c0077f 100644 --- a/libavcodec/opus_parser.c +++ b/libavcodec/opus_parser.c @@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le const uint8_t *buf = start + 1; int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length; uint8_t flags; + uint64_t payload_len_tmp; GetByteContext gb; bytestream2_init(&gb, buf, buf_len); 
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le end_trim_flag = (flags >> 3) & 1; control_extension_flag = (flags >> 2) & 1; - *payload_len = 0; + payload_len_tmp = *payload_len = 0; while (bytestream2_peek_byte(&gb) == 0xff) - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); if (start_trim_flag) bytestream2_skip(&gb, 2); @@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le bytestream2_skip(&gb, control_extension_length); } + if (bytestream2_tell(&gb) + payload_len_tmp > buf_len) + return NULL; + + *payload_len = payload_len_tmp; + return buf + bytestream2_tell(&gb); } @@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx, state = (state << 8) | payload[i]; if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) { payload = parse_opus_ts_header(payload, &payload_len, buf_size - i); + if (!payload) { + av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n"); + return AVERROR_INVALIDDATA; + } *header_len = payload - buf; start_found = 1; break; From b4d9605c67181f107b23fe38419e9120eee70823 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 20:43:24 +0100 Subject: [PATCH 754/942] avcodec/diracdec: Fix integer overflow with quant Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 'int' Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
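Review bot: The new bound `bytestream2_tell(&gb) + payload_len_tmp > buf_len` is evaluated in the 64-bit unsigned type of payload_len_tmp, which is the whole reason the accumulator was widened, but nothing in the code says so; a comment at the declaration such as `/* 64-bit so a long run of 0xff bytes cannot overflow; the payload must also fit in the remaining buffer */` would document the intent. Because bytestream2 reads and skips are clamped at the end of the buffer, a header truncated inside the trim or control-extension fields reaches this check with tell equal to buf_len and possibly a zero payload length and is accepted; if that is not intended, verifying enough bytes remain before each skip would catch it. The message in the last hunk says "Ogg TS header" while the code matches `OPUS_TS_HEADER`, so "Opus TS header" may be what was meant. parse_opus_ts_header and opus_find_frame_end both start and end outside the hunks.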
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 69ff083157..2cdebe8700 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -516,16 +516,16 @@ static inline void codeblock(DiracContext *s, SubBand *b, } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { - int quant = b->quant; + int quant; if (is_arith) - quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); + quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else - quant += dirac_get_se_golomb(gb); - if (quant < 0) { + quant = dirac_get_se_golomb(gb); + if (quant > INT_MAX - b->quant || b->quant + quant < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); return; } - b->quant = quant; + b->quant += quant; } if (b->quant > 115) { From 6164ca476570f5204882177b39f37eef5a2182b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 20:58:49 +0100 Subject: [PATCH 755/942] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800 Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9828d95a4..1af41e0702 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
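Review bot: The guard `quant > INT_MAX - b->quant || b->quant + quant < 0` is only overflow-free if b->quant is non-negative on entry (`INT_MAX - b->quant` itself overflows for a negative b->quant), which presumably holds because quant values are parsed as non-negative, but that precondition should be stated: `/* b->quant >= 0 here, so neither the bound nor the sum can overflow */`. The same condition can be written `if (quant > INT_MAX - b->quant || quant < -b->quant)`, which makes the lower bound read symmetric with the upper one. codeblock starts and ends outside the hunk.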
@@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ - (b0 - ((b1 + 1) >> 1)) + ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) #define COMPOSE_HAARiH0(b0, b1)\ - (b0 + b1) + ((int)(b0 + (unsigned)(b1))) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) From abb7498c3f00482ebf35fd7c02f315de0344b2e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 03:48:43 +0100 Subject: [PATCH 756/942] avcodec/h264addpx_template: Fixes integer overflows Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int' Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad) Signed-off-by: Michael Niedermayer --- libavcodec/h264addpx_template.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c index 046b6c2e19..a99030c589 100644 --- a/libavcodec/h264addpx_template.c +++ b/libavcodec/h264addpx_template.c @@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 4; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; dst += stride; src += 4; 
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 8; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; - dst[4] += src[4]; - dst[5] += src[5]; - dst[6] += src[6]; - dst[7] += src[7]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; + dst[4] += (unsigned)src[4]; + dst[5] += (unsigned)src[5]; + dst[6] += (unsigned)src[6]; + dst[7] += (unsigned)src[7]; dst += stride; src += 8; From c7e98ee6e08a0bc4a281a3dc4a403ddcc76fe542 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jan 2018 22:47:10 +0100 Subject: [PATCH 757/942] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one Fixes high pitched shriek Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4 Reported-by: Dale Curtis Reviewed-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641) Signed-off-by: Michael Niedermayer --- libavcodec/arm/sbrdsp_neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S index e66abd682a..003b04ea05 100644 --- a/libavcodec/arm/sbrdsp_neon.S +++ b/libavcodec/arm/sbrdsp_neon.S @@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1 vld1.32 {d0}, [r0,:64] vld1.32 {d6}, [lr,:64] vld1.32 {d2[]}, [r1,:32]! - vld1.32 {d3[]}, [r2,:32]! + vld1.32 {d18[]}, [r2,:32]! vceq.f32 d4, d2, #0 veor d2, d2, d3 vmov d1, d0 - vmla.f32 d0, d6, d3 + vmla.f32 d0, d6, d18 vadd.f32 s2, s2, s4 vbif d0, d1, d4 vst1.32 {d0}, [r0,:64]! From 222ac346127e2cba983f9368752398d58cbfad36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 01:53:58 +0200 Subject: [PATCH 758/942] avcodec/utils: Avoid hardcoding duplicated types in sizeof() 
Signed-off-by: Michael Niedermayer (cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 72fd686e34..cfdfab7f7a 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1209,7 +1209,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (ret < 0) return ret; - avctx->internal = av_mallocz(sizeof(AVCodecInternal)); + avctx->internal = av_mallocz(sizeof(*avctx->internal)); if (!avctx->internal) { ret = AVERROR(ENOMEM); goto end; @@ -2534,7 +2534,7 @@ void avsubtitle_free(AVSubtitle *sub) av_freep(&sub->rects); - memset(sub, 0, sizeof(AVSubtitle)); + memset(sub, 0, sizeof(*sub)); } av_cold int avcodec_close(AVCodecContext *avctx) From e858326086c60a9820db7977666515787ce244ed Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 1 Jan 2018 18:05:55 +0100 Subject: [PATCH 759/942] configure: bump year Happy new year! (cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 090a938136..ee88da5d38 100755 --- a/configure +++ b/configure @@ -6412,7 +6412,7 @@ cat > $TMPH < Date: Thu, 18 Jan 2018 15:21:56 -0800 Subject: [PATCH 760/942] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() Signed-off-by: Michael Niedermayer (cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 76b9c8d0c2..0451c33fe7 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1782,8 +1782,16 @@ static int matroska_parse_tracks(AVFormatContext *s) } if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { - if (!track->default_duration && track->video.frame_rate > 0) - track->default_duration = 1000000000 / track->video.frame_rate; + if (!track->default_duration && track->video.frame_rate > 0) { + double default_duration = 1000000000 / track->video.frame_rate; + if (default_duration > UINT64_MAX || default_duration < 0) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid frame rate %e. Cannot calculate default duration.\n", + track->video.frame_rate); + } else { + track->default_duration = default_duration; + } + } if (track->video.display_width == -1) track->video.display_width = track->video.pixel_width; if (track->video.display_height == -1) From 23af1858fe2e4d4fdb3116f501e4a5021327440e Mon Sep 17 00:00:00 2001 From: Nikolas Bowe Date: Fri, 19 Jan 2018 13:17:07 -0800 Subject: [PATCH 761/942] avformat/lrcdec: Fix memory leak in lrc_read_header() Signed-off-by: Michael Niedermayer (cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index d3655fccd5..1f0533f2d1 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s) } ff_subtitles_queue_finalize(s, &lrc->q); ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv); + av_bprint_finalize(&line, NULL); return 0; } From 7d5ca21698112b0a9af49c6ac0023b29a2d959c8 Mon Sep 17 00:00:00 2001 
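Review bot: `default_duration > UINT64_MAX` does not reject every value whose conversion to an unsigned 64-bit integer is undefined: UINT64_MAX is not representable as a double and rounds up to 2^64, so a quotient of exactly 2^64 passes the test and the assignment `track->default_duration = default_duration;` is still undefined for it. Use `>=` instead, i.e. `if (default_duration >= UINT64_MAX || default_duration < 0)`, or compare against the explicit constant `0x1p64`. Since `frame_rate > 0` is tested first, the `< 0` half appears unreachable (a NaN or non-positive rate never gets here); keeping it is harmless, but a comment would forestall the question. matroska_parse_tracks starts and ends outside the hunk.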
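Review bot: The added `av_bprint_finalize(&line, NULL);` releases the line buffer only on the success path; if lrc_read_header() has earlier `return` statements after `line` is initialised (none are visible in this hunk), they still leak it and should either jump to a shared cleanup label or finalize before returning. A short comment on the new line, `/* discard the AVBPrint used for line parsing */`, also helps readers who do not know that passing NULL as the second argument frees the buffer instead of handing it out. The function starts outside the hunk.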
From: Michael Niedermayer Date: Sun, 14 Jan 2018 00:39:39 +0100 Subject: [PATCH 762/942] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int' Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 56b62548ec..ef5fa5501a 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -64,8 +64,8 @@ static void scale_coefs ( int dynrng, int len) { - int i, shift, round; - unsigned mul; + int i, shift; + unsigned mul, round; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; From e5296dfffaad9e8c61db88d6862c23cae08e35bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 19:03:48 +0100 Subject: [PATCH 763/942] avcodec/ulti: Check number of blocks at init Fixes: Timeout Fixes: 4832/clusterfuzz-testcase-4699096590843904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02) Signed-off-by: Michael Niedermayer --- libavcodec/ulti.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c index e6f4374981..9e4c088b10 100644 --- a/libavcodec/ulti.c +++ b/libavcodec/ulti.c 
@@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx) s->width = avctx->width; s->height = avctx->height; s->blocks = (s->width / 8) * (s->height / 8); + if (s->blocks == 0) + return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_YUV410P; s->ulti_codebook = ulti_codebook; From dfb84488428bae5fe3aacecdb06f934c607a7e44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 03:03:36 +0100 Subject: [PATCH 764/942] avcodec/snowdec: Fix integer overflow before htaps check Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index df425b8cf3..00fa064102 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){ int htaps, i, sum=0; Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); - htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps >= HTAPS_MAX || htaps==0) + htaps= get_symbol(&s->c, s->header_state, 0); + if((unsigned)htaps >= HTAPS_MAX/2 - 1) return AVERROR_INVALIDDATA; + htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); From a8ce9d518b2980e0ab2c6cbbc29e04a197e41f83 Mon Sep 17 00:00:00 2001 
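Review bot: The new `if (s->blocks == 0)` check rejects a picture with no 8x8 blocks, but nothing in the code says why a zero count is harmful; the commit message cites a fuzzer timeout, which the code does not convey. A comment such as `/* a picture smaller than 8x8 has no blocks; reject it here rather than let the decode loop spin on it */` would keep that rationale with the check (the decode loop is outside the hunk, so the timeout link is taken from the commit message). The remainder of ulti_decode_init is outside the hunk.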
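Review bot: The new bound `(unsigned)htaps >= HTAPS_MAX/2 - 1` is equivalent to the old `htaps*2 + 2 >= HTAPS_MAX` test only when HTAPS_MAX is even; for an odd value the integer division makes it one step stricter, which is safe but not obvious. The reason for checking before scaling (the multiplication overflowed on negative symbols) is also invisible in the code, so a comment at the check, e.g. `/* validate before scaling: htaps*2 + 2 must stay below HTAPS_MAX and must not overflow */`, would help. decode_header continues outside the hunk.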
From: Michael Niedermayer Date: Sat, 20 Jan 2018 04:10:50 +0100 Subject: [PATCH 765/942] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented in type 'int' Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f077f0e4bd..97c38f7f08 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* recalculate last and delta values for next blocks */ #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\ - CD[0] = CHR[1] - last[1];\ - CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\ + CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\ + CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\ last[0] = (int)CHR[stride + 0];\ last[1] = (int)CHR[stride + 1];} From f7abc14d0d94066a59f7d8affeb76ea564dfab00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 23:42:57 +0100 Subject: [PATCH 766/942] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down Signed-off-by: Michael Niedermayer (cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 99e6731d5d..c9525596bc 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c 
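Review bot: The rewritten TM2_RECALC_BLOCK lines are inconsistently spaced — `CHR[ 1]` and `(unsigned) CHR[1]` next to `(unsigned)last[1]` — which reads like a column alignment from an earlier draft. `CD[0] = (unsigned)CHR[1] - (unsigned)last[1];` and `CD[1] = (unsigned)CHR[stride + 1] - (unsigned)CHR[1];` keep the behaviour and the macro's style uniform. The unsigned differences are stored back into int, relying on the implementation-defined conversion libavcodec already assumes elsewhere; a one-line comment on the macro saying so would save the next reader from re-deriving it.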
@@ -977,16 +977,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) { - av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); - return 0; - } + if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix; } else { int prefix_minus3 = prefix - 3; + + if (prefix == CABAC_MAX_BIN) { + av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } + for (i = 0; i < prefix_minus3 + rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1) From 181c3cbacfae86e2e1935049a11f4d0273fa2351 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jan 2018 14:02:59 +0100 Subject: [PATCH 767/942] avcodec/dxtory: Fix bits left checks Fixes: Timeout Fixes: 4863/clusterfuzz-testcase-6347354178322432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index fc1936985d..19c7dbb012 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -325,7 +325,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { b = decode_sym_565(gb, lru[0], 5); g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5); 
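Review bot: After the move, the `prefix == CABAC_MAX_BIN` error is only reachable in the else branch, so the code now silently depends on CABAC_MAX_BIN being at least 3; if that constant were ever lowered, a saturated prefix would take the `prefix < 3` path and decode as a valid level. A comment at the check, e.g. `/* CABAC_MAX_BIN >= 3, so a saturated prefix always reaches this branch */`, records the invariant (the definition is not visible from this hunk). coeff_abs_level_remaining_decode continues outside the hunk.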
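Review bot: The new loop guard `get_bits_left(gb) > 6 * width` replaces a fixed 16-bit margin with a per-row lower bound, but the multiplier is an unexplained magic number; the same pattern repeats with `6 * width` and `9 * width` in the rgb, 410, 420 and 444 hunks that follow. A comment at each guard, e.g. `/* lower bound on the bits a full row (or row group) can consume; stop before the reader runs dry */`, would record what the constant models, ideally with its derivation from the minimum symbol size (not visible here). When the guard trips the loop simply ends and the remaining rows are left untouched; whether the caller reports that is outside the hunk.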
@@ -391,7 +391,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { dst[x * 3 + 0] = decode_sym(gb, lru[0]); dst[x * 3 + 1] = decode_sym(gb, lru[1]); @@ -436,7 +436,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + (ustride >> 2) * line; uint8_t *V = frame->data[2] + (vstride >> 2) * line; - for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) { + for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) { for (x = 0; x < width; x += 4) { for (j = 0; j < 4; j++) for (i = 0; i < 4; i++) @@ -480,7 +480,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, uint8_t *V = frame->data[2] + (vstride >> 1) * line; - for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) { + for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) { for (x = 0; x < width; x += 2) { Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]); Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]); @@ -523,7 +523,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + ustride * line; uint8_t *V = frame->data[2] + vstride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { Y[x] = decode_sym(gb, lru[0]); U[x] = decode_sym(gb, lru[1]) ^ 0x80; From 269aecafabf84109cce914d236131afc99841cfe Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 24 Jan 2018 03:28:49 +0100 Subject: [PATCH 768/942] avcodec/mjpegdec: Fix integer overflow in DC dequantization Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be represented in type 'int' Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9a37b3251c..cefb9afdb7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -686,7 +686,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } - val = val * quant_matrix[0] + s->last_dc[component]; + val = val * (unsigned)quant_matrix[0] + s->last_dc[component]; val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; From cedd9ea93ea2f71a57e3b1e9fa01bd7b0cf02bba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 23:46:44 +0100 Subject: [PATCH 769/942] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() I suspect that this can be limited tighter, but i failed to find anything in the spec that would confirm that. Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584 Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index c9525596bc..0e4c522bb1 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -985,7 +985,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From 5d06804b313677c149f106a8dba97988ad064385 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 19:38:05 +0100 Subject: [PATCH 770/942] avfilter/vf_transpose: Fix used plane count. Fixes out of array access Fixes: poc.mp4 Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235) (cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 9555ff20c8..8f2ff8e33c 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -27,6 +27,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -54,6 +55,7 @@ enum TransposeDir { typedef struct TransContext { const AVClass *class; int hsub, vsub; + int planes; int pixsteps[4]; int passthrough; ///< PassthroughType, landscape passthrough mode enabled @@ -106,6 +108,10 @@ static int config_props_output(AVFilterLink *outlink) s->hsub = desc_in->log2_chroma_w; s->vsub = desc_in->log2_chroma_h; + s->planes = av_pix_fmt_count_planes(outlink->format); + + av_assert0(desc_in->nb_components == desc_out->nb_components); + av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out); 
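Review bot: The extended condition `prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31` now rejects two different malformations but both log `"CABAC_MAX_BIN : %d"`, so an oversized shift count is reported as a bin-count overflow. A message that names both cases, e.g. `av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN or invalid shift: prefix %d rice %d\n", prefix, rc_rice_param);`, makes a bitstream-triggered rejection diagnosable from the log. The 31 reflects the width of the int shifted later in the function; a comment tying it to that shift would help.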
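Review bot: The added `av_assert0(desc_in->nb_components == desc_out->nb_components);` aborts the process rather than failing the filter, so it must hold by construction; presumably format negotiation only admits identical input and output formats (outside this hunk), but the code does not say why the two counts must agree. A comment such as `/* pixsteps are derived from desc_out but applied per input plane, so component counts must match */` would justify the hard assert. The new `s->planes` is counted from outlink->format while hsub/vsub come from desc_in, which is consistent with the assert but worth stating next to it.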
@@ -148,7 +154,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, AVFrame *in = td->in; int plane; - for (plane = 0; out->data[plane]; plane++) { + for (plane = 0; plane < s->planes; plane++) { int hsub = plane == 1 || plane == 2 ? s->hsub : 0; int vsub = plane == 1 || plane == 2 ? s->vsub : 0; int pixstep = s->pixsteps[plane]; From 78b1d57a4bc4337816dd5e88b6c2fab20cefdefb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:00 +0100 Subject: [PATCH 771/942] avcodec/mpeg4videodec: Check mb_num also against 0 The spec implies that 0 is invalid in addition to the existing checks Found-by: Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index eff809aafc..19ab1ef288 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -459,7 +459,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx) } mb_num = get_bits(&s->gb, mb_num_bits); - if (mb_num >= s->mb_num) { + if (mb_num >= s->mb_num || !mb_num) { av_log(s->avctx, AV_LOG_ERROR, "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num); return -1; From 6a01b65034a1f5b3ca1c08e2fc242123a083cdee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:01 +0100 Subject: [PATCH 772/942] avcodec/get_bits: Document the return code of get_vlc2() Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 30e9da311f..0ccbf4dfd2 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h 
@@ -574,6 +574,7 @@ void ff_free_vlc(VLC *vlc); * @param max_depth is the number of times bits bits must be read to completely * read the longest vlc code * = (max_vlc_length + bits - 1) / bits + * @returns the code parsed or -1 if no vlc matches */ static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2], int bits, int max_depth) From 60039c2d125f5766279b51b387bcfcc007eb11b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:02 +0100 Subject: [PATCH 773/942] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 19ab1ef288..705efe0e67 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1250,10 +1250,12 @@ not_coded: */ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbp, mb_type; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); + mb_type = s->current_picture.mb_type[xy]; cbp = s->cbp_table[xy]; @@ -1335,12 +1337,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant; int16_t *mot_val; static const int8_t quant_tab[4] = { -1, -2, 1, 2 }; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); av_assert2(s->h263_pred); if (s->pict_type == AV_PICTURE_TYPE_P || 
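Review bot: Replacing the cast with `s->avctx->priv_data` removes the aliasing-violating cast, but the accompanying `av_assert2(s == (void*)ctx);` still encodes the layout assumption that MpegEncContext is the first member of Mpeg4DecContext, and av_assert2 is compiled out in normal builds. A comment on the assert, e.g. `/* MpegEncContext must be the first member of Mpeg4DecContext */`, makes the invariant explicit; the same applies to the second hunk in mpeg4_decode_mb. Both functions continue outside their hunks.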
From d664557023040422ba3b43f7051bb932bee79973 Mon Sep 17 00:00:00 2001 From: Aman Gupta Date: Tue, 26 Sep 2017 18:04:12 -0700 Subject: [PATCH 774/942] avcodec/hevc_ps: extract one SPS fields required for hvcC construction Signed-off-by: Aman Gupta Reviewed-by: Michael Niedermayer --- libavcodec/hevc.h | 1 + libavcodec/hevc_ps.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 77f3db8889..0d410bdd86 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -407,6 +407,7 @@ typedef struct HEVCSPS { HEVCWindow pic_conf_win; int bit_depth; + int bit_depth_chroma; int pixel_shift; enum AVPixelFormat pix_fmt; diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 2383d18b21..863ab523eb 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -906,6 +906,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->bit_depth, bit_depth_chroma); return AVERROR_INVALIDDATA; } + sps->bit_depth_chroma = bit_depth_chroma; ret = map_pixel_format(avctx, sps); if (ret < 0) From adb0a29111b321357d65d7b8732d6321303410fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 03:15:23 +0100 Subject: [PATCH 775/942] avcodec/hevc_ps: Check log2_sao_offset_scale_* Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768 Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 863ab523eb..f76333d273 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -1270,6 +1270,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx, pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb); pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb); + if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth - 10, 0) + || pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0) + ) + return AVERROR_INVALIDDATA; + return(0); } From c1a133b610def6b920e9a3dcd0bc9b7771e685a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jan 2018 00:24:49 +0100 Subject: [PATCH 776/942] avcodec/indeo5: Do not leave frame_type set to an invalid value Fixes: null pointer dereference Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc) Signed-off-by: Michael Niedermayer --- libavcodec/indeo5.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 5f931c8b98..5028def4bc 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); + ctx->frame_type = FRAMETYPE_INTRA; return AVERROR_INVALIDDATA; } From 35f47ac0d54b7591e8c390e47d209034b788d940 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jan 2018 23:14:37 +0100 Subject: [PATCH 777/942] avcodec/dirac_dwt: Fix several integer overflows Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot be represented in type 'int' Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
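Review bot: The new range check returns AVERROR_INVALIDDATA without logging, unlike the other parse failures in this file, so a PPS rejected for an out-of-range log2_sao_offset_scale value gives no diagnostic. Adding `av_log(avctx, AV_LOG_ERROR, "Invalid log2_sao_offset_scale\n");` before the return would match the surrounding style (the function takes `avctx`, per the hunk header). The values are stored into pps before being validated, which is harmless only if the caller discards pps on error — that is outside the hunk.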
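Review bot: The added `ctx->frame_type = FRAMETYPE_INTRA;` on the error path resets state that is evidently read after decode_pic_hdr fails (the commit cites a NULL dereference), but nothing in the code explains why an error path assigns a valid type. A comment such as `/* frame_type is consulted even after a failed header parse; never leave an out-of-range value behind */` keeps that rationale with the code. Which later code reads the field is outside the hunk.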
Signed-off-by: Michael Niedermayer (cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- libavcodec/dirac_dwt_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 1af41e0702..68ebd19560 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) + (b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) + (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e436c247a1..e68cc4d530 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; + b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2); } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, From 6baa0e811b761f6d8256cbbedc1808da676acf50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 18:13:07 +0100 Subject: [PATCH 778/942] avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
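Review bot: The reworked COMPOSE_53iL0 and COMPOSE_DIRAC53iH0 macros now yield unsigned expressions, so any caller that compares or clips their result, or stores it into a wider signed type, silently changes meaning; the same applies to the vertical_compose53iL0 line in the template file. Callers are outside the hunk, so I cannot confirm none does, but a comment on the macros, e.g. `/* result is unsigned on purpose (wraps instead of overflowing); callers truncate back to TYPE */`, would flag the contract. The inner `(int)(...) >> 2` still relies on an arithmetic right shift of negative values, as before.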
Signed-off-by: Michael Niedermayer (cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 2a679491b0..0622d2ff7c 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -572,7 +572,8 @@ static void sbr_hf_assemble(int Y1[38][64][2], int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; int *out = &Y1[i][kx][idx]; - int shift, round; + int shift; + unsigned round; SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { @@ -585,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2], } if (shift < 32) { round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } if (shift2 < 32) { round = 1 << (shift2-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift2; + out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2; } } if(m_max&1) @@ -601,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], return; } else if (shift < 32) { round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } } } From 8886e1228d1c47cb49212766f7ebf80797dfdaf4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 02:50:18 +0100 Subject: [PATCH 779/942] avcodec/wavpack: Fix integer overflow in FFABS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 5396/clusterfuzz-testcase-minimized-6558555529281536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4) 
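Review bot: In the rewritten rounding lines `round = 1 << (shift-1);` is still a signed shift assigned to the now-unsigned round; `round = 1U << (shift-1);` would match the declaration. More importantly the lower bound of shift is computed outside the hunk — only `shift < 32` is visible — so if shift can be 0 here, `shift-1` is a negative shift count, which is undefined behaviour the unsigned change does not address. The same applies to the shift2 line.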
Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0429adcfe1..34f73fe8f2 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { + if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } From a26ac3cc69210f14f05db70dca61ae509d7883e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 19:20:10 +0100 Subject: [PATCH 780/942] avcodec/huffyuvdec: Check input buffer size Fixes: Timeout Fixes: 5487/clusterfuzz-testcase-4696837035393024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 7314519fca..47bca00010 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -915,6 +915,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVFrame *const p = data; int table_size = 0, ret; + if (buf_size < (width * height + 7)/8) + return AVERROR_INVALIDDATA; + av_fast_padded_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size, buf_size); From c6b5e80635ee1c822eff5adfc3ed3904ba70c206 Mon Sep 17 00:00:00 2001 
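Review bot: The new `buf_size < (width * height + 7)/8` guard encodes the assumption that every pixel costs at least one bit, which is not stated anywhere; a comment such as `/* each pixel needs at least one bit, so a smaller packet cannot hold a frame */` would record it. The product `width * height` is int arithmetic and is safe only if the dimensions were bounded earlier (outside the hunk, presumably by the usual image-size validation), so the comment could mention that reliance. The rejection is also silent, unlike other INVALIDDATA paths in this series that log a reason.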
From: Michael Niedermayer Date: Fri, 9 Feb 2018 04:17:16 +0100 Subject: [PATCH 781/942] avcodec/vp3: Check eob_run Fixes: out of array access Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552 Fixes: special case for theora (untested due to lack of sample) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index ea80c0e2b1..819239b8e8 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -978,6 +978,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); + if (!eob_run) + eob_run = INT_MAX; + // record only the number of blocks ended in this plane, // any spill will be recorded in the next plane. if (eob_run > num_coeffs - coeff_i) { From ce46e45f4cb95fbfe4a787ccfbd0cabb94e8dccb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Feb 2018 22:24:58 +0100 Subject: [PATCH 782/942] avcodec/mpeg4videodec: Ignore multiple VOL headers Fixes: Ticket7005 Signed-off-by: Michael Niedermayer (cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 705efe0e67..63adcf96d4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
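Review bot: The new `if (!eob_run) eob_run = INT_MAX;` apparently turns a zero run into "end every remaining block", but the reason is not visible in the code and the commit message itself calls the Theora case untested. A comment such as `/* an eob_run of 0 is invalid; treat it as ending all remaining blocks rather than indexing past the coefficient arrays */` would carry that context, including the untested caveat. Whether INT_MAX then flows through the spill accounting on the following lines without further arithmetic is only partly visible here.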
@@ -2653,8 +2653,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (startcode >= 0x120 && startcode <= 0x12F) { if (vol) { - av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); - return AVERROR_INVALIDDATA; + av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n"); + continue; } vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) From 664e3d217aadba713c46404e2e8cb1d8f9c28485 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Feb 2018 03:38:54 +0100 Subject: [PATCH 783/942] avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() This fixes a hypothetical integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 819239b8e8..165a051541 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, Vp3Fragment *all_fragments = s->all_fragments; VLC_TYPE(*vlc_table)[2] = table->table; - if (num_coeffs < 0) + if (num_coeffs < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of coefficents at level %d\n", coeff_index); + return AVERROR_INVALIDDATA; + } if (eob_run > num_coeffs) { coeff_i = From d4f9119532564c631bf9dfcfc3ab3498cdedcad7 Mon Sep 17 00:00:00 2001 From: Xiaohan Wang Date: Sat, 3 Feb 2018 01:43:35 -0800 Subject: [PATCH 784/942] avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values, e.g. dquant out of range, set the qscale to be a valid value before returning -1 and exiting the function. The qscale value can be used later e.g. in loop filter. BUG=806122 Signed-off-by: Michael Niedermayer (cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d) 
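Review bot: The `continue` that replaces the error return jumps to the next iteration of a loop whose header is outside the hunk, and the AV_LOG_WARNING fires on every duplicate VOL header, so a stream that repeats it per picture will emit one warning per frame. If that is acceptable it deserves a comment; otherwise a once-only flag in the context would keep logs readable. The new code also skips the second header entirely, so a later VOL that differs from the first is silently ignored; a comment stating that choice would help.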
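Review bot: The now-braced error path returns AVERROR_INVALIDDATA, but the message on the context line still reads "coefficents"; since these lines are being touched, `"Invalid number of coefficients at level %d\n"` would fix the typo without behavioural change. Whether every caller of unpack_vlcs propagates a negative return is outside the hunk.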
Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 3fa5b2e197..97ec6fd4ae 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1113,6 +1113,7 @@ decode_intra_mb: else sl->qscale -= max_qp+1; if (((unsigned)sl->qscale) > max_qp){ av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y); + sl->qscale = max_qp; return -1; } } From 340c315c671efe137651d75da351c0f292d234fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 00:32:30 +0100 Subject: [PATCH 785/942] avcodec/h264_cabac: Tighten allowed coeff_abs range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: integer overflows Reported-by: "Xiaohan Wang (王消寒)" Based on limits in "8.5 Transform coefficient decoding process and picture construction process prior to deblocking filter process" Signed-off-by: Michael Niedermayer (cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 649fa82b72..a450b4ec39 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1736,7 +1736,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while (get_cabac_bypass(CC) && j < 30) { \ + while (get_cabac_bypass(CC) && j < 16+7) { \ j++; \ } \ \ From e38e2d6533d7086527ad8fd5a47d6294818798b2 Mon Sep 17 00:00:00 2001 
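Review bot: The added `sl->qscale = max_qp;` on the error path is a deliberate state repair for code that runs after the failure (the commit message names the loop filter), but the line itself gives no hint, so it reads like a stray assignment before `return -1`. A comment such as `/* qscale is used later (e.g. by the loop filter) even when this MB fails; leave a valid value */` keeps that reasoning with the code. The rest of ff_h264_decode_mb_cavlc is outside the hunk.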
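Review bot: The new loop bound `j < 16+7` replaces one magic number with an unexplained sum; the commit message ties it to the coefficient limits of the spec's transform-coefficient decoding clause, but the code does not. Either a comment, `while (get_cabac_bypass(CC) && j < 16+7) { /* suffix length bounded by the spec's coefficient limits (clause 8.5) */`, or a named constant would let a reader verify the bound. The surrounding macro body is outside the hunk.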
From: Michael Niedermayer Date: Wed, 14 Feb 2018 03:54:13 +0100 Subject: [PATCH 786/942] avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392 Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8142b31fdb..53e43feb3a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -158,7 +158,7 @@ static av_always_inline av_const int64_t av_clip64_c(int64_t a, int64_t amin, in */ static av_always_inline av_const uint8_t av_clip_uint8_c(int a) { - if (a&(~0xFF)) return (-a)>>31; + if (a&(~0xFF)) return (~a)>>31; else return a; } @@ -180,7 +180,7 @@ static av_always_inline av_const int8_t av_clip_int8_c(int a) */ static av_always_inline av_const uint16_t av_clip_uint16_c(int a) { - if (a&(~0xFFFF)) return (-a)>>31; + if (a&(~0xFFFF)) return (~a)>>31; else return a; } From 675e243949bcb331d5dc4f6fd72620a1200dbb40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 13:01:46 +0100 Subject: [PATCH 787/942] avcodec/exr: Check remaining bits in last get code loop Fixes: runtime error: shift exponent -7 is negative Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
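Review bot: The new `(~a)>>31` in av_clip_uint8_c and av_clip_uint16_c is correct but opaque: ~a is negative exactly when a is non-negative, so the arithmetic right shift gives all ones (255 or 65535 after truncation) for too-large input and 0 for negative input. A comment stating that, e.g. `/* ~a < 0 iff a >= 0: shift yields all-ones for too-large input, 0 for negative; avoids negating INT_MIN */`, would save the next reader from re-deriving it. Like the old form, it still relies on the right shift of a negative int being arithmetic, which C leaves implementation-defined.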
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c1490e521a..ac00f85150 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, while (lc > 0) { const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK]; - if (pl.len) { + if (pl.len && lc >= pl.len) { lc -= pl.len; get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { From 010dd0d26e5abd3c244f6680eb3bb0f3370b48db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 04:20:52 +0100 Subject: [PATCH 788/942] avcodec/vp8: Check for bitstream end before vp7_fade_frame() Fixes: Timeout Fixes: 5653/clusterfuzz-testcase-5497680018014208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 7511f4dfc9..06d768a576 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -605,6 +605,8 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { if ((ret = vp7_fade_frame(s ,c)) < 0) From 6492799fcefba3bde7a291189e1d2fe7ce605282 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:47:09 +0100 Subject: [PATCH 789/942] avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112 Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
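Review bot: With the new `pl.len && lc >= pl.len` test, a short-code entry that needs more bits than remain now falls into the else branch, which previously handled only entries without a short code; whether that branch consumes bits or exits is outside the hunk, so the `while (lc > 0)` loop could spin if it does neither. If a truncated code is meant to be an error, an explicit `if (pl.len && lc < pl.len) return AVERROR_INVALIDDATA;` ahead of the existing branch would make that unambiguous. A comment on the condition noting that lc is the count of valid bits in c would also help.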
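Review bot: The new early exit `if (c->end <= c->buffer && c->bits >= 0)` tests range-coder internals whose meaning (input exhausted and no buffered bits left) is not obvious at the call site, and the same end-of-stream test will presumably be wanted elsewhere in the decoder. A small inline helper on the range coder, or at least a comment such as `/* bitstream exhausted: stop before vp7_fade_frame() consumes further input */`, would make the intent visible. The check sits before the fade block rather than inside its if, so it also rejects frames without fade information once the input is exhausted; if that is intended it deserves a note.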
Signed-off-by: Michael Niedermayer (cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e68cc4d530..8c25c1f822 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { - b[2*x ] = (tmp[x] + 1)>>1; - b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; + b[2*x ] = ((int)(tmp[x] + 1U))>>1; + b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } @@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { - b[2*x ] = (tmp[x] + 1)>>1; - b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; + b[2*x ] = ((int)(tmp[x] + 1U))>>1; + b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } From 9f14908a96ca13b7bad900c65d82f1404fa4fb89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Feb 2018 14:44:49 +0100 Subject: [PATCH 790/942] Update for 3.0.11 Signed-off-by: Michael Niedermayer --- Changelog | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 71a00b80b9..f10fc09633 100644 --- a/Changelog +++ b/Changelog 
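Review bot: The two rewritten loops in horizontal_compose_dd97i and horizontal_compose_dd137i are now byte-identical, including the `((int)(expr + 1U))>>1` idiom, so the overflow fix lives in two places; a small static av_always_inline helper or a macro for the rounding shift would keep it in one. A comment noting that the `+ 1U` deliberately moves the add into unsigned arithmetic before the cast would help readers who see only one of the copies. Both functions continue outside their hunks.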
@@ -1,6 +1,63 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.11 +- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() +- avcodec/vp8: Check for bitstream end before vp7_fade_frame() +- avcodec/exr: Check remaining bits in last get code loop +- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() +- avcodec/h264_cabac: Tighten allowed coeff_abs range +- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() +- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() +- avcodec/mpeg4videodec: Ignore multiple VOL headers +- avcodec/vp3: Check eob_run +- avcodec/huffyuvdec: Check input buffer size +- avcodec/wavpack: Fix integer overflow in FFABS +- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() +- avcodec/dirac_dwt: Fix several integer overflows +- avcodec/indeo5: Do not leave frame_type set to an invalid value +- avcodec/hevc_ps: Check log2_sao_offset_scale_* +- avcodec/hevc_ps: extract one SPS fields required for hvcC construction +- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts +- avcodec/get_bits: Document the return code of get_vlc2() +- avcodec/mpeg4videodec: Check mb_num also against 0 +- avfilter/vf_transpose: Fix used plane count. 
+- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() +- avcodec/mjpegdec: Fix integer overflow in DC dequantization +- avcodec/dxtory: Fix bits left checks +- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down +- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() +- avcodec/snowdec: Fix integer overflow before htaps check +- avcodec/ulti: Check number of blocks at init +- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() +- avformat/lrcdec: Fix memory leak in lrc_read_header() +- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() +- configure: bump year +- avcodec/utils: Avoid hardcoding duplicated types in sizeof() +- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one +- avcodec/h264addpx_template: Fixes integer overflows +- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 +- avcodec/diracdec: Fix integer overflow with quant +- avcodec/opus_parser: Check payload_len in parse_opus_ts_header() +- avcodec/jpeg2000dsp: Fix integer overflows in ict_int() +- avcodec/h264_slice: Do not attempt to render into frames already output +- avcodec/dnxhddec: Check dc vlc +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- libavfilter/af_dcshift.c: Fixed repeated spelling error +- avfilter/formats: fix wrong 
function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avformat/libssh: check the user provided a password before trying to use it + version 3.0.10 - avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. - Don't manipulate duration when it's AV_NOPTS_VALUE. diff --git a/RELEASE b/RELEASE index a909317fe5..778bf95c00 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.10 +3.0.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index a48039b6ff..65eef53776 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.10 +PROJECT_NUMBER = 3.0.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 8ae9bbef87f89f7ea0633b86bf0cadf243bc488f Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Wed, 14 Feb 2018 17:01:08 +0100 Subject: [PATCH 791/942] swresample/rematrix: fix update of channel matrix if input or output layout is undefined Prefer direct in/out channel count values over channel layout, when available. Fixes a pan filter bug (ticket #6790). Signed-off-by: Tobias Rapp (cherry picked from commit 6325bd3717348615adafb52e4da2fd01a3007d0a) --- libswresample/rematrix.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index ddba0433e8..7ab74edd05 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c 
@@ -68,8 +68,10 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) if (!s || s->in_convert) // s needs to be allocated but not initialized return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); - nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); - nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); + nb_in = (s->user_in_ch_count > 0) ? s->user_in_ch_count : + av_get_channel_layout_nb_channels(s->user_in_ch_layout); + nb_out = (s->user_out_ch_count > 0) ? s->user_out_ch_count : + av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix[out][in] = matrix[in]; From e0750d2067dc71133cf1c16c0884bd605a4578c7 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 23 Feb 2018 00:03:15 -0300 Subject: [PATCH 792/942] avformat/hvcc: zero initialize the nal buffers past the last written byte Prevents use of uninitialized values. Fixes ticket #7038. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 9482ec1b203e4cf51d7f60c85d261cc13f9a9d2f) --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 7c294ef8a2..4c7ffc3312 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -668,6 +668,8 @@ static uint8_t *nal_unit_extract_rbsp(const uint8_t *src, uint32_t src_len, while (i < src_len) dst[len++] = src[i++]; + memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); + *dst_len = len; return dst; } From 876ecfccfb2796906e1017fbad0388c411052c06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:27:16 +0100 Subject: [PATCH 793/942] avcodec/dxtory: Remove code that corrupts dimensions Fixes: Timeout Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376 Does someone have a valid sample that triggers this path ? Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
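Review bot: `nb_in` and `nb_out` now come straight from the user-settable `user_in_ch_count`/`user_out_ch_count` and are used as loop bounds for the fixed-size `s->matrix[out][in]` array. If the option table does not already clamp those counts to `SWR_CH_MAX` (I cannot see it from here), an out-of-range value writes past the matrix; a guard `if (nb_in > SWR_CH_MAX || nb_out > SWR_CH_MAX) return AVERROR(EINVAL);` right after the two assignments is cheap either way. The `memset` of the matrix already happened above, so returning early there leaves a consistent zeroed state.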
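Review bot: The added `memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);` is only safe if `dst` was allocated with that much slack; the allocation is earlier in `nal_unit_extract_rbsp`, outside this hunk, so the two sites can drift apart silently. I would document the coupling at the memset, `/* dst has AV_INPUT_BUFFER_PADDING_SIZE bytes beyond src_len; zero them so the bit reader never sees stale heap */`, and ideally express the allocation size with the same macro so a grep finds both.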
Signed-off-by: Michael Niedermayer (cherry picked from commit 3748746a4d6988484d34516f7a3c6febf7bdf488) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 19c7dbb012..2ac40dd2d1 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -304,11 +304,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic, } if (avctx->height - line) { - av_log(avctx, AV_LOG_VERBOSE, - "Not enough slice data available, " - "cropping the frame by %d pixels\n", - avctx->height - line); - avctx->height = line; + avpriv_request_sample(avctx, "Not enough slice data available"); } return 0; From b4135fb335f0ab1f06996233f45610c3dcb85bb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 23:54:44 +0100 Subject: [PATCH 794/942] avcodec/diracdec: Use int64 in global mv to prevent overflow Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int' Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 2cdebe8700..033fbe4261 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1315,8 +1315,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From afc85dacba4be4b91e2e1ca5df31f55fb94b44d6 Mon Sep 17 00:00:00 2001 
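Review bot: After replacing the cropping with `avpriv_request_sample(...)`, a truncated picture still returns 0 and is output with rows from `line` to `avctx->height` never written by this function, so their content is whatever the frame buffer held. If the intent is to keep tolerating short slice data while a sample is collected, say so at the site: `/* keep emitting the frame; rows >= line are left untouched */`; otherwise `return AVERROR_INVALIDDATA;` after the request is the safer default. dxtory_decode_v2 starts outside the hunk, so I cannot tell whether the buffer is cleared beforehand.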
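Review bot: The rounding term in `block->u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);` is still a 32-bit `1<<(ez+ep)` even though mx/my were widened, and the final shift uses the same amount; if `ez`/`ep` are bitstream-controlled and not bounded below 31 earlier in the decoder, the shift is undefined before the widening helps. If they are bounded, a comment naming where would answer this; if not, `(1LL << (ez+ep))` plus a range check on `ez+ep` belong here. Only the two assignment lines of this hunk are legible, so I could review nothing else in it.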
From: Michael Niedermayer Date: Sun, 18 Feb 2018 00:11:33 +0100 Subject: [PATCH 795/942] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 38a578af3d..5a72335d91 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t) t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT; } -static void sr_1d53(int *p, int i0, int i1) +static void sr_1d53(unsigned *p, int i0, int i1) { int i; if (i1 <= i0 + 1) { if (i0 == 1) - p[1] >>= 1; + p[1] = (int)p[1] >> 1; return; } extend53(p, i0, i1); for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++) - p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; + p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; for (i = (i0 >> 1); i < (i1 >> 1); i++) - p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1; + p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1; } static void dwt_decode53(DWTContext *s, int *t) From 6648d3fef6b07f3ec0b60ec4b5ec08aa5e1964ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 16:55:52 +0100 Subject: [PATCH 796/942] avcodec/aacdec_templat: Fix integer overflow in apply_ltp() Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int' Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 33fe17bdc88d51a8e0c87aa1e8011aaaf38a7a90) 
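Review bot: With `p` changed to `unsigned *`, the unchanged call `extend53(p, i0, i1);` now passes an `unsigned *` to a helper whose prototype is not in the hunk and presumably still takes `int *`; that is an incompatible-pointer-type diagnostic on every compiler and a hard error on newer ones. Either cast at the call, `extend53((int *)p, i0, i1);`, or switch `extend53` to `unsigned *` as well, and check the callers in `dwt_decode53`, which still hold `int *` lines. A short comment on the new signature, `/* unsigned so the lifting arithmetic wraps instead of overflowing */`, would explain the otherwise odd type.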
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 3cb8f32403..f21d215c9e 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2496,7 +2496,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce) for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++) if (ltp->used[sfb]) for (i = offsets[sfb]; i < offsets[sfb + 1]; i++) - sce->coeffs[i] += predFreq[i]; + sce->coeffs[i] += (UINTFLOAT)predFreq[i]; } } From 6822bd50c1eaa385b202ba692d954e1fb2a97fc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 21:51:38 +0100 Subject: [PATCH 797/942] avcodec/diracdec: Fix integer overflow in mv computation Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int' Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 033fbe4261..da5240a135 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1353,8 +1353,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock global_mv(s, block, x, y, i); } else { pred_mv(block, stride, x, y, i); - block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); - block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); + block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); + block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); } } } 
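Review bot: `sce->coeffs[i] += (UINTFLOAT)predFreq[i];` fixes the overflow only in the fixed-point build, where `UINTFLOAT` is presumably an unsigned integer type, and is an identity cast in the float build; nothing at the line says which of the two it targets. A comment such as `/* UINTFLOAT is unsigned in the fixed-point build so the accumulation wraps instead of overflowing; a no-op for floats */` would stop someone from removing the "redundant" cast later. apply_ltp begins outside the hunk.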
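Review bot: Casting the decoded delta in `block->u.mv[i][0] += (unsigned)dirac_get_arith_int(...)` makes the addition wrap instead of overflowing, but the wrapped value is stored back unchecked, so an absurd motion vector silently becomes a different absurd motion vector. If `u.mv` is a narrow signed type (DiracBlock is not visible here) the store also truncates. A comment stating that later clipping in motion compensation bounds the value, or an explicit range check here, would make the fix self-explanatory.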
From 24a3c45da511c58f550f33db507c3fda50e496af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2018 23:11:01 +0100 Subject: [PATCH 798/942] avcodec/cavsdec: Check alpha/beta offset Fixes: Integer overflow Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index cd4eec9caf..b7aeb45603 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h) if (!h->loop_filter_disable && get_bits1(&h->gb)) { h->alpha_offset = get_se_golomb(&h->gb); h->beta_offset = get_se_golomb(&h->gb); + if ( h->alpha_offset < -64 || h->alpha_offset > 64 + || h-> beta_offset < -64 || h-> beta_offset > 64) { + h->alpha_offset = h->beta_offset = 0; + return AVERROR_INVALIDDATA; + } } else { h->alpha_offset = h->beta_offset = 0; } From 789a12b140ba2426a1c9bb9ce31a7a4f50d0216a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Feb 2018 03:40:02 +0100 Subject: [PATCH 799/942] avcodec/smc: Check input packet size Fixes: Timeout Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 18174fa57e..66de691e2c 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c 
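Review bot: The `-64..64` bounds in the new alpha/beta check are bare magic numbers; the commit message says they prevent an integer overflow, not that they are the specification range, and a later reader cannot tell which. Name or comment them, e.g. `/* sanity bound that keeps the loop-filter table lookups in range; not the spec range */` (confirm against the AVS spec before quoting its actual limits). Minor style: `h-> beta_offset` has a stray space after the arrow on both lines.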
@@ -437,6 +437,10 @@ static int smc_decode_frame(AVCodecContext *avctx, SmcContext *s = avctx->priv_data; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); int ret; + int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + + if (total_blocks / 1024 > avpkt->size) + return AVERROR_INVALIDDATA; bytestream2_init(&s->gb, buf, buf_size); From fbf690d79a611a8dd9df1bce4189e5bf9c05508a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Feb 2018 03:02:48 +0100 Subject: [PATCH 800/942] avcodec/utvideodec: Check subsample factors Fixes: Out of array read Fixes: heap_poc Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 760d9e5a7f..160528e007 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -28,6 +28,7 @@ #include #include "libavutil/intreadwrite.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bswapdsp.h" #include "bytestream.h" @@ -474,6 +475,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { UtvideoContext * const c = avctx->priv_data; + int h_shift, v_shift; c->avctx = avctx; @@ -538,6 +540,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift); + if ((avctx->width & ((1<height & ((1< Date: Mon, 26 Feb 2018 21:17:08 +0100 Subject: [PATCH 801/942] avcodec/bintext: sanity check dimensions Fixes: Timeout Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
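Review bot: The new packet-size sanity check `if (total_blocks / 1024 > avpkt->size)` encodes an assumption about how many 4x4 blocks one SMC opcode byte can cover, but the ratio 1024 is explained nowhere. A comment like `/* even the widest skip/repeat opcodes cover far fewer than 1024 blocks per byte, so a smaller packet cannot describe a whole frame */` would make the bound reviewable (I have not verified the exact per-opcode maximum). `total_blocks` also reads `s->avctx` while the rest of the function uses `avctx` directly; using the parameter avoids the question of whether the two can differ.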
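Review bot: The return value of `av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift);` is discarded; it fails for an unknown pixel format and would leave `h_shift`/`v_shift` uninitialized before the alignment test that follows. The switch above (outside the hunk) presumably rejects unknown formats already, in which case a comment saying so is enough; otherwise check it, `if (av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift) < 0) return AVERROR_INVALIDDATA;`. The rest of this hunk is illegible here, so I could not review the alignment condition itself.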
Signed-off-by: Michael Niedermayer (cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833) Signed-off-by: Michael Niedermayer --- libavcodec/bintext.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index 90bbe67b59..d967317671 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -35,6 +35,8 @@ #include "bintext.h" #include "internal.h" +#define FONT_WIDTH 8 + typedef struct XbinContext { AVFrame *frame; int palette[16]; @@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx) break; } } + if (avctx->width < FONT_WIDTH || avctx->height < s->font_height) + return AVERROR_INVALIDDATA; + s->frame = av_frame_alloc(); if (!s->frame) @@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx) } } -#define FONT_WIDTH 8 - /** * Draw character to screen */ From b910b34926657531d84269bd7c61fb8c74e5d905 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2018 20:00:58 +0100 Subject: [PATCH 802/942] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog b/Changelog index f10fc09633..a3bf744044 100644 --- a/Changelog +++ b/Changelog 
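Review bot: The new guard `if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)` rejects frames smaller than one glyph cell but leaves no trace of why; the fuzzer timeout suggests the drawing loops make no progress on such frames. A comment `/* a frame must hold at least one glyph cell or the drawing loops never advance */` would do. The check sits after the `switch` that sets `s->font_height`, which is the right spot, but it passes silently when `font_height` is 0; if that value can be chosen by the input, an extra `|| s->font_height <= 0` term costs nothing.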
@@ -2,6 +2,17 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.11 +- avcodec/bintext: sanity check dimensions +- avcodec/utvideodec: Check subsample factors +- avcodec/smc: Check input packet size +- avcodec/cavsdec: Check alpha/beta offset +- avcodec/diracdec: Fix integer overflow in mv computation +- avcodec/aacdec_templat: Fix integer overflow in apply_ltp() +- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() +- avcodec/diracdec: Use int64 in global mv to prevent overflow +- avcodec/dxtory: Remove code that corrupts dimensions +- avformat/hvcc: zero initialize the nal buffers past the last written byte +- swresample/rematrix: fix update of channel matrix if input or output layout is undefined - avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() - avcodec/vp8: Check for bitstream end before vp7_fade_frame() - avcodec/exr: Check remaining bits in last get code loop From 3c056989dc57c973bc63a6c85516955986c5fdcf Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Wed, 8 Feb 2017 23:37:42 +0100 Subject: [PATCH 803/942] avdevice/iec61883: free packet on buffer allocation error Fixes Coverity CID 1396416. Signed-off-by: Marton Balint (cherry picked from commit 4556dad2b7379a527134db519ab60111abefaf10) --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index c45ae9ae5c..721dca38ee 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -120,6 +120,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->buf = av_malloc(length); if (!packet->buf) { + av_free(packet); ret = -1; goto exit; } From b949fd7a65405ab7226f4ce8af868e177b831ae3 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Wed, 18 Apr 2018 15:19:40 -0300 Subject: [PATCH 804/942] avdevice/iec61883: return reference counted packets Fixes part of ticket #7146, dealing with leaks of packet data since commit 87c88122703f2befcf96383d05bdf14373c22df9. Signed-off-by: James Almer (cherry picked from commit b8629654c6460a28c507f816a977914e3a6f2520) --- libavdevice/iec61883.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index 721dca38ee..aeca7616df 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -118,7 +118,7 @@ static int iec61883_callback(unsigned char *data, int length, goto exit; } - packet->buf = av_malloc(length); + packet->buf = av_malloc(length + AV_INPUT_BUFFER_PADDING_SIZE); if (!packet->buf) { av_free(packet); ret = -1; @@ -127,6 +127,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->len = length; memcpy(packet->buf, data, length); + memset(packet->buf + length, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (dv->queue_first) { dv->queue_last->next = packet; @@ -200,13 +201,21 @@ static int iec61883_parse_queue_dv(struct iec61883_data *dv, AVPacket *pkt) size = avpriv_dv_produce_packet(dv->dv_demux, pkt, packet->buf, packet->len, -1); dv->queue_first = packet->next; + if (size < 0) + av_free(packet->buf); av_free(packet); dv->packets--; - if (size > 0) - return size; + if (size < 0) + return -1; - return -1; + if (av_packet_from_data(pkt, pkt->data, pkt->size) < 0) { + av_freep(&pkt->data); + av_packet_unref(pkt); + return -1; + } + + return size; } static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt) From 29683c6ba1fce32de51c2600cdbd6733b29914d7 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 18 Apr 2018 15:32:10 -0300 Subject: [PATCH 805/942] avdevice/iec61883: free the private context at the end Fixes part of ticket #7146. 
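Review bot: The return-path rewrite in `iec61883_parse_queue_dv` moves the boundary: the old code returned -1 for `size <= 0`, the new one only for `size < 0`, so a zero-sized result now reaches `av_packet_from_data(pkt, pkt->data, pkt->size)` with `packet->buf` neither freed nor owned by the packet. Unless `avpriv_dv_produce_packet` can never return 0 (I cannot confirm from here), use `if (size <= 0)` in both places. A comment on the success path, `/* pkt->data now points into packet->buf; wrap it so the packet owns and frees it */`, would document the ownership handoff that the conditional `av_free(packet->buf)` relies on.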
Signed-off-by: James Almer (cherry picked from commit 5079e96bcc7aaa9cae82a58397ce986e124028e4) --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index aeca7616df..382b989fb1 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -463,6 +463,7 @@ static int iec61883_close(AVFormatContext *context) } else { iec61883_dv_fb_stop(dv->iec61883_dv); iec61883_dv_fb_close(dv->iec61883_dv); + av_freep(&dv->dv_demux); } while (dv->queue_first) { DVPacket *packet = dv->queue_first; From b8fd13befef430517bd262fc0cac1320128d0639 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Mar 2018 18:14:12 +0100 Subject: [PATCH 806/942] libavformat/oggparsevorbis: Fix memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index b96be98974..1c8acc3f94 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -228,6 +228,10 @@ static int fixup_vorbis_headers(AVFormatContext *as, len = priv->len[0] + priv->len[1] + priv->len[2]; buf_len = len + len / 255 + 64; + + if (*buf) + return AVERROR_INVALIDDATA; + ptr = *buf = av_realloc(NULL, buf_len); if (!ptr) return AVERROR(ENOMEM); From 7fd80d91f72ce456fba8d611727bbdac9038eda7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Mar 2018 00:10:11 +0100 Subject: [PATCH 807/942] avformat/utils: Fix integer overflow of fps_first/last_dts Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long' Fixes: Chromium bug 796778 Reported-by: Matt Wolenetz 
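Review bot: The new `if (*buf) return AVERROR_INVALIDDATA;` is placed after `len` and `buf_len` have been computed, so two statements of work are done before the function decides it should not run at all; moving it to the top of `fixup_vorbis_headers` (which starts outside the hunk) reads more naturally. Either way the condition is not obviously an error and wants a comment: `/* headers already assembled once; a second set would leak the first buffer */`.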
Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6201e38814..dc7a17690d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3363,7 +3363,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && (pkt->dts - st->info->fps_last_dts) / 1000 > - (st->info->fps_last_dts - st->info->fps_first_dts) / + (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, "DTS discontinuity in stream %d: packet %d with DTS " From 81a6076e4b8eb3c9bd6cb3c9c425c5053731d9f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 17:28:36 +0100 Subject: [PATCH 808/942] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE Fixes: Chromium bug 795653 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0) Signed-off-by: Michael Niedermayer --- libavformat/oggparsetheora.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c index 5f057c3c8a..6db3d9f848 100644 --- a/libavformat/oggparsetheora.c +++ b/libavformat/oggparsetheora.c @@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx) if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg; + int64_t pts; duration = 1; for (seg = os->segp; seg < os->nsegs; seg++) { 
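Review bot: Casting `fps_first_dts` to `uint64_t` turns the whole right-hand side into an unsigned quotient, so the comparison `(pkt->dts - st->info->fps_last_dts) / 1000 > ...` now converts its signed left side to unsigned as well: a packet whose dts went backwards (negative left side) becomes a huge value and fires the discontinuity warning where it previously did not. Cast the result back, `(int64_t)((st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx))`. The left-hand `pkt->dts - st->info->fps_last_dts` is still a signed difference of two untrusted timestamps and can overflow exactly as the right side did before this commit.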
@@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx) duration ++; } - os->lastpts = os->lastdts = theora_gptopts(s, idx, os->granule, NULL) - duration; + pts = theora_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration > 0) From 4df16ad1ef065e86279c3fc2bd2a38cc88dafcf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 22:40:50 +0100 Subject: [PATCH 809/942] avformat/avidec: Fix integer overflow in cum_len check Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long' Fixes: Chromium bug 791237 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 1a9563aed4..efb5d8639e 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -667,7 +667,7 @@ static int avi_read_header(AVFormatContext *s) st->start_time = 0; avio_rl32(pb); /* buffer size */ avio_rl32(pb); /* quality */ - if (ast->cum_len*ast->scale/ast->rate > 3600) { + if (ast->cum_len > 3600LL * ast->rate / ast->scale) { av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n"); ast->cum_len = 0; } From 46f37c65abc0624168a88c7093baacd1e6b9a185 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 23:14:04 +0100 Subject: [PATCH 810/942] avformat/oggparseogm: Fix undefined shift in ogm_packet() Fixes: shift exponent 48 is too large for 32-bit type 'int' Fixes: Chromium bug 786793 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3) 
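Review bot: With `os->lastpts = os->lastdts = pts;` now able to hold `AV_NOPTS_VALUE`, the `if(s->streams[idx]->start_time == AV_NOPTS_VALUE)` block that follows copies it into `start_time`, and its continuation outside the hunk presumably subtracts `start_time` from `duration`; subtracting `INT64_MIN` overflows in exactly the way this commit set out to avoid. Guard that block with the same test, e.g. `if (pts != AV_NOPTS_VALUE && s->streams[idx]->start_time == AV_NOPTS_VALUE)`, or document why a missing pts cannot reach it.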
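Review bot: `if (ast->cum_len > 3600LL * ast->rate / ast->scale)` divides by `ast->scale`, so it depends on the scale/rate sanitising earlier in `avi_read_header` (outside this hunk) having already replaced a zero scale; a comment naming that dependency, `/* scale != 0 is guaranteed by the rate/scale fixup above */`, would keep a later reorder from reintroducing a division by zero. The rearranged inequality also rounds differently from the original `cum_len*scale/rate > 3600` at the boundary, harmless for a sanity check but worth noting.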
Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index d63c83b1c2..11e3c04479 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -176,7 +176,7 @@ ogm_packet(AVFormatContext *s, int idx) os->psize -= lb + 1; while (lb--) - os->pduration += p[lb+1] << (lb*8); + os->pduration += (uint64_t)p[lb+1] << (lb*8); return 0; } From 69344f628bf50dfbc1c7536b53b3ab55bedeb282 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Mar 2018 01:05:20 +0100 Subject: [PATCH 811/942] avformat/oggparseogm: Check lb against psize No testcase, this was found during code review Found-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 11e3c04479..37284925e7 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -172,6 +172,9 @@ ogm_packet(AVFormatContext *s, int idx) os->pflags |= AV_PKT_FLAG_KEY; lb = ((*p & 2) << 1) | ((*p >> 6) & 3); + if (os->psize < lb + 1) + return AVERROR_INVALIDDATA; + os->pstart += lb + 1; os->psize -= lb + 1; From ad7c57f9db506cc0c6c3b8e36a14d8e00df0dcfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 17:28:36 +0100 Subject: [PATCH 812/942] avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE Fixes: potential signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f655ddfb47e8484b205b14c7f871c643ad24d701) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedaala.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index 9e98d49c8f..41dc059ecd 100644 
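Review bot: `os->pduration += (uint64_t)p[lb+1] << (lb*8);` makes the shift well defined for `lb` up to 7, but the sum is then stored into `pduration`, presumably a signed field, with no range check, so a byte in the top position still yields a negative or absurd duration that the rest of the demuxer has to cope with. A `if (os->pduration < 0) return AVERROR_INVALIDDATA;` after the loop, or a comment stating that callers tolerate garbage durations, would close the gap.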
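Review bot: The new `if (os->psize < lb + 1)` bound comes after `*p` has already been read (the key-flag line and the `lb = ...` line), so if nothing earlier in `ogm_packet` guarantees `os->psize >= 1`, the first byte is still read from an empty packet; the function starts outside the hunk so I could not confirm. If that guarantee exists, a comment `/* psize >= 1 was checked above */` beside the new test settles it; if not, the check belongs before the first dereference of `p`.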
--- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -218,6 +218,7 @@ static int daala_packet(AVFormatContext *s, int idx) int seg, duration = 1; struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; + int64_t pts; /* * first packet handling: here we parse the duration of each packet in the @@ -230,7 +231,10 @@ static int daala_packet(AVFormatContext *s, int idx) if (os->segments[seg] < 255) duration++; - os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; + pts = daala_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration != AV_NOPTS_VALUE) From 30d40580c4e0a42eba5e79a29fbad5ae09a78948 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Mar 2018 16:43:29 +0100 Subject: [PATCH 813/942] avformat/mov: Fix integer overflows related to sample_duration Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type Fixes: Chromium bug 791349 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d41778cbed..30ec2d20e3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
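Review bot: Same hazard as the theora counterpart: once `os->lastpts = os->lastdts = pts;` can be `AV_NOPTS_VALUE`, the `if(s->streams[idx]->start_time == AV_NOPTS_VALUE)` block below copies it into `start_time`, and its continuation outside the hunk presumably adjusts `duration` by `start_time`, which overflows on `INT64_MIN`. Guard the block with `if (pts != AV_NOPTS_VALUE && s->streams[idx]->start_time == AV_NOPTS_VALUE)` or add a comment explaining why that path is unreachable with a missing pts.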
@@ -2496,14 +2496,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; - duration+=(int64_t)sample_duration*sample_count; + duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; - sc->duration_for_fps += duration; - sc->nb_frames_for_fps += total_sample_count; + if (duration > 0 && + duration <= INT64_MAX - sc->duration_for_fps && + total_sample_count <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += duration; + sc->nb_frames_for_fps += total_sample_count; + } if (pb->eof_reached) return AVERROR_EOF; @@ -3649,8 +3654,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; - sc->duration_for_fps += sample_duration; - sc->nb_frames_for_fps ++; + + if (sample_duration <= INT64_MAX - sc->duration_for_fps && + 1 <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += sample_duration; + sc->nb_frames_for_fps ++; + } } if (pb->eof_reached) From 448cd0d0b341e4afb66677a339e9d886f6fa3505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Mar 2018 00:13:57 +0100 Subject: [PATCH 814/942] avcodec/wmalosslessdec: Reset num_saved_bits on error path Fixes: NULL pointer dereference Fixes: poc-201803.wav Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index a335f07ae4..b6ff283cd8 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c 
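Review bot: The new guard around `sc->duration_for_fps += duration;` silently drops the whole stts contribution when the totals would overflow or when `duration` is zero or negative, so a crafted file can skew the fps estimate with no diagnostic. Logging at `AV_LOG_WARNING` when the branch is skipped, or at least `/* skip rather than clamp: an overflowing total would only poison the fps estimate */`, would make the choice visible. `duration` is accumulated as `(int64_t)sample_duration*(uint64_t)sample_count` into a signed total, which wraps by design, and the `duration > 0` test is what catches that wrap; that deserves saying at the site.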
@@ -1129,6 +1129,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); s->packet_loss = 1; + s->num_saved_bits = 0; return; } From e6238003876564477ce9ba973630ec45112138e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2018 15:17:12 +0100 Subject: [PATCH 815/942] avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index ade3310d85..96348e9841 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int orig_size = buf_size; int keyframe, ret; int size_change = 0; + int minsize = 0; int result, init_frame = !avctx->frame_number; enum { NUV_UNCOMPRESSED = '0', @@ -206,6 +207,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, keyframe = 1; break; } + switch (comptype) { + case NUV_UNCOMPRESSED: + minsize = c->width * c->height * 3 / 2; + break; + case NUV_RTJPEG: + minsize = c->width/16 * (c->height/16) * 6; + break; + } + if (buf_size < minsize / 4) + return AVERROR_INVALIDDATA; retry: // skip rest of the frameheader. buf = &buf[12]; From f4fe7022583e98efacbd02e8d9484cf88f4950cf Mon Sep 17 00:00:00 2001 
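Review bot: The error branch in save_bits() reports both a non-positive `len` and an oversized frame (`buflen > MAX_FRAMESIZE`) with the single text `"Too small input buffer"` through avpriv_request_sample(), which is the helper for unsupported-but-valid input; both conditions here are malformed data. Log them with av_log(s->avctx, AV_LOG_ERROR, ...) and a message naming the actual condition, e.g. `"Invalid frame size %d (max %d)"`, so fuzzer reports and user logs point at the right cause. Clearing `num_saved_bits` together with `packet_loss` is the right fix for the stale-state dereference; the rest of save_bits lies outside the hunk.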
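Review bot: The `if (buf_size < minsize / 4)` threshold in the second nuv.c hunk carries no explanation of why a quarter of the raw frame size is the lower bound, and the switch leaves `minsize` at 0 for the LZO-wrapped variants without saying that this is intentional. A comment above the check such as `// Reject packets that cannot plausibly hold a frame of this size (4x slack for heavy quantization); LZO-wrapped variants are not bounded here because LZO can compress further` records the intent for the next person tuning it after a fuzzer report. Note that `minsize` is computed from `c->width`/`c->height` as they are before the per-frame header is parsed, so if decode_frame can resize later (outside the hunk) the bound is against the previous dimensions. The enclosing decode_frame continues past the hunk.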
From: Michael Niedermayer Date: Tue, 27 Feb 2018 15:17:12 +0100 Subject: [PATCH 816/942] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 96348e9841..53f70164c6 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: keyframe = !buf[2]; + if (c->width < 16 || c->height < 16) { + return AVERROR_INVALIDDATA; + } break; case NUV_COPY_LAST: keyframe = 0; From 028af5acbe7b206bad1dae0849fd97ab3d800df9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Mar 2018 19:53:36 +0100 Subject: [PATCH 817/942] avformat/mov: Check STSC and remove invalid entries Fixes assertion failure Fixes: crbug 822547, crbug 822666 and crbug 823009 Affects: aark15sd_9A62E2FA.mp4 Found-by: ClusterFuzz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 30ec2d20e3..d7aefee482 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
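Review bot: The `c->width < 16 || c->height < 16` check in the NUV_RTJPEG case tests the dimensions the context currently holds, but decode_frame can still reinitialise them from the per-frame header further down (outside the hunk); if that path exists in this version, a packet that passes with a 16x16 context and then announces a smaller size reaches the RTJPEG decoder with exactly the dimensions this commit rejects. Repeat the check after the reinit, or place it in codec_reinit() so both paths share it, e.g. `if (w < 16 || h < 16) return AVERROR_INVALIDDATA;` next to the width/height assignment. A one-line comment stating that 16 is one RTJPEG macroblock (the `width/16 * (height/16) * 6` minsize in the previous commit uses the same unit) would also help. The enclosing function extends beyond the hunk.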
@@ -2270,6 +2270,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; + for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || + (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || + sc->stsc_data[i].first < 1 || + sc->stsc_data[i].count < 1 || + sc->stsc_data[i].id < 1) { + av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); + if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) + return AVERROR_INVALIDDATA; + // We replace this entry by the next valid + sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; + sc->stsc_data[i].count = sc->stsc_data[i+1].count; + sc->stsc_data[i].id = sc->stsc_data[i+1].id; + } + } if (pb->eof_reached) return AVERROR_EOF; @@ -3051,6 +3066,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + st->index); + return AVERROR_INVALIDDATA; + } fix_timescale(c, sc); From 7ccb9c37ac47b4c7ffcd35b1f81f550dfbc26e9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2018 01:38:53 +0100 Subject: [PATCH 818/942] avcodec/get_bits: Make sure the input bitstream with padding can be addressed Signed-off-by: Michael Niedermayer (cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0ccbf4dfd2..3ae0dbce63 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h 
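Review bot: The validation loop `for (i = sc->stsc_count - 1; i < UINT_MAX; i--)` only terminates because `i` is compared as an unsigned value (its declaration is outside the hunk), yet the av_log on the next line prints it and the three stsc fields with `%d` even though the `< 1` comparisons suggest they are unsigned; `for (i = sc->stsc_count; i-- > 0; )` with `%u` specifiers makes the intent explicit and keeps -Wformat quiet. The repair branch overwrites a bad entry with `stsc_data[i+1].first - 1`, which can in turn collide with entry i-1; that is caught on the following iteration because the loop runs downward, and a short comment saying so would save the next reader from re-deriving it. Separately, the error string in the second hunk reads `contradictionary`; it should be `contradictory`. Both enclosing functions continue outside the hunks.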
@@ -32,6 +32,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/log.h" #include "libavutil/avassert.h" +#include "avcodec.h" #include "mathops.h" /* @@ -425,7 +426,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) { + if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) { bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; From 0721e3c1bd23ac3039d11c4e18c64a1fa793356f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Mar 2018 01:07:24 +0200 Subject: [PATCH 819/942] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables Found-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48) Signed-off-by: Michael Niedermayer --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 675251a836..3004be3f9c 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -35,6 +35,7 @@ #define av_freep(p) while(0) #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H +#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" From 03f891c05099022215eb41c7b70fa916fe454356 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Mar 2018 01:51:28 +0100 Subject: [PATCH 820/942] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() Fixes: 2018_03_23_poc.wav Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index b6ff283cd8..49eaff694f 100644 
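Review bot: The widened bound `bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8)` makes the size arithmetic that follows (outside the hunk) representable once padding is counted, but nothing in the hunk records that purpose, and the precondition that actually keeps the over-reading bit readers safe — that `buffer` has AV_INPUT_BUFFER_PADDING_SIZE readable bytes after the bits — is still the caller's responsibility; a comment on the condition, `/* reject sizes for which bit_size + 8*padding would overflow int */`, and a sentence in the function's doc comment naming the padding precondition (or a pointer to it if it already exists above the hunk) would tie the two together. Making get_bits.h include avcodec.h for one constant is a heavy new dependency for a header that previously needed only libavutil; if the constant cannot live in a lighter header, the reason belongs in a comment at the include. init_get_bits continues outside the hunk.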
--- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1238,7 +1238,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0); - s->packet_done = !decode_frame(s); + + if (!s->packet_loss) + s->packet_done = !decode_frame(s); } else if (!s->len_prefix && s->num_saved_bits > get_bits_count(&s->gb)) { /* when the frames do not have a length prefix, we don't know the From 19379529a5b86f8179b8b16b0218169acdb0d10c Mon Sep 17 00:00:00 2001 From: heimdallr Date: Sat, 31 Mar 2018 19:37:23 +0700 Subject: [PATCH 821/942] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() example: AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA }; int loss = 0; AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss); best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better. Signed-off-by: Michael Niedermayer (cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 0035dc6e1c..19212d5e5b 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -77,10 +77,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int i; enum AVPixelFormat best = AV_PIX_FMT_NONE; + int loss; - for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) - best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr); + for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { + loss = *loss_ptr; + best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); + } + *loss_ptr = loss; return best; } From 1f648a098da0aeafd2f16bd2938fee2a6d5ea79d Mon Sep 17 00:00:00 2001 
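Review bot: `loss = *loss_ptr;` dereferences `loss_ptr` unconditionally on every iteration, whereas the code it replaces only forwarded the pointer to avcodec_find_best_pix_fmt_of_2() and never touched it here; any caller that has been passing NULL because it does not need the loss mask now crashes. `loss` is also never initialised when `pix_fmt_list[0]` is AV_PIX_FMT_NONE, so the new `*loss_ptr = loss;` stores an indeterminate value. Declare `int loss = 0;`, read `loss = loss_ptr ? *loss_ptr : 0;` inside the loop, and write back with `if (loss_ptr) *loss_ptr = loss;`; the empty-list result stays AV_PIX_FMT_NONE as before.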
From: Michael Niedermayer Date: Mon, 12 Mar 2018 00:05:04 +0100 Subject: [PATCH 822/942] avcodec/cscd: Error out when LZ* decompression fails Fixes: Timeout Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 9e1dec9d96..35c4ee08c3 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); + return AVERROR_INVALIDDATA; + } break; } case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); + return AVERROR_INVALIDDATA; + } break; #else av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n"); From 98096645f28f05f46ce438c977c1c33c447681a9 Mon Sep 17 00:00:00 2001 
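Review bot: The zlib branch now fails on a non-Z_OK return but still ignores `dlen`, so a stream that inflates cleanly to fewer than `c->decomp_size` bytes is accepted and the untouched tail of `decomp_buf` — which, if the buffer is reused across packets as its context placement suggests, holds data from an earlier frame — is consumed as part of this one; `if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size)` closes that. The LZO branch may already be stricter if av_lzo1x_decode() flags a depleted input as an error, but checking its remaining-space counter `outlen` for zero costs one condition and makes both paths verifiably equivalent. decode_frame continues outside the hunk.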
From: Michael Niedermayer Date: Sat, 31 Mar 2018 21:19:19 +0200 Subject: [PATCH 823/942] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() I was not able to reproduce this, this fix is based on just the fuzzer log. Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 535b323fc0..743ad6028c 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -417,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, int i, c, shift, round, tmp; const int gain = cce->coup.gain[index][0]; const int *src = cce->ch[0].ret; - int *dest = target->ret; + unsigned int *dest = target->ret; const int len = 1024 << (ac->oc[1].m4ac.sbr == 1); c = cce_scale_fixed[gain & 7]; From da371c5b215d7824a40480d6d544d8604218876e Mon Sep 17 00:00:00 2001 From: Hendrik Schreiber Date: Thu, 5 Apr 2018 13:58:37 +0200 Subject: [PATCH 824/942] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone. Signed-off-by: Hendrik Schreiber Signed-off-by: Michael Niedermayer (cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 8e238998e9..47d4f0dd0b 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c 
@@ -667,7 +667,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_simd_one, 0, 0, len1); if(out_count != len1) for(ch=0; chch_count; ch++) - s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1); + s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1); } else { for(ch=0; chch_count; ch++) s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_one, 0, 0, out_count); From b2be78f9d2dedf92b78e87d7e7e364f9744b6c4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Apr 2018 20:01:07 +0200 Subject: [PATCH 825/942] libavcodec/rv34: error out earlier on missing references Fixes visual corruption on seeking Fixes: downloadTest_clip_24M.rmvb Signed-off-by: Michael Niedermayer (cherry picked from commit 6cd81d68c5e4b0ff00288970c4151ff4031c0ea9) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index ac7b36bb2f..3a6faae87b 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1579,7 +1579,7 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte // Do no call ff_mpeg_update_thread_context on a partially initialized // decoder context. - if (!s1->linesize) + if (!s1->context_initialized) return 0; return ff_mpeg_update_thread_context(dst, src); 
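Review bot: The commit message says the `+ len1` was removed without finding an explanation, so the hunk should carry the reasoning rather than leave it as an experiment: the mix_2_1_simd call on the line above consumes `len1` samples of dither noise from `noise_pos`, and the remainder call already advances every operand by `off`, which — judging from the `conv_src->ch[ch] + off` and `preout->ch[ch] + off` arguments on the same line — is the byte offset of those `len1` samples, so adding `len1` on top advanced the noise pointer a second time and past the end of the noise buffer. A comment such as `/* off already accounts for the len1 samples handled by the SIMD path; do not add len1 again */` prevents someone from re-adding it. If `off` is not `len1 * bps` for every sample format, this change masks a different bug and the definition of `off` (outside the hunk) should be re-checked.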
@@ -1727,6 +1727,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if ((err = rv34_decoder_realloc(r)) < 0) return err; } + if (faulty_b) + return AVERROR_INVALIDDATA; s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I; if (ff_mpv_frame_start(s, s->avctx) < 0) return -1; @@ -1777,8 +1779,6 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, "multithreading mode (start MB is %d).\n", si.start); return AVERROR_INVALIDDATA; } - if (faulty_b) - return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); From 72b9ba8a5bfee62ed281e3d23de34cdd70da7955 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2018 21:55:06 +0200 Subject: [PATCH 826/942] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1 Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 0622d2ff7c..a25605800f 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -571,7 +571,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], int idx = indexsine&1; int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; - int *out = &Y1[i][kx][idx]; + unsigned *out = &Y1[i][kx][idx]; int shift; unsigned round; From c0bb5613d42f8ed6d661886b5084031387ce0882 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 8 Apr 2018 03:29:44 +0200 Subject: [PATCH 827/942] avcodec/movtextdec: Check style_start/end Limits based on 3GPP TS 26.245 V14.0.0 Fixes: Timeout Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Philip Langdale Signed-off-by: Michael Niedermayer (cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 6148593ade..abf0539072 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -298,6 +298,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) m->s_temp->style_start = AV_RB16(tsmb); tsmb += 2; m->s_temp->style_end = AV_RB16(tsmb); + + if ( m->s_temp->style_end < m->s_temp->style_start + || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { + av_freep(&m->s_temp); + mov_text_cleanup(m); + return AVERROR(ENOMEM); + } + tsmb += 2; m->s_temp->style_fontID = AV_RB16(tsmb); tsmb += 2; From 4b04da1e52da16f1c56e1532c0e65b1f9771431c Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Tue, 10 Apr 2018 13:59:25 -0700 Subject: [PATCH 828/942] lavc/libopusdec: Allow avcodec_open2 to call .close If there is a decoder initialization failure detected in avcodec_open2 after .init is called, allow graceful decoder .close to prevent leaking libopus decoder allocations. BUG=828526 Signed-off-by: Michael Niedermayer (cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081) Signed-off-by: Michael Niedermayer --- libavcodec/libopusdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index 7dff9c16b7..f9480fbbb6 100644 --- a/libavcodec/libopusdec.c 
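Review bot: The new range check in decode_styl() returns AVERROR(ENOMEM) for a style record whose `style_end` precedes `style_start` or that overlaps the previous record, but that is malformed input, not an allocation failure, and callers and logs will attribute the rejection to memory pressure. Return AVERROR_INVALIDDATA from that branch and log the two offending values so a rejected sample can be diagnosed. A one-line comment citing the 3GPP TS 26.245 constraint named in the commit message would also document why overlapping runs are rejected outright rather than clipped. decode_styl continues outside the hunk.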
+++ b/libavcodec/libopusdec.c @@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc) { struct libopus_context *opus = avc->priv_data; - opus_multistream_decoder_destroy(opus->dec); + if (opus->dec) { + opus_multistream_decoder_destroy(opus->dec); + opus->dec = NULL; + } return 0; } @@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = { .decode = libopus_decode, .flush = libopus_flush, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, From 5aaa5bd1b04d51baf328be6b536b4280509b4eb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Apr 2018 16:12:15 +0200 Subject: [PATCH 829/942] avcodec/mjpegdec: Check input buffer size. Fixes: Timeout Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ libavcodec/mjpegdec.h | 1 + 2 files changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index cefb9afdb7..2ce351ddbc 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -306,6 +306,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx)) return AVERROR_INVALIDDATA; + if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) + return AVERROR_INVALIDDATA; nb_components = get_bits(&s->gb, 8); if (nb_components <= 0 || 
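Review bot: The new rejection `(width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL` in ff_mjpeg_decode_sof is a density heuristic (more than four 8x8 blocks per input byte) and nothing in the hunk says where that figure comes from or why it is safe for progressive scans, where EOB runs let whole bands cost almost nothing; a comment such as `// Even with EOB runs each block costs bits; reject frames whose block count exceeds 4x the packet size to bound decode time on truncated input` is needed so the next fuzzer-driven tweak does not tighten it into rejecting real files. The `s->buf_size &&` guard implies the field can be 0, presumably when the SOF parser is entered without going through ff_mjpeg_decode_frame(); that should be stated next to the check as well. ff_mjpeg_decode_sof continues outside the hunk.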
@@ -2078,6 +2080,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; + s->buf_size = buf_size; + av_dict_free(&s->exif_metadata); av_freep(&s->stereo3d); s->adobe_transform = -1; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index fb811294a1..6781c7c03a 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; + int buf_size; int start_code; /* current start code */ int buffer_size; From 065057c8a35197b18a939048fb52380cd37b073e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Apr 2018 22:24:03 +0200 Subject: [PATCH 830/942] avcodec/truemotion2: Propagate out of bounds error from GET_TOK() Fixes: Timeout Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6304af2341d0cee51c2116766622e3ac567b7a0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 97c38f7f08..f7dbe047c7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; + int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -398,6 +399,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); + ctx->error = 1; return 0; } if (type <= TM2_MOT) { 
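Review bot: The new `int buf_size;` in MJpegDecodeContext sits directly next to the existing `int buffer_size;` with no comment distinguishing them, which invites using the wrong one; document it at the declaration, e.g. `int buf_size; ///< size of the packet currently being decoded; 0 when ff_mjpeg_decode_frame() is not the entry point`. It is written only in ff_mjpeg_decode_frame() here, so any path that drives ff_mjpeg_decode_sof() directly (if one exists in this tree) inherits whatever the last packet left behind; resetting it in such paths, or on flush, would make the SOF size heuristic behave consistently. The struct continues outside the hunk.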
@@ -809,6 +811,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } + if (ctx->error) + return AVERROR_INVALIDDATA; } } @@ -889,6 +893,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; + l->error = 0; + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From cf321e93c4a99635d7b5d39ed5aa6a187a13e834 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Apr 2018 19:50:52 +0200 Subject: [PATCH 831/942] avcodec/utils: Enforce minimum width also for VP5/6 Fixes: out of array access Fixes: poc_0411 Found-by: GwanYeong Kim Tested-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cfdfab7f7a..f8d30c4248 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -415,7 +415,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || + s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A + ) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; From b591673c507d85238de5830f210327767bc0afdf Mon Sep 17 00:00:00 2001 
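Review bot: The new `int error;` field in TM2Context has no comment, and its protocol (set by GET_TOK on an out-of-range token index, cleared once per packet in decode_frame, polled after every block in tm2_decode_blocks) is spread across four hunks, so document it at the declaration: `int error; ///< set by GET_TOK() on an out-of-bounds token read; reset per packet, checked after each block`. GET_TOK still returns 0 on the error path, so the remainder of the current block runs on a zero token before the flag is observed; that is bounded and harmless, but a one-line comment at that `return 0;` would make the intent explicit. The struct and both functions continue outside the hunks.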
From: Michael Niedermayer Date: Fri, 13 Apr 2018 11:38:48 +0200 Subject: [PATCH 832/942] avformat/utils: Check cur_dts in update_initial_timestamps() more Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long' Fixes: crbug 831552 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index dc7a17690d..c308f443cf 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -937,6 +937,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, if (st->first_dts != AV_NOPTS_VALUE || dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || + st->cur_dts < INT_MIN + RELATIVE_TS_BASE || is_relative(dts)) return; From 9665d6258c6ccf6de5cc77103a22a91f07b37154 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 18:23:12 +0200 Subject: [PATCH 833/942] doc/APIchanges: Fix typos in hashes Thanks-to: Moritz Barsnick for finding the correct ones Signed-off-by: Michael Niedermayer (cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 85d4db7065..13f559e253 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -333,7 +333,7 @@ API changes, most recent first: Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support dictionary types being set as options. -2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h +2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h Add AVFormatContext.event_flags and AVStream.event_flags for signaling to the user when events happen in the file/stream. 
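Review bot: `st->cur_dts < INT_MIN + RELATIVE_TS_BASE` guards only one side: it stops cur_dts from sitting more than 2^31 below RELATIVE_TS_BASE, but the subtraction it protects (`dts - (st->cur_dts - RELATIVE_TS_BASE)`, which follows the hunk if the function is otherwise unchanged) can still overflow when cur_dts is far above the base or when `dts` is within that margin of INT64_MIN or INT64_MAX. Adding the mirror condition `st->cur_dts > RELATIVE_TS_BASE + INT_MAX ||` bounds the difference to a 32-bit range, and a comment saying that INT_MIN/INT_MAX are a generous sanity margin rather than a format limit would explain why 32-bit constants appear in 64-bit timestamp code. update_initial_timestamps continues outside the hunk.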
@@ -350,7 +350,7 @@ API changes, most recent first: 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h Add avio_feof() and deprecate url_feof(). -2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h +2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h sws_getContext is not going to be removed in the future. 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h From ad3ec05d036a27538e74d4c62e499e542d8d0695 Mon Sep 17 00:00:00 2001 From: Rahul Chaudhry Date: Wed, 18 Apr 2018 16:29:39 -0700 Subject: [PATCH 834/942] swresample/arm: remove unintentional relocation. Branch to global symbol results in reference to PLT, and when compiling for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't support this relocation (ld.gold), while others can end up truncating the relocation to fit (ld.bfd). Convert this branch through PLT into a direct branch that the assembler can resolve locally. See https://github.com/android-ndk/ndk/issues/337 for background. The current workaround is to disable neon during gstreamer build, which is not optimal and can be reverted after this patch: https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f Signed-off-by: Michael Niedermayer (cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b) Signed-off-by: Michael Niedermayer --- libswresample/arm/audio_convert_neon.S | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 1f88316dde..7729514701 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,6 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 +_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 
@@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1 endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 +_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt X(swri_oldapi_conv_flt_to_s16_neon) - beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon) + blt _swri_oldapi_conv_flt_to_s16_neon + beq _swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 From 5891d222ff6ec4ca5fc750aab84897cafb2f3750 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2018 02:13:42 +0200 Subject: [PATCH 835/942] avcodec/cinepak: move some checks prior to frame allocation Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 7a7466204a..908c248ef0 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s, return AVERROR_INVALIDDATA; } -static int cinepak_decode (CinepakContext *s) +static int cinepak_predecode_check (CinepakContext *s) { - const uint8_t *eod = (s->data + s->size); - int i, result, strip_size, frame_flags, num_strips; - int y0 = 0; + int num_strips; int encoded_buf_size; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); 
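Review bot: The added `_swri_oldapi_conv_flt_to_s16_neon:` and `_swri_oldapi_conv_fltp_to_s16_2ch_neon:` labels are the underscore-prefixed form of the exported names, which is exactly the symbol `function ..., export=1` emits on targets whose EXTERN_ASM prefix is `_` (Apple platforms); if that is how asm.S behaves in this tree, the assembler there sees each symbol defined twice, so this needs a build on an arm-apple configuration before merging. A label that cannot collide, e.g. `.Lswri_conv_flt_to_s16:` referenced from the `blt`/`beq` in the third hunk, gives the same assembler-local direct branch without depending on the host's symbol prefix. The `X()` wrapper was dropped for the PLT reason given in the commit message, so the branch targets must stay local either way.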
@@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s) s->sega_film_skip_bytes = 0; } + if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12) + return AVERROR_INVALIDDATA; + + return 0; +} + +static int cinepak_decode (CinepakContext *s) +{ + const uint8_t *eod = (s->data + s->size); + int i, result, strip_size, frame_flags, num_strips; + int y0 = 0; + + frame_flags = s->data[0]; + num_strips = AV_RB16 (&s->data[8]); + s->data += 10 + s->sega_film_skip_bytes; num_strips = FFMIN(num_strips, MAX_STRIPS); @@ -439,6 +451,11 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; + if ((ret = cinepak_predecode_check(s)) < 0) { + av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); + return ret; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 3009bf0be645c184dd83fb6959579b8289c4d54f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2018 02:13:43 +0200 Subject: [PATCH 836/942] avcodec/cinepak: Skip empty frames Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 908c248ef0..9060e31fb1 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -444,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int ret = 0, buf_size = avpkt->size; CinepakContext *s = avctx->priv_data; + int num_strips; s->data = buf; s->size = buf_size; 
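Review bot: cinepak_predecode_check() rejects the packet when `s->size < 10 + s->sega_film_skip_bytes + num_strips * 12` using the full header value of `num_strips`, while cinepak_decode() still clamps to `FFMIN(num_strips, MAX_STRIPS)` before reading strips; a packet that advertises more than MAX_STRIPS strips but carries data for the first MAX_STRIPS decoded before and is rejected now, so either clamp before the size check or drop the clamp so the two agree. The magic 12 also wants a name or a comment, e.g. `/* 12-byte strip header per strip */`. cinepak_decode and the strip parsing continue outside the hunks.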
@@ -451,6 +452,12 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; + num_strips = AV_RB16 (&s->data[8]); + + //Empty frame, do not waste time + if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL))) + return buf_size; + if ((ret = cinepak_predecode_check(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); return ret; From e49e8259df9121798989a5e22a0cb5bd9d9d1d33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:04:53 +0200 Subject: [PATCH 837/942] avcodec/dfa: Check dimension against maximum The headers from where the dimensions are read in actual files are limited to 16bit per component. Fixes: Timeout Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 8067ac94e5..b8500a4995 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; - if (!avctx->width || !avctx->height) + if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16)) return AVERROR_INVALIDDATA; av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0); From a8640c87a70f4ecd91b54ce70682635df8d9ab75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:28:23 +0200 Subject: [PATCH 838/942] avcodec/dsicinvideo: Propagate errors from cin_decode_rle() Signed-off-by: Michael Niedermayer (cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400) 
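Review bot: The early `return buf_size` leaves `*got_frame` unset, so a packet with zero strips that previously went through ff_reget_buffer and re-emitted the prior frame now produces no frame at all; for consumers that rely on one output frame per packet this changes the output timeline, and the comment should say so, e.g. `/* Empty frame (no strips, no new palette): emit nothing instead of re-outputting the previous frame */`. Whether downstream muxers or filters in the typical pipelines depend on the old behaviour cannot be determined from this hunk. The `AV_RB16(&s->data[8])` read is now repeated here, in cinepak_predecode_check and in cinepak_decode; parsing it once into the context would avoid the three copies drifting apart.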
Signed-off-by: Michael Niedermayer --- libavcodec/dsicinvideo.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index f95cbc74a0..add7afa383 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -226,27 +226,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: - cin_decode_rle(buf, bitmap_frame_size, + res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; break; case 34: - cin_decode_rle(buf, bitmap_frame_size, + res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); - cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, + res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); - cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, + res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; From 3bf0a405f051345b17d7dab7213c285a1bd77216 Mon Sep 17 00:00:00 2001 
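Review bot: In cases 35 and 36 the value returned by cin_decode_huffman is still passed to cin_decode_rle as src_size without a check, so if that helper can signal failure with a negative size the newly added `res < 0` tests come too late to catch it; a guard such as `if (bitmap_frame_size < 0) return bitmap_frame_size;` after each cin_decode_huffman call would make all four branches uniformly safe. Whether cin_decode_huffman can return a negative value is not visible in this hunk. cinvideo_decode_frame starts and ends outside the hunk.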
From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:29:09 +0200 Subject: [PATCH 839/942] avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame Fixes: Timeout Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96) Signed-off-by: Michael Niedermayer --- libavcodec/dsicinvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index add7afa383..aa080417d2 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, } } + if (dst_end - dst > dst_size - dst_size/10) + return AVERROR_INVALIDDATA; + return 0; } @@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size, } dst += len; } + + if (dst_end - dst > dst_size - dst_size/10) + return AVERROR_INVALIDDATA; + return 0; } From 73d07e320c4a3f1c647bb5b64a2f2ba144e5caaa Mon Sep 17 00:00:00 2001 From: Stephan Holljes Date: Fri, 12 Jan 2018 19:16:29 +0100 Subject: [PATCH 840/942] lavf/http.c: Free allocated client URLContext in case of error. Signed-off-by: Stephan Holljes Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index 5bb8d586de..b2cba61797 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -526,7 +526,11 @@ static int http_accept(URLContext *s, URLContext **c) goto fail; cc->hd = cl; cc->is_multi_client = 1; + return 0; fail: + if (c) { + ffurl_closep(c); + } return ret; } 
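Review bot: The threshold `dst_size - dst_size/10` is an unexplained magic ratio that appears twice in this hunk, and it turns a short but well-formed packet (one that fills less than about 90% of the bitmap) into a hard AVERROR_INVALIDDATA where the decoder previously emitted a partial frame; a comment giving the rationale and a single named constant would make the intent reviewable, e.g. `/* Reject packets that decode to less than ~90% of the frame: they cost a full frame of work yet cannot come from the original encoder */`. Whether real game data can legitimately produce such short payloads is not established by the hunk. Both cin_decode_lzss and cin_decode_rle start outside the hunk.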
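Review bot: The guard `if (c)` tests the out-parameter double pointer, which is presumably always supplied by the caller, rather than the allocated `*c` that may be NULL on the early failure paths; if ffurl_closep tolerates `*c == NULL` as it does elsewhere in lavf the guard is redundant and `ffurl_closep(c);` alone suffices, otherwise it should read `if (*c)`. The braces around a single statement also depart from the surrounding style. http_accept's body starts outside the hunk, so which failure paths reach `fail` with `*c` unset cannot be confirmed here.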
From 142e1e3e9af80a31fa3f0a90b3172573697306a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Apr 2018 22:19:31 +0200 Subject: [PATCH 841/942] avcodec/ffv1enc: Check that the crc + version combination is supported The crc flag is only stored since version 3 thus before this crcs do not work. We increase the version as needed same as we do with pix_fmts Signed-off-by: Michael Niedermayer (cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 9b14309b31..6d12a06e97 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -699,6 +699,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->ec = (s->version >= 3); } + // CRC requires version 3+ + if (s->ec) + s->version = FFMAX(s->version, 3); + if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; From 70c7c7392089c7c68b6f07184dbb3073799f5d29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Apr 2018 02:08:10 +0200 Subject: [PATCH 842/942] avcodec/vc1_block: simplify ac_val computation also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]' Found-by: durandal_1707 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 255ba1da70..1b219c9adf 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c 
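Review bot: Raising `s->version` to 3 when `s->ec` is set silently changes the bitstream version the user explicitly requested, and nothing in the hunk tells them; an `av_log(avctx, AV_LOG_WARNING, "CRC requires version 3, raising version\n");` inside the `if (s->ec)` branch would make the override visible, in the same spirit as the pix_fmt handling the commit message refers to. The comment `// CRC requires version 3+` could also name the reason given in the commit message, that the ec flag is only stored in the header from version 3 on. encode_init continues outside the hunk, so whether a later check already reports the change is not visible here.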
@@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, scale = s->c_dc_scale; block[0] = dcdiff * scale; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (!a_avail) dc_pred_dir = 1; if (!c_avail) dc_pred_dir = 0; if (!a_avail && !c_avail) use_pred = 0; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; scale = mquant * 2 + v->halfpq; From cc8710b5afebe211a4402311d036d11b8f46510d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Apr 2018 01:54:17 +0200 Subject: [PATCH 843/942] avcodec/elsdec: Fix memleaks Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add) Signed-off-by: Michael Niedermayer --- libavcodec/elsdec.c | 8 +++----- libavcodec/g2meet.c | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c index 4797965457..cb0e9c6534 100644 --- a/libavcodec/elsdec.c +++ b/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { - av_free(rung->rem_rung_list); + av_freep(&rung->rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) 
@@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; - ur->rem_rung_list = av_realloc(ur->rem_rung_list, + ctx->err = av_reallocp(&ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); - if (!ur->rem_rung_list) { - av_free(ur->rem_rung_list); - ctx->err = AVERROR(ENOMEM); + if (ctx->err < 0) { return 0; } memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 51e8bbcd7b..fd03685f39 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -926,6 +926,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); + ff_els_decoder_uninit(&c->ec.unsigned_rung); return AVERROR_INVALIDDATA; } From aaa2d4a26523caff7246077de423d2314b7d571c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2018 21:07:45 +0200 Subject: [PATCH 844/942] avcodec/h263dec: Check slice_ret in mspeg4 slice loop Fixes infinite loop Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000 Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 628546bb86..8670f53bb9 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
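Review bot: `ctx->err = av_reallocp(...)` stores 0 on success, so any error already recorded in ctx->err before this reallocation is cleared; since callers test `ctx->err != 0` after a run of decode calls (as the g2meet hunk in this same patch does), an earlier failure can be masked. Confining the assignment to the failure path preserves the flag: `int ret = av_reallocp(&ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); if (ret < 0) { ctx->err = ret; return 0; }`. Whether ff_els_decode_unsigned can be entered with ctx->err already set is not visible here; the function starts and ends outside the hunk.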
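Review bot: The ff_els_decoder_uninit call added here covers only the transparency-pixel failure; if epic_jb_decode_tile has other error returns after ff_els_decoder_init (none are visible in this hunk), they leak rem_rung_list in exactly the same way, so freeing in a common cleanup label or in the caller's teardown would be more robust than per-return calls. A one-line comment such as `/* rung list is owned by this tile decode; release it on every exit */` would document the ownership. epic_jb_decode_tile starts and ends outside the hunk.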
@@ -637,7 +637,7 @@ retry: slice_ret = decode_slice(s); while (s->mb_y < s->mb_height) { if (s->msmpeg4_version) { - if (s->slice_height == 0 || s->mb_x != 0 || + if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 || (s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0) break; } else { From baa4913e1272211a3711078c9bcd0a8b935fc287 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2018 21:46:05 +0200 Subject: [PATCH 845/942] avcodec/error_resilience: Fix integer overflow in filter181() Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 5a75faddf5..6bea0bf6ea 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, int stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, int stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } From 04e69effbb31ba21ec5f5da625bcd1edafd8e286 Mon Sep 17 00:00:00 2001 
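Review bot: The clip's upper bound subtracts 32768 from the quotient instead of from INT_MAX, so dc is limited to `INT_MAX/10923 - 32768` = 163834 while any value up to `(INT_MAX - 32768)/10923` = 196599 multiplies safely; because dc is built from int16_t samples scaled by 8 it can exceed 163834, and those inputs now produce a smaller filtered value than before (27307 instead of 32767 for dc = 196599). Doing the product in 64 bits removes both the overflow and the artificial clamp: `dc = (int)(((int64_t)dc * 10923 + 32768) >> 16);`, or at least use `(INT_MAX - 32768) / 10923` as the bound. The same expression is duplicated in the vertical pass; a small static helper would keep the two in step. filter181 starts and ends outside the hunk.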
From: Michael Niedermayer Date: Fri, 27 Apr 2018 21:44:07 +0200 Subject: [PATCH 846/942] avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int' Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index c71006112a..7fd366a73b 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -99,8 +99,8 @@ typedef struct WvChannel { // macros for manipulating median values #define GET_MED(n) ((c->median[n] >> 4) + 1) -#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 >> (n))) * 2 -#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n)) ) / (128 >> (n))) * 5 +#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U +#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n)) ) / (128 >> (n))) * 5U // macros for applying weight #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \ From 9505b285385e96cd25cfd9d57bc499b0914d43ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Apr 2018 22:20:28 +0200 Subject: [PATCH 847/942] avcodec/flac_parser: Fix infinite loop Fixes: crbug/827204 Reported-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 6df531b7b3..00181f279a 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, } for (curr = fpc->headers; curr; curr = curr->next) { - if (curr->max_score > 0 && - (!fpc->best_header || curr->max_score > fpc->best_header->max_score)) { + if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) { fpc->best_header = curr; } } + if (fpc->best_header && fpc->best_header->max_score <= 0) { + // Only accept a bad header if there is no other option to continue + if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) + fpc->best_header = NULL; + } + if (fpc->best_header) { fpc->best_header_valid = 1; if (fpc->best_header->offset > 0) { From 88e5a30cf8351c313e52f8b1f75aa18f2912e5c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 18:16:08 +0200 Subject: [PATCH 848/942] avcodec/g2meet: Change order of operations to avoid undefined behavior Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int' Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index fd03685f39..e6be9c8081 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
@@ -1355,14 +1355,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride) } else { dst += x * 3; } - if (y < 0) { + + if (y < 0) h += y; + if (w < 0 || h < 0) + return; + if (y < 0) { cursor += -y * c->cursor_stride; } else { dst += y * stride; } - if (w < 0 || h < 0) - return; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { From 6aae60cc7da80c9c5c77634e412fbc52cc4677b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 19:11:36 +0200 Subject: [PATCH 849/942] avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done Fixes: assertion failure Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 28b5e087e8..260f419028 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1125,6 +1125,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; + if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) + continue; + for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; From 6850377b598c7540efa317476e30bc71fb0a1450 Mon Sep 17 00:00:00 2001 
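Review bot: The new guard uses `>` while the loop below it only runs when `RSpoc < FFMIN(codsty->nreslevels, REpoc)`, so the equality case skips the loop body yet still falls through to whatever follows the loop for this component; if that trailing code is what raised the assertion, `if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue;` is the bound that matches the loop. If the code after the loop must run in the equality case, a comment stating why `>` rather than `>=` is intended would stop the next reader from "fixing" it. jpeg2000_decode_packets_po_iteration starts and ends outside the hunk.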
From: Michael Niedermayer Date: Fri, 4 May 2018 19:18:25 +0200 Subject: [PATCH 850/942] avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 260f419028..98485ed601 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1147,10 +1147,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 int xc = x / s->cdx[compno]; int yc = y / s->cdy[compno]; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists From 00c18862a3134fb09811c5250492712c54b8130b Mon Sep 17 00:00:00 2001 
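Review bot: Widening the shift to `1LL` only moves the undefined-behaviour boundary from 31 to 63; nothing in this hunk bounds `rlevel->log2_prec_height + reducedresno`. If the parser already limits both (4-bit precinct exponents and at most 33 resolution levels would give a maximum of 47, matching the fuzzer report), a comment next to the shift recording that bound would justify the 64-bit type; otherwise the precinct sizes should be validated where they are parsed so the sum is known to be small. The two `FIXME this is a subset of the check` comments are carried forward unchanged and should at least say what the missing part of the check is. Whether the parser bounds log2_prec_* is not visible here.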
From: Michael Niedermayer Date: Fri, 27 Apr 2018 20:16:13 +0200 Subject: [PATCH 851/942] avcodec/g2meet: Check RGB upper limit Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int' Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index e6be9c8081..df3b5438ac 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -555,7 +555,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta); } - if (R<0 || G<0 || B<0) { + if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); return 0; } From 1747563cead72a0ca74aef54317e21bba9457b01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 May 2018 22:00:01 +0200 Subject: [PATCH 852/942] avcodec/fic: Check available input space for cursor Fixes: out of array read Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index a2df9d3cbd..034965cc46 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -334,6 +334,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } + if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { + skip_cursor = 1; + } + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) From a8fcb810c964380c1389d8256cac96861df496aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 May 2018 00:10:33 +0200 Subject: [PATCH 853/942] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 68ebd19560..994dc21d70 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) + (int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) + (int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) From ffe4ffa4ef7afbb2f5e576344c7dd7b2ba4201b1 Mon Sep 17 00:00:00 2001 
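Review bot: This hunk uses `CURSOR_OFFSET`, but within this series that macro is only introduced by patch 862 ("avcodec/fic: Avoid some magic numbers related to cursors"), ten patches later, whose hunk adds `#define CURSOR_OFFSET 59` as a new line; as ordered, every tree between patch 852 and patch 861 fails to compile fic.c, which breaks bisection. Either move patch 862 ahead of this one or fold the define into this patch. The comparison `avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)` also mixes int and size_t; avpkt->size is non-negative so it is safe, but `(size_t)avpkt->size` would make that explicit. fic_decode_frame starts and ends outside the hunk.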
From: Michael Niedermayer Date: Tue, 15 May 2018 17:07:00 +0200 Subject: [PATCH 854/942] avformat/mov: Only fail for STCO/STSC contradictions if both exist Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a See: crbug 822666 Found-by: "Mattias Wadman Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d7aefee482..4faa90fd99 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3066,7 +3066,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } - if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; From 876d3ee86209d1b1b86527f5121f1d1b0a412f7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 May 2018 13:40:38 +0200 Subject: [PATCH 855/942] indeo4: Decode all or nothing of a band header. This avoids inconsistent value combinations. Alternatively it would be possible to add more checks and careful use of temporary variables, but my try of this quickly seemed to become a rather large change. The disadvantage of this, is that the struct is copied back and forth. Fixes: index 6 out of bounds for type 'const uint16_t [5][16]' Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10c8521265da86118597336c5589e26de377a374) 
Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 1bf402551b..13fc42ecde 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -269,12 +269,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; + IVIBandDesc temp_band, *band = &temp_band; + memcpy(&temp_band, arg_band, sizeof(temp_band)); plane = get_bits(&ctx->gb, 2); band_num = get_bits(&ctx->gb, 4); @@ -408,10 +410,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(&ctx->gb)) - band->blk_vlc.tab = ctx->blk_vlc.tab; + arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, - &band->blk_vlc, avctx)) + &arg_band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -452,6 +454,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } + band->blk_vlc = arg_band->blk_vlc; + memcpy(arg_band, band, sizeof(*arg_band)); + return 0; } From 3eff19d38806a6f219fd42d9f03abad0fafd1b1d Mon Sep 17 00:00:00 2001 
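Review bot: blk_vlc is the one field written straight into arg_band before the header is fully validated (ff_ivi_dec_huff_desc targets `&arg_band->blk_vlc`), so the "all or nothing" guarantee in the commit message has an exception that a reader of decode_band_hdr cannot see; a comment at the copy-back, e.g. `/* blk_vlc is decoded directly into arg_band (presumably because the huffman descriptor owns its storage); every other field is committed only on success */`, would record why it is treated specially. Whether a blk_vlc left behind by an error return can itself produce an inconsistent band is not visible here. The memcpy is a shallow copy, so any pointer members of IVIBandDesc stay shared between temp_band and arg_band, which is worth a note as well. The middle of decode_band_hdr lies between the hunks.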
From: Michael Niedermayer Date: Thu, 17 May 2018 13:58:46 +0200 Subject: [PATCH 856/942] avcodec/mlpdec: Only change noise_type if the related fields are valid Fixes: inconsistency Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]' Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index f60f14cc71..c50dc73e25 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); - int min_channel, max_channel, max_matrix_channel; + int min_channel, max_channel, max_matrix_channel, noise_type; const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP ? MAX_MATRIX_CHANNEL_MLP : MAX_MATRIX_CHANNEL_TRUEHD; @@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } - s->noise_type = get_bits1(gbp); + noise_type = get_bits1(gbp); - if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) { + if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) { av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n"); return AVERROR_INVALIDDATA; } 
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { + if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", @@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, s->min_channel = min_channel; s->max_channel = max_channel; s->max_matrix_channel = max_matrix_channel; + s->noise_type = noise_type; if (m->avctx->request_channel_layout && (s->ch_layout & m->avctx->request_channel_layout) == m->avctx->request_channel_layout && m->max_decoded_substream > substr) { From 0d585110131186b47c092b683c7758922576ae61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 May 2018 23:08:05 +0200 Subject: [PATCH 857/942] avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes truncation Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169 Fixes: ffmpeg_crash_2.avi Found-by: Thuan Pham , Marcel Böhme, Andrew Santosa and Alexandru RazvanCaciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 1ba92381ec..df12dc8d99 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -910,7 +910,7 @@ void ff_set_mpeg4_time(MpegEncContext *s) static void mpeg4_encode_gop_header(MpegEncContext *s) { - int hours, minutes, seconds; + int64_t hours, minutes, seconds; int64_t time; put_bits(&s->pb, 16, 0); 
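Review bot: Widening hours/minutes/seconds to int64_t prevents the truncation the commit message describes, but if the put_bits calls that follow (outside this hunk) write hours into a 5-bit field, the assertion `value < (1U << n)` still fires for any hours value of 32 or more, which a long or offset timestamp could produce; clamping to the MPEG-4 time_code ranges before writing, `hours %= 24;` or an av_clip with a comment, would close that path. The rest of mpeg4_encode_gop_header is outside this hunk, so the field widths cannot be confirmed here.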
From fe37daf25dc60b92724953224b1a97713c9621e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 21:56:04 +0200 Subject: [PATCH 858/942] avcodec/g723_1dec: Clip bits2 in both directions Fixes: shift exponent 33 is too large for 32-bit type 'int' Fixes: 6743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5823772687859712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53f241218d9eac368e2e1c58bcca9bbdf10fd0e1) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 36b9197cf1..d205d0428c 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -548,7 +548,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy) denom <<= bits2; bits2 = 5 + bits1 - bits2; - bits2 = FFMAX(0, bits2); + bits2 = av_clip_uintp2(bits2, 5); gain = (num >> 1) / (denom >> 16); gain = square_root(gain << 16 >> bits2); From be77d7ba7879ceec361f095d108ed1bee98e9a0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 22:02:20 +0200 Subject: [PATCH 859/942] oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior Fixes: signed integer overflow: 1073741842 + 1784008138 cannot be represented in type 'int' Fixes: 6792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5677589835284480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62cb6fadf33de6db386deac92853d4b95c930015) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 0e532fcf84..8f72624559 100644 
--- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -180,10 +180,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h01 = h[0][1], h11 = h[1][1]; INTFLOAT h02 = h[0][2], h12 = h[1][2]; INTFLOAT h03 = h[0][3], h13 = h[1][3]; - INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; - INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; - INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; - INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; + UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; + UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; + UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; + UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; int n; for (n = 0; n < len; n++) { From 1f81818c6afef46987884ede8a20d4662800e37e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 22:06:48 +0200 Subject: [PATCH 860/942] avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int' Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 743ad6028c..9d50c06f77 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c 
@@ -385,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += (tmp + round) >> shift; + dest[group * 128 + k] += (tmp + (int64_t)round) >> shift; } } } From 243bdbde57181289b373ab50f6f91707f74f2471 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 May 2018 22:50:19 +0200 Subject: [PATCH 861/942] avcodec/g2meet: ask for sample with overflowing RGB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index df3b5438ac..58bf070e42 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -556,7 +556,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, } if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { - av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); + avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B); return 0; } From fe9c23bebbb2aa8e14eec9af1e99cabc8c5535ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 May 2018 23:42:36 +0200 Subject: [PATCH 862/942] avcodec/fic: Avoid some magic numbers related to cursors Signed-off-by: Michael Niedermayer (cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 034965cc46..621d352547 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
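Review bot: The message passed to avpriv_request_sample() keeps the trailing `\n`, and as far as I recall that helper appends its own text after the caller's message, so the newline lands mid-sentence in the log; drop it: `avpriv_request_sample(NULL, "RGB %d %d %d is out of range", R, G, B);`. Passing NULL as the context also loses the per-stream log prefix; if ePICContext can reach its AVCodecContext (not visible here), pass that instead. The `return 0` is unchanged and still feeds a zero pixel back into the predictor, which callers cannot distinguish from a legitimate value.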
@@ -81,6 +81,7 @@ static const uint8_t fic_qmat_lq[64] = { static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; #define FIC_HEADER_SIZE 27 +#define CURSOR_OFFSET 59 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { @@ -417,7 +418,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, /* Draw cursor. */ if (!skip_cursor) { - memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4); + memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf)); fic_draw_cursor(avctx, cur_x, cur_y); } From b4024909c12118e0a128ada65b53c012296a2626 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 May 2018 17:06:59 +0200 Subject: [PATCH 863/942] avformat/mov: Break out early if chunk_count is 0 in mov_build_index() Without this some operations might overflow (undefined behavior) even though the index adding loop would never execute No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4faa90fd99..c359e93e96 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2829,6 +2829,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; + if (!sc->chunk_count) + return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count; From 7f142e5402315b2707e2316d486fa5ea090d7bb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 May 2018 03:16:58 +0200 Subject: [PATCH 864/942] avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() Fixes: #7165 Signed-off-by: Michael Niedermayer (cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) 
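Review bot: `CURSOR_OFFSET` is still a bare number, and the `memcpy` depends on a packet-size check for `CURSOR_OFFSET + sizeof(ctx->cursor_buf)` that lives outside the hunk (presumably where skip_cursor is set). Document both at the define: `#define CURSOR_OFFSET 59 /* cursor bitmap follows the header; skip_cursor must be set when the packet is shorter than CURSOR_OFFSET + sizeof(cursor_buf) */`; if 59 is in fact FIC_HEADER_SIZE plus 32 bytes of cursor metadata, writing it as that sum would be clearer still — I cannot confirm the derivation from here. `sizeof(ctx->cursor_buf)` is only right if cursor_buf is an array rather than a pointer; the struct is not in view, but the old `32 * 32 * 4` suggests it is. fic_decode_frame starts and ends outside the hunk.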
diff --git a/libavformat/mov.c b/libavformat/mov.c index c359e93e96..5a7f4a4c27 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2271,14 +2271,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stsc_count = i; for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + int64_t first_min = i + 1; if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || - sc->stsc_data[i].first < 1 || + sc->stsc_data[i].first < first_min || sc->stsc_data[i].count < 1 || sc->stsc_data[i].id < 1) { av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); - if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) - return AVERROR_INVALIDDATA; + if (i+1 >= sc->stsc_count) { + sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min); + if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) + sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX); + sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1); + sc->stsc_data[i].id = FFMAX(sc->stsc_data[i].id, 1); + continue; + } + av_assert0(sc->stsc_data[i+1].first >= 2); // We replace this entry by the next valid sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; sc->stsc_data[i].count = sc->stsc_data[i+1].count; From bbd9f480f3e5199ef60374c18b8c4ef432e7fa16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2018 00:48:06 +0200 Subject: [PATCH 865/942] avcodec/amrwbdec: Fix division by 0 in find_hb_gain() This restructures the code slightly toward D_UTIL_dec_synthesis() Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974) 
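Review bot: `av_assert0(sc->stsc_data[i+1].first >= 2)` aborts the process on a condition derived from file data; it holds only because the loop walks from the last entry downwards and entry i+1 was already validated or repaired to `first >= i+2` on the previous iteration, and that reasoning appears nowhere in the code. Either return AVERROR_INVALIDDATA there, or keep the assert and explain it: `// entry i+1 was validated/repaired in the previous iteration, so its 'first' is >= i+2 >= 2`. The repaired last entry only has `id` raised to 1; an `id` above the stsd entry count must still be rejected by whoever consumes it, and I cannot see that check. mov_read_stsc continues outside the hunk.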
Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 328b754e7e..3314e47838 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -865,15 +865,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth, { int wsp = (vad > 0); float tilt; + float tmp; if (ctx->fr_cur_mode == MODE_23k85) return qua_hb_gain[hb_idx] * (1.0f / (1 << 14)); - tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) / - ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1); + + if (tmp > 0) { + tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + } else + tilt = 0; /* return gain bounded by [0.1, 1.0] */ - return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0); + return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0); } /** From f144d5eb4977735e1ca7fcbebb67b3ac5903ea05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2018 01:33:54 +0200 Subject: [PATCH 866/942] avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int' Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3) Signed-off-by: Michael Niedermayer --- libavcodec/opus_silk.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 408e4bf43c..6418743b6b 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c 
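Review bot: The `tmp > 0` guard fixes the division only because a positive lag-1 correlation implies a positive energy (the sum of squares dominates the cross term), and that implication is the whole reason the denominator cannot be zero; spell it out: `/* tmp > 0 implies the energy dot_productf(synth, synth) is > 0, so the division is safe */`. With non-finite synth values both dot products become inf, tilt becomes NaN, and av_clipf passes NaN through as I read it, so the gain would be NaN; if the synthesis filter can blow up on crafted input an `isfinite(tilt)` check would be cheap. Dropping FFMAX(0.0, tilt) is correct since tilt is now either 0 or a quotient of two positives.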
@@ -955,8 +955,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order) /* reconstruct A(z) */ for (k = 0; k < order>>1; k++) { - lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k]; - lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k]; + int32_t p_tmp = p[k + 1] + p[k]; + int32_t q_tmp = q[k + 1] - q[k]; + lpc32[k] = -q_tmp - p_tmp; + lpc32[order-k-1] = q_tmp - p_tmp; } /* limit the range of the LPC coefficients to each fit within an int16_t */ From aee71463fb2f1224e273d4f612ee7d6d63206219 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:09:59 +0200 Subject: [PATCH 867/942] avcodec/truemotion2: Fix overflow in tm2_apply_deltas() Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int' Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f7dbe047c7..b689efdb99 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -451,7 +451,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { - int ct, d; + unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ From 0c645bd73c7a80d7fbe4b21e4487520d7dd280b4 Mon Sep 17 00:00:00 2001 
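Review bot: `p[k + 1] + p[k]` and `q[k + 1] - q[k]` are still int32_t arithmetic, so this only moves where an overflow can happen; the fuzzer case is fixed because the final subtraction is now ordered like the reference, not because the sums are bounded. If p and q can approach INT32_MAX (they come from the polynomial step before the hunk, whose range I cannot see), the usual FFmpeg remedy is unsigned intermediates: `unsigned p_tmp = p[k + 1] + (unsigned)p[k];` and `unsigned q_tmp = q[k + 1] - (unsigned)q[k];`, with lpc32 receiving the wrapped value as before. The int16 clamp that follows the loop (outside the hunk) remains the real defence against garbage coefficients.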
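Review bot: Changing `ct` and `d` to unsigned alters any right shift or relational comparison on them in the loop body, which is entirely outside the hunk; a logical `>>` of a wrapped negative delta gives a different result than the arithmetic shift the int version had. If the body only adds and stores, the change is fine and deserves the comment `/* unsigned: delta accumulation may wrap on corrupt input and must not be UB */`; otherwise the casts belong at the individual additions rather than on the declarations. tm2_apply_deltas's body and its callers are not visible here.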
From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:17:24 +0200 Subject: [PATCH 868/942] avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int' Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 2ce351ddbc..713526be4c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1002,7 +1002,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc * (1 << point_transform))); + mask & (pred + (unsigned)(dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { From 07fd8627e5c274064aed85f0db73e9128a8e8cab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:03:48 +0200 Subject: [PATCH 869/942] avcodec/shorten: Sanity check nmeans Fixes: OOM Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232 The reference software appears to use longs for 32bits and it uses int for nmeans hinting that the intended maximum size was not 32bit. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index e4bf2e0035..b8a5664ce9 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
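Review bot: The `(unsigned)` cast wraps the addition, but the operand it is applied to, `dc * (1 << point_transform)`, is still a signed multiplication and can overflow before the cast takes effect; the reported case was the addition, so this is half the fix. Move the unsignedness into the multiply: `mask & (pred + (unsigned)dc * (1 << point_transform));` or equivalently `dc * (1U << point_transform)`. point_transform must also be below 31 for the shift to be defined; that bound is enforced elsewhere, if at all, and is not in view.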
@@ -374,6 +374,10 @@ static int read_header(ShortenContext *s) return AVERROR_INVALIDDATA; } s->nmean = get_uint(s, 0); + if (s->nmean > 32768U) { + av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean); + return AVERROR_INVALIDDATA; + } skip_bytes = get_uint(s, NSKIPSIZE); if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { From 50e55b81be23bed6a5aa836fdde602494b41c06c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:19:35 +0200 Subject: [PATCH 870/942] avcodec/shorten: Fix multiple integer overflows Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int' Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index b8a5664ce9..cbd8a78bc4 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -313,7 +313,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (i = 0; i < s->blocksize; i++) { sum = init_sum; for (j = 0; j < pred_order; j++) - sum += coeffs[j] * s->decoded[channel][i - j - 1]; + sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift); } @@ -593,7 +593,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* update means with info from the current block */ if (s->nmean > 0) { - int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; + int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2; for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; From 23fdebaec5796268561dc8a10a68cbe32b8396a4 Mon Sep 17 00:00:00 2001 
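Review bot: The new bound is a bare magic number and the log prints it with `%d` although it is compared as unsigned; give it a name tied to the justification in the commit message, e.g. `#define MAX_NMEAN 32768 /* reference decoder uses int; larger counts are implausible and only drive allocation */`, and use `%u` or `PRIu32` if nmean's type (not in view) is unsigned. nmean == 0 remains allowed, which as far as I can see is handled by the `s->nmean > 0` branches later in the file.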
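Review bot: The unsigned cast makes the multiply-accumulate wrap instead of overflow, but `sum` is declared outside the first hunk and the following `(sum >> qshift)` assumes an arithmetic shift; if sum is int, the wrapped product is converted back on `+=` (implementation-defined), which FFmpeg accepts but a reader will not guess. Add `/* unsigned: LPC accumulation may wrap on corrupt coefficients; the wrap is intended and must not be UB */` at the cast. The second hunk's int64_t sum over blocksize samples is exact and needs no such cast; only the store of that mean into its 32-bit slot (outside the hunk) remains a narrowing worth a glance.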
From: Michael Niedermayer Date: Fri, 8 Jun 2018 00:07:04 +0200 Subject: [PATCH 871/942] avcodec/wavpack: Fix overflow in adding tail Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int' Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 34f73fe8f2..c7855090fc 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -85,7 +85,7 @@ typedef struct WavpackContext { #define LEVEL_DECAY(a) (((a) + 0x80) >> 8) -static av_always_inline int get_tail(GetBitContext *gb, int k) +static av_always_inline unsigned get_tail(GetBitContext *gb, int k) { int p, e, res; From aa803d93bf89871b7d374c9fcd7d81a7e43bcb43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 00:42:31 +0200 Subject: [PATCH 872/942] avcodec/xwddec: Use ff_set_dimensions() Fixes: OOM Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 8b0845fc01..25c64e0e14 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c 
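Review bot: Only the return type changes; `res` is still computed as int inside get_tail (body outside the hunk), so the conversion happens at the return and the wrap the commit is after occurs in the caller's addition. That is the intent, but nothing says so; a doc comment on the prototype, `/* returns unsigned so callers can add it to a 32-bit value that may wrap without UB */`, would keep the type from being reverted. Any caller that compares the result against a negative int now compares unsigned; presumably none do, but the callers are not in view.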
@@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, uint32_t pixformat, pixdepth, bunit, bitorder, bpad; uint32_t rgb[3]; uint8_t *ptr; + int width, height; GetByteContext gb; if (buf_size < XWD_HEADER_SIZE) @@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, pixformat = bytestream2_get_be32u(&gb); pixdepth = bytestream2_get_be32u(&gb); - avctx->width = bytestream2_get_be32u(&gb); - avctx->height = bytestream2_get_be32u(&gb); + width = bytestream2_get_be32u(&gb); + height = bytestream2_get_be32u(&gb); xoffset = bytestream2_get_be32u(&gb); be = bytestream2_get_be32u(&gb); bunit = bytestream2_get_be32u(&gb); @@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, ncolors = bytestream2_get_be32u(&gb); bytestream2_skipu(&gb, header_size - (XWD_HEADER_SIZE - 20)); + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) + return ret; + av_log(avctx, AV_LOG_DEBUG, "pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder %"PRIu32", bpad %"PRIu32"\n", pixformat, pixdepth, bunit, bitorder, bpad); From 18214e2a3f209aa097d274083dca84c246c6c945 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 18:25:14 +0200 Subject: [PATCH 873/942] avcodec/h264_mc_template: Only prefetch motion if the list is used. Fixes: index 59 out of bounds for type 'H264Ref [48]' Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index e4333a733c..acdf4d126c 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c 
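Review bot: `width` and `height` are int but are filled from bytestream2_get_be32u(), so values of 2^31 or more arrive as negatives through an implementation-defined conversion before ff_set_dimensions() sees them; that function rejects negatives, so the outcome is correct but accidental. Either declare them `uint32_t` and reject `> INT_MAX` explicitly, or record the reliance: `/* values >= 2^31 become negative here and are rejected by ff_set_dimensions */`. The unchecked `bytestream2_skipu(&gb, header_size - ...)` just above the new check consumes an input-controlled length; I assume header_size was bounded earlier in this function, which is outside the hunk.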
@@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME)) await_references(h, sl); - prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 0)) + prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); if (IS_16X16(mb_type)) { mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0, From ff75dc10fd27d97b789f6d8df179e6f82580c586 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 May 2018 23:35:58 +0200 Subject: [PATCH 874/942] avformat/mov: Only set pkt->duration to non negative values Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5a7f4a4c27..1ea8b4094a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5141,7 +5141,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } else { int64_t next_dts = (sc->current_sample < st->nb_index_entries) ? st->index_entries[sc->current_sample].timestamp : st->duration; - pkt->duration = next_dts - pkt->dts; + + if (next_dts >= pkt->dts) + pkt->duration = next_dts - pkt->dts; pkt->pts = pkt->dts; } if (st->discard == AVDISCARD_ALL) From 963915a4b416e944c8f01bc3d635d6b64d8b0022 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 May 2018 22:44:07 +0200 Subject: [PATCH 875/942] fftools/ffmpeg: Fallback to duration if sample rate is unavailable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Regression since: af1761f7 Fixes: Division by 0 Fixes: ffmpeg_crash_1 Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3) 
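Review bot: The guard avoids dereferencing a reference index for an unused list, but the reported out-of-bounds (`index 59` into a 48-entry array) would also occur for a used list if the ref index itself is out of range; this hunk removes one path to the array, so confirm that ref indices are bounded by the active reference count at slice or macroblock parsing. A short comment, `/* the ref index is only meaningful when the list is used; prefetching it otherwise reads garbage */`, would explain the condition. If a list-1 prefetch exists later in hl_motion (outside the hunk) it needs the same guard.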
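Review bot: When `next_dts < pkt->dts` the duration is now left at whatever pkt->duration already held, and the hunk does not say what that is (0 from packet allocation, presumably); an explicit else branch or a comment makes the fallback visible: `/* non-monotonic index: leave duration at 0 rather than negative */`. `next_dts - pkt->dts` is int64 arithmetic, so with a dts near INT64_MIN from a corrupt stts the subtraction can still overflow; a saturating subtraction or a clamp would be the fully defined form. mov_read_packet continues outside the hunk.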
Signed-off-by: Michael Niedermayer --- ffmpeg.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 4d1a9724bf..11d4c1703d 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2382,8 +2382,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo ist->dts = ist->next_dts; switch (ist->dec_ctx->codec_type) { case AVMEDIA_TYPE_AUDIO: - ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / - ist->dec_ctx->sample_rate; + if (ist->dec_ctx->sample_rate) { + ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / + ist->dec_ctx->sample_rate; + } else { + ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q); + } break; case AVMEDIA_TYPE_VIDEO: if (ist->framerate.num) { From 626143903b1d9c102b6c7d402a6fc15906909841 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jun 2018 15:41:33 +0200 Subject: [PATCH 876/942] avutil/common: Fix undefined behavior in av_clip_uintp2_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 53e43feb3a..58ead80514 100644 --- a/libavutil/common.h +++ b/libavutil/common.h 
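Review bot: The new else branch dereferences `pkt`, and this function is also called with a NULL packet to flush at EOF, so the branch is only safe if the enclosing condition (outside the hunk) already requires a non-NULL packet; it looks like the stream-copy path does, but a `pkt &&` in the condition or a comment would make that locally obvious. Separately, with sample_rate set but frame_size 0 — common for stream copy, where no decoder is opened — next_dts still does not advance; using the packet duration whenever `frame_size * sample_rate == 0` would cover both cases. The switch continues beyond the hunk.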
@@ -228,7 +228,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, int p) */ static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p) { - if (a & ~((1<> 31 & ((1<> 31 & ((1< Date: Thu, 14 Jun 2018 16:37:32 +0200 Subject: [PATCH 877/942] avcodec/dirac_dwt_template: Fix undefined behavior in interleave() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8697/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5197148130902016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 575d8ca0260fabac29e5b3541154633569ce2b5d) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 8c25c1f822..528fc7e9e7 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { - dst[2*i ] = (src0[i] + add) >> shift; - dst[2*i+1] = (src1[i] + add) >> shift; + dst[2*i ] = (src0[i] + (unsigned)add) >> shift; + dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; } } From eaefd3ada963aa35277a466170c6be3e2cbeabfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jun 2018 16:41:49 +0200 Subject: [PATCH 878/942] avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int' Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0) 
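Review bot: Casting `add` to unsigned makes the whole expression unsigned, so `>> shift` is now a logical shift: for a negative `src0[i] + add` the result differs from the arithmetic shift the int version produced (e.g. -2 >> 1 was -1 and is now 0x7FFFFFFF). For a 16-bit TYPE the truncated low bits happen to agree for small shifts, but for a 32-bit TYPE instantiation this silently corrupts negative coefficients. Keep the wrap but restore the signed shift, as the ra144 change later in this series does: `dst[2*i ] = (int)(src0[i] + (unsigned)add) >> shift;` and likewise for src1.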
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 9d50c06f77..795397febe 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -434,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp * (1 << shift); + dest[i] += tmp * (1U << shift); } } } From d862380718a10132686130b4532bf3f9b3f70f14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jun 2018 22:48:54 +0200 Subject: [PATCH 879/942] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() Fixes: Timeout Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 713526be4c..e48cea51a9 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -979,6 +979,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int modified_predictor = predictor; + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n"); + return AVERROR_INVALIDDATA; + } + if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; From 1e067b7ed86c55382699330b9e9bb1d743627974 Mon Sep 17 00:00:00 2001 
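Review bot: `get_bits_left(&s->gb) < 1` only fires once the reader is already exhausted, i.e. after at least one macroblock has been decoded from whatever the bit reader returns past the end; each macroblock needs at least one bit per component, so `get_bits_left(&s->gb) < nb_components` would reject the same files one macroblock earlier without affecting valid ones. Worth a comment that this is a timeout guard rather than a correctness check, since the reader itself tolerates the overrun. ljpeg_decode_rgb_scan begins and ends outside the hunk.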
From: Michael Niedermayer Date: Sun, 24 Jun 2018 19:23:02 +0200 Subject: [PATCH 880/942] avcodec/escape124: Check buf_size against num_superblocks Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index dfbaec9877..97267cfa5f 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -222,7 +222,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. - if (get_bits_left(&gb) < 64) + // Check if the amount we will read minimally is available on input. + // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skiped superblocks. Non + // skipped SBs need more space. + if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); From 662f7cef06d31a0b98cf5769e671e70b7e53aa36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jun 2018 01:18:20 +0200 Subject: [PATCH 881/942] avcodec/cscd: Check output buffer size for lzo. Fixes: Timeout Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 35c4ee08c3..5eb511a565 100644 
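Review bot: The lower bound `num_superblocks * 23LL / 4320` is asserted by the comment but not derived; the hunk does not say what 23 and 4320 stand for, so the next reader cannot re-check it — extend the comment with where the figures come from, e.g. `// 23/4320: smallest bit cost of a skipped superblock observed in the bitstream format, see ...`. The failure still returns -1 where libavcodec callers expect `AVERROR_INVALIDDATA`. The spelling fixes applied to this comment later in the series do not change the math.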
--- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,7 +81,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } From 181c3d82e9025ba60cf83376195e6d8ab800cafc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jun 2018 23:08:32 +0200 Subject: [PATCH 882/942] avcodec/ra144: Fix integer overflow in ff_eval_refl() Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int' Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 67f0e84469..c399304ea1 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) b = 0x1000000 / b; for (j=0; j <= i; j++) { #if CONFIG_FTRAPV - int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12); + int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12); if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; + bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From dd7d2770f331cb1d2b3cdb2b2dbdbe1ce9b2b807 Mon Sep 17 00:00:00 2001 
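Review bot: `outlen` after av_lzo1x_decode() is the amount of output space left unused, so `|| outlen` rejects streams that decompress short and would otherwise leave stale data in decomp_buf; that is correct but reads like a typo. A comment makes it self-evident: `/* outlen is the remaining output space; a short stream must be rejected */`. Remaining input (`inlen != 0`, trailing bytes) is still accepted silently, which is probably intended leniency but deserves a word.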
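Review bot: The expression `bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)` is now written twice, once under CONFIG_FTRAPV and once for the real computation, and the two must stay identical for the trap check to mean anything. Hoist it: `int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12);` before the `#if`, keep the FTRAPV comparison, then `bp1[j] = (int)(a * (unsigned)b) >> 12;`. The `(int)` cast back before `>> 12` is the right idiom, as it keeps the arithmetic shift while making only the multiply wrap.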
From: Michael Niedermayer Date: Wed, 27 Jun 2018 13:00:28 +0200 Subject: [PATCH 883/942] avcodec/escape124: Fix spelling errors in comment Signed-off-by: Michael Niedermayer (cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 97267cfa5f..0965fdc3a7 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -223,8 +223,8 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. // Check if the amount we will read minimally is available on input. - // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 - // represent a lower bound of the space needed for skiped superblocks. Non + // The 64 represent the immediately next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; From 405cfcae41cd86d0485467c7ca2a22d16cea0cf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 18:40:08 +0200 Subject: [PATCH 884/942] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles Fixes: OOM Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 98485ed601..46f6b28ac5 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
@@ -340,7 +340,10 @@ static int get_siz(Jpeg2000DecoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height); - if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) { + // There must be at least a SOT and SOD per tile, their minimum size is 14 + if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) || + s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g) + ) { s->numXtiles = s->numYtiles = 0; return AVERROR(EINVAL); } From 3afdb1c8a7520ed0b95d013be11baf424765cfcf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 18:57:05 +0200 Subject: [PATCH 885/942] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 46f6b28ac5..65437bb293 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
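Review bot: `s->numXtiles * s->numYtiles * 14LL` multiplies the two int tile counts first, in int, and only then widens; it does not overflow solely because the preceding `||` operand already rejected products above `INT_MAX/sizeof(*s->tile)`. That dependency on evaluation order is fragile; write it `s->numXtiles * 14LL * s->numYtiles` or `(uint64_t)s->numXtiles * s->numYtiles * 14` so the bound stands on its own. bytestream2_size() is the whole buffer rather than what remains, so this is a loose lower bound, which is adequate for the OOM case the commit targets.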
@@ -1220,10 +1220,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 if (reslevelno >= codsty->nreslevels) continue; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists @@ -1291,10 +1291,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists From 21a65701581dba4f48f98b699817f126dd0da51f Mon Sep 17 00:00:00 2001 
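Review bot: `1LL << (rlevel->log2_prec_height + reducedresno)` is still undefined if the shift count reaches 64, so the fix rests on an upper bound for log2_prec_* plus reducedresno that nothing in this hunk states; the same applies to the sibling `log2_prec_width` line here and to both lines of the second hunk at -1291. If those values are bounded at parse time (a 4-bit precinct exponent and a resolution-level count at most 33 would keep the count under 48), a comment at the first occurrence such as `// shift count < 64: log2_prec_* <= 15 and nreslevels <= 33 are enforced when COD/COC are parsed` would record why a 64-bit shift suffices — please confirm those bounds against the parsing code, which is outside the hunk. jpeg2000_decode_packets_po_iteration() starts and ends outside both hunks.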
From: Michael Niedermayer Date: Mon, 2 Jul 2018 19:11:46 +0200 Subject: [PATCH 886/942] avcodec/shorten: Fix undefined addition in shorten_decode_frame() Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int' Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index cbd8a78bc4..f481a84fed 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -575,7 +575,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; for (i = 0; i < s->nmean; i++) - sum += s->offset[channel][i]; + sum += (unsigned)s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1; From 438e848b65c2f46fcc09a3809b711e12a6fc240b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 01:26:44 +0200 Subject: [PATCH 887/942] avcodec/indeo4: Check for end of bitstream in decode_mb_info() Fixes: Timeout Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 13fc42ecde..b2d3cd5f4b 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
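Review bot: The cast in `sum += (unsigned)s->offset[channel][i];` turns the overflow from undefined into a wrap, but the wrapped value still flows into `coffset = sum / s->nmean` and becomes a meaningless offset, so the intent (tolerate corrupt offsets rather than reject them) deserves a comment on that line, e.g. `/* unsigned: corrupt offsets may overflow; wrapping is harmless here, UB is not */`. Storing the unsigned result back into the int32_t `sum` is an implementation-defined conversion that is being relied on to be two's-complement wraparound, as elsewhere in the codebase. shorten_decode_frame() starts and ends outside the hunk.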
@@ -505,6 +505,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->b_mv_x = mb->b_mv_y = 0; + if (get_bits_left(&ctx->gb) < 1) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n"); + return AVERROR_INVALIDDATA; + } + if (get_bits1(&ctx->gb)) { if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); From ee8c6566e2abd9ae46976dba9873ecd9bb24001f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 21:37:46 +0200 Subject: [PATCH 888/942] avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() Fixes: use after free() Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit a7e032a277452366771951e29fd0bf2bd5c029f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index fa65998769..48420cfd67 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -523,7 +523,7 @@ static int rm_read_multi(AVFormatContext *s, AVIOContext *pb, size2 = avio_rb32(pb); ret = ff_rm_read_mdpr_codecdata(s, s->pb, st2, st2->priv_data, - size2, mime); + size2, NULL); if (ret < 0) return ret; } From 6cadf46dff14139ff2e5cf3276eb3ad58fb080e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 22:14:42 +0200 Subject: [PATCH 889/942] avformat/pva: Check for EOF before retrying in read_part_of_packet() Fixes: Infinite loop Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1) Signed-off-by: Michael Niedermayer --- libavformat/pva.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/pva.c b/libavformat/pva.c index 900ad6133d..9714fb186c 100644 --- a/libavformat/pva.c +++ b/libavformat/pva.c 
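Review bot: The guard `get_bits_left(&ctx->gb) < 1` covers only the single bit consumed by the `get_bits1()` immediately below it; the branches that then read further macroblock fields are outside the hunk and still depend on the bit reader's own behaviour past the end of the buffer. Since the commit message says this fixes a timeout, the check should say so, e.g. `/* stop on exhausted input; otherwise the per-macroblock loop keeps running on a truncated frame (see 267ba2aa) */`, so the next reader does not mistake it for a redundant bounds check. decode_mb_info() starts and ends outside the hunk.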
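Review bot: Passing `NULL` in place of `mime` removes the use-after-free the commit message describes, but nothing at the call site stops a later cleanup from putting `mime` back; a one-line comment would, e.g. `size2, NULL); /* not mime: reusing it here caused a use-after-free (a7e032a2) */`. If `mime` is no longer read after this point in rm_read_multi() (its body continues outside the hunk), the variable itself may now be a dead store worth removing or explaining.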
@@ -134,6 +134,10 @@ recover: pes_flags = avio_rb16(pb); pes_header_data_length = avio_r8(pb); + if (avio_feof(pb)) { + return AVERROR_EOF; + } + if (pes_signal != 1 || pes_header_data_length == 0) { pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, " "trying to recover\n"); From 94edbf464c007a76115cec61657d1e6accdaf8ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 20:33:04 +0200 Subject: [PATCH 890/942] avformat/mms: Add missing chunksize check Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch 1st hunk by Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8) Signed-off-by: Michael Niedermayer --- libavformat/mms.c | 44 ++++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/libavformat/mms.c b/libavformat/mms.c index 807aadef0f..9f675f2dd0 100644 --- a/libavformat/mms.c +++ b/libavformat/mms.c 
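Review bot: `return AVERROR_EOF;` after `avio_feof(pb)` discards any read error recorded in `pb->error`; the usual libavformat form is `return pb->error ? pb->error : AVERROR_EOF;` so callers can tell a truncated file from an I/O failure. Placing the check after the three avio reads is deliberate and worth a comment, e.g. `/* check after the reads: avio_r8()/avio_rb16() return 0 past the end, which the recover loop would otherwise retry forever */`, since a reader may be tempted to move it up to the `recover:` label. read_part_of_packet() starts and ends outside the hunk.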
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) { - flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); - stream_id = flags & 0x7F; - //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, - //we can calcuate the packet size by stream_num. - //Please see function send_stream_selection_request(). - if (mms->stream_num < MMS_MAX_STREAMS && - 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { - mms->streams = av_fast_realloc(mms->streams, - &mms->nb_streams_allocated, - (mms->stream_num + 1) * sizeof(MMSStream)); - if (!mms->streams) - return AVERROR(ENOMEM); - mms->streams[mms->stream_num].id = stream_id; - mms->stream_num++; - } else { - av_log(NULL, AV_LOG_ERROR, - "Corrupt stream (too many A/V streams)\n"); - return AVERROR_INVALIDDATA; + if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) { + flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); + stream_id = flags & 0x7F; + //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, + //we can calcuate the packet size by stream_num. + //Please see function send_stream_selection_request(). + if (mms->stream_num < MMS_MAX_STREAMS && + 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { + mms->streams = av_fast_realloc(mms->streams, + &mms->nb_streams_allocated, + (mms->stream_num + 1) * sizeof(MMSStream)); + if (!mms->streams) + return AVERROR(ENOMEM); + mms->streams[mms->stream_num].id = stream_id; + mms->stream_num++; + } else { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (too many A/V streams)\n"); + return AVERROR_INVALIDDATA; + } } } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { if (end - p >= 88) { 
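Review bot: The new guard `end - p >= (sizeof(ff_asf_guid) * 3 + 26)` compares a signed pointer difference with a size_t, so a negative `end - p` would convert to a huge unsigned value and pass; if the enclosing loop guarantees p < end that is harmless, but a cast such as `(size_t)(end - p) >= sizeof(ff_asf_guid) * 3 + 26` makes the assumption explicit and quiets -Wsign-compare. More importantly the truncated case has no else branch: a stream header shorter than the required length (74 bytes if the GUID is 16 bytes) is silently skipped and parsing continues with `p += chunksize`, whereas the head1_guid branch in the second hunk logs and returns AVERROR_INVALIDDATA for the same kind of truncation. Consider making the two consistent, either by returning here as well or by logging at AV_LOG_WARNING that the stream header was ignored. ff_mms_asf_header_parser() starts and ends outside the hunk.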
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { chunksize = 46; // see references [2] section 3.4. This should be set 46. + if (chunksize > end - p) { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (header chunksize %"PRId64" is invalid)\n", + chunksize); + return AVERROR_INVALIDDATA; + } } p += chunksize; } From 469503ac1de315a9288e333dbfc0896e3027227c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 16:51:51 +0200 Subject: [PATCH 891/942] avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: ffmpeg_bof_1.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit ed22dc22216f74c75ee7901f82649e1ff725ba50) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index cdc3a00f1f..61116a5227 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -377,6 +377,11 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) info->ec3_done = 1; goto concatenate; } + } else { + if (hdr->substreamid != 0) { + avpriv_request_sample(mov->fc, "Multiple non EAC3 independent substreams"); + return AVERROR_PATCHWELCOME; + } } /* fill the info needed for the "dec3" atom */ From 4ead5a947003f8556bf23533cdca9409187a3ac3 Mon Sep 17 00:00:00 2001 
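Review bot: The message `"Corrupt stream (header chunksize %"PRId64" is invalid)\n"` prints `chunksize`, which on this path is always the constant 46 assigned on the line above, so the log line carries no diagnostic value; printing the remaining input is more useful, e.g. `"Corrupt stream (header chunk needs %"PRId64" bytes, %"PRId64" left)\n", chunksize, (int64_t)(end - p)`. The check is correctly placed after the override, since any chunksize validation done earlier in the loop (outside the hunk) would have seen the value read from the stream rather than the hard-coded 46; a comment such as `// chunksize was just overridden, re-validate it against the remaining input` would say why the check is repeated here.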
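Review bot: `} else { if (hdr->substreamid != 0) { ... } }` is a lone if nested inside an otherwise empty else; `} else if (hdr->substreamid != 0) {` reads as the single condition it is and keeps the surrounding chain's indentation. The branch also deserves one line on why only substream 0 is accepted for frame types other than EAC3_FRAME_TYPE_INDEPENDENT, since the reason is not visible in this code; something like `/* non-independent frames: only substream 0 is tracked, see the dec3 atom fields below */` — adjust to what the info struct actually records. The if this else pairs with, and handle_eac3() itself, start outside the hunk.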
From: Michael Niedermayer Date: Fri, 6 Jul 2018 16:28:14 +0200 Subject: [PATCH 892/942] avcodec/mjpegdec: Check for odd progressive RGB Fixes: out of array access Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e48cea51a9..a4eefb24a7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -594,6 +594,10 @@ unk_pixfmt: av_log(s->avctx, AV_LOG_ERROR, "lowres not supported for weird subsampling\n"); return AVERROR_PATCHWELCOME; } + if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) { + avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling"); + return AVERROR_PATCHWELCOME; + } if (s->ls) { memset(s->upscale_h, 0, sizeof(s->upscale_h)); memset(s->upscale_v, 0, sizeof(s->upscale_v)); From 790e6fead0785831e2273ad1b425a63c6b64aef3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 22:23:25 +0200 Subject: [PATCH 893/942] avformat/movenc: Check input sample count Fixes: division by 0 Fixes: fpe_movenc.c_199_1.wav Fixes: fpe_movenc.c_199_2.wav Fixes: fpe_movenc.c_199_3.wav Fixes: fpe_movenc.c_199_4.wav Fixes: fpe_movenc.c_199_5.wav Fixes: fpe_movenc.c_199_6.wav Fixes: fpe_movenc.c_199_7.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 61116a5227..c093c48ae1 100644 --- a/libavformat/movenc.c 
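Review bot: `AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)` is an "any of the four entries nonzero" test written as a 32-bit big-endian load, which silently depends on both arrays being exactly 4 bytes and reads as an endianness concern to anyone unfamiliar with the idiom. A comment on the new line, e.g. `/* AV_RB32 over the 4-byte upscale_* arrays: nonzero iff any component needs upscaling */`, makes it self-explanatory; the `memset(..., sizeof(s->upscale_h))` calls just below show the array size is available if someone prefers a loop. The enclosing function starts and ends outside the hunk.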
+++ b/libavformat/movenc.c @@ -4437,6 +4437,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) else samples_in_chunk = 1; + if (samples_in_chunk < 1) { + av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no samples\n"); + return AVERROR_PATCHWELCOME; + } + /* copy extradata if it exists */ if (trk->vos_len == 0 && enc->extradata_size > 0 && !TAG_IS_AVCI(trk->tag) && From c3831e89efce13d6494a1f4308198f48efd274bc Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 17 Mar 2016 21:46:06 -0300 Subject: [PATCH 894/942] libwebpenc_animencoder: add missing braces to struct initialization The first member of the WebPAnimEncoderOptions struct is non scalar Signed-off-by: James Almer (cherry picked from commit 488e6409df2487a2aedbd5adb5ac3f7e74216588) Signed-off-by: Michael Niedermayer --- libavcodec/libwebpenc_animencoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libwebpenc_animencoder.c b/libavcodec/libwebpenc_animencoder.c index 61ecae8a8a..91bf64ca8b 100644 --- a/libavcodec/libwebpenc_animencoder.c +++ b/libavcodec/libwebpenc_animencoder.c @@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx) int ret = ff_libwebp_encode_init_common(avctx); if (!ret) { LibWebPAnimContext *s = avctx->priv_data; - WebPAnimEncoderOptions enc_options = { 0 }; + WebPAnimEncoderOptions enc_options = { { 0 } }; WebPAnimEncoderOptionsInit(&enc_options); enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE; // TODO(urvang): Expose some options on command-line perhaps. From 0d4a11d0a9474c78fbc846fe9bc707be35426c71 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 24 Nov 2017 17:46:16 -0300 Subject: [PATCH 895/942] avformat/utils: fix mixed declarations and code Signed-off-by: James Almer (cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
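Review bot: Returning `AVERROR_PATCHWELCOME` for a packet with no samples signals a missing feature, but an empty audio packet is malformed input rather than unsupported input, so `AVERROR_INVALIDDATA` (or `AVERROR(EINVAL)`) matches what callers expect from a muxer rejecting bad data; the words "fatal error" in the log text add nothing the AV_LOG_ERROR level does not already convey. Suggested: `av_log(s, AV_LOG_ERROR, "input packet contains no samples\n"); return AVERROR_INVALIDDATA;`. The visible `else samples_in_chunk = 1;` shows a zero count can only come from the other branch (outside the hunk), so a short comment naming the division this guards, per the commit message, would help the next reader locate it. ff_mov_write_packet() starts and ends outside the hunk.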
diff --git a/libavformat/utils.c b/libavformat/utils.c index c308f443cf..587fad8e1a 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1536,10 +1536,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; - av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; + av_assert2(wrap_bits <= 64); while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { From 328ab7f0a1ca1f41002772a193fa0251aa42bf8e Mon Sep 17 00:00:00 2001 From: Rahul Chaudhry Date: Fri, 27 Apr 2018 13:49:52 -0700 Subject: [PATCH 896/942] swresample/arm: rename labels to fix xcode build error Signed-off-by: Michael Niedermayer (cherry picked from commit e84212b78e00df17799e01be1e153a073eb8f689) Signed-off-by: Michael Niedermayer --- libswresample/arm/audio_convert_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 7729514701..085d50aafa 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,7 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 -_swri_oldapi_conv_flt_to_s16_neon: +.L_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 @@ -67,7 +67,7 @@ _swri_oldapi_conv_flt_to_s16_neon: endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 -_swri_oldapi_conv_fltp_to_s16_2ch_neon: +.L_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! 
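Review bot: `av_assert2(wrap_bits <= 64);` only bounds the upper end, and av_assert2 is compiled out at the default assert level, so if `pts_wrap_bits` can ever be 0 the `2ULL << (wrap_bits - 1)` two lines below shifts by -1, which is undefined. If stream setup already guarantees 1 <= pts_wrap_bits <= 64 (not visible here), stating it in the assertion, `av_assert2(wrap_bits >= 1 && wrap_bits <= 64);`, costs nothing and documents the precondition the shift depends on. av_read_frame() starts and ends outside the hunk.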
@@ -135,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt _swri_oldapi_conv_flt_to_s16_neon - beq _swri_oldapi_conv_fltp_to_s16_2ch_neon + blt .L_swri_oldapi_conv_flt_to_s16_neon + beq .L_swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 From 0c9c4c3103c2e980dbebb6622e05e1be4ee65a11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:33:08 +0200 Subject: [PATCH 897/942] avcodec/dirac_dwt_template: Fix signedness regression in interleave() Found-by: Tested-by: James Darnley Signed-off-by: Michael Niedermayer (cherry picked from commit 181435a4de6e38e0a15ddaf16de9a157ef41cb18) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 528fc7e9e7..2369c8d15b 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { - dst[2*i ] = (src0[i] + (unsigned)add) >> shift; - dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; + dst[2*i ] = ((int)(src0[i] + (unsigned)add)) >> shift; + dst[2*i+1] = ((int)(src1[i] + (unsigned)add)) >> shift; } } From e7dc6231e2630ad61d4bab12322adffe327e79e5 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Tue, 3 Apr 2018 14:41:33 +0200 Subject: [PATCH 898/942] avcodec/imgconvert: fix possible null pointer dereference regression since 354b26a3945eadd4ed8fcd801dfefad2566241de (cherry picked from commit 8c2c97403baf95d0facb53f03e468f023eb943e1) (cherry picked from commit c1e172c2e14ef059dac632f7c67f081dfecd30dc) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 19212d5e5b..3ec1403a1e 100644 
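Review bot: `((int)(src0[i] + (unsigned)add)) >> shift` now relies on two implementation-defined behaviours — converting an out-of-range unsigned back to int, and right-shifting a negative int — which is the intent (wrap, then arithmetic shift) but should be written down, e.g. `/* unsigned add: wrap instead of UB on overflow; cast back to int before >> so negative values keep the arithmetic shift */` on the first of the two lines. GCC and Clang document both behaviours as modulo conversion and arithmetic shift, which is what the signedness regression named in the subject was about. interleave() starts outside the hunk; only its closing brace is visible.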
--- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -80,11 +80,12 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int loss; for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { - loss = *loss_ptr; + loss = loss_ptr ? *loss_ptr : 0; best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); } - *loss_ptr = loss; + if (loss_ptr) + *loss_ptr = loss; return best; } From d7d237a441cbed22b8a3cce016c94e64c4ab7fed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:54:48 +0200 Subject: [PATCH 899/942] avcodec/dvdsub_parser: Init output buf/size No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c8437761661441d836876934314cb2b8fafe7) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 32a945ed65..8e1c48bef6 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s, { DVDSubParseContext *pc = s->priv_data; + *poutbuf = buf; + *poutbuf_size = buf_size; + if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { if (buf_size) From 961eeb4035c345e756c4bbf549f1a731e53322bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:56:10 +0200 Subject: [PATCH 900/942] avcodec/dvdsub_parser: Allocate input padding Fixes: out of array read Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cd86b5cfe278af79d6b147e122d9a72c270a9fde) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
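Review bot: `loss = loss_ptr ? *loss_ptr : 0;` makes loss_ptr optional for avcodec_find_best_pix_fmt_of_list(), but the public contract for that parameter lives in the header, which this commit does not touch; its doc comment should state that NULL is accepted and what a 0 input mask means for the underlying avcodec_find_best_pix_fmt_of_2() call. Re-reading `*loss_ptr` on every iteration rather than once before the loop is pre-existing behaviour the commit keeps, and a one-line comment such as `/* reset to the caller's mask for each candidate; the helper presumably overwrites loss with what it found */` would explain why the load sits inside the loop. The function's signature is outside the hunk.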
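Review bot: Setting `*poutbuf = buf; *poutbuf_size = buf_size;` at the top means every early return that follows (the "input too small" path visible here and any later one) now hands the raw, unassembled input through to the decoder instead of leaving the output unset; if that pass-through is the intended fallback it should be stated, e.g. `/* default: pass the input through untouched; replaced once a complete packet has been assembled */`, and if it is not, `NULL`/`0` is the safer default for a parser. dvdsub_parse() continues outside the hunk, so which of the two the later code expects cannot be confirmed from here.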
diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 8e1c48bef6..698ccb6987 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); av_freep(&pc->packet); - pc->packet = av_malloc(pc->packet_len); + if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { + av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len); + return buf_size; + } + pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE); } if (pc->packet) { if (pc->packet_index + buf_size <= pc->packet_len) { From 60493f388ca7552970e865ff76d39c963eca955f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Jul 2018 22:22:35 +0200 Subject: [PATCH 901/942] avutil/pixfmt: Document chroma plane size for odd resolutions Signed-off-by: Michael Niedermayer (cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5) Signed-off-by: Michael Niedermayer --- libavutil/pixfmt.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h index c01c0575f7..fd7f6153c2 100644 --- a/libavutil/pixfmt.h +++ b/libavutil/pixfmt.h @@ -43,6 +43,10 @@ * This is stored as BGRA on little-endian CPU architectures and ARGB on * big-endian CPUs. * + * @note + * If the resolution is not a multiple of the chroma subsampling factor + * then the chroma plane resolution must be rounded up. + * * @par * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized * image data is stored in AVFrame.data[0]. The palette is transported in From d7d54f3fd5a68d6bcc38ff698d1d87fdbf0358aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jul 2018 22:44:12 +0200 Subject: [PATCH 902/942] swresample/swresample: Fix input channel count in resample_first computation Found-by: Marcin Gorzel Reviewed-by: Marcin Gorzel 
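Review bot: `av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE)` allocates the padding but never initialises it, so the bytes past `packet_len` that a decoder may over-read (the out-of-array read this fixes) now hold whatever the allocator left there, while the padding convention is that they are zero. Either clear the tail right after the allocation, `if (pc->packet) memset(pc->packet + pc->packet_len, 0, AV_INPUT_BUFFER_PADDING_SIZE);`, or use av_mallocz() for the whole buffer; the later `memcpy` is bounded by `packet_len` (see the `pc->packet_index + buf_size <= pc->packet_len` check), so the cleared tail is never overwritten. The `(unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` test also rejects negative lengths via the unsigned conversion, which merits a short comment since it is not obvious at a glance. The `if (pc->packet)` that follows already handles allocation failure, so no extra NULL check is needed.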
Signed-off-by: Michael Niedermayer (cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 47d4f0dd0b..54180e220c 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -316,7 +316,7 @@ av_cold int swr_init(struct SwrContext *s){ av_assert0(s->used_ch_count); av_assert0(s->out.ch_count); - s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; + s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; s->in_buffer= s->in; s->silence = s->in; From 057cfa4200e4d35c89f091d932906fc75945a5dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 18:58:34 +0200 Subject: [PATCH 903/942] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int' Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index da5240a135..92fbe355a1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1315,8 +1315,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 86dfce06e3acd7e0259aecac2e0b849d31a70d97 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 22 Jul 2018 19:11:04 +0200 Subject: [PATCH 904/942] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 2369c8d15b..5d55d932a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int // second stage combined with interleave and shift b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]); - b[0] = (b0 + 1) >> 1; + b[0] = ~((~b0) >> 1); for (x = 1; x < w2; x++) { b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]); b1 = COMPOSE_DAUB97iH0( b0, temp[x+w2-1], b2 ); - b[2*x-1] = (b1 + 1) >> 1; - b[2*x ] = (b2 + 1) >> 1; + b[2*x-1] = ~((~b1) >> 1); + b[2*x ] = ~((~b2) >> 1); b0 = b2; } - b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1; + b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1); } static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2, From cc82d22289c94c936eec71fe4f46eb101cf281e3 Mon Sep 17 00:00:00 2001 
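Review bot: `~((~b0) >> 1)` is not equivalent to `(b0 + 1) >> 1`: with an arithmetic right shift, complement commutes with the shift, so `~((~x) >> 1)` simplifies to `x >> 1` (x = 3: ~3 = -4, -4 >> 1 = -2, ~(-2) = 1, whereas (3 + 1) >> 1 = 2), and all four rewritten lines therefore drop the rounding offset and return one less for odd inputs. If round-half-up was intended, an overflow-free form that keeps it is the one this same series already uses in interleave(): `b[0] = ((int)(b0 + 1U)) >> 1;` and likewise for b1, b2 and the `b[w-1]` line. If the rounding change is deliberate, the commit message should say so, and any FATE references covering the 9/7 wavelet may need updating. horizontal_compose_daub97i() starts outside the hunk.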
From: Michael Niedermayer Date: Sun, 22 Jul 2018 20:45:39 +0200 Subject: [PATCH 905/942] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 92fbe355a1..d678363875 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -129,7 +129,7 @@ typedef struct DiracContext { GetBitContext gb; AVDiracSeqHeader seq; int seen_sequence_header; - int frame_number; /* number of the next frame to display */ + int64_t frame_number; /* number of the next frame to display */ Plane plane[3]; int chroma_x_shift; int chroma_y_shift; @@ -2214,7 +2214,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (*got_frame) - s->frame_number = picture->display_picture_number + 1; + s->frame_number = picture->display_picture_number + 1LL; return buf_idx; } From 9f18b056da9be419267c11185c0ab86c817b6312 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 21:42:16 +0200 Subject: [PATCH 906/942] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int' Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
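Review bot: Widening `frame_number` to int64_t and adding `1LL` fixes the overflow at the assignment, but every other use of the field (comparisons with display_picture_number, any `%d` in av_log() calls, copies into int locals) is outside these two hunks and now silently narrows or mismatches the format string; those sites should be audited, with printf-style uses switched to `%"PRId64"`. The struct comment `/* number of the next frame to display */` could also mention the -1 special case the subject line refers to, e.g. `/* number of the next frame to display; -1 = none yet */` — confirm the exact meaning of -1 before adopting that wording.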
Signed-off-by: Michael Niedermayer (cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index d678363875..272f2b4011 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -906,6 +906,10 @@ static int decode_lowdelay(DiracContext *s) for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) { bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den - slice_num * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den; + if (bytes >= INT_MAX || bytes*8 > bufsize) { + av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n"); + return AVERROR_INVALIDDATA; + } slices[slice_num].bytes = bytes; slices[slice_num].slice_x = slice_x; slices[slice_num].slice_y = slice_y; From f81fd4c524e75013a496619b7571f461b12d9a06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Jul 2018 12:40:48 +0200 Subject: [PATCH 907/942] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() Fixes: Timeout Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 5745afc517..13b167f089 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c 
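Review bot: `if (bytes >= INT_MAX || bytes*8 > bufsize)` joins two different concerns — `bytes >= INT_MAX` presumably guards the narrowing store `slices[slice_num].bytes = bytes` and a later int-typed `bytes * 8`, while `bytes*8 > bufsize` is the actual size check — and the message `"too many bytes"` names neither, so including the values would help: `av_log(s->avctx, AV_LOG_ERROR, "slice %d: %"PRId64" bytes exceed the %d remaining\n", slice_num, bytes, bufsize);` (adjust the formats to the variables' actual types, which the hunk does not show). If `bytes` is an int rather than int64_t, `bytes*8` in the new check overflows for exactly the value quoted in the commit message, so the declaration (outside the hunk) should be confirmed. decode_lowdelay() starts and ends outside the hunk.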
@@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (num_pixels * (bytestream2_get_byte(&s->g) - 1)); @@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (4 * (bytestream2_get_byte(&s->g) - 1)); @@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 2; @@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 3; @@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 4; From f6e570aa011b7dfc3e396fb19a1ba30b57698a38 Mon Sep 17 00:00:00 2001 
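Review bot: The guard added to qtrle_decode_2n4bpp() returns silently when the packet runs out, so a truncated frame is emitted as a partial picture with no diagnostic; an `av_log(s->avctx, AV_LOG_ERROR, "Truncated RLE data\n");` before the `return;` would make the fuzzed case visible in logs. The identical two lines are pasted into five decoders in this patch, and a macro next to CHECK_PIXEL_PTR, e.g. `#define CHECK_STREAM_LEFT() if (bytestream2_get_bytes_left(&s->g) < 1) return;`, keeps them in sync. Note the check guarantees only one more byte, which covers the skip-code read but not a literal run of `rle_code` pixels; since bytestream2 reads past the end return zeros rather than failing, such a run paints zero pixels until CHECK_PIXEL_PTR stops it, which is memory-safe but deserves a comment. All five functions start before and continue after their hunks.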
From: Michael Niedermayer Date: Sat, 28 Jul 2018 10:59:09 +0200 Subject: [PATCH 908/942] avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c() Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented in type 'int' Fixes: 8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 8f72624559..b924148e0f 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h1 = h[0][1]; INTFLOAT h2 = h[0][2]; INTFLOAT h3 = h[0][3]; - INTFLOAT hs0 = h_step[0][0]; - INTFLOAT hs1 = h_step[0][1]; - INTFLOAT hs2 = h_step[0][2]; - INTFLOAT hs3 = h_step[0][3]; + UINTFLOAT hs0 = h_step[0][0]; + UINTFLOAT hs1 = h_step[0][1]; + UINTFLOAT hs2 = h_step[0][2]; + UINTFLOAT hs3 = h_step[0][3]; int n; for (n = 0; n < len; n++) { From f7778c2ce95449b60e167644b3fe5bd09ec1fd14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Aug 2018 14:51:36 +0200 Subject: [PATCH 909/942] avcodec/mpegaudio_parser: Initialize poutbuf* Possibly fixes: null pointer dereference Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224 Fixes: Heap-use-after-free Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
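Review bot: The switch of hs0..hs3 to UINTFLOAT carries no comment, and the reason is not visible at the use sites because the `h0 += hs0` accumulation is outside the hunk: in the fixed-point build the step is presumably an unsigned integer so the per-sample accumulation wraps instead of overflowing a signed int, while in the float build UINTFLOAT should be plain float and nothing changes. A one-line comment keeps a later cleanup from reverting it, e.g. `UINTFLOAT hs0 = h_step[0][0]; /* unsigned in the fixed-point build: h += hs may wrap on corrupt input, and wrap is defined while signed overflow is not */`. ps_stereo_interpolate_c() begins and ends outside the hunk.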
Signed-off-by: Michael Niedermayer (cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 8c39825792..a072851ecf 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1, } else if (codec_id == AV_CODEC_ID_MP3ADU) { avpriv_report_missing_feature(avctx, "MP3ADU full parser"); + *poutbuf = NULL; + *poutbuf_size = 0; return 0; /* parsers must not return error codes */ } From 5eeaaa29fae0d5c22e2e542bc3064b984e34c93b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Aug 2018 22:43:33 +0200 Subject: [PATCH 910/942] avcodec/shorten: Check verbatim length Fixes: Timeout Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index f481a84fed..047fb05a9b 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -518,6 +518,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, switch (cmd) { case FN_VERBATIM: len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); + if (len < 0 || len > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n", + len); + return AVERROR_INVALIDDATA; + } while (len--) get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); break; From f1425b389a3b7d4758d2b1faf97f2624e27c3819 Mon Sep 17 00:00:00 2001 
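Review bot: The MP3ADU branch now sets `*poutbuf`/`*poutbuf_size` but nothing in the code says why, and the reason (the use-after-free and NULL dereference in the commit message) lives only in the commit; a comment at the two added lines ties the contract to the code, e.g. `/* callers read *poutbuf even on a 0 return, so never leave it uninitialized or pointing at a previous buffer */`. If the parser callback contract is that the output pointers are always valid after return, the other early-return paths of mpegaudio_parse(), which are outside this hunk, should be checked for the same omission. The function starts and ends outside the hunk.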
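Review bot: The new length check bounds `len` by the number of bits left, but each verbatim byte is read with get_ur_golomb_shorten(), which consumes at least VERBATIM_BYTE_SIZE+1 bits (fixed part plus unary stop bit) if that helper is the usual Rice decoder, so the bound can be tightened by that factor: `if (len < 0 || len > get_bits_left(&s->gb) / (VERBATIM_BYTE_SIZE + 1)) {`. The looser check still ends the reported timeout, since the loop is now bounded by the packet size. The enclosing switch and shorten_decode_frame() start and end outside the hunk.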
From: Michael Niedermayer Date: Sun, 12 Aug 2018 22:55:59 +0200 Subject: [PATCH 911/942] avcodec/shorten: Fix integer overflow in residual/LPC combination Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int' Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 047fb05a9b..de2be90e77 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -315,7 +315,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (j = 0; j < pred_order; j++) sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + - (sum >> qshift); + (unsigned)(sum >> qshift); } /* add offset to current samples */ From 0ea54cae21824dab70c1d11a329ea3bbab3538af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 15:36:29 +0200 Subject: [PATCH 912/942] avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() Fixes: long running loop Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 48420cfd67..e3c8c56e4c 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
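Review bot: The `(unsigned)` cast on `sum >> qshift` makes the residual-plus-prediction addition wrap instead of overflowing, but there is no comment, and the first context line of the hunk shows the same idiom on the multiply-accumulate, so a reader has to reconstruct the intent twice; `/* unsigned: corrupt streams can overflow here, wrap is defined, signed overflow is not */` on the assignment would do. The value is still converted back to the element type of `s->decoded` on store (declared outside the hunk), which is implementation-defined rather than undefined, and `sum >> qshift` for a negative sum relies on an arithmetic shift as elsewhere in FFmpeg. decode_subframe_lpc() starts and ends outside the hunk.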
@@ -1278,6 +1278,8 @@ static int ivr_read_header(AVFormatContext *s) if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) { ret = rm_read_multi(s, pb, st, NULL); } else { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -4, SEEK_CUR); ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, len, NULL); } From 4babf70c7efbcc6c77839944007815e58a380ec7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 15:36:28 +0200 Subject: [PATCH 913/942] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned Fixes: infinite loop Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 288b2a1010..253ad61383 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -77,7 +77,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) return 0; } -static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, int size) +static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); if (!value) { From 172bb520c98fa96129d909dc9b6c6872702571b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 12:23:20 +0200 Subject: [PATCH 914/942] avformat/nsvdec: Do not parse multiple NSVf The specification states "NSV files may contain a single file header. " Fixes: out of array access Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421 Found-by: Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) 
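Review bot: With `size` now unsigned, `size + 1` on the first line of read_string() wraps to 0 when size == UINT_MAX, so av_malloc() is asked for 0 bytes instead of failing; the rest of the body is outside the hunk, but if it then reads `size` bytes and writes `value[size] = 0`, the wrapped allocation becomes an out-of-bounds write. Do the addition in size_t so that on 64-bit targets there is no wrap and av_malloc() rejects the oversized request, and add an explicit bound for 32-bit targets: `if (size >= INT_MAX) return;` followed by `char * value = av_malloc((size_t)size + 1);`. The caller-side bound on `size` is also outside this hunk and worth checking. read_string() continues past the hunk.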
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 422e14585e..26e61507dc 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -177,6 +177,7 @@ typedef struct NSVContext { AVRational framerate; uint32_t *nsvs_timestamps; //DVDemuxContext* dv_demux; + int nsvf; } NSVContext; static const AVCodecTag nsv_codec_video_tags[] = { @@ -280,6 +281,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) nsv->state = NSV_UNSYNC; /* in case we fail */ + if (nsv->nsvf) { + av_log(s, AV_LOG_TRACE, "Multiple NSVf\n"); + return 0; + } + nsv->nsvf = 1; + size = avio_rl32(pb); if (size < 28) return -1; From 22f743e60201c3cc70dde007e69b03f0e35d267a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 20:15:19 +0200 Subject: [PATCH 915/942] avcodec/snowdec: Fix integer overflow with motion vector residual Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int' Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 00fa064102..a9fe91d251 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
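Review bot: The new `nsvf` field in NSVContext carries no comment, and its role as a once-only latch is only discoverable from the other hunk; document it at the declaration: `int nsvf; ///< set once an NSVf file header has been parsed; the format allows only one`. The struct starts outside the hunk.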
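Review bot: A second NSVf header is now ignored with a success return at AV_LOG_TRACE, although the commit itself cites the specification as permitting only one, so this malformed-file condition is invisible to users; `av_log(s, AV_LOG_WARNING, "Multiple NSVf headers, ignoring\n");` matches the severity, or return AVERROR_INVALIDDATA if a duplicate should be fatal. Because the early return happens before `size = avio_rl32(pb)`, the duplicate header's payload is left unconsumed; the state was set to NSV_UNSYNC just above, so the caller presumably resyncs, but that loop is outside the hunk and worth confirming. nsv_parse_NSVf_header() begins and ends outside the hunk.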
@@ -208,8 +208,8 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ return AVERROR_INVALIDDATA; } pred_mv(s, &mx, &my, ref, left, top, tr); - mx+= get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); - my+= get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); + mx+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); + my+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); } set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type); }else{ From c2ac8d3147788de45abeacfa07af0d83ce1b366d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 22:19:23 +0200 Subject: [PATCH 916/942] avcodec/vb: Check for end of bytestream before reading blocktype Fixes: Timeout Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 021657f7d8..c6dd6fb456 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset) blk2 = 0; for (blk = 0; blk < blocks; blk++) { if (!(blk & 3)) { + if (bytestream2_get_bytes_left(&g) < 1) { + av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; + } blocktypes = bytestream2_get_byte(&g); } switch (blocktypes & 0xC0) { From 23c5d8d9ce7d6e687091aafb418da560fabb22fd Mon Sep 17 00:00:00 2001 
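Review bot: Casting the motion-vector residual to unsigned defines the overflow but leaves `mx`/`my` unbounded, and they go straight into set_blocks() on the next line; whether motion compensation later clamps the vector is outside the hunk, so either that clamp should be confirmed or a range check should follow the two additions. If the wrap is the intended outcome, say so at the site: `mx+= (unsigned)get_symbol(...); /* unsigned: residual may overflow on corrupt input, wrap is defined */`. decode_q_branch() starts and ends outside the hunk.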
From: Michael Niedermayer Date: Mon, 20 Aug 2018 22:53:32 +0200 Subject: [PATCH 917/942] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() Fixes: Timeout Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index d18464769d..7ae58e0985 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -180,6 +180,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup, int flag = 0; int i, ret, cbp; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1); for (i = 0; i < 12; i++) From fceedd4de9b2ee68b718d2c895374232971d97be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Aug 2018 02:26:24 +0200 Subject: [PATCH 918/942] avcodec/ra144: Fix undefined integer overflow in add_wav() Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int' Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c399304ea1..054d275354 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c 
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; From fcab1b996a219ea49f2f7eaf606cf2ce1adc1958 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Aug 2018 02:06:27 +0200 Subject: [PATCH 919/942] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() Signed-off-by: Michael Niedermayer (cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index d46d940dae..9900cd5805 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -814,6 +814,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) pps_ref_count[1] = FFMAX(pps_ref_count[1], h->pps.ref_count[1]); } + // Detect unmarked random access points if ( err >= 0 && h->long_ref_count==0 && ( h->short_ref_count<=2 From 1049ccec344945fd86131de8fe827a3602d453ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Sep 2018 04:24:49 +0200 Subject: [PATCH 920/942] avcodec/dvdsubdec: Avoid branch in decode_run_8bit() Speed improvment 35.5 sec -> 34.7sec Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 917adc3dfe..696a668167 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c 
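Review bot: The `(int)(s1[i]*(unsigned)v[0])` cast removes undefined behaviour from the first product only; the following `+ s2[i]*v[1] + s3[i]*v[2]` are still signed additions and can overflow the same way, which a later patch in this same series addresses by moving the cast outside the whole sum. Rather than land the partial form, fold it now: `dest[i] = (int)(s1[i]*(unsigned)v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;`. add_wav()'s s2/s3 parameter types are outside the hunk, so whether those products also need the unsigned treatment cannot be judged from here.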
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color) { int len; int has_run = get_bits1(gb); - if (get_bits1(gb)) - *color = get_bits(gb, 8); - else - *color = get_bits(gb, 2); + *color = get_bits(gb, 2 + 6*get_bits1(gb)); if (has_run) { if (get_bits1(gb)) { len = get_bits(gb, 7); From 1ed6224cdf287457040b0740616580498253f245 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 02:08:20 +0200 Subject: [PATCH 921/942] avcodec/shorten: Fix bitstream end check in read_header() Fixes: Timeout Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index de2be90e77..6ec1632aac 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -380,7 +380,7 @@ static int read_header(ShortenContext *s) } skip_bytes = get_uint(s, NSKIPSIZE); - if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + if ((unsigned)skip_bytes > FFMAX(get_bits_left(&s->gb), 0)/8) { av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); return AVERROR_INVALIDDATA; } From 6161aade4c8dac6d8c4c40f09e280c2ceb0d7a1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Sep 2018 21:33:59 +0200 Subject: [PATCH 922/942] avcodec/zmbv: Update decomp_len in raw frames decomp_len is used in raw frames, so it should not be left at the value from whatever was decoded previously (which may be any other frame) Signed-off-by: Michael Niedermayer (cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 1 + 1 file changed, 1 insertion(+) 
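Review bot: `*color = get_bits(gb, 2 + 6*get_bits1(gb));` is correct but folds the format into arithmetic, so the reader no longer sees that one flag bit selects a 2-bit or an 8-bit colour field; keep the speed-up and restore the information the removed branch conveyed: `*color = get_bits(gb, 2 + 6*get_bits1(gb)); /* flag bit: 0 -> 2-bit colour, 1 -> 8-bit colour */`. The form also depends on get_bits1() running before get_bits() starts reading, which holds because arguments are evaluated before the call. decode_run_8bit() continues past the hunk.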
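Review bot: `FFMAX(get_bits_left(&s->gb), 0)/8` turns an already-overread bitstream (negative bits left) into a limit of 0, which rejects any positive skip_bytes but still accepts skip_bytes == 0 and continues decoding on exhausted input; if an overread at this point should abort, test it explicitly and drop the FFMAX: `if (get_bits_left(&s->gb) < 0 || (unsigned)skip_bytes > get_bits_left(&s->gb)/8) {`. read_header() starts and ends outside the hunk.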
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 39a08db0eb..b12c3615b4 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } memcpy(c->decomp_buf, buf, len); + c->decomp_len = len; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = (uint8_t*)buf; From 648b904662c2fcb0721740f150fa9145c7cf314f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Sep 2018 00:28:37 +0200 Subject: [PATCH 923/942] avcodec/zmbv: Check that the decompressed data size is correct This checks the value exactly for intra frames and checks it against a minimum for inter frames as they can be variable. Fixes: Timeout Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index b12c3615b4..41525cc08c 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int expected_size; /* parse header */ if (len < 1) 
@@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } + if (c->flags & ZMBV_KEYFRAME) { + expected_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + expected_size = (c->bx * c->by * 2 + 3) & ~3; + } + if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && + (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) + expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); @@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (expected_size > c->decomp_len || + (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; From 58cb3ad576cb59b914b076246b116c59e084a116 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 00:20:38 +0200 Subject: [PATCH 924/942] avcodec/mpeg4videodec: Fix undefined shift in get_amv() Fixes: runtime error: shift exponent -1 is negative Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 63adcf96d4..3066958318 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
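Review bot: The new condition `expected_size > c->decomp_len || (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len` mixes `||` and `&&` without parentheses, which -Wparentheses flags and a reader must resolve by precedence; `if ((c->flags & ZMBV_KEYFRAME) ? expected_size != c->decomp_len : expected_size > c->decomp_len) {` is equivalent and states the commit's rule (exact for intra, minimum for inter) directly. A one-line comment above it would help too, since the asymmetry is deliberate and otherwise looks like a missed `<` case. decode_frame() continues past the hunk.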
@@ -538,7 +538,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) len >>= s->quarter_sample; if (s->real_sprite_warping_points == 1) { - if (ctx->divx_version == 500 && ctx->divx_build == 413) + if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); From 9b95c4740d23d69e6693f974ab954c50957e4c4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Sep 2018 03:33:50 +0200 Subject: [PATCH 925/942] avcodec/dvdsubdec: Sanity check len in decode_rle() Fixes: Timeout Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 696a668167..c564a889e3 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, len = decode_run_8bit(&gb, &color); else len = decode_run_2bit(&gb, &color); + if (len != INT_MAX && len > w - x) + return AVERROR_INVALIDDATA; len = FFMIN(len, w - x); memset(d + x, color, len); x += len; From 4b14c3ed7857e386ae49bd6f1c4124e52d1667f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Sep 2018 15:18:17 +0200 Subject: [PATCH 926/942] avcodec/unary: Improve get_unary() docs Found-by: kierank Signed-off-by: Michael Niedermayer (cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b) Signed-off-by: Michael Niedermayer --- libavcodec/unary.h | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
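Review bot: Adding `a >= s->quarter_sample` to the DivX-500/413 condition avoids the negative shift, but a stream that hits the workaround with `a < quarter_sample` now silently takes the generic RSHIFT path instead of the DivX-specific division, which is a behaviour change for that case rather than a rejection; if such streams are invalid it would be clearer to return an error, and if the fallback is intended a comment should say so: `/* a < quarter_sample would shift by a negative amount; fall back to generic rounding for such streams */`. The remaining `1 << (a - s->quarter_sample)` is still undefined if the difference reaches 31, so whether `a` is bounded upstream (outside the hunk) is worth confirming. get_amv() starts and ends outside the hunk.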
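Review bot: `len != INT_MAX` in the new check relies on decode_run_8bit()/decode_run_2bit() using INT_MAX as a fill-to-end-of-line sentinel, which the following FFMIN suggests but nothing at this call site states; a named constant shared with those helpers, or at least `if (len != INT_MAX && len > w - x) /* INT_MAX = run to end of line */`, keeps the two places from drifting apart. decode_rle() starts and ends outside the hunk.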
diff --git a/libavcodec/unary.h b/libavcodec/unary.h index 908dc93507..d57f9f70c5 100644 --- a/libavcodec/unary.h +++ b/libavcodec/unary.h @@ -28,7 +28,20 @@ * @param gb GetBitContext * @param[in] stop The bitstop value (unary code of 1's or 0's) * @param[in] len Maximum length - * @return Unary length/index + * @return unary 0 based code index. This is also the length in bits of the + * code excluding the stop bit. + * (in case len=1) + * 1 0 + * 0 1 + * (in case len=2) + * 1 0 + * 01 1 + * 00 2 + * (in case len=3) + * 1 0 + * 01 1 + * 001 2 + * 000 3 */ static inline int get_unary(GetBitContext *gb, int stop, int len) { From 51404bb4f6132c054c6266238d483846e6654ad3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Oct 2018 03:00:32 +0200 Subject: [PATCH 927/942] avformat/utils: Fix integer overflow in discontinuity check Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long' Fixes: find_stream_info_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 587fad8e1a..8c51824fa0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3363,7 +3363,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) * sequence, we treat it as a discontinuity. */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && - (pkt->dts - st->info->fps_last_dts) / 1000 > + (pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 > (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, From 6a5b0a3c751303d359876a85913f5fbbe3976a99 Mon Sep 17 00:00:00 2001 
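Review bot: The new return-value tables never say which `stop` value they assume, and the `len=1` row `0 → 1` is the case where the maximum length is reached without a stop bit being consumed, which is the subtle part of the contract; if get_unary() is the usual count-until-stop loop (its body is outside the hunk), add a sentence such as `When len bits are read without meeting stop, len is returned and no stop bit has been consumed; the tables below assume stop=1.` That makes the difference between the '1' and '0' rows explicit for callers that keep reading after the call.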
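Review bot: Casting `fps_last_dts` to uint64_t makes the left-hand subtraction unsigned, so a dts that steps backwards (pkt->dts < fps_last_dts) now yields a huge quotient and is always reported as a discontinuity, whereas before the negative value never exceeded the right-hand side; that may be the desired outcome, but it is a behaviour change hidden in an overflow fix. Either make it deliberate with a comment such as `/* unsigned on purpose: a backwards dts wraps to a huge delta and counts as a discontinuity */`, or exclude the case explicitly with `pkt->dts >= st->info->fps_last_dts &&` ahead of the division. The surrounding loop in avformat_find_stream_info() is outside the hunk.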
From: Michael Niedermayer Date: Fri, 12 Oct 2018 20:55:25 +0200 Subject: [PATCH 928/942] avformat/utils: Never store negative values in last_IP_duration Fixes: integer overflow compute_pkt_fields() Fixes: compute_pkt_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8c51824fa0..3f02149ef4 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1157,7 +1157,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, /* This is tricky: the dts must be incremented by the duration * of the frame we are displaying, i.e. the last I- or P-frame. */ - if (st->last_IP_duration == 0) + if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= INT32_MAX) st->last_IP_duration = pkt->duration; if (pkt->dts != AV_NOPTS_VALUE) st->cur_dts = pkt->dts + st->last_IP_duration; @@ -1169,7 +1169,8 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, next_pts != AV_NOPTS_VALUE) pkt->pts = next_dts; - st->last_IP_duration = pkt->duration; + if ((uint64_t)pkt->duration <= INT32_MAX) + st->last_IP_duration = pkt->duration; st->last_IP_pts = pkt->pts; /* Cannot compute PTS if not present (we can compute it only * by knowing the future. */ From b15db639a5caccb2f69c1b37707e09820231b5f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Oct 2018 04:25:50 +0200 Subject: [PATCH 929/942] avcodec/ra144: Fix integer overflow in add_wav() Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int' Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
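Review bot: `(uint64_t)pkt->duration <= INT32_MAX` is a compact way of saying `0 <= duration <= INT32_MAX` that is easy to misread as a plain upper bound, and the INT32_MAX limit silently encodes the width of `last_IP_duration`, which is declared outside the hunk; a comment at both new sites, e.g. `/* reject negative or > 32-bit durations: last_IP_duration is 32-bit (confirm) and is added to dts */`, makes the intent and the coupling to that field's type visible. When the test fails the stale `last_IP_duration` is kept without any log, which is probably fine but worth a word in the same comment. compute_pkt_fields() starts and ends outside the hunk.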
Signed-off-by: Michael Niedermayer (cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 054d275354..3393d7a87f 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; From f9cfdf2baefd89fd6ef55afb0832aa1e2155a3b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Oct 2018 03:13:41 +0200 Subject: [PATCH 930/942] avcodec/h264_cavlc: Check mb_skip_run Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264 Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 97ec6fd4ae..250e93bc8e 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c 
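Review bot: Moving the cast outside the sum fixes the reported addition, but `s2[i]*v[1]` and `s3[i]*v[2]` are still computed as signed products before they join the unsigned term, so they can overflow individually exactly as `s1[i]*v[0]` did in the earlier fix if v[1]/v[2] can reach similar magnitudes; the types of s2/s3 and the range of v[] are outside the hunk, so this needs confirming, and if in doubt the uniform form is `dest[i] = (int)(s1[i]*(unsigned)v[0] + s2[i]*(unsigned)v[1] + s3[i]*(unsigned)v[2]) >> 12;`. The else branch two lines below has the same two products with no cast at all. add_wav() starts and ends outside the hunk.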
@@ -721,8 +721,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl) cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */ if (sl->slice_type_nos != AV_PICTURE_TYPE_I) { - if (sl->mb_skip_run == -1) - sl->mb_skip_run = get_ue_golomb_long(&sl->gb); + if (sl->mb_skip_run == -1) { + unsigned mb_skip_run = get_ue_golomb_long(&sl->gb); + if (mb_skip_run > h->mb_num) { + av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run); + return AVERROR_INVALIDDATA; + } + sl->mb_skip_run = mb_skip_run; + } if (sl->mb_skip_run--) { if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) { From 9c1bb7e8debdbcd8f7786c381e1f90bec9f74a45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Oct 2018 01:19:36 +0200 Subject: [PATCH 931/942] avcodec/mpeg4videodec: Fix typo in sprite delta check Fixes: Integer overflow Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 3066958318..7713a2194a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
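Review bot: The new error message passes the `unsigned mb_skip_run` to `%d`, which is a format/argument mismatch; use `%u`: `av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);`. The bound `mb_skip_run > h->mb_num` compares unsigned against what is presumably a signed macroblock count, which is fine only while mb_num is non-negative, as a count should be. ff_h264_decode_mb_cavlc() starts and ends outside the hunk.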
@@ -392,7 +392,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || From dd5232c838470fcbd46e9a1fa7f64af8e948ce92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Oct 2018 22:35:37 +0200 Subject: [PATCH 932/942] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling Fixes: assertion failure Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 65437bb293..64355589ee 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1128,7 +1128,7 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; - if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) + if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue; for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { From 1dbf2bc7a958684df11c94ba65d1d655e1a0cb61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Oct 2018 02:15:08 +0200 Subject: [PATCH 933/942] Update for 3.0.12 
Signed-off-by: Michael Niedermayer --- Changelog | 133 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 135 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a3bf744044..12b3cd9b98 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,139 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.12 +- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling +- avcodec/mpeg4videodec: Fix typo in sprite delta check +- avcodec/h264_cavlc: Check mb_skip_run +- avcodec/ra144: Fix integer overflow in add_wav() +- avformat/utils: Never store negative values in last_IP_duration +- avformat/utils: Fix integer overflow in discontinuity check +- avcodec/unary: Improve get_unary() docs +- avcodec/dvdsubdec: Sanity check len in decode_rle() +- avcodec/mpeg4videodec: Fix undefined shift in get_amv() +- avcodec/zmbv: Check that the decompressed data size is correct +- avcodec/zmbv: Update decomp_len in raw frames +- avcodec/shorten: Fix bitstream end check in read_header() +- avcodec/dvdsubdec: Avoid branch in decode_run_8bit() +- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() +- avcodec/ra144: Fix undefined integer overflow in add_wav() +- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() +- avcodec/vb: Check for end of bytestream before reading blocktype +- avcodec/snowdec: Fix integer overflow with motion vector residual +- avformat/nsvdec: Do not parse multiple NSVf +- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned +- avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() +- avcodec/shorten: Fix integer overflow in residual/LPC combination +- avcodec/shorten: Check verbatim length +- avcodec/mpegaudio_parser: Initialize poutbuf* +- avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c() +- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() +- avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too +- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case +- avcodec/dirac_dwt_template: Fix several 
integer overflows in horizontal_compose_daub97i() +- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() +- swresample/swresample: Fix input channel count in resample_first computation +- avutil/pixfmt: Document chroma plane size for odd resolutions +- avcodec/dvdsub_parser: Allocate input padding +- avcodec/dvdsub_parser: Init output buf/size +- avcodec/imgconvert: fix possible null pointer dereference +- avcodec/dirac_dwt_template: Fix signedness regression in interleave() +- swresample/arm: rename labels to fix xcode build error +- avformat/utils: fix mixed declarations and code +- libwebpenc_animencoder: add missing braces to struct initialization +- avformat/movenc: Check input sample count +- avcodec/mjpegdec: Check for odd progressive RGB +- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id +- avformat/mms: Add missing chunksize check +- avformat/pva: Check for EOF before retrying in read_part_of_packet() +- avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() +- avcodec/indeo4: Check for end of bitstream in decode_mb_info() +- avcodec/shorten: Fix undefined addition in shorten_decode_frame() +- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() +- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles +- avcodec/escape124: Fix spelling errors in comment +- avcodec/ra144: Fix integer overflow in ff_eval_refl() +- avcodec/cscd: Check output buffer size for lzo. 
+- avcodec/escape124: Check buf_size against num_superblocks +- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() +- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() +- avcodec/dirac_dwt_template: Fix undefined behavior in interleave() +- avutil/common: Fix undefined behavior in av_clip_uintp2_c() +- fftools/ffmpeg: Fallback to duration if sample rate is unavailable +- avformat/mov: Only set pkt->duration to non negative values +- avcodec/h264_mc_template: Only prefetch motion if the list is used. +- avcodec/xwddec: Use ff_set_dimensions() +- avcodec/wavpack: Fix overflow in adding tail +- avcodec/shorten: Fix multiple integer overflows +- avcodec/shorten: Sanity check nmeans +- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() +- avcodec/truemotion2: Fix overflow in tm2_apply_deltas() +- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c +- avcodec/amrwbdec: Fix division by 0 in find_hb_gain() +- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() +- avformat/mov: Break out early if chunk_count is 0 in mov_build_index() +- avcodec/fic: Avoid some magic numbers related to cursors +- avcodec/g2meet: ask for sample with overflowing RGB +- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() +- oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior +- avcodec/g723_1dec: Clip bits2 in both directions +- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() +- avcodec/mlpdec: Only change noise_type if the related fields are valid +- indeo4: Decode all or nothing of a band header. 
+- avformat/mov: Only fail for STCO/STSC contradictions if both exist +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 +- avcodec/fic: Check available input space for cursor +- avcodec/g2meet: Check RGB upper limit +- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case +- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done +- avcodec/g2meet: Change order of operations to avoid undefined behavior +- avcodec/flac_parser: Fix infinite loop +- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() +- avcodec/error_resilience: Fix integer overflow in filter181() +- avcodec/h263dec: Check slice_ret in mspeg4 slice loop +- avcodec/elsdec: Fix memleaks +- avcodec/vc1_block: simplify ac_val computation +- avcodec/ffv1enc: Check that the crc + version combination is supported +- lavf/http.c: Free allocated client URLContext in case of error. +- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame +- avcodec/dsicinvideo: Propagate errors from cin_decode_rle() +- avcodec/dfa: Check dimension against maximum +- avcodec/cinepak: Skip empty frames +- avcodec/cinepak: move some checks prior to frame allocation +- swresample/arm: remove unintentional relocation. +- doc/APIchanges: Fix typos in hashes +- avformat/utils: Check cur_dts in update_initial_timestamps() more +- avcodec/utils: Enforce minimum width also for VP5/6 +- avcodec/truemotion2: Propagate out of bounds error from GET_TOK() +- avcodec/mjpegdec: Check input buffer size. +- lavc/libopusdec: Allow avcodec_open2 to call .close +- avcodec/movtextdec: Check style_start/end +- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() +- libavcodec/rv34: error out earlier on missing references +- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. 
+- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() +- avcodec/cscd: Error out when LZ* decompression fails +- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() +- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() +- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables +- avcodec/get_bits: Make sure the input bitstream with padding can be addressed +- avformat/mov: Check STSC and remove invalid entries +- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it +- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg +- avcodec/wmalosslessdec: Reset num_saved_bits on error path +- avformat/mov: Fix integer overflows related to sample_duration +- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE +- avformat/oggparseogm: Check lb against psize +- avformat/oggparseogm: Fix undefined shift in ogm_packet() +- avformat/avidec: Fix integer overflow in cum_len check +- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE +- avformat/utils: Fix integer overflow of fps_first/last_dts +- libavformat/oggparsevorbis: Fix memleak on multiple headers +- avdevice/iec61883: free the private context at the end +- avdevice/iec61883: return reference counted packets +- avdevice/iec61883: free packet on buffer allocation error + + version 3.0.11 - avcodec/bintext: sanity check dimensions - avcodec/utvideodec: Check subsample factors diff --git a/RELEASE b/RELEASE index 778bf95c00..f93fc9f42e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.11 +3.0.12 diff --git a/doc/Doxyfile b/doc/Doxyfile index 65eef53776..6951092ad7 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.11 +PROJECT_NUMBER = 3.0.12 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 82e796a4c9ccaf2765c0a1e85dbcec73733f4246 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Oct 2018 14:40:14 +0200 Subject: [PATCH 934/942] avcodec/msrle: Check that the input is large enough to contain a end of picture code Fixes: Timeout Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 203ccb8746997777ce66beadd53b4631d217b9cd) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 33b157bc75..23858fe6d0 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + if (buf_size < 2) //Minimally a end of picture code should be there + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 15296d64ca4f691285f245b1e5af04241e5b2fd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Oct 2018 01:44:12 +0200 Subject: [PATCH 935/942] avutil/integer: Fix integer overflow in av_mul_i() Found-by: fate Signed-off-by: Michael Niedermayer (cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/integer.c b/libavutil/integer.c index 6d6855fa1b..ba4aa778c9 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c 
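Review bot: The literal `2` in the added `if (buf_size < 2)` check is a magic number whose meaning lives only in a comment with a typo (`a end`); I'd at least reword it so the size is explained: `if (buf_size < 2) // minimally an end-of-picture code (2 bytes) must be present`. The check sits before `ff_reget_buffer`, so a truncated packet is rejected before any frame buffer is touched, which is the right order. msrle_decode_frame continues outside the hunk.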
@@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){ if(a.v[i]) for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i]; + carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i]; out.v[j]= carry; } } From 527e64d32c345e2da17ae8afc0f852c3cca28345 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Oct 2018 00:24:53 +0200 Subject: [PATCH 936/942] Changelog: Update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 12b3cd9b98..441be22abe 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.0.12 +- avutil/integer: Fix integer overflow in av_mul_i() +- avcodec/msrle: Check that the input is large enough to contain a end of picture code - avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling - avcodec/mpeg4videodec: Fix typo in sprite delta check - avcodec/h264_cavlc: Check mb_skip_run From bdcbe9296a43580fb27f8a3eda65d9110a85edcf Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2017 16:32:54 +0100 Subject: [PATCH 937/942] avfilter/af_silenceremove: fix possible crash if supplied duration is negative Signed-off-by: Paul B Mahol Fixes ticket #7697. (cherry picked from commit 2d1594a8d6a754a426cb53184dccf9cf8c8a94b0) --- libavfilter/af_silenceremove.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavfilter/af_silenceremove.c b/libavfilter/af_silenceremove.c index f156d1883d..3d3651a76f 100644 --- a/libavfilter/af_silenceremove.c +++ b/libavfilter/af_silenceremove.c 
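Review bot: The corrected `+` line is only safe because the worst-case sum fits in 32 bits, and that bound deserves a comment next to it: with 16-bit limbs, `(2^16-1)^2 + 2*(2^16-1)` equals `2^32-1`, so `carry>>16` plus `out.v[j]` plus the product cannot wrap an `unsigned` accumulator. I'd add above the line `/* max (2^16-1)^2 + 2*(2^16-1) == 2^32-1, so this cannot wrap in 32-bit unsigned */`. The limb width and the type of `carry` are not visible in the hunk, so this assumes `v[]` is 16-bit and `carry` is `unsigned` — confirm against the declarations. The page has also swallowed part of the `for` line (`for(j=i; j>16)`), so the loop bound cannot be checked here; av_mul_i continues outside the hunk.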
@@ -186,8 +186,17 @@ static int config_input(AVFilterLink *inlink) s->start_duration = av_rescale(s->start_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->start_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n"); + s->start_duration = -s->start_duration; + } + s->stop_duration = av_rescale(s->stop_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->stop_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n"); + s->stop_duration = -s->stop_duration; + } s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1), sizeof(*s->start_holdoff) * From b307cbe276131463b3595dcf3abbe244c0bc7389 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 18 Mar 2019 17:25:58 -0300 Subject: [PATCH 938/942] avcodec/hevcdec: decode at most one slice reporting being the first in the picture Fixes deadlocks when decoding packets containing more than one of the aforementioned slices when using frame threads. Tested-by: Derek Buitenhuis Signed-off-by: James Almer (cherry picked from commit 70c8c8a818f39bc262565ec29fae2baffb3e1660) --- libavcodec/hevc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 2046267336..7ece31f8aa 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2781,6 +2781,10 @@ static int decode_nal_unit(HEVCContext *s, const HEVCNAL *nal) } if (s->sh.first_slice_in_pic_flag) { + if (s->ref) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + goto fail; + } ret = hevc_frame_start(s); if (ret < 0) return ret; From b858bcbbf6c14285c840f78dfe8a0e7b9d68997a Mon Sep 17 00:00:00 2001 
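Review bot: Negating the rescaled value on the `s->start_duration = -s->start_duration;` line is itself a signed overflow if `av_rescale` can return `INT64_MIN` (I believe it does on overflow — worth confirming), and it silently changes what the user asked for. Rejecting the option with `return AVERROR(EINVAL);`, or clamping to 0, would be safer than flipping the sign; if the absolute value is kept on purpose, the warning should say so: `av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative, using its absolute value\n");`. The same applies to the `stop_duration` branch. config_input continues outside the hunk.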
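Review bot: The new error path does `goto fail` while the neighbouring failure two lines below does `return ret;`, and what `fail` returns is not visible in the hunk; if `ret` still holds a non-negative value from an earlier call, the duplicate first slice is logged but no error reaches the caller. Setting the code explicitly, `ret = AVERROR_INVALIDDATA; goto fail;`, makes the outcome independent of `ret`'s earlier value. decode_nal_unit and the `fail` label lie outside the hunk.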
From: Mark Harris Date: Sat, 24 Nov 2018 13:02:02 -0800 Subject: [PATCH 939/942] avutil/mem: Fix invalid use of av_alloc_size The alloc_size attribute is valid only on functions that return a pointer. GCC 9 (not yet released) warns about invalid usage: ./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes] 342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); | ^~~~~~~~~~~~~ Signed-off-by: Michael Niedermayer (cherry picked from commit 4361293fcf59edb56879c36edcd25f0a91e0edf8) --- libavutil/mem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.h b/libavutil/mem.h index d25b3229b7..376fd2e07c 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -183,7 +183,7 @@ av_alloc_size(2, 3) void *av_realloc_array(void *ptr, size_t nmemb, size_t size) * The situation is undefined according to POSIX and may crash with * some libc implementations. */ -av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); +int av_reallocp_array(void *ptr, size_t nmemb, size_t size); /** * Free a memory block which has been allocated with av_malloc(z)() or From e6316607268ec4c31beb85ece0a5bcea4fa1e452 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 20 Nov 2019 13:26:59 +0100 Subject: [PATCH 940/942] avformat/matroskadec: Fix default value of BlockAddID Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit dbc50f8a935043243232b2e01f3c012ab6d49928) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 0451c33fe7..e52edeeadf 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -591,7 +591,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; From 021fe2603f68a2684b7b2b19ea0eab07f26828c1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 11:40:23 +0200 Subject: [PATCH 941/942] avcodec/libopusenc: Don't free user-provided AVPacket Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit b803993b6d99423c8c1e01e7e206e3916a98d5d5) --- libavcodec/libopusenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 3f3e80d4a0..c1dcd0456a 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -362,7 +362,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -371,7 +370,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); From df000208eaa413bd27a0645aa71e3772d018ceba Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:13:26 +0200 Subject: [PATCH 942/942] libavcodec/libvpxenc: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 26b45096906097a73ba587bf3b98dada4e795224) --- libavcodec/libvpxenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 8992497c70..31695d1276 100644 --- a/libavcodec/libvpxenc.c 
+++ b/libavcodec/libvpxenc.c @@ -792,7 +792,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1);