From 7fa72ff19cc01030aa81195eb778234efa556b0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Jul 2014 01:45:34 +0200 Subject: [PATCH 001/229] update for FFmpeg 2.3 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 1 + doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 VERSION diff --git a/RELEASE b/RELEASE index bd5ee42fcc..bb576dbde1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.2.git +2.3 diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000..bb576dbde1 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +2.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8697e6c551..7b2a785ae4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 2.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From e32249605456a9a2367d76b30dfe8894d60cc4f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Jul 2014 02:01:14 +0200 Subject: [PATCH 002/229] RELEASE_NOTES: update version numbers Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 145abfaca7..86770675e4 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -33,9 +33,9 @@ • libavutil 52.92.100 • libavcodec 55.69.100 - • libavformat 55.47.100 + • libavformat 55.48.100 • libavdevice 55.13.102 - • libavfilter 4.10.100 + • libavfilter 4.11.100 • libswscale 2. 6.100 • libswresample 0.19.100 • libpostproc 52. 3.100 From 2678b2509910ef2d32de0b5fbe6723a88293b7aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Jul 2014 02:06:44 +0200 Subject: [PATCH 003/229] doc/APIchanges: update Signed-off-by: Michael Niedermayer (cherry picked from commit 13a72d9b08c914c3d3c99be1053e9d5cda8baa88) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index e87f16579d..c0486f2409 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -15,13 +15,13 @@ libavutil: 2012-10-22 API changes, most recent first: -2014-07-14 - xxxxxxx - lavf 55.47.100 - avformat.h +2014-07-14 - 62227a7 - lavf 55.47.100 - avformat.h Add av_stream_get_parser() -2014-07-xx - xxxxxxx - lavu 53.18.0 - display.h +2014-07-09 - c67690f / a54f03b - lavu 52.92.100 / 53.18.0 - display.h Add av_display_matrix_flip() to flip the transformation matrix. -2014-07-xx - xxxxxxx - lavc 55.56.0 - dv_profile.h +2014-07-09 - 1b58f13 / f6ee61f - lavc 55.69.100 / 55.56.0 - dv_profile.h Add a public API for DV profile handling. 2014-06-20 - 0dceefc / 9e500ef - lavu 52.90.100 / 53.17.0 - imgutils.h @@ -42,7 +42,7 @@ API changes, most recent first: 2014-05-30 - 00759d7 - lavu 52.89.100 - opt.h Add av_opt_copy() -2014-04-xx - 03bb99a / 0957b27 - lavc 55.66.100 / 55.54.0 - avcodec.h +2014-06-01 - 03bb99a / 0957b27 - lavc 55.66.100 / 55.54.0 - avcodec.h Add AVCodecContext.side_data_only_packets to allow encoders to output packets with only side data. This option may become mandatory in the future, so all users are recommended to update their code and enable this option. @@ -52,7 +52,7 @@ API changes, most recent first: AVColorTransferCharacteristic, and AVChromaLocation) inside lavu. And add AVFrame fields for them. -2014-04-xx - bdb2e80 / b2d4565 - lavr 1.3.0 - avresample.h +2014-05-29 - bdb2e80 / b2d4565 - lavr 1.3.0 - avresample.h Add avresample_max_output_samples 2014-05-24 - d858ee7 / 6d21259 - lavf 55.42.100 / 55.19.0 - avformat.h From bc4f6ae88e5fa3b7c0de33583e3299f83f3499ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Jul 2014 02:09:06 +0200 Subject: [PATCH 004/229] Changelog: change "version " to "version 2.3" Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit faafd1e4f1fcc2d618633eae4dc532050b2be988) Signed-off-by: Michael Niedermayer --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 24a3c01de5..07cf1cf7af 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 2.3: - AC3 fixed-point decoding - shuffleplanes filter - subfile protocol From bef4d9bf87f755be62c8cc35b1c333596e41b3c6 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Tue, 15 Jul 2014 17:39:24 -0700 Subject: [PATCH 005/229] RELEASE_NOTES: update Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 86770675e4..07805951c8 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -7,9 +7,10 @@ since the release of FFmpeg 2.2. In this release, there are lots of internal overhauls that make FFmpeg a - more accessible project for new developers. Many important new features - like QTKit and AVFoundation input devices are committed. Contributions done - by Libav such as a new native Opus decoder are also merged. + more accessible project for new developers. Many important new + optimizations and features like QTKit and AVFoundation input devices are + committed. Contributions done by Libav such as a new native Opus decoder + are also merged. Because of the increasing difficulty to maintain and lack of maintainers, we are very sorry to say that we have removed all Blackfin and SPARC @@ -17,8 +18,9 @@ interested in maintaining optimization for these two architecture, feel free to contact us and we will restore the code! - Since this release, the traditional Changelog file is upgraded to this - modern-looking release note. Old changelogs are moved to doc/Changelog.old. + Oh, and since this release, this modern-looking release note is provided in + addition to the old-style Changelog file, to make it easier for you to + focus on the most important features in this release. Enjoy! From 84642ec8798a813e10590eb553e26d527b57daf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jul 2014 04:25:21 +0200 Subject: [PATCH 006/229] avformat/dv: implement fallback in dv_extract_pack() Fixes Ticket2340 Fixes Ticket2341 Based-on mail from Dave Rice Tested-by: Dave Rice Signed-off-by: Michael Niedermayer (cherry picked from commit 88f038ac97a875f25c2eceac6d2107a09314984c) Signed-off-by: Michael Niedermayer --- libavformat/dv.c | 43 +++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 4f7b062f8b..1e15c08203 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c @@ -72,30 +72,33 @@ static inline uint16_t dv_audio_12to16(uint16_t sample) return result; } -/* - * This is the dumbest implementation of all -- it simply looks at - * a fixed offset and if pack isn't there -- fails. We might want - * to have a fallback mechanism for complete search of missing packs. - */ static const uint8_t *dv_extract_pack(uint8_t *frame, enum dv_pack_type t) { int offs; + int c; - switch (t) { - case dv_audio_source: - offs = (80 * 6 + 80 * 16 * 3 + 3); - break; - case dv_audio_control: - offs = (80 * 6 + 80 * 16 * 4 + 3); - break; - case dv_video_control: - offs = (80 * 5 + 48 + 5); - break; - case dv_timecode: - offs = (80*1 + 3 + 3); - break; - default: - return NULL; + for (c = 0; c < 10; c++) { + switch (t) { + case dv_audio_source: + if (c&1) offs = (80 * 6 + 80 * 16 * 0 + 3 + c*12000); + else offs = (80 * 6 + 80 * 16 * 3 + 3 + c*12000); + break; + case dv_audio_control: + if (c&1) offs = (80 * 6 + 80 * 16 * 1 + 3 + c*12000); + else offs = (80 * 6 + 80 * 16 * 4 + 3 + c*12000); + break; + case dv_video_control: + if (c&1) offs = (80 * 3 + 8 + c*12000); + else offs = (80 * 5 + 48 + 5 + c*12000); + break; + case dv_timecode: + offs = (80*1 + 3 + 3); + break; + default: + return NULL; + } + if (frame[offs] == t) + break; } return frame[offs] == t ? &frame[offs] : NULL; From 0f04e2741e26c967d3c6683f89bc8ba286baded3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 22 Jul 2014 03:32:03 +0200 Subject: [PATCH 007/229] libavformat/img2dec.c: Add a long_name to the piped image demuxers This fixes segfaults in gst-libav1.0 compiled against FFmpeg 2.3. Signed-off-by: Michael Niedermayer (cherry picked from commit 135ea609cebb5a5d331a2550caebe161d163c190) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index cda4996568..f97800797e 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -666,6 +666,7 @@ static const AVClass imgname ## _class = {\ };\ AVInputFormat ff_image_ ## imgname ## _pipe_demuxer = {\ .name = AV_STRINGIFY(imgname) "_pipe",\ + .long_name = NULL_IF_CONFIG_SMALL("piped " AV_STRINGIFY(imgname) " sequence"),\ .priv_data_size = sizeof(VideoDemuxData),\ .read_probe = imgname ## _probe,\ .read_header = ff_img_read_header,\ From 9cb45f6ad2248222cf17e2c36f0ae5e6ab5118c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jul 2014 21:16:24 +0200 Subject: [PATCH 008/229] doc/APIchanges: mention FF_INPUT_BUFFER_PADDING_SIZE chage Suggested-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 94c4ad27dc6305a7e1f218b86311db019e41f632) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/APIchanges b/doc/APIchanges index c0486f2409..1a9d103ee0 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -35,6 +35,10 @@ API changes, most recent first: is now setting AVStream.time_base, instead of AVStream.codec.time_base as was done previously. The old method is now deprecated. +2014-06-11 - 67d29da - lavc 55.66.101 - avcodec.h + Increase FF_INPUT_BUFFER_PADDING_SIZE to 32 due to some corner cases needing + it + 2014-06-10 - xxxxxxx - lavf 55.43.100 - avformat.h New field int64_t max_analyze_duration2 instead of deprecated int max_analyze_duration. From 489d066d498a56ceaf5780c04bfe4671144c1c8f Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Thu, 24 Jul 2014 19:39:36 -0700 Subject: [PATCH 009/229] RELEASE_NOTES: fix WebVTT decoder typo (-> encoder) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Clément Bœsch Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit 065fa668723687eba234ba93bc9aa532d68c8d1c) Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 07805951c8..6323cf543c 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -105,7 +105,7 @@ Other interesting new features including hqx video filter, a pixel art scaling filter; a fixed-point AC-3 decoder contributed by Imagination Technologies; an On2 TrueMotion VP7 video decoder; an HTML5 WebVTT - subtitle decoder that allows creation of WebVTT from any text-based + subtitle encoder that allows creation of WebVTT from any text-based subtitles; and an 1-bit Direct Stream Digital audio decoder. ┌────────────────────────────┐ From fcc6568a10252a69c83e6ce6b166574306631861 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Jul 2014 15:22:27 +0200 Subject: [PATCH 010/229] avcodec: add avdct This provides a public sustainable API/ABI for DCT functions. Only externally used dct functions are included. The structure is extensible without ABI issues compared to the existing dct contexts. See Mailing list and IRC log of 2014-07-26/27 Reviewed-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 932ff7095696a90fda83a8c6343b57f475b40951) Conflicts: doc/APIchanges --- libavcodec/Makefile | 1 + libavcodec/avdct.c | 119 ++++++++++++++++++++++++++++++++++++++++++++ libavcodec/avdct.h | 76 ++++++++++++++++++++++++++++ 3 files changed, 196 insertions(+) create mode 100644 libavcodec/avdct.c create mode 100644 libavcodec/avdct.h diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 0bbfa27e48..e5233f9496 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -15,6 +15,7 @@ HEADERS = avcodec.h \ OBJS = allcodecs.o \ audioconvert.o \ + avdct.o \ avpacket.o \ avpicture.o \ bitstream.o \ diff --git a/libavcodec/avdct.c b/libavcodec/avdct.c new file mode 100644 index 0000000000..720e7720de --- /dev/null +++ b/libavcodec/avdct.c @@ -0,0 +1,119 @@ +/* + * Copyright (c) 2014 Michael Niedermayer + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "avcodec.h" +#include "idctdsp.h" +#include "fdctdsp.h" +#include "avdct.h" + +#define OFFSET(x) offsetof(AVDCT,x) +#define DEFAULT 0 //should be NAN but it does not work as it is not a constant in glibc as required by ANSI/ISO C +//these names are too long to be readable +#define V AV_OPT_FLAG_VIDEO_PARAM +#define A AV_OPT_FLAG_AUDIO_PARAM +#define E AV_OPT_FLAG_ENCODING_PARAM +#define D AV_OPT_FLAG_DECODING_PARAM + +static const AVOption avdct_options[] = { +{"dct", "DCT algorithm", OFFSET(dct_algo), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, V|E, "dct"}, +{"auto", "autoselect a good one (default)", 0, AV_OPT_TYPE_CONST, {.i64 = FF_DCT_AUTO }, INT_MIN, INT_MAX, V|E, "dct"}, +{"fastint", "fast integer (experimental / for debugging)", 0, AV_OPT_TYPE_CONST, {.i64 = FF_DCT_FASTINT }, INT_MIN, INT_MAX, V|E, "dct"}, +{"int", "accurate integer", 0, AV_OPT_TYPE_CONST, {.i64 = FF_DCT_INT }, INT_MIN, INT_MAX, V|E, "dct"}, +{"mmx", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_DCT_MMX }, INT_MIN, INT_MAX, V|E, "dct"}, +{"altivec", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_DCT_ALTIVEC }, INT_MIN, INT_MAX, V|E, "dct"}, +{"faan", "floating point AAN DCT (experimental / for debugging)", 0, AV_OPT_TYPE_CONST, {.i64 = FF_DCT_FAAN }, INT_MIN, INT_MAX, V|E, "dct"}, + +{"idct", "select IDCT implementation", OFFSET(idct_algo), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, V|E|D, "idct"}, +{"auto", "autoselect a good one (default)", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_AUTO }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"int", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_INT }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"simple", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLE }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"simplemmx", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLEMMX }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"arm", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_ARM }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"altivec", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_ALTIVEC }, INT_MIN, INT_MAX, V|E|D, "idct"}, +#if FF_API_ARCH_SH4 +{"sh4", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SH4 }, INT_MIN, INT_MAX, V|E|D, "idct"}, +#endif +{"simplearm", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLEARM }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"simplearmv5te", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLEARMV5TE }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"simplearmv6", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLEARMV6 }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"simpleneon", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLENEON }, INT_MIN, INT_MAX, V|E|D, "idct"}, +#if FF_API_ARCH_ALPHA +{"simplealpha", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLEALPHA }, INT_MIN, INT_MAX, V|E|D, "idct"}, +#endif +{"ipp", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_IPP }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"xvidmmx", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_XVIDMMX }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{"faani", "floating point AAN IDCT (experimental / for debugging)", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_FAAN }, INT_MIN, INT_MAX, V|D|E, "idct"}, +{"simpleauto", "experimental / for debugging", 0, AV_OPT_TYPE_CONST, {.i64 = FF_IDCT_SIMPLEAUTO }, INT_MIN, INT_MAX, V|E|D, "idct"}, +{NULL}, +}; + +static const AVClass avdct_class = { + .class_name = "AVDCT", + .option = avdct_options, + .version = LIBAVUTIL_VERSION_INT, +}; + +AVDCT *avcodec_dct_alloc(void) +{ + AVDCT *dsp = av_mallocz(sizeof(AVDCT)); + + if (!dsp) + return NULL; + + dsp->av_class = &avdct_class; + av_opt_set_defaults(dsp); + + return dsp; +} + +int avcodec_dct_init(AVDCT *dsp) +{ + AVCodecContext *avctx = avcodec_alloc_context3(NULL); + + if (!avctx) + return AVERROR(ENOMEM); + + avctx->idct_algo = dsp->idct_algo; + avctx->dct_algo = dsp->dct_algo; + +#define COPY(src, name) memcpy(&dsp->name, &src.name, sizeof(dsp->name)) + +#if CONFIG_IDCTDSP + { + IDCTDSPContext idsp; + ff_idctdsp_init(&idsp, avctx); + COPY(idsp, idct); + COPY(idsp, idct_permutation); + } +#endif + +#if CONFIG_FDCTDSP + { + FDCTDSPContext fdsp; + ff_fdctdsp_init(&fdsp, avctx); + COPY(fdsp, fdct); + } +#endif + + avcodec_close(avctx); + av_free(avctx); + + return 0; +} diff --git a/libavcodec/avdct.h b/libavcodec/avdct.h new file mode 100644 index 0000000000..4d691e013d --- /dev/null +++ b/libavcodec/avdct.h @@ -0,0 +1,76 @@ +/* + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef AVCODEC_AVDCT_H +#define AVCODEC_AVDCT_H + +#include "libavutil/opt.h" + +/** + * AVDCT context. + * @note function pointers can be NULL if the specific features have been + * disabled at build time. + */ +typedef struct AVDCT { + const AVClass *av_class; + + void (*idct)(int16_t *block /* align 16 */); + + /** + * IDCT input permutation. + * Several optimized IDCTs need a permutated input (relative to the + * normal order of the reference IDCT). + * This permutation must be performed before the idct_put/add. + * Note, normally this can be merged with the zigzag/alternate scan
+ * An example to avoid confusion: + * - (->decode coeffs -> zigzag reorder -> dequant -> reference IDCT -> ...) + * - (x -> reference DCT -> reference IDCT -> x) + * - (x -> reference DCT -> simple_mmx_perm = idct_permutation + * -> simple_idct_mmx -> x) + * - (-> decode coeffs -> zigzag reorder -> simple_mmx_perm -> dequant + * -> simple_idct_mmx -> ...) + */ + uint8_t idct_permutation[64]; + + void (*fdct)(int16_t *block /* align 16 */); + + + /** + * DCT algorithm. + * must use AVOptions to set this field. + */ + int dct_algo; + + /** + * IDCT algorithm. + * must use AVOptions to set this field. + */ + int idct_algo; +} AVDCT; + +/** + * Allocates a AVDCT context. + * This needs to be initialized with avcodec_dct_init() after optionally + * configuring it with AVOptions. + * + * To free it use av_free() + */ +AVDCT *avcodec_dct_alloc(void); +int avcodec_dct_init(AVDCT *); + +#endif /* AVCODEC_AVDCT_H */ From 8f53d32dfbe2c727238f366ff649ce8debc17a6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Jul 2014 15:24:42 +0200 Subject: [PATCH 011/229] avfilter/vf_spp: use AVDCT Signed-off-by: Michael Niedermayer (cherry picked from commit e3fac208246f5f94cfc4d3abdb1a4770272f96ee) Signed-off-by: Michael Niedermayer --- libavfilter/vf_spp.c | 13 +++++++------ libavfilter/vf_spp.h | 6 ++---- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/libavfilter/vf_spp.c b/libavfilter/vf_spp.c index 4e4a5795f4..aff1ddf305 100644 --- a/libavfilter/vf_spp.c +++ b/libavfilter/vf_spp.c @@ -233,9 +233,9 @@ static void filter(SPPContext *p, uint8_t *dst, uint8_t *src, const int y1 = y + offset[i + count - 1][1]; const int index = x1 + y1*linesize; p->pdsp.get_pixels(block, p->src + index, linesize); - p->fdsp.fdct(block); - p->requantize(block2, block, qp, p->idsp.idct_permutation); - p->idsp.idct(block2); + p->dct->fdct(block); + p->requantize(block2, block, qp, p->dct->idct_permutation); + p->dct->idct(block2); add_block(p->temp + index, linesize, block2); } } @@ -378,11 +378,11 @@ static av_cold int init(AVFilterContext *ctx) SPPContext *spp = ctx->priv; spp->avctx = avcodec_alloc_context3(NULL); - if (!spp->avctx) + spp->dct = avcodec_dct_alloc(); + if (!spp->avctx || !spp->dct) return AVERROR(ENOMEM); - ff_idctdsp_init(&spp->idsp, spp->avctx); - ff_fdctdsp_init(&spp->fdsp, spp->avctx); ff_pixblockdsp_init(&spp->pdsp, spp->avctx); + avcodec_dct_init(spp->dct); spp->store_slice = store_slice_c; switch (spp->mode) { case MODE_HARD: spp->requantize = hardthresh_c; break; @@ -403,6 +403,7 @@ static av_cold void uninit(AVFilterContext *ctx) avcodec_close(spp->avctx); av_freep(&spp->avctx); } + av_freep(&spp->dct); av_freep(&spp->non_b_qp_table); } diff --git a/libavfilter/vf_spp.h b/libavfilter/vf_spp.h index c8eac3caf2..2dcf813ed3 100644 --- a/libavfilter/vf_spp.h +++ b/libavfilter/vf_spp.h @@ -24,8 +24,7 @@ #include "libavcodec/avcodec.h" #include "libavcodec/pixblockdsp.h" -#include "libavcodec/idctdsp.h" -#include "libavcodec/fdctdsp.h" +#include "libavcodec/avdct.h" #include "avfilter.h" #define MAX_LEVEL 6 /* quality levels */ @@ -41,9 +40,8 @@ typedef struct { uint8_t *src; int16_t *temp; AVCodecContext *avctx; - IDCTDSPContext idsp; - FDCTDSPContext fdsp; PixblockDSPContext pdsp; + AVDCT *dct; int8_t *non_b_qp_table; int non_b_qp_alloc_size; int use_bframe_qp; From 65259b4d687a8d5ea8c49463b2a1178dc7fa6ca0 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Fri, 25 Jul 2014 19:07:27 +0200 Subject: [PATCH 012/229] x86: hevc_mc: replace one lea by add Should have been in 036f11bdb565. Signed-off-by: Michael Niedermayer --- libavcodec/x86/hevc_mc.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/hevc_mc.asm b/libavcodec/x86/hevc_mc.asm index 5cf37d0194..d7796ec673 100644 --- a/libavcodec/x86/hevc_mc.asm +++ b/libavcodec/x86/hevc_mc.asm @@ -342,7 +342,7 @@ QPEL_TABLE 10, 4, w, sse4 %macro LOOP_END 4 lea %1q, [%1q+2*%2q] ; dst += dststride - lea %3q, [%3q+ %4q] ; src += srcstride + add %3q, %4q ; src += srcstride dec heightd ; cmp height jnz .loop ; height loop %endmacro From 2f71aeb30161edb5cb0fea5d3080094a22cc3038 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 02:22:11 +0200 Subject: [PATCH 013/229] remove VERSION file it overrides what version.sh prints and thus makes its output from release branches rather useless Signed-off-by: Michael Niedermayer --- VERSION | 1 - 1 file changed, 1 deletion(-) delete mode 100644 VERSION diff --git a/VERSION b/VERSION deleted file mode 100644 index bb576dbde1..0000000000 --- a/VERSION +++ /dev/null @@ -1 +0,0 @@ -2.3 From ee606fd0317df202b59946cf9b738c0a01056316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 02:40:35 +0200 Subject: [PATCH 014/229] version.sh: Print versions based on the last git tag for release branches release branches are detected by checking if "git" is not in RELEASE This changes "N-64706-g2f71aeb" to "n2.3-8-g2f71aeb" for git master theres no change This should improve the readability of lists of versions which come from more than 1 release branch or master + release. fate.ffmpeg.org is one possible example Reviewed-by: Timothy Gu Signed-off-by: Michael Niedermayer --- version.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/version.sh b/version.sh index 92edcb9474..f9754eb3cf 100755 --- a/version.sh +++ b/version.sh @@ -4,7 +4,11 @@ # check for git short hash if ! test "$revision"; then - revision=$(cd "$1" && git describe --tags --match N 2> /dev/null) + if (cd "$1" && grep git RELEASE 2> /dev/null >/dev/null) ; then + revision=$(cd "$1" && git describe --tags --match N 2> /dev/null) + else + revision=$(cd "$1" && git describe --tags --always 2> /dev/null) + fi fi # Shallow Git clones (--depth) do not have the N tag: From ab1ea597bd69d0d13f655c8934e3fa9c772a0a8d Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 15 Jul 2014 15:22:11 -0400 Subject: [PATCH 015/229] g2meet: allow size changes within original sizes (cherry picked from commit 14b4e64eabc84c5a5e57c8ccc56bbeb95380823b) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 60c48c382f..1004e1921e 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -90,6 +90,7 @@ typedef struct G2MContext { int compression; int width, height, bpp; + int orig_width, orig_height; int tile_width, tile_height; int tiles_x, tiles_y, tile_x, tile_y; @@ -712,8 +713,8 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, } c->width = bytestream2_get_be32(&bc); c->height = bytestream2_get_be32(&bc); - if (c->width < 16 || c->width > avctx->width || - c->height < 16 || c->height > avctx->height) { + if (c->width < 16 || c->width > c->orig_width || + c->height < 16 || c->height > c->orig_height) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions %dx%d\n", c->width, c->height); @@ -882,6 +883,10 @@ static av_cold int g2m_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_RGB24; + // store original sizes and check against those if resize happens + c->orig_width = avctx->width; + c->orig_height = avctx->height; + return 0; } From 5411040802ac5009f42e7cff9f40eba0788ee54f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 18:27:17 +0200 Subject: [PATCH 016/229] tests/fate.sh: If cat *.rep fails try it with a for loop. Fixes fate on haiku, where cat dies due to too many arguments xargs could be used too but we do not use xargs currently so it would be an additional dependency. Also the plain cat is left in place as it is faster than the loop Signed-off-by: Michael Niedermayer (cherry picked from commit d554d004a67c30e3f38bec51b2c691cfe3af3bb8) Conflicts: tests/fate.sh --- tests/fate.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/fate.sh b/tests/fate.sh index 38458c748c..ca3caa3b1b 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -82,7 +82,8 @@ clean(){ report(){ date=$(date -u +%Y%m%d%H%M%S) echo "fate:0:${date}:${slot}:${version}:$1:$2:${comment}" >report - cat ${build}/config.fate ${build}/tests/data/fate/*.rep >>report + cat ${build}/config.fate >>report + cat ${build}/tests/data/fate/*.rep >>report || for i in ${build}/tests/data/fate/*.rep ; do cat "$i" >>report ; done test -n "$fate_recv" && $tar report *.log | gzip | $fate_recv } From 6a250c858ebbb9d5111c5b14d8d46d41bd08e218 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 26 Jul 2014 23:29:46 +0200 Subject: [PATCH 017/229] fate: support testing of release branches Adding 'branch=release/2.3' to the fate config file will check the release/2.3 branch instead of master. If no branch is specified it will use 'master' so that existing config are still valid. (cherry picked from commit 42eb9154a83e9a7aedb1168b2f1112af765cf2b5) Conflicts: tests/fate.sh --- tests/fate.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/fate.sh b/tests/fate.sh index ca3caa3b1b..5a78018b42 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -19,6 +19,8 @@ test -n "$slot" || die "slot not specified" test -n "$repo" || die "repo not specified" test -d "$samples" || die "samples location not specified" +: ${branch:=master} + lock(){ lock=$1/fate.lock (set -C; exec >$lock) 2>/dev/null || return @@ -28,14 +30,14 @@ lock(){ checkout(){ case "$repo" in file:*|/*) src="${repo#file:}" ;; - git:*) git clone --quiet "$repo" "$src" ;; + git:*) git clone --quiet --branch "$branch" "$repo" "$src" ;; esac } update()( cd ${src} || return case "$repo" in - git:*) git fetch --force && git reset --hard FETCH_HEAD ;; + git:*) git fetch --force && git reset --hard "origin/$branch" ;; esac ) @@ -82,6 +84,7 @@ clean(){ report(){ date=$(date -u +%Y%m%d%H%M%S) echo "fate:0:${date}:${slot}:${version}:$1:$2:${comment}" >report +# echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report cat ${build}/config.fate >>report cat ${build}/tests/data/fate/*.rep >>report || for i in ${build}/tests/data/fate/*.rep ; do cat "$i" >>report ; done test -n "$fate_recv" && $tar report *.log | gzip | $fate_recv From c61ac696e56acb317ff4165dd0afaa12e9f8afe3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 05:14:39 +0200 Subject: [PATCH 018/229] avcodec/avdct: Add avcodec_dct_get_class() This should have been in the initial commit of AVDCT Signed-off-by: Michael Niedermayer (cherry picked from commit 2f717be22a933fc8f53b2cb2540ffb3358896467) Signed-off-by: Michael Niedermayer --- libavcodec/avdct.c | 5 +++++ libavcodec/avdct.h | 2 ++ 2 files changed, 7 insertions(+) diff --git a/libavcodec/avdct.c b/libavcodec/avdct.c index 720e7720de..58f4974b49 100644 --- a/libavcodec/avdct.c +++ b/libavcodec/avdct.c @@ -70,6 +70,11 @@ static const AVClass avdct_class = { .version = LIBAVUTIL_VERSION_INT, }; +const AVClass *avcodec_dct_get_class(void) +{ + return &avdct_class; +} + AVDCT *avcodec_dct_alloc(void) { AVDCT *dsp = av_mallocz(sizeof(AVDCT)); diff --git a/libavcodec/avdct.h b/libavcodec/avdct.h index 4d691e013d..4c9d00f904 100644 --- a/libavcodec/avdct.h +++ b/libavcodec/avdct.h @@ -73,4 +73,6 @@ typedef struct AVDCT { AVDCT *avcodec_dct_alloc(void); int avcodec_dct_init(AVDCT *); +const AVClass *avcodec_dct_get_class(void); + #endif /* AVCODEC_AVDCT_H */ From ea5bb5613f7f64b7c7865265d8760035434ed56e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 06:16:34 +0200 Subject: [PATCH 019/229] MAINTAINERS: update list of releases i maintain Signed-off-by: Michael Niedermayer (cherry picked from commit 5003b8b9c3bacc4e542c923a7766c2ff46e0b1e8) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 38437725fb..41f40e7709 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -528,8 +528,8 @@ x86 Michael Niedermayer Releases ======== +2.3 Michael Niedermayer 2.2 Michael Niedermayer -2.1 Michael Niedermayer 1.2 Michael Niedermayer If you want to maintain an older release, please contact us From de9d3f22f06edcda10903083d687ddcc039e8146 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 20:06:11 +0200 Subject: [PATCH 020/229] avdevice/pulse_audio_enc: use getter function for AVFrame.channels This is required by the API/ABI for things outside libavutil Signed-off-by: Michael Niedermayer (cherry picked from commit 1e51af13c7538f427e8a0cf0e498263de674c70e) Signed-off-by: Michael Niedermayer --- libavdevice/pulse_audio_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/pulse_audio_enc.c b/libavdevice/pulse_audio_enc.c index b07d4c0c84..bc4d1f0516 100644 --- a/libavdevice/pulse_audio_enc.c +++ b/libavdevice/pulse_audio_enc.c @@ -681,7 +681,7 @@ static int pulse_write_frame(AVFormatContext *h, int stream_index, AVERROR(EINVAL) : 0; pkt.data = (*frame)->data[0]; - pkt.size = (*frame)->nb_samples * av_get_bytes_per_sample((*frame)->format) * (*frame)->channels; + pkt.size = (*frame)->nb_samples * av_get_bytes_per_sample((*frame)->format) * av_frame_get_channels(*frame); pkt.dts = (*frame)->pkt_dts; pkt.duration = av_frame_get_pkt_duration(*frame); return pulse_write_packet(h, &pkt); From 64bbbcd7b076c2b4c87e728c2b723c6906079ed5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jul 2014 23:14:25 +0200 Subject: [PATCH 021/229] update for FFmpeg 2.3.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index bb576dbde1..2bf1c1ccf3 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3 +2.3.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 7b2a785ae4..e707528349 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.3 +PROJECT_NUMBER = 2.3.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 1f58590e1e1793133b4558d475a26497d5400373 Mon Sep 17 00:00:00 2001 From: Gerion Entrup Date: Wed, 30 Jul 2014 01:53:32 +0200 Subject: [PATCH 022/229] doc: add very basic libcdio documentation Signed-off-by: Michael Niedermayer (cherry picked from commit dc315cdb4ecffb7ec4d3496f1d0c8d0c123f0a7b) Signed-off-by: Michael Niedermayer --- doc/indevs.texi | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/indevs.texi b/doc/indevs.texi index 4205808776..5cac07f16f 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -483,6 +483,21 @@ ffplay -f lavfi "movie=test.avi[out0];amovie=test.wav[out1]" @end itemize +@section libcdio + +Audio-CD input device based on cdio. + +To enable this input device during configuration you need libcdio +installed on your system. + +This device allows playing and grabbing from an Audio-CD. + +For example to copy with @command{ffmpeg} the entire Audio-CD in /dev/sr0, +you may run the command: +@example +ffmpeg -f libcdio -i /dev/sr0 cd.wav +@end example + @section libdc1394 IIDC1394 input device, based on libdc1394 and libraw1394. From 7c2d152f562ab089ecf8262438e2f8e9cb9c546f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Jul 2014 03:11:40 +0200 Subject: [PATCH 023/229] Changelog: highlighting for 2.3.1 Suggested-by: Timothy Gu Signed-off-by: Michael Niedermayer --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index 07cf1cf7af..2faa83fa32 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.3.1: +- public AVDCT API/ABI for DCT functions +- g2meet: allow size changes within original sizes +- dv: improved error resilience, fixing Ticket2340 and Ticket2341 + version 2.3: - AC3 fixed-point decoding - shuffleplanes filter From 6d2219e9f950b96279fd8464cc11c4d02518b629 Mon Sep 17 00:00:00 2001 From: "Chris \\\"Koying\\\" Browet" Date: Sat, 26 Jul 2014 09:15:57 +0200 Subject: [PATCH 024/229] avcodec/h264_mp4toannexb_bsf: fix issue when sps/pps are already in the bistream (cherry picked from commit ad91bf854b559f1afc42fc06f8a7dfbb75def5c8) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mp4toannexb_bsf.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 0f142bb2ad..a7b4f4158e 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -28,6 +28,7 @@ typedef struct H264BSFContext { uint8_t length_size; uint8_t first_idr; + uint8_t idr_sps_pps_seen; int extradata_parsed; } H264BSFContext; @@ -155,6 +156,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, return ret; ctx->length_size = ret; ctx->first_idr = 1; + ctx->idr_sps_pps_seen = 0; ctx->extradata_parsed = 1; } @@ -174,8 +176,12 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, if (buf + nal_size > buf_end || nal_size < 0) goto fail; - /* prepend only to the first type 5 NAL unit of an IDR picture */ - if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) { + if (ctx->first_idr && (unit_type == 7 || unit_type == 8)) + ctx->idr_sps_pps_seen = 1; + + + /* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */ + if (ctx->first_idr && unit_type == 5 && !ctx->idr_sps_pps_seen) { if ((ret=alloc_and_copy(poutbuf, poutbuf_size, avctx->extradata, avctx->extradata_size, buf, nal_size)) < 0) @@ -185,8 +191,10 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, if ((ret=alloc_and_copy(poutbuf, poutbuf_size, NULL, 0, buf, nal_size)) < 0) goto fail; - if (!ctx->first_idr && unit_type == 1) + if (!ctx->first_idr && unit_type == 1) { ctx->first_idr = 1; + ctx->idr_sps_pps_seen = 0; + } } buf += nal_size; From 7a1262fca37d16b0de5dfc34937b193a2ede8872 Mon Sep 17 00:00:00 2001 From: Benoit Fouet Date: Thu, 31 Jul 2014 15:32:14 +0200 Subject: [PATCH 025/229] h264_mp4toannexb_bsf: account for consecutive IDR pictures. If there are consecutive IDR pictures, then SPS/PPS should be prepended to all of them, not only the first one. Signed-off-by: Michael Niedermayer (cherry picked from commit bf428bb3145c4f0eef32f8ef00de0ee222b3e414) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mp4toannexb_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index a7b4f4158e..a003a1df1d 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -179,6 +179,11 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, if (ctx->first_idr && (unit_type == 7 || unit_type == 8)) ctx->idr_sps_pps_seen = 1; + /* if this is a new IDR picture following an IDR picture, reset the idr flag. + * Just check first_mb_in_slice to be 0 as this is the simplest solution. + * This could be checking idr_pic_id instead, but would complexify the parsing. */ + if (!ctx->first_idr && unit_type == 5 && (buf[1] & 0x80)) + ctx->first_idr = 1; /* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */ if (ctx->first_idr && unit_type == 5 && !ctx->idr_sps_pps_seen) { From 594b1fa9615f9226722956ef0b49ba697241befb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Jul 2014 16:25:21 +0200 Subject: [PATCH 026/229] libavcodec/h264_parser: Increase parse_history, fix huge resolutions Signed-off-by: Michael Niedermayer (cherry picked from commit 0782fb6bcb32fe3ab956a99af4cc472ff81da0c2) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 2 +- libavcodec/h264_parser.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 228558b6f4..7a6a652d07 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -749,7 +749,7 @@ typedef struct H264Context { int16_t slice_row[MAX_SLICES]; ///< to detect when MAX_SLICES is too low - uint8_t parse_history[4]; + uint8_t parse_history[6]; int parse_history_count; int parse_last_mb; uint8_t *edge_emu_buffer; diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index ea0ab98034..a075bfa987 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -92,7 +92,7 @@ static int h264_find_frame_end(H264Context *h, const uint8_t *buf, state = 7; } else { h->parse_history[h->parse_history_count++]= buf[i]; - if (h->parse_history_count>3) { + if (h->parse_history_count>5) { unsigned int mb, last_mb= h->parse_last_mb; GetBitContext gb; @@ -120,7 +120,7 @@ found: pc->frame_start_found = 0; if (h->is_avc) return next_avc; - return i - (state & 5) - 3 * (state > 7); + return i - (state & 5) - 5 * (state > 7); } static int scan_mmco_reset(AVCodecParserContext *s) From 3ed27832e7b05745822781603fa6978aff6be24c Mon Sep 17 00:00:00 2001 From: Anshul Maheswhwari Date: Thu, 31 Jul 2014 20:59:59 +0530 Subject: [PATCH 027/229] v4l2enc: adding AVClass Signed-off-by: Michael Niedermayer (cherry picked from commit fcb11ec291e9b3e3f352fa4d3e9026c0f7f64aa8) Signed-off-by: Michael Niedermayer --- libavdevice/v4l2enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/v4l2enc.c b/libavdevice/v4l2enc.c index efe08b589e..c9f8d92d2b 100644 --- a/libavdevice/v4l2enc.c +++ b/libavdevice/v4l2enc.c @@ -22,6 +22,7 @@ #include "avdevice.h" typedef struct { + AVClass *class; int fd; } V4L2Context; From d6173ae341fabacf05608ceb7470d24befdbdc68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Aug 2014 21:10:43 +0200 Subject: [PATCH 028/229] avcodec/mpeg12dec: fix support for interlaced mpeg2 with missing last slice Fixes Ticket3809 Signed-off-by: Michael Niedermayer (cherry picked from commit f95298c913899207344d668a6d5624cb2d2e480c) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index fcc1d4c48b..0eecb7d1f7 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1884,6 +1884,14 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, } else goto eos; } + if (s->mb_y >= ((s->height + 15) >> 4) && + s->progressive_frame && + !s->progressive_sequence && + get_bits_left(&s->gb) <= 8 && + get_bits_left(&s->gb) >= 0 && + s->mb_skip_run == -1 && + show_bits(&s->gb, 8) == 0) + goto eos; ff_init_block_index(s); } From aa0a8ef50e88e89a5c50dbf7ffc448a1a4315759 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 00:27:23 +0200 Subject: [PATCH 029/229] avcodec/dvdsub_parser: never return 0 when the input isnt 0 Fixes a infinite loop Fixes Ticket3804 Signed-off-by: Michael Niedermayer (cherry picked from commit cfdb30d2f1241de9354a8efdbf8252d0f1a6f933) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index e50c3396e4..9a6457e8b4 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -46,7 +46,7 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_index == 0) { if (buf_size < 2) - return 0; + return buf_size; pc->packet_len = AV_RB16(buf); if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); From 76d59f1b34bbee44a98ae8683bcc3780321d8184 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 01:15:37 +0200 Subject: [PATCH 030/229] avcodec/dvdsub_parser: Check buf_size before reading 32bit packet size Signed-off-by: Michael Niedermayer (cherry picked from commit 81c1657a593b1c0f8e46fca00ead1d30ee1cd418) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 9a6457e8b4..07ed4f72fc 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -45,8 +45,9 @@ static int dvdsub_parse(AVCodecParserContext *s, DVDSubParseContext *pc = s->priv_data; if (pc->packet_index == 0) { - if (buf_size < 2) + if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { return buf_size; + } pc->packet_len = AV_RB16(buf); if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); From 638c3aca645a4834e880e311f73388cdfeb6ad76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 01:16:14 +0200 Subject: [PATCH 031/229] avcodec/dvdsub_parser: print message if packet is smaller than the packet size field Signed-off-by: Michael Niedermayer (cherry picked from commit bcc898dd2643c883522ffa565be4b226ce798c78) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 07ed4f72fc..32a945ed65 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -46,6 +46,8 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { + if (buf_size) + av_log(avctx, AV_LOG_DEBUG, "Parser input %d too small\n", buf_size); return buf_size; } pc->packet_len = AV_RB16(buf); From 2eb72d5bdcd5d06a2440bdfb411583362745b5ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 03:29:42 +0200 Subject: [PATCH 032/229] ffmpeg_opt: Use av_guess_codec() instead of AVOutputFormat->*codec Fixes part of ticket2236 Signed-off-by: Michael Niedermayer (cherry picked from commit 956f4087c6eb717e31f3b92fe03fd56a3747eccf) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index ab13d3cf16..a825062a7d 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -1828,7 +1828,7 @@ static int open_output_file(OptionsContext *o, const char *filename) /* pick the "best" stream of each type */ /* video: highest resolution */ - if (!o->video_disable && oc->oformat->video_codec != AV_CODEC_ID_NONE) { + if (!o->video_disable && av_guess_codec(oc->oformat, NULL, filename, NULL, AVMEDIA_TYPE_VIDEO) != AV_CODEC_ID_NONE) { int area = 0, idx = -1; int qcr = avformat_query_codec(oc->oformat, oc->oformat->video_codec, 0); for (i = 0; i < nb_input_streams; i++) { @@ -1850,7 +1850,7 @@ static int open_output_file(OptionsContext *o, const char *filename) } /* audio: most channels */ - if (!o->audio_disable && oc->oformat->audio_codec != AV_CODEC_ID_NONE) { + if (!o->audio_disable && av_guess_codec(oc->oformat, NULL, filename, NULL, AVMEDIA_TYPE_AUDIO) != AV_CODEC_ID_NONE) { int channels = 0, idx = -1; for (i = 0; i < nb_input_streams; i++) { ist = input_streams[i]; From b63ec0cb0fb5998584337f9f11bf74ac27f23921 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 22:30:03 +0200 Subject: [PATCH 033/229] avformat/tee: flip assigment direction Found-by: CSA Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 2e6fdcb7f3c86491408a3699f0aa9dc52b7c5686) Signed-off-by: Michael Niedermayer --- libavformat/tee.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tee.c b/libavformat/tee.c index f26e15742a..681f94330a 100644 --- a/libavformat/tee.c +++ b/libavformat/tee.c @@ -467,7 +467,7 @@ static int tee_write_packet(AVFormatContext *avf, AVPacket *pkt) if ((ret = av_copy_packet(&pkt2, pkt)) < 0 || (ret = av_dup_packet(&pkt2))< 0) if (!ret_all) { - ret = ret_all; + ret_all = ret; continue; } tb = avf ->streams[s ]->time_base; From fdfe94f4b16f70b6ca38dfd184795269906e9cf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 18:15:12 +0200 Subject: [PATCH 034/229] avcodec/wavpackenc: Fix log2sample() result value Found-by: CSA Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e706fe764049b3f1ccf10ba9f686426a4c007906) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 66ebf2fa3c..5b8973c5c7 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -638,7 +638,7 @@ static uint32_t log2sample(uint32_t v, int limit, uint32_t *result) if ((v += v >> 9) < (1 << 8)) { dbits = nbits_table[v]; - result += (dbits << 8) + wp_log2_table[(v << (9 - dbits)) & 0xff]; + *result += (dbits << 8) + wp_log2_table[(v << (9 - dbits)) & 0xff]; } else { if (v < (1L << 16)) dbits = nbits_table[v >> 8] + 8; @@ -647,7 +647,7 @@ static uint32_t log2sample(uint32_t v, int limit, uint32_t *result) else dbits = nbits_table[v >> 24] + 24; - result += dbits = (dbits << 8) + wp_log2_table[(v >> (dbits - 9)) & 0xff]; + *result += dbits = (dbits << 8) + wp_log2_table[(v >> (dbits - 9)) & 0xff]; if (limit && dbits >= limit) return 1; From 7a6b5d7a867ee2e9bab9f4cd7456085cc5833435 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 14:03:30 +0200 Subject: [PATCH 035/229] ffserver: initialize pbuffer in prepare_sdp_description() also check pbuffer before use Found-by: CSA Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 1d8d21b90ab91aa471f369e0f9d1ea20fb40733b) Signed-off-by: Michael Niedermayer --- ffserver.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ffserver.c b/ffserver.c index 08f7878541..fa04a54550 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2977,6 +2977,8 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer, AVDictionaryEntry *entry = av_dict_get(stream->metadata, "title", NULL, 0); int i; + *pbuffer = NULL; + avc = avformat_alloc_context(); if (avc == NULL || !rtp_format) { return -1; @@ -3013,7 +3015,7 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer, av_free(avc); av_free(avs); - return strlen(*pbuffer); + return *pbuffer ? strlen(*pbuffer) : AVERROR(ENOMEM); } static void rtsp_cmd_options(HTTPContext *c, const char *url) From 901e275697dee8a1512540d6d653e38a16103bfa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Aug 2014 13:59:18 +0200 Subject: [PATCH 036/229] avutil/cpu: add aarch64 entries to 2nd table Signed-off-by: Michael Niedermayer (cherry picked from commit efc4fe9d74a5040e465dbff80b29468dbc227c19) Signed-off-by: Michael Niedermayer --- libavutil/cpu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/cpu.c b/libavutil/cpu.c index 2d402117d0..e9bfb583c8 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -225,6 +225,10 @@ int av_parse_cpu_caps(unsigned *flags, const char *s) { "vfp", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = AV_CPU_FLAG_VFP }, .unit = "flags" }, { "vfpv3", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = AV_CPU_FLAG_VFPV3 }, .unit = "flags" }, { "neon", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = AV_CPU_FLAG_NEON }, .unit = "flags" }, +#elif ARCH_AARCH64 + { "armv8", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = AV_CPU_FLAG_ARMV8 }, .unit = "flags" }, + { "neon", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = AV_CPU_FLAG_NEON }, .unit = "flags" }, + { "vfp", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = AV_CPU_FLAG_VFP }, .unit = "flags" }, #endif { NULL }, }; From a72b7286e6db0f5ffac386bb13fe6efe55fb0b12 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Aug 2014 10:56:34 +0000 Subject: [PATCH 037/229] cdgraphics: do not return 0 from the decode function 0 means no data consumed, so it can trigger an infinite loop in the caller. CC:libav-stable@libav.org (cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index b7a8fa7ba2..3c07fc726e 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -353,10 +353,9 @@ static int cdg_decode_frame(AVCodecContext *avctx, *got_frame = 1; } else { *got_frame = 0; - buf_size = 0; } - return buf_size; + return avpkt->size; } static av_cold int cdg_decode_end(AVCodecContext *avctx) From 69281934935e0b93e20fa905c1cdbc5a1b24fd2a Mon Sep 17 00:00:00 2001 From: Felix Abecassis Date: Thu, 7 Aug 2014 11:42:36 +0200 Subject: [PATCH 038/229] h264: fix interpretation of interleved stereo modes Column and row frame packing arrangements were inverted. Signed-off-by: Vittorio Giovara (cherry picked from commit a7e541c9926d531a100ba0d36f4e56956dd84651) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- libavcodec/libx264.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1d919872fe..f110a67cb5 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -841,10 +841,10 @@ static void decode_postinit(H264Context *h, int setup_finished) stereo->type = AV_STEREO3D_CHECKERBOARD; break; case 1: - stereo->type = AV_STEREO3D_LINES; + stereo->type = AV_STEREO3D_COLUMNS; break; case 2: - stereo->type = AV_STEREO3D_COLUMNS; + stereo->type = AV_STEREO3D_LINES; break; case 3: if (h->quincunx_subsampling) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index edf6fc6130..ab3d59a272 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -236,10 +236,10 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, case AV_STEREO3D_CHECKERBOARD: fpa_type = 0; break; - case AV_STEREO3D_LINES: + case AV_STEREO3D_COLUMNS: fpa_type = 1; break; - case AV_STEREO3D_COLUMNS: + case AV_STEREO3D_LINES: fpa_type = 2; break; case AV_STEREO3D_SIDEBYSIDE: From ed15be7519af8aa68bdf58ccdf39915b560d11a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Aug 2014 04:49:09 +0200 Subject: [PATCH 039/229] avformat/matroskaenc: fix MAX_CUEPOINT_SIZE calculation Fixes assertion failure Fixes Ticket3822 as a side-effect this makes some mkv files a few bytes smaller Signed-off-by: Michael Niedermayer (cherry picked from commit 64d029de41ed556b765df50c7080b06fd5a86417) Signed-off-by: Michael Niedermayer --- libavformat/matroskaenc.c | 15 ++++++++++++++- tests/ref/lavf/mkv | 4 ++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 92d091f7cf..fc9c72852a 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -445,8 +445,21 @@ static int64_t mkv_write_cues(AVFormatContext *s, mkv_cues *cues, mkv_track *tra ebml_master cuepoint, track_positions; mkv_cuepoint *entry = &cues->entries[i]; uint64_t pts = entry->pts; + int ctp_nb = 0; - cuepoint = start_ebml_master(pb, MATROSKA_ID_POINTENTRY, MAX_CUEPOINT_SIZE(num_tracks)); + // Calculate the number of entries, so we know the element size + for (j = 0; j < num_tracks; j++) + tracks[j].has_cue = 0; + for (j = 0; j < cues->num_entries - i && entry[j].pts == pts; j++) { + int tracknum = entry[j].stream_idx; + av_assert0(tracknum>=0 && tracknumstreams[tracknum]->codec->codec_type != AVMEDIA_TYPE_SUBTITLE) + continue; + tracks[tracknum].has_cue = 1; + ctp_nb ++; + } + + cuepoint = start_ebml_master(pb, MATROSKA_ID_POINTENTRY, MAX_CUEPOINT_SIZE(ctp_nb)); put_ebml_uint(pb, MATROSKA_ID_CUETIME, pts); // put all the entries from different tracks that have the exact same diff --git a/tests/ref/lavf/mkv b/tests/ref/lavf/mkv index 97c9864bba..edbfe60a00 100644 --- a/tests/ref/lavf/mkv +++ b/tests/ref/lavf/mkv @@ -1,5 +1,5 @@ -bda342503392d517955e1112def7b03a *./tests/data/lavf/lavf.mkv -472671 ./tests/data/lavf/lavf.mkv +bab98f5a04a9f7991fb960041c996478 *./tests/data/lavf/lavf.mkv +472668 ./tests/data/lavf/lavf.mkv ./tests/data/lavf/lavf.mkv CRC=0xec6c3c68 c93950920d4ee57eb3ff5ba0cf0c8b19 *./tests/data/lavf/lavf.mkv 320412 ./tests/data/lavf/lavf.mkv From 83956309cc16b47fbf8548e8c5bcf67b8cd4b65f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Aug 2014 21:59:33 +0200 Subject: [PATCH 040/229] avcodec/iff: check pixfmt for rgb8 / rgbn Fixes out of array access Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 3539d6c63a16e1b2874bb037a86f317449c58770) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index f08a0f70ce..d93015c0c3 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -847,9 +847,9 @@ static int decode_frame(AVCodecContext *avctx, break; case 4: bytestream2_init(&gb, buf, buf_size); - if (avctx->codec_tag == MKTAG('R', 'G', 'B', '8')) + if (avctx->codec_tag == MKTAG('R', 'G', 'B', '8') && avctx->pix_fmt == AV_PIX_FMT_RGB32) decode_rgb8(&gb, s->frame->data[0], avctx->width, avctx->height, s->frame->linesize[0]); - else if (avctx->codec_tag == MKTAG('R', 'G', 'B', 'N')) + else if (avctx->codec_tag == MKTAG('R', 'G', 'B', 'N') && avctx->pix_fmt == AV_PIX_FMT_RGB444) decode_rgbn(&gb, s->frame->data[0], avctx->width, avctx->height, s->frame->linesize[0]); else return unsupported(avctx); From fc57959fd57dadfc9525f8b3e7acd2ed458185d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Aug 2014 21:53:39 +0200 Subject: [PATCH 041/229] avcodec/iff: Factorize av_pix_fmt_desc_get() out Signed-off-by: Michael Niedermayer (cherry picked from commit 9bcdb98839f3d883867d87c6425e67ed7bcc7149) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index d93015c0c3..ce06b365fc 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -677,11 +677,15 @@ static int decode_frame(AVCodecContext *avctx, const uint8_t *buf_end = buf + buf_size; int y, plane, res; GetByteContext gb; + const AVPixFmtDescriptor *desc; if ((res = extract_header(avctx, avpkt)) < 0) return res; if ((res = ff_reget_buffer(avctx, s->frame)) < 0) return res; + + desc = av_pix_fmt_desc_get(avctx->pix_fmt); + if (!s->init && avctx->bits_per_coded_sample <= 8 && avctx->pix_fmt == AV_PIX_FMT_PAL8) { if ((res = cmap_read_palette(avctx, (uint32_t *)s->frame->data[1])) < 0) @@ -721,7 +725,6 @@ static int decode_frame(AVCodecContext *avctx, } else return unsupported(avctx); } else if (avctx->codec_tag == MKTAG('D', 'E', 'E', 'P')) { - const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); int raw_width = avctx->width * (av_get_bits_per_pixel(desc) >> 3); int x; for (y = 0; y < avctx->height && buf < buf_end; y++) { @@ -838,7 +841,6 @@ static int decode_frame(AVCodecContext *avctx, } else return unsupported(avctx); } else if (avctx->codec_tag == MKTAG('D', 'E', 'E', 'P')) { // IFF-DEEP - const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if (av_get_bits_per_pixel(desc) == 32) decode_deep_rle32(s->frame->data[0], buf, buf_size, avctx->width, avctx->height, s->frame->linesize[0]); else @@ -856,7 +858,6 @@ static int decode_frame(AVCodecContext *avctx, break; case 5: if (avctx->codec_tag == MKTAG('D', 'E', 'E', 'P')) { - const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if (av_get_bits_per_pixel(desc) == 32) decode_deep_tvdc32(s->frame->data[0], buf, buf_size, avctx->width, avctx->height, s->frame->linesize[0], s->tvdc); else From c5129da726bb8e2dde610799053736b828989864 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Aug 2014 22:38:39 +0200 Subject: [PATCH 042/229] update for FFmpeg 2.3.2 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 2bf1c1ccf3..f90b1afc08 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.1 +2.3.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index e707528349..13593d849c 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.3.1 +PROJECT_NUMBER = 2.3.2 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From a1fe3b41507300dbaa9a082eb43155f07fcf5124 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Aug 2014 02:16:43 +0200 Subject: [PATCH 043/229] avcodec/vc1dec: do not crash when flushing without an allocated frame Fixes Ticket3837 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 6801eb0a0981f113f5f09ed4799d9ae805af62a3) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 06deb7fad6..a73d6150b4 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5514,7 +5514,7 @@ static void vc1_sprite_flush(AVCodecContext *avctx) Since we can't enforce it, clear to black the missing sprite. This is wrong but it looks better than doing nothing. */ - if (f->data[0]) + if (f && f->data[0]) for (plane = 0; plane < (s->flags&CODEC_FLAG_GRAY ? 1 : 3); plane++) for (i = 0; i < v->sprite_height>>!!plane; i++) memset(f->data[plane] + i * f->linesize[plane], From 6badd558ce19dffe8c3ea3e687812b933e0cb2ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Aug 2014 15:15:19 +0200 Subject: [PATCH 044/229] avcodec/get_bits: add BITS_LEFT() for finding the bits left with an opened reader Signed-off-by: Michael Niedermayer (cherry picked from commit 11512d70facf42fb490168d33a5986448cf36074) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index d8d7b6ea08..d67263c619 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -113,6 +113,9 @@ typedef struct RL_VLC_ELEM { * LAST_SKIP_BITS(name, gb, num) * Like SKIP_BITS, to be used if next call is UPDATE_CACHE or CLOSE_READER. * + * BITS_LEFT(name, gb) + * Return the number of bits left + * * For examples see get_bits, show_bits, skip_bits, get_vlc. */ @@ -179,6 +182,8 @@ typedef struct RL_VLC_ELEM { name ## _index = FFMIN(name ## _size_plus8, name ## _index + (num)) #endif +#define BITS_LEFT(name, gb) ((int)((gb)->size_in_bits - name ## _index)) + #define SKIP_BITS(name, gb, num) \ do { \ SKIP_CACHE(name, gb, num); \ From dbf5d7e5cd16d4f02b57c24922b1f77755c0427b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Aug 2014 15:16:29 +0200 Subject: [PATCH 045/229] avcodec/huffyuvdec: fix overread checks Fixes: ffvhuff_f.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit ba47d519e537299179d20b9a599c5824589a3f7a) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 74872d2caa..662095f909 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -625,9 +625,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) READ_2PIX(s->temp[0][2 * i ], s->temp[1][i], 1); READ_2PIX(s->temp[0][2 * i + 1], s->temp[2][i], 2); } - for (; i < count && get_bits_left(&s->gb) > 0; i++) { + for (; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i ], s->temp[1][i], 1); - if (get_bits_left(&s->gb) <= 0) break; + if (BITS_LEFT(re, &s->gb) <= 0) break; READ_2PIX(s->temp[0][2 * i + 1], s->temp[2][i], 2); } for (; i < count; i++) @@ -666,7 +666,7 @@ static void decode_plane_bitstream(HYuvContext *s, int count, int plane) if (s->bps <= 8) { OPEN_READER(re, &s->gb); if (count >= (get_bits_left(&s->gb)) / (32 * 2)) { - for (i = 0; i < count && get_bits_left(&s->gb) > 0; i++) { + for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX_PLANE(s->temp[0][2 * i], s->temp[0][2 * i + 1], plane, OP8bits); } } else { @@ -678,7 +678,7 @@ static void decode_plane_bitstream(HYuvContext *s, int count, int plane) } else if (s->bps <= 14) { OPEN_READER(re, &s->gb); if (count >= (get_bits_left(&s->gb)) / (32 * 2)) { - for (i = 0; i < count && get_bits_left(&s->gb) > 0; i++) { + for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX_PLANE(s->temp16[0][2 * i], s->temp16[0][2 * i + 1], plane, OP14bits); } } else { @@ -707,7 +707,7 @@ static void decode_gray_bitstream(HYuvContext *s, int count) count/=2; if (count >= (get_bits_left(&s->gb)) / (32 * 2)) { - for (i = 0; i < count && get_bits_left(&s->gb) > 0; i++) { + for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } } else { @@ -724,7 +724,7 @@ static av_always_inline void decode_bgr_1(HYuvContext *s, int count, int i; OPEN_READER(re, &s->gb); - for (i = 0; i < count && get_bits_left(&s->gb) > 0; i++) { + for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { unsigned int index; int code, n; From 11420649d021e35a2b037cf156d8256a0c64c484 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Aug 2014 15:36:22 +0200 Subject: [PATCH 046/229] avcodec/snow: fix null pointer dereference in cleanup after allocation failure Fixes: snowf.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 9a162146ca6cc12ef7ad4a15164349482885962c) Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 711d1a4f08..f7629c59d3 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -713,7 +713,7 @@ av_cold void ff_snow_common_end(SnowContext *s) for(i=0; iref_mvs[i]); av_freep(&s->ref_scores[i]); - if(s->last_picture[i]->data[0]) { + if(s->last_picture[i] && s->last_picture[i]->data[0]) { av_assert0(s->last_picture[i]->data[0] != s->current_picture->data[0]); } av_frame_free(&s->last_picture[i]); From b88de7b31a4a5c35d10b1392d2d86d93fc942b4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Aug 2014 17:06:48 +0200 Subject: [PATCH 047/229] Changelog: update for 2.3.2 Signed-off-by: Michael Niedermayer --- Changelog | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog b/Changelog index 2faa83fa32..57dbfbe3f9 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,19 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.3.2: +- snow: fix null pointer dereference +- huffyucdec: fix overread +- vc1dec: fix crash +- iff: fix out of array access +- matroskaenc: fix assertion failure +- cdgraphics: fix infinite loop +- dvdsub_parser: fix infinite loop +- mpeg12dec: support decoding some broken files +- v4l2enc: fix crash +- h264_parser: fix handling huge resolutions +- h264_mp4toannexb_bsf: multiple bugfixes + version 2.3.1: - public AVDCT API/ABI for DCT functions - g2meet: allow size changes within original sizes From 9794727ccd24c36529df1a2bb5775dcd95ed76a7 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 22:06:07 +0000 Subject: [PATCH 048/229] proresenc_kostya: remove unneeded parameters Signed-off-by: Michael Niedermayer (cherry picked from commit bf10f09bccdcfdb41b9f5bbae01d55961bfd0693) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 93bcde727d..24cb333091 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -471,7 +471,6 @@ static void put_alpha_run(PutBitContext *pb, int run) // todo alpha quantisation for high quants static int encode_alpha_plane(ProresContext *ctx, PutBitContext *pb, - const uint16_t *src, int linesize, int mbs_per_slice, uint16_t *blocks, int quant) { @@ -566,7 +565,7 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, get_alpha_data(ctx, src, linesize, xp, yp, pwidth, avctx->height / ctx->pictures_per_frame, ctx->blocks[0], mbs_per_slice, ctx->alpha_bits); - sizes[i] = encode_alpha_plane(ctx, pb, src, linesize, + sizes[i] = encode_alpha_plane(ctx, pb, mbs_per_slice, ctx->blocks[0], quant); } From 60bfa9154d0084bc8b007b984051a6bb82d9652c Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 22:06:08 +0000 Subject: [PATCH 049/229] proresenc_kostya: report buffer overflow If the allocated size, despite best efforts, is too small, exit with the appropriate error. Signed-off-by: Michael Niedermayer (cherry picked from commit 52b81ff4635c077b2bc8b8d3637d933b6629d803) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 24cb333091..a70ae3cbc7 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -570,6 +570,11 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, quant); } total_size += sizes[i]; + if (put_bits_left(pb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Serious underevaluation of" + "required buffer size"); + return AVERROR_BUFFER_TOO_SMALL; + } } return total_size; } @@ -940,9 +945,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; avctx->coded_frame->key_frame = 1; - pkt_size = ctx->frame_size_upper_bound + FF_MIN_BUFFER_SIZE; + pkt_size = ctx->frame_size_upper_bound; - if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size + FF_MIN_BUFFER_SIZE)) < 0) return ret; orig_buf = pkt->data; @@ -1019,7 +1024,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, slice_hdr = buf; buf += slice_hdr_size - 1; init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); - encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); + ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); + if (ret < 0) + return ret; bytestream_put_byte(&slice_hdr, q); slice_size = slice_hdr_size + sizes[ctx->num_planes - 1]; From 59d98fc05078b7cb89b871dba84fce01c4e31067 Mon Sep 17 00:00:00 2001 From: Justin Jacobs Date: Wed, 6 Aug 2014 20:04:38 -0400 Subject: [PATCH 050/229] avformat/matroskadec: Check avpriv_new_chapter() for failure Fixes null pointer dereference Signed-off-by: Michael Niedermayer (cherry picked from commit 87dc8b3af9135f0cfcdf3c0520e3f29e7b0d92c6) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ec43526727..fdfba57d92 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2161,8 +2161,10 @@ static int matroska_read_header(AVFormatContext *s) (AVRational) { 1, 1000000000 }, chapters[i].start, chapters[i].end, chapters[i].title); - av_dict_set(&chapters[i].chapter->metadata, - "title", chapters[i].title, 0); + if (chapters[i].chapter) { + av_dict_set(&chapters[i].chapter->metadata, + "title", chapters[i].title, 0); + } max_start = chapters[i].start; } From 35738e589847ab958f209a44f818f4746d28c7f2 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 19:43:27 +0200 Subject: [PATCH 051/229] proresenc_kostya: properly account for alpha The packet buffer allocation considered as dct-coded, while it is actually run-coded and thus requires a larger buffer. Signed-off-by: Michael Niedermayer (cherry picked from commit 117bc8e6ffc744fedcf77edf2fdb33c964b83370) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index a70ae3cbc7..c3c2363109 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -1208,8 +1208,6 @@ static av_cold int encode_init(AVCodecContext *avctx) ctx->bits_per_mb = ls * 8; if (ctx->chroma_factor == CFACTOR_Y444) ctx->bits_per_mb += ls * 4; - if (ctx->num_planes == 4) - ctx->bits_per_mb += ls * 4; } ctx->frame_size_upper_bound = ctx->pictures_per_frame * @@ -1218,6 +1216,14 @@ static av_cold int encode_init(AVCodecContext *avctx) (mps * ctx->bits_per_mb) / 8) + 200; + if (ctx->alpha_bits) { + // alpha plane is run-coded and might run over bit budget + ctx->frame_size_upper_bound += ctx->pictures_per_frame * + ctx->slices_per_picture * + /* num pixels per slice */ (ctx->mbs_per_slice * 256 * + /* bits per pixel */ (1 + ctx->alpha_bits + 1) + 7 >> 3); + } + avctx->codec_tag = ctx->profile_info->tag; av_log(avctx, AV_LOG_DEBUG, From 10c2d22ba19565ef65f6fd9cf6c8a931339470d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Aug 2014 16:19:53 +0200 Subject: [PATCH 052/229] avcodec/mjpegdec: Support AV_PIX_FMT_YUV420P16 with upscale_h Fixes assertion failure Fixes: test42f.jpg Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 5c7899a4834ee927f5629e4c02bfa225b846f016) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 1a774ddc61..19fd9293a7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1894,6 +1894,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int start_code; int i, index; int ret = 0; + int is16bit; av_dict_free(&s->exif_metadata); av_freep(&s->stereo3d); @@ -2072,6 +2073,9 @@ fail: s->got_picture = 0; return ret; the_end: + + is16bit = av_pix_fmt_desc_get(s->avctx->pix_fmt)->comp[0].step_minus1; + if (s->upscale_h) { int p; av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVJ444P || @@ -2081,6 +2085,7 @@ the_end: avctx->pix_fmt == AV_PIX_FMT_YUVA444P || avctx->pix_fmt == AV_PIX_FMT_YUVJ420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P || + avctx->pix_fmt == AV_PIX_FMT_YUV420P16|| avctx->pix_fmt == AV_PIX_FMT_GBRAP ); avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); @@ -2092,8 +2097,12 @@ the_end: if (p==1 || p==2) w >>= hshift; for (i = 0; i < s->chroma_height; i++) { - for (index = w - 1; index; index--) - line[index] = (line[index / 2] + line[(index + 1) / 2]) >> 1; + for (index = w - 1; index; index--) { + if (is16bit) + ((uint16_t*)line)[index] = (((uint16_t*)line)[index / 2] + ((uint16_t*)line)[(index + 1) / 2]) >> 1; + else + line[index] = (line[index / 2] + line[(index + 1) / 2]) >> 1; + } line += s->linesize[p]; } } From 4f187f0af13bf4ff4d4b9c8081ce0ef73ad91345 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Aug 2014 23:07:28 +0200 Subject: [PATCH 053/229] avformat/mpegts: Use differential score for analyze() This avoids high scores in random data that has a high 0x47 frequency Fixes Ticket3844 Signed-off-by: Michael Niedermayer (cherry picked from commit 427bcdf035f5decca182651acfe067d685b3feb5) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 71140888a5..93344d7736 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -506,6 +506,7 @@ static int analyze(const uint8_t *buf, int size, int packet_size, int *index) int stat[TS_MAX_PACKET_SIZE]; int i; int best_score = 0; + int best_score2 = 0; memset(stat, 0, packet_size * sizeof(*stat)); @@ -517,11 +518,13 @@ static int analyze(const uint8_t *buf, int size, int packet_size, int *index) best_score = stat[x]; if (index) *index = x; + } else if (stat[x] > best_score2) { + best_score2 = stat[x]; } } } - return best_score; + return best_score - best_score2; } /* autodetect fec presence. Must have at least 1024 bytes */ From 3b6bde3b3de4f392bfd4ac800778e9e62eefa78e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Aug 2014 15:00:16 +0200 Subject: [PATCH 054/229] avcodec/h264_mb: fix grayscale only decoding with weighted prediction Fixes Ticket3412 Signed-off-by: Michael Niedermayer (cherry picked from commit 94f60b65446b37132d7bd644ab2c4627d9488295) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 56 ++++++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 191c01aa74..7feae5761c 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -420,10 +420,12 @@ static av_always_inline void mc_part_weighted(H264Context *h, int n, int square, int weight1 = 64 - weight0; luma_weight_avg(dest_y, tmp_y, h->mb_linesize, height, 5, weight0, weight1, 0); - chroma_weight_avg(dest_cb, tmp_cb, h->mb_uvlinesize, - chroma_height, 5, weight0, weight1, 0); - chroma_weight_avg(dest_cr, tmp_cr, h->mb_uvlinesize, - chroma_height, 5, weight0, weight1, 0); + if (!CONFIG_GRAY || !(h->flags & CODEC_FLAG_GRAY)) { + chroma_weight_avg(dest_cb, tmp_cb, h->mb_uvlinesize, + chroma_height, 5, weight0, weight1, 0); + chroma_weight_avg(dest_cr, tmp_cr, h->mb_uvlinesize, + chroma_height, 5, weight0, weight1, 0); + } } else { luma_weight_avg(dest_y, tmp_y, h->mb_linesize, height, h->luma_log2_weight_denom, @@ -431,18 +433,20 @@ static av_always_inline void mc_part_weighted(H264Context *h, int n, int square, h->luma_weight[refn1][1][0], h->luma_weight[refn0][0][1] + h->luma_weight[refn1][1][1]); - chroma_weight_avg(dest_cb, tmp_cb, h->mb_uvlinesize, chroma_height, - h->chroma_log2_weight_denom, - h->chroma_weight[refn0][0][0][0], - h->chroma_weight[refn1][1][0][0], - h->chroma_weight[refn0][0][0][1] + - h->chroma_weight[refn1][1][0][1]); - chroma_weight_avg(dest_cr, tmp_cr, h->mb_uvlinesize, chroma_height, - h->chroma_log2_weight_denom, - h->chroma_weight[refn0][0][1][0], - h->chroma_weight[refn1][1][1][0], - h->chroma_weight[refn0][0][1][1] + - h->chroma_weight[refn1][1][1][1]); + if (!CONFIG_GRAY || !(h->flags & CODEC_FLAG_GRAY)) { + chroma_weight_avg(dest_cb, tmp_cb, h->mb_uvlinesize, chroma_height, + h->chroma_log2_weight_denom, + h->chroma_weight[refn0][0][0][0], + h->chroma_weight[refn1][1][0][0], + h->chroma_weight[refn0][0][0][1] + + h->chroma_weight[refn1][1][0][1]); + chroma_weight_avg(dest_cr, tmp_cr, h->mb_uvlinesize, chroma_height, + h->chroma_log2_weight_denom, + h->chroma_weight[refn0][0][1][0], + h->chroma_weight[refn1][1][1][0], + h->chroma_weight[refn0][0][1][1] + + h->chroma_weight[refn1][1][1][1]); + } } } else { int list = list1 ? 1 : 0; @@ -456,15 +460,17 @@ static av_always_inline void mc_part_weighted(H264Context *h, int n, int square, h->luma_log2_weight_denom, h->luma_weight[refn][list][0], h->luma_weight[refn][list][1]); - if (h->use_weight_chroma) { - chroma_weight_op(dest_cb, h->mb_uvlinesize, chroma_height, - h->chroma_log2_weight_denom, - h->chroma_weight[refn][list][0][0], - h->chroma_weight[refn][list][0][1]); - chroma_weight_op(dest_cr, h->mb_uvlinesize, chroma_height, - h->chroma_log2_weight_denom, - h->chroma_weight[refn][list][1][0], - h->chroma_weight[refn][list][1][1]); + if (!CONFIG_GRAY || !(h->flags & CODEC_FLAG_GRAY)) { + if (h->use_weight_chroma) { + chroma_weight_op(dest_cb, h->mb_uvlinesize, chroma_height, + h->chroma_log2_weight_denom, + h->chroma_weight[refn][list][0][0], + h->chroma_weight[refn][list][0][1]); + chroma_weight_op(dest_cr, h->mb_uvlinesize, chroma_height, + h->chroma_log2_weight_denom, + h->chroma_weight[refn][list][1][0], + h->chroma_weight[refn][list][1][1]); + } } } } From bc259185cb69c6532232be4b2ad57a70ef7ed946 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Aug 2014 15:27:40 +0200 Subject: [PATCH 055/229] Update for FFmpeg 2.3.3 Signed-off-by: Michael Niedermayer --- Changelog | 6 ++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 57dbfbe3f9..98179ea946 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,12 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.3.3: +- h264: fix grayscale only decoding with weighted prediction +- mjpegdec: support AV_PIX_FMT_YUV420P16 with upscale_h +- proresenc_ks: fix buffer overflow +- matroskadec: fix crash + version 2.3.2: - snow: fix null pointer dereference - huffyucdec: fix overread diff --git a/RELEASE b/RELEASE index f90b1afc08..0bee604df7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.2 +2.3.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 13593d849c..4159ce0fe3 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.3.2 +PROJECT_NUMBER = 2.3.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 148d9cd122272e525288e2d9758c4dcb7db3731b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 13 Sep 2014 15:15:32 +0200 Subject: [PATCH 056/229] avformat/vobsub: fix NULL dereference (cherry picked from commit d86cf4a91de2aa9e167a73b56fb59962230e3a32) --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index c53bab3e3c..7d0be5ed72 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -783,7 +783,7 @@ static int vobsub_read_header(AVFormatContext *s) while (*p == ' ') p++; - av_log(s, AV_LOG_DEBUG, "IDX stream[%d] name=%s\n", st->id, p); + av_log(s, AV_LOG_DEBUG, "IDX stream[%d] name=%s\n", stream_id, p); av_strlcpy(alt, p, sizeof(alt)); header_parsed = 1; From f74206cb40ee966ebb1b1bb2e1a4efe92d1206e0 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Tue, 19 Aug 2014 12:26:47 +0000 Subject: [PATCH 057/229] wavpack: report if there is no bits left Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 11a39bdf534a4ead634b4a593c66ebf756910b9b) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 7c60f78b66..9f72ebef2b 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -253,6 +253,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, return sign ? ~ret : ret; error: + ret = get_bits_left(gb); + if (ret <= 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Too few bits (%d) left\n", ret); + } *last = 1; return 0; } From 25864cf562c3c7571a27408e17b8ad39a6fd9cdc Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Tue, 19 Aug 2014 12:26:49 +0000 Subject: [PATCH 058/229] wavpackenc: proper buffer allocation The allocation didn't account for headers, that can be easily 79 bytes. As a result, buffers allocated for a few samples (e.g. 5 in the original bug) could be undersized. Fixed ticket #2881. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2ba58bec20b0039ccc40cfba59af6d56de16e8b1) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 5b8973c5c7..005cf7c2e5 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -2876,10 +2876,11 @@ static int wavpack_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, return AVERROR(ENOMEM); } - if ((ret = ff_alloc_packet2(avctx, avpkt, s->block_samples * avctx->channels * 8)) < 0) + buf_size = s->block_samples * avctx->channels * 8 + + 200 /* for headers */; + if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size)) < 0) return ret; buf = avpkt->data; - buf_size = avpkt->size; for (s->ch_offset = 0; s->ch_offset < avctx->channels;) { set_samplerate(s); From 29ee8b72c40ba694fec18229428214b871dd4154 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Aug 2014 01:15:57 +0200 Subject: [PATCH 059/229] avcodec: fix aac/ac3 parser bitstream buffer size Buffers containing copies of the AAC and AC3 header bits were not padded before parsing, violating init_get_bits() buffer padding requirement, leading to potential buffer read overflows. This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer for parsing the header in each of aac_parser.c and ac3_parser.c. Based on patch by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db) Signed-off-by: Michael Niedermayer --- libavcodec/aac_parser.c | 2 +- libavcodec/ac3_parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c index ab6ca4e268..cb93ba9482 100644 --- a/libavcodec/aac_parser.c +++ b/libavcodec/aac_parser.c @@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info, int size; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp; tmp.u64 = av_be2ne64(state); diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index dd6d77c9ab..131e180360 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -166,7 +166,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info, int err; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp = { av_be2ne64(state) }; AC3HeaderInfo hdr, *phdr = &hdr; GetBitContext gbc; From 8a20224059647afaeed77f354932f8e089d354f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Aug 2014 23:33:40 +0200 Subject: [PATCH 060/229] avcodec/utils: add GBRP16 to avcodec_align_dimensions2() Fixes Ticket3869 Signed-off-by: Michael Niedermayer (cherry picked from commit 3fe9e7be4c70c8fccdcd56fd19276e668cfb7de8) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9fa8e16042..6771464e90 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -374,6 +374,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRP12BE: case AV_PIX_FMT_GBRP14LE: case AV_PIX_FMT_GBRP14BE: + case AV_PIX_FMT_GBRP16LE: + case AV_PIX_FMT_GBRP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height break; From 17a6ca7d3179f63f145bd08886c7252a77a1eeff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Aug 2014 02:17:32 +0200 Subject: [PATCH 061/229] avcodec/vc1dec: fix null pointer dereference Fixes Ticket3860 Signed-off-by: Michael Niedermayer (cherry picked from commit 30f680ee0a2707af9a649a0aa3fd951d18a25c05) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index a73d6150b4..2d4fdd3ab8 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5484,7 +5484,7 @@ static int vc1_decode_sprites(VC1Context *v, GetBitContext* gb) if (ret < 0) return ret; - if (!s->current_picture.f->data[0]) { + if (!s->current_picture.f || !s->current_picture.f->data[0]) { av_log(avctx, AV_LOG_ERROR, "Got no sprites\n"); return -1; } From d3bfb66a6665de9d89760b70411d53d10e0c7ba1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Aug 2014 23:34:20 +0200 Subject: [PATCH 062/229] ffmpeg: Fix missing {} in Stream to Packet side data code Signed-off-by: Michael Niedermayer (cherry picked from commit 31f9c228c042e7f0a017670e7eb18d9b27a71a10) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 1c1a5599d0..0dcdcfdff1 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -3419,7 +3419,7 @@ static int process_input(int file_index) } /* add the stream-global side data to the first packet */ - if (ist->nb_packets == 1) + if (ist->nb_packets == 1) { if (ist->st->nb_side_data) av_packet_split_side_data(&pkt); for (i = 0; i < ist->st->nb_side_data; i++) { @@ -3435,6 +3435,7 @@ static int process_input(int file_index) memcpy(dst_data, src_sd->data, src_sd->size); } + } if (pkt.dts != AV_NOPTS_VALUE) pkt.dts += av_rescale_q(ifile->ts_offset, AV_TIME_BASE_Q, ist->st->time_base); From e13e928baa6b92ca3e967651550b11dc0bfaad27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Aug 2014 02:12:10 +0200 Subject: [PATCH 063/229] avcodec/snow: check coeffs for validity Fixes deadlock Fixes integer overflow Fixes Ticket 3892 Signed-off-by: Michael Niedermayer (cherry picked from commit 596636a474ab201badaae269f3a2cef4824b8c1f) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 2cda5b323d..b890d3f176 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -659,7 +659,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i if(v){ v= 2*(get_symbol2(&s->c, b->state[context + 2], context-4) + 1); v+=get_rac(&s->c, &b->state[0][16 + 1 + 3 + ff_quant3bA[l&0xFF] + 3*ff_quant3bA[t&0xFF]]); - + if ((uint16_t)v != v) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n"); + v = 1; + } xc->x=x; (xc++)->coeff= v; } @@ -669,6 +672,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i else run= INT_MAX; v= 2*(get_symbol2(&s->c, b->state[0 + 2], 0-4) + 1); v+=get_rac(&s->c, &b->state[0][16 + 1 + 3]); + if ((uint16_t)v != v) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n"); + v = 1; + } xc->x=x; (xc++)->coeff= v; From 9e43d92d6a16417aa06b62f0375212d528d1a484 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 30 Aug 2014 15:39:15 +0200 Subject: [PATCH 064/229] oggdec: fix invalid free on error The read_packet callback passes a pointer to a stack-allocated AVPacket. Attempting to free it with av_free() makes no sense. Signed-off-by: Michael Niedermayer (cherry picked from commit b173f5c15572cc82f68128599722e689df4ff137) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index f7d00c1b4b..74df6e72ad 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -817,7 +817,6 @@ retry: return psize; fail: av_free_packet(pkt); - av_free(pkt); return AVERROR(ENOMEM); } From 9a840d5e1745a4f1408633a1d086471fcf3654a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Aug 2014 14:42:53 +0200 Subject: [PATCH 065/229] avcodec/mjpegdec: fix green vertical line at the right with upscale h Fixes Ticket3891 Signed-off-by: Michael Niedermayer (cherry picked from commit 63a52ca134dc4ee648a547c7c410d547f371b481) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 19fd9293a7..b839e583ef 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2096,8 +2096,11 @@ the_end: continue; if (p==1 || p==2) w >>= hshift; + av_assert0(w > 0); for (i = 0; i < s->chroma_height; i++) { - for (index = w - 1; index; index--) { + if (is16bit) ((uint16_t*)line)[w - 1] = ((uint16_t*)line)[(w - 1) / 2]; + else line[w - 1] = line[(w - 1) / 2]; + for (index = w - 2; index > 0; index--) { if (is16bit) ((uint16_t*)line)[index] = (((uint16_t*)line)[index / 2] + ((uint16_t*)line)[(index + 1) / 2]) >> 1; else From f903147f2d170edcb1740fefce944f52a684d3ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Aug 2014 15:33:30 +0200 Subject: [PATCH 066/229] avcodec/mjpegdec: fix green line at the bottom with upscale v Signed-off-by: Michael Niedermayer (cherry picked from commit f0d4f00f24d41441ebd63694df57ab203a764aa5) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index b839e583ef..ce2d9fd839 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2130,7 +2130,7 @@ the_end: for (i = s->height - 1; i; i--) { uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[p])[i / 2 * s->linesize[p]]; uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[p])[(i + 1) / 2 * s->linesize[p]]; - if (src1 == src2) { + if (src1 == src2 || i == s->height - 1) { memcpy(dst, src1, w); } else { for (index = 0; index < w; index++) From 08f56b846c23889e0a47f94d06baa3114a121b4b Mon Sep 17 00:00:00 2001 From: Mark Harris Date: Mon, 1 Sep 2014 12:32:33 -0700 Subject: [PATCH 067/229] doc/filters.texi: fix filter name in examples Signed-off-by: Michael Niedermayer (cherry picked from commit 1b3a98f137900b6c3eb9a4c177d0b25684d6d144) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index 0f73314a12..784a972f29 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -491,7 +491,7 @@ aeval=val(ch)/2:c=same @item Invert phase of the second channel: @example -eval=val(0)|-val(1) +aeval=val(0)|-val(1) @end example @end itemize @@ -9318,7 +9318,7 @@ Default value is "all", which will cycle through the list of all tests. Some examples: @example -testsrc=t=dc_luma +mptestsrc=t=dc_luma @end example will generate a "dc_luma" test pattern. From 8df77c37584a01bcd8ac90ed4fe4d51856935cf4 Mon Sep 17 00:00:00 2001 From: Mika Raento Date: Mon, 1 Sep 2014 20:10:03 +0300 Subject: [PATCH 068/229] segment: don't access outside seg->frames array Fixes wrong number of segments output and undefined memory access. Signed-off-by: Michael Niedermayer (cherry picked from commit 58e0402e02ae5e466c33b9465c1465fdee68d342) Signed-off-by: Michael Niedermayer --- libavformat/segment.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index f8227d149e..b627cd7e3c 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -684,7 +684,7 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) end_pts = seg->segment_count < seg->nb_times ? seg->times[seg->segment_count] : INT64_MAX; } else if (seg->frames) { - start_frame = seg->segment_count <= seg->nb_frames ? + start_frame = seg->segment_count < seg->nb_frames ? seg->frames[seg->segment_count] : INT_MAX; } else { if (seg->use_clocktime) { From d18d48def6472e0572ccf22ae0105a3d1f45d3f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Sep 2014 05:22:26 +0200 Subject: [PATCH 069/229] avformat/swfdec: Use side data to communicate w/h changes to the decoder Fixes reading from freed data Fixes part of Ticket3539 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c55d0ff3202a04ebc67a72d72391104e9bdb633) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index c95b18ec6c..babaaa182f 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -353,11 +353,15 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) avpriv_set_pts_info(vst, 64, 256, swf->frame_rate); st = vst; } - st->codec->width = width; - st->codec->height = height; if ((res = av_new_packet(pkt, out_len - colormapsize * colormapbpp)) < 0) goto bitmap_end; + if (!st->codec->width && !st->codec->height) { + st->codec->width = width; + st->codec->height = height; + } else { + ff_add_param_change(pkt, 0, 0, 0, width, height); + } pkt->pos = pos; pkt->stream_index = st->index; From eefb6b654dbdc87434e7cdbb10ace4e4d5e7bfde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Sep 2014 16:42:33 +0200 Subject: [PATCH 070/229] avformat/swfdec: Do not change the pixel format This is currently not supported Fixes part of Ticket 3539 Signed-off-by: Michael Niedermayer (cherry picked from commit c2430304dfb3cc0e3a59ce6d1b59ebdcc934a0c2) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index babaaa182f..91db06d55c 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -289,6 +289,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) const int bmp_fmt = avio_r8(pb); const int width = avio_rl16(pb); const int height = avio_rl16(pb); + int pix_fmt; len -= 2+1+2+2; @@ -367,7 +368,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) switch (bmp_fmt) { case 3: - st->codec->pix_fmt = AV_PIX_FMT_PAL8; + pix_fmt = AV_PIX_FMT_PAL8; for (i = 0; i < colormapsize; i++) if (alpha_bmp) colormap[i] = buf[3]<<24 | AV_RB24(buf + 4*i); else colormap[i] = 0xffU <<24 | AV_RB24(buf + 3*i); @@ -379,14 +380,20 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) memcpy(pal, colormap, AVPALETTE_SIZE); break; case 4: - st->codec->pix_fmt = AV_PIX_FMT_RGB555; + pix_fmt = AV_PIX_FMT_RGB555; break; case 5: - st->codec->pix_fmt = alpha_bmp ? AV_PIX_FMT_ARGB : AV_PIX_FMT_0RGB; + pix_fmt = alpha_bmp ? AV_PIX_FMT_ARGB : AV_PIX_FMT_0RGB; break; default: av_assert0(0); } + if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { + av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); + res = AVERROR_PATCHWELCOME; + goto bitmap_end; + } + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From f68395f7fcabc32f901deaa5dffd7d0ae0b458d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 01:42:28 +0200 Subject: [PATCH 071/229] avcodec/h264: Allow partial escaping Fixes Ticket3923 Signed-off-by: Michael Niedermayer (cherry picked from commit 033a5334badd8af48f13c6fd1e6827f8e3f2c2f3) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f110a67cb5..22fd829f25 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -248,7 +248,7 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, #define STARTCODE_TEST \ if (i + 2 < length && src[i + 1] == 0 && src[i + 2] <= 3) { \ - if (src[i + 2] != 3) { \ + if (src[i + 2] != 3 && src[i + 2] != 0) { \ /* startcode, so we must be past the end */ \ length = i; \ } \ @@ -321,7 +321,7 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, if (src[si + 2] > 3) { dst[di++] = src[si++]; dst[di++] = src[si++]; - } else if (src[si] == 0 && src[si + 1] == 0) { + } else if (src[si] == 0 && src[si + 1] == 0 && src[si + 2] != 0) { if (src[si + 2] == 3) { // escape dst[di++] = 0; dst[di++] = 0; From 77bb6b5bcc845b84ca41e6f1dca16841ad30c1c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 12:52:24 +0200 Subject: [PATCH 072/229] avcodec/mpegvideo: Use "goto fail" for all error paths in ff_mpv_common_frame_size_change() Signed-off-by: Michael Niedermayer (cherry picked from commit 2762323c37511fbbc98b164c07620b9ebc59ec68) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index a9024a978e..eb3a1ba644 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1466,7 +1466,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) if ((s->width || s->height) && av_image_check_size(s->width, s->height, 0, s->avctx)) - return AVERROR_INVALIDDATA; + goto fail; if ((err = init_context_frame(s))) goto fail; From 80aec733ada5ca4db143c9b75b4048df46648a21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 13:00:47 +0200 Subject: [PATCH 073/229] avcodec/mpegvideo: check that the context is initialized in ff_mpv_common_frame_size_change() The function otherwise would initialize the context without setting context_initialized alternatively we could set context_initialized Fixes valgrind anomalies related to ticket 3928 Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0f7f0ba43f64312ae4a05d97afecf1b7b1330c) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index eb3a1ba644..96d031a5ae 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1436,6 +1436,9 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) { int i, err = 0; + if (!s->context_initialized) + return AVERROR(EINVAL); + if (s->slice_context_count > 1) { for (i = 0; i < s->slice_context_count; i++) { free_duplicate_context(s->thread_context[i]); From beb55b398134f4c1349a2f363e11975cff408dc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 14:14:52 +0200 Subject: [PATCH 074/229] avcodec/mpegvideo: Set err on failure in ff_mpv_common_frame_size_change() Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit cfce6f7efd28130bf0dd409b2367ca0f8c9b2417) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 96d031a5ae..65c7c9de3c 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1468,7 +1468,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) s->mb_height = (s->height + 15) / 16; if ((s->width || s->height) && - av_image_check_size(s->width, s->height, 0, s->avctx)) + (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; if ((err = init_context_frame(s))) @@ -1485,7 +1485,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) } for (i = 0; i < nb_slices; i++) { - if (init_duplicate_context(s->thread_context[i]) < 0) + if ((err = init_duplicate_context(s->thread_context[i])) < 0) goto fail; s->thread_context[i]->start_mb_y = (s->mb_height * (i) + nb_slices / 2) / nb_slices; From 6359be67517faf76654b64e9fcb5a160f19917bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 16:39:39 +0200 Subject: [PATCH 075/229] avformat/m4vdec: Check for non startcode 00 00 00 sequences in probe Fixes miss detection of PCM as m4v Fixes Ticket 3928 Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1835c52a4be2e4e996f83c91a8d5a147b01100) Signed-off-by: Michael Niedermayer --- libavformat/m4vdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/m4vdec.c b/libavformat/m4vdec.c index ead0066cca..80bd75e589 100644 --- a/libavformat/m4vdec.c +++ b/libavformat/m4vdec.c @@ -33,13 +33,15 @@ static int mpeg4video_probe(AVProbeData *probe_packet) for(i=0; ibuf_size; i++){ temp_buffer = (temp_buffer<<8) + probe_packet->buf[i]; - if ((temp_buffer & 0xffffff00) != 0x100) + if (temp_buffer & 0xfffffe00) + continue; + if (temp_buffer < 2) continue; if (temp_buffer == VOP_START_CODE) VOP++; else if (temp_buffer == VISUAL_OBJECT_START_CODE) VISO++; - else if (temp_buffer < 0x120) VO++; - else if (temp_buffer < 0x130) VOL++; + else if (temp_buffer >= 0x100 && temp_buffer < 0x120) VO++; + else if (temp_buffer >= 0x120 && temp_buffer < 0x130) VOL++; else if ( !(0x1AF < temp_buffer && temp_buffer < 0x1B7) && !(0x1B9 < temp_buffer && temp_buffer < 0x1C4)) res++; } From 6952f6f39b5ed1b93bf879a8517c87702406ed49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Sep 2014 21:06:47 +0200 Subject: [PATCH 076/229] avcodec/cabac_functions: fix "warning: UNCHECKED_BITSTREAM_READER is not defined, evaluates to 0" Signed-off-by: Michael Niedermayer (cherry picked from commit a67b6c95415438b4a6bfb6277f066f7c7b57b40f) Signed-off-by: Michael Niedermayer --- libavcodec/cabac_functions.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index d7d6d7dfdb..14fdd76b58 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -32,6 +32,10 @@ #include "cabac.h" #include "config.h" +#ifndef UNCHECKED_BITSTREAM_READER +#define UNCHECKED_BITSTREAM_READER !CONFIG_SAFE_BITSTREAM_READER +#endif + #if ARCH_AARCH64 # include "aarch64/cabac.h" #endif From 9c57328b8192982b0c394ff5fd45a0b6863efbfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Sep 2014 04:55:58 +0200 Subject: [PATCH 077/229] ffmpeg: Do av_buffersink_set_frame_size() when reconfiguring the filtergraph not just when changing audio resample parameters Fixes Ticket3562 Signed-off-by: Michael Niedermayer (cherry picked from commit 16de4d927e8bd1308694217af6027265700b3694) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 8 -------- ffmpeg_filter.c | 10 ++++++++++ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 0dcdcfdff1..3015ca85b3 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1799,18 +1799,10 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output) for (i = 0; i < nb_filtergraphs; i++) if (ist_in_filtergraph(filtergraphs[i], ist)) { FilterGraph *fg = filtergraphs[i]; - int j; if (configure_filtergraph(fg) < 0) { av_log(NULL, AV_LOG_FATAL, "Error reinitializing filters!\n"); exit_program(1); } - for (j = 0; j < fg->nb_outputs; j++) { - OutputStream *ost = fg->outputs[j]->ost; - if (ost->enc->type == AVMEDIA_TYPE_AUDIO && - !(ost->enc->capabilities & CODEC_CAP_VARIABLE_FRAME_SIZE)) - av_buffersink_set_frame_size(ost->filter->filter, - ost->enc_ctx->frame_size); - } } } diff --git a/ffmpeg_filter.c b/ffmpeg_filter.c index 50ee422c6c..7b75e6fe5e 100644 --- a/ffmpeg_filter.c +++ b/ffmpeg_filter.c @@ -919,6 +919,16 @@ int configure_filtergraph(FilterGraph *fg) } fg->reconfiguration = 1; + + for (i = 0; i < fg->nb_outputs; i++) { + OutputStream *ost = fg->outputs[i]->ost; + if (ost && + ost->enc->type == AVMEDIA_TYPE_AUDIO && + !(ost->enc->capabilities & CODEC_CAP_VARIABLE_FRAME_SIZE)) + av_buffersink_set_frame_size(ost->filter->filter, + ost->enc_ctx->frame_size); + } + return 0; } From be94d15a03e7fd65a254288f782b48f37842501f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Sep 2014 18:04:51 +0200 Subject: [PATCH 078/229] tools/crypto_bench: fix build when AV_READ_TIME is unavailable Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4a99134f1a71994a0dc4542a0d6bee8e36146b60) Signed-off-by: Michael Niedermayer --- tools/crypto_bench.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/crypto_bench.c b/tools/crypto_bench.c index 1a699ce684..5300380ebe 100644 --- a/tools/crypto_bench.c +++ b/tools/crypto_bench.c @@ -33,6 +33,10 @@ #include "libavutil/intreadwrite.h" #include "libavutil/timer.h" +#ifndef AV_READ_TIME +#define AV_READ_TIME(x) 0 +#endif + #if HAVE_UNISTD_H #include /* for getopt */ #endif From 5c3bc127ca68a60f6c63cc41cb1c1382659aab1d Mon Sep 17 00:00:00 2001 From: Katerina Barone-Adesi Date: Tue, 16 Sep 2014 01:40:24 +0200 Subject: [PATCH 079/229] apetag: Fix APE tag size check The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. CC: libav-stable@libav.org Signed-off-by: Diego Biurrun (cherry picked from commit c5560e72d0bb69f8a1ac9536570398f84388f396) Signed-off-by: Michael Niedermayer --- libavformat/apetag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 7d2f0b3222..c8d1bdca5a 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -55,8 +55,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } if (flags & APE_TAG_FLAG_IS_BINARY) { uint8_t filename[1024]; enum AVCodecID id; From 1c733a440aebcea33365713cb1316023f72badc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Sep 2014 23:36:53 +0200 Subject: [PATCH 080/229] avcodec/x86/vp9lpf: Always include x86util.asm Fixes executable stack Signed-off-by: Michael Niedermayer (cherry picked from commit 41d82b85ab0ee8bb2931c1f783e30c38c2fb5206) Signed-off-by: Michael Niedermayer --- libavcodec/x86/vp9lpf.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/vp9lpf.asm b/libavcodec/x86/vp9lpf.asm index c5db0caffb..1d58f5d807 100644 --- a/libavcodec/x86/vp9lpf.asm +++ b/libavcodec/x86/vp9lpf.asm @@ -20,10 +20,10 @@ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ;****************************************************************************** -%if ARCH_X86_64 - %include "libavutil/x86/x86util.asm" +%if ARCH_X86_64 + SECTION_RODATA cextern pb_3 From 4a4e30a6d87a0c232a789b3f5c0d6520a3e50014 Mon Sep 17 00:00:00 2001 From: Pascal Massimino Date: Tue, 16 Sep 2014 17:01:07 +0200 Subject: [PATCH 081/229] libavcodec/webp: treat out-of-bound palette index as translucent black See https://code.google.com/p/webp/issues/detail?id=206 for a description of the problem/fix. Signed-off-by: Michael Niedermayer This patch makes the decoder follow the recommendation of the spec. There is some disagreement (see "[FFmpeg-devel] [PATCH]: libavcodec/webp") about what would be best to be written in the spec, so in case the spec is changed again, this potentially would need to be amended or reverted (cherry picked from commit 4fd21d58a72c38ab63c3a4483b420db260fa7b8d) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index c737f5492d..66c2d57c84 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1028,7 +1028,7 @@ static int apply_color_indexing_transform(WebPContext *s) ImageContext *img; ImageContext *pal; int i, x, y; - uint8_t *p, *pi; + uint8_t *p; img = &s->image[IMAGE_ROLE_ARGB]; pal = &s->image[IMAGE_ROLE_COLOR_INDEXING]; @@ -1066,11 +1066,11 @@ static int apply_color_indexing_transform(WebPContext *s) p = GET_PIXEL(img->frame, x, y); i = p[2]; if (i >= pal->frame->width) { - av_log(s->avctx, AV_LOG_ERROR, "invalid palette index %d\n", i); - return AVERROR_INVALIDDATA; + AV_WB32(p, 0xFF000000); + } else { + const uint8_t *pi = GET_PIXEL(pal->frame, i, 0); + AV_COPY32(p, pi); } - pi = GET_PIXEL(pal->frame, i, 0); - AV_COPY32(p, pi); } } From 8e276fc96a30cbcf4f19a17e32b6591b8ee242c9 Mon Sep 17 00:00:00 2001 From: Gianluigi Tiesi Date: Fri, 19 Sep 2014 04:49:36 +0200 Subject: [PATCH 082/229] avcodec/libilbc: support for latest git of libilbc in the latest git commits of libilbc developers removed WebRtc_xxx typedefs This commit uses int types instead, it's safe to apply also for previous versions since WebRtc_Word16 was always a typedef of int16_t and WebRtc_UWord16 a typedef of uint16_t Reviewed-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit 59af5383c18c8cf3fe2a4b5cc1ebf2f3300bdfe5) Signed-off-by: Michael Niedermayer --- libavcodec/libilbc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/libilbc.c b/libavcodec/libilbc.c index 898fe83b1c..9fdd3c83f5 100644 --- a/libavcodec/libilbc.c +++ b/libavcodec/libilbc.c @@ -96,8 +96,7 @@ static int ilbc_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - WebRtcIlbcfix_DecodeImpl((WebRtc_Word16*) frame->data[0], - (const WebRtc_UWord16*) buf, &s->decoder, 1); + WebRtcIlbcfix_DecodeImpl((int16_t *) frame->data[0], (const uint16_t *) buf, &s->decoder, 1); *got_frame_ptr = 1; @@ -170,7 +169,7 @@ static int ilbc_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((ret = ff_alloc_packet2(avctx, avpkt, 50)) < 0) return ret; - WebRtcIlbcfix_EncodeImpl((WebRtc_UWord16*) avpkt->data, (const WebRtc_Word16*) frame->data[0], &s->encoder); + WebRtcIlbcfix_EncodeImpl((uint16_t *) avpkt->data, (const int16_t *) frame->data[0], &s->encoder); avpkt->size = s->encoder.no_of_bytes; *got_packet_ptr = 1; From aa40bbb492afc2c5e043999b1a291b7507fdcb7d Mon Sep 17 00:00:00 2001 From: Pascal Massimino Date: Mon, 22 Sep 2014 14:48:57 -0700 Subject: [PATCH 083/229] avcodec/webp: fix default palette color 0xff000000 -> 0x00000000 Signed-off-by: Michael Niedermayer (cherry picked from commit e5b3112996c3da45aa03b39c5ade375d40d4407d) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 66c2d57c84..274708df79 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1066,7 +1066,7 @@ static int apply_color_indexing_transform(WebPContext *s) p = GET_PIXEL(img->frame, x, y); i = p[2]; if (i >= pal->frame->width) { - AV_WB32(p, 0xFF000000); + AV_WB32(p, 0x00000000); } else { const uint8_t *pi = GET_PIXEL(pal->frame, i, 0); AV_COPY32(p, pi); From ed9c6529f032b16c8a94ff70caea2e17a4e68f99 Mon Sep 17 00:00:00 2001 From: Benoit Fouet Date: Tue, 23 Sep 2014 10:07:10 +0200 Subject: [PATCH 084/229] avformat/riffenc: Filter out "BottomUp" in ff_put_bmp_header() Fixes Ticket1304 Commit message and extradata size bugfix by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit 6843b9dc78bc966bb30121828ef4f6b6755cf877) Signed-off-by: Michael Niedermayer --- libavformat/riffenc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/riffenc.c b/libavformat/riffenc.c index ef4d399030..2eb2ae1d0e 100644 --- a/libavformat/riffenc.c +++ b/libavformat/riffenc.c @@ -209,11 +209,15 @@ int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags) void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *tags, int for_asf, int ignore_extradata) { + int keep_height = enc->extradata_size >= 9 && + !memcmp(enc->extradata + enc->extradata_size - 9, "BottomUp", 9); + int extradata_size = enc->extradata_size - 9*keep_height; + /* size */ - avio_wl32(pb, 40 + (ignore_extradata ? 0 : enc->extradata_size)); + avio_wl32(pb, 40 + (ignore_extradata ? 0 :extradata_size)); avio_wl32(pb, enc->width); //We always store RGB TopDown - avio_wl32(pb, enc->codec_tag ? enc->height : -enc->height); + avio_wl32(pb, enc->codec_tag || keep_height ? enc->height : -enc->height); /* planes */ avio_wl16(pb, 1); /* depth */ @@ -227,9 +231,9 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, avio_wl32(pb, 0); if (!ignore_extradata) { - avio_write(pb, enc->extradata, enc->extradata_size); + avio_write(pb, enc->extradata, extradata_size); - if (!for_asf && enc->extradata_size & 1) + if (!for_asf && extradata_size & 1) avio_w8(pb, 0); } } From f913da3e15e09c7ec897206cde634b5d7b5162d4 Mon Sep 17 00:00:00 2001 From: Philip DeCamp Date: Wed, 24 Sep 2014 16:15:18 -0400 Subject: [PATCH 085/229] libavutil/opt: fix av_opt_set_channel_layout() to access correct memory address Signed-off-by: Philip DeCamp Signed-off-by: Michael Niedermayer (cherry picked from commit 857fc0a71f1b52fbba3281ba64b5a35195458622) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 694295dc35..4115484498 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -631,7 +631,7 @@ int av_opt_set_channel_layout(void *obj, const char *name, int64_t cl, int searc "The value set by option '%s' is not a channel layout.\n", o->name); return AVERROR(EINVAL); } - *(int *)(((int64_t *)target_obj) + o->offset) = cl; + *(int64_t *)(((uint8_t *)target_obj) + o->offset) = cl; return 0; } From 437f6fb488416f602ded7f0d4fc41ca1f227d4a7 Mon Sep 17 00:00:00 2001 From: lvqcl Date: Sat, 27 Sep 2014 13:21:31 +0200 Subject: [PATCH 086/229] avutil/x86/cpu: fix cpuid sub-leaf selection Signed-off-by: Michael Niedermayer (cherry picked from commit e58fc44649d07d523fcd17aa10d9eb0d3a5ef3f4) Signed-off-by: Michael Niedermayer --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 8ad478400c..2b62e92479 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -45,7 +45,7 @@ "cpuid \n\t" \ "xchg %%"REG_b", %%"REG_S \ : "=a" (eax), "=S" (ebx), "=c" (ecx), "=d" (edx) \ - : "0" (index)) + : "0" (index), "2"(0)) #define xgetbv(index, eax, edx) \ __asm__ (".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c" (index)) From ca2ccd85d7d1d0cb0c90f9da965a53bb98187b8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Sep 2014 20:34:44 +0200 Subject: [PATCH 087/229] avcodec/ac3enc_template: fix out of array read Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d85ebea3f3b68ebccfe308fa839fc30fa634e4de) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc_template.c b/libavcodec/ac3enc_template.c index 192d16f57e..0d6bc45fd8 100644 --- a/libavcodec/ac3enc_template.c +++ b/libavcodec/ac3enc_template.c @@ -263,7 +263,7 @@ static void apply_channel_coupling(AC3EncodeContext *s) energy_cpl = energy[blk][CPL_CH][bnd]; energy_ch = energy[blk][ch][bnd]; blk1 = blk+1; - while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) { + while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) { if (s->blocks[blk1].cpl_in_use) { energy_cpl += energy[blk1][CPL_CH][bnd]; energy_ch += energy[blk1][ch][bnd]; From 45ca270ec9f4b22683152bda43bff257b8a99388 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 21 Sep 2014 09:58:10 +0100 Subject: [PATCH 088/229] configure: add noexecstack to linker options if supported. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit b7082d953fda93f7841ffffe7d15a6c3cd15bdee) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 4ed43a0fdd..ceaaf176f2 100755 --- a/configure +++ b/configure @@ -4528,6 +4528,7 @@ EOF fi check_ldflags -Wl,--as-needed +check_ldflags -Wl,-z,noexecstack if check_func dlopen; then ldl= From 5e34dded10f4784702ce0759e36c380b95029900 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Oct 2014 23:17:21 +0200 Subject: [PATCH 089/229] avcodec/jpeglsdec: Check run value more completely in ls_decode_line() previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index fb3762dad0..bb8c264ae0 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -269,6 +269,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; From 57bdb3f3dde3de7e84c888ae205574873bd1787b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 01:50:27 +0200 Subject: [PATCH 090/229] avcodec/mjpegdec: check bits per pixel for changes similar to dimensions Fixes out of array accesses Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index ce2d9fd839..6a025272c2 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -244,7 +244,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id, ret; + int len, nb_components, i, width, height, bits, pix_fmt_id, ret; int h_count[MAX_COMPONENTS]; int v_count[MAX_COMPONENTS]; @@ -254,11 +254,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); s->avctx->bits_per_raw_sample = - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly if(s->lossless && s->avctx->lowres){ @@ -291,7 +291,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); @@ -337,11 +337,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ if ( width != s->width || height != s->height + || bits != s->bits || memcmp(s->h_count, h_count, sizeof(h_count)) || memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; memcpy(s->h_count, h_count, sizeof(h_count)); memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; From d005e2ecce5c8104679b39f2050a9d83e417d275 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 03:32:17 +0200 Subject: [PATCH 091/229] update for FFmpeg 2.3.4 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 0bee604df7..3f684d2d90 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.3 +2.3.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4159ce0fe3..5ded0c660d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.3.3 +PROJECT_NUMBER = 2.3.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From e2c5f88237e74694c56a5954e579de055166f9c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 04:30:58 +0200 Subject: [PATCH 092/229] avcodec/utils: Add case for jv to avcodec_align_dimensions2() Fixes out of array accesses Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 105654e376a736d243aef4a1d121abebce912e6b) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6771464e90..cb51e48433 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -405,6 +405,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_JV) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From b5ef1eee4527d563f081d4dedd0290ab41f9e6bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 12:32:21 +0200 Subject: [PATCH 093/229] avcodec/h263dec: Fix decoding messenger.h263 Fixes http://samples.mplayerhq.hu/V-codecs/h263/h263-raw/messenger.h263 Fixes regression since b239f3f6 Found-by: Josh Allmann Signed-off-by: Michael Niedermayer (cherry picked from commit d225b0f7aaa65eafccc87165130e1c4bab71708b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 31ec642e9f..7680858769 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -336,6 +336,14 @@ static int decode_slice(MpegEncContext *s) s->padding_bug_score += 32; } + if (s->codec_id == AV_CODEC_ID_H263 && + (s->workaround_bugs & FF_BUG_AUTODETECT) && + get_bits_left(&s->gb) >= 64 && + AV_RB64(s->gb.buffer_end - 8) == 0xCDCDCDCDFC7F0000) { + + s->padding_bug_score += 32; + } + if (s->workaround_bugs & FF_BUG_AUTODETECT) { if (s->padding_bug_score > -2 && !s->data_partitioning) s->workaround_bugs |= FF_BUG_NO_PADDING; From 01817d508ba59246f203b9299a3cab13d0a78145 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 14:45:04 +0200 Subject: [PATCH 094/229] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks Fixes out of array access Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index ab59b58781..baedccd7f1 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -111,7 +111,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (color) { memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame->data[0] + (y+1)*s->frame->linesize[0] + x, color, run_length); } x+= run_length; From c3af801c63024c2fcd7a5fbb571b6f8a9c9790dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 16:08:32 +0200 Subject: [PATCH 095/229] avcodec/tiff: more completely check bpp/bppcount Fixes pixel format selection Fixes out of array accesses Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1caad84845..a57dee13ef 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -712,13 +712,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - s->bppcount = count; - if (count > 4) { + if (count > 4U) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); + value, count); return AVERROR_INVALIDDATA; } + s->bppcount = count; if (count == 1) s->bpp = value; else { @@ -736,6 +736,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->bpp = -1; } } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { From 433e15bb873f7ba54d8895de7e74c43205551084 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:35:58 +0200 Subject: [PATCH 096/229] avcodec/pngdec: Check bits per pixel before setting monoblack pixel format Fixes out of array accesses Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c92087f5e8..faf938b36e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -644,7 +644,7 @@ static int decode_frame(AVCodecContext *avctx, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { From 9806028fbba5dc7a2af6dd5b0a08057180cccc79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:54:21 +0200 Subject: [PATCH 097/229] avcodec/pngdec: Calculate MPNG bytewidth more defensively Signed-off-by: Michael Niedermayer (cherry picked from commit e830902934a29df05c7af65aef2a480b15f572c4) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index faf938b36e..8f3da77a2a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -851,10 +851,11 @@ exit_loop: int i, j; uint8_t *pd = p->data[0]; uint8_t *pd_last = s->last_picture.f->data[0]; + int ls = FFMIN(av_image_get_linesize(p->format, s->width, 0), s->width * s->bpp); ff_thread_await_progress(&s->last_picture, INT_MAX, 0); for (j = 0; j < s->height; j++) { - for (i = 0; i < s->width * s->bpp; i++) + for (i = 0; i < ls; i++) pd[i] += pd_last[i]; pd += s->image_linesize; pd_last += s->image_linesize; From 693faadd30c569d772cae2c6702895745348c5bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 19:33:01 +0200 Subject: [PATCH 098/229] avcodec/cinepak: fix integer underflow Fixes out of array access Fixes: asan_heap-oob_4da0ba_6_asan_heap-oob_4da0ba_241_cvid_crash.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e7e5114c506957f40aafd794e06de1a7e341e9d5) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 082d0b232a..d0d07bc9ef 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -135,7 +135,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip, const uint8_t *eod = (data + size); uint32_t flag, mask; uint8_t *cb0, *cb1, *cb2, *cb3; - unsigned int x, y; + int x, y; char *ip0, *ip1, *ip2, *ip3; flag = 0; From 6fb9bfb1a356aa4f711e7c45bbf79eaa18e4d522 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 099/229] avcodec/gifdec: factorize interleave end handling out also change it to a loop Fixes out of array access Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f1457864be8fb9653643519dea1c6492f1dde57) Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 78c8900628..6d9b926b05 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -258,26 +258,21 @@ static int gif_read_image(GifState *s, AVFrame *frame) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From 3998071039b22f8a620b98d027b16f87c76f01ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 21:08:52 +0200 Subject: [PATCH 100/229] avcodec/qpeg: fix off by 1 error in MV bounds check Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 94cb5bd0b6..d61bceafd7 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -163,7 +163,7 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); From 1ac4ae2a32d16c97792f40df660cd8c4a9e049b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 101/229] avcodec/smc: fix off by 1 error Fixes out of array access Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c727401aa9d62335e89d118a5b4e202edf39d905) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 31e6c885bf..791612ebd4 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -70,7 +70,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < 0 + !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From 603f4ecd14a170104d97ad5ffd64f7d394ed4d07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 00:13:26 +0200 Subject: [PATCH 102/229] avcodec/svq3: Dont memcpy AVFrame This avoids out of array accesses Fixes: asan_heap-uaf_21f42e4_9_asan_heap-uaf_21f42e4_278_gl2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 075a165d2715837d125a9cc714fb430ccf6c9d6b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 97233b19d6..9459329058 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1176,7 +1176,7 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, h->cur_pic_ptr = s->cur_pic; av_frame_unref(&h->cur_pic.f); - h->cur_pic = *s->cur_pic; + memcpy(&h->cur_pic.tf, &s->cur_pic->tf, sizeof(h->cur_pic) - offsetof(H264Picture, tf)); ret = av_frame_ref(&h->cur_pic.f, &s->cur_pic->f); if (ret < 0) return ret; From fdc8f4e5b4f12ba5ef2d7645d5ba628f6ddf14c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 03:12:34 +0200 Subject: [PATCH 103/229] avcodec/vorbisdec: Fix off by 1 error in ptns_to_read Fixes read of uninitialized memory Fixes: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8c50704ebf1777bee76772c4835d9760b3721057) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 87d1bbb97a..354ab0e466 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1314,7 +1314,9 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vorbis_residue *vr, uint8_t *do_not_decode, unsigned ch_used, - int partition_count) + int partition_count, + int ptns_to_read + ) { int p, j, i; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; @@ -1336,7 +1338,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = (((uint64_t)temp) * inverse_class) >> 32; - if (i < vr->ptns_to_read) + if (i < ptns_to_read) vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } @@ -1344,13 +1346,13 @@ static av_always_inline int setup_classifs(vorbis_context *vc, for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = temp / vr->classifications; - if (i < vr->ptns_to_read) + if (i < ptns_to_read) vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } } } - p += vr->ptns_to_read; + p += ptns_to_read; } return 0; } @@ -1404,7 +1406,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error if (!pass) { int ret; - if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count)) < 0) + if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count, ptns_to_read)) < 0) return ret; } for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { From cbfd6b1fa4b199824a3e2cb0bd294a70856424b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 04:29:40 +0200 Subject: [PATCH 104/229] avformat/mpegts: Check desc_len / get8() return code Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 93344d7736..bf976023a4 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1988,7 +1988,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", From 5926bea980ad42a7b4a613c7d922468ba128b0e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 05:14:08 +0200 Subject: [PATCH 105/229] avformat/mpegts: use a padded buffer in read_sl_header() Fixes overread Fixes: asan_heap-oob_84f75d_8_asan_heap-oob_a2a00a_341_mbc.ts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 27f6da292118850ca7900de64d06b56e0ebb5070) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index bf976023a4..b1dd8c699c 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -852,8 +852,12 @@ static int read_sl_header(PESContext *pes, SLConfigDescr *sl, int padding_flag = 0, padding_bits = 0, inst_bitrate_flag = 0; int dts_flag = -1, cts_flag = -1; int64_t dts = AV_NOPTS_VALUE, cts = AV_NOPTS_VALUE; + uint8_t buf_padded[128 + FF_INPUT_BUFFER_PADDING_SIZE]; + int buf_padded_size = FFMIN(buf_size, sizeof(buf_padded) - FF_INPUT_BUFFER_PADDING_SIZE); - init_get_bits(&gb, buf, buf_size * 8); + memcpy(buf_padded, buf, buf_padded_size); + + init_get_bits(&gb, buf_padded, buf_padded_size * 8); if (sl->use_au_start) au_start_flag = get_bits1(&gb); From 279003eb9edeeaa3967b8773cc85ecb8a19b53a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 14:51:46 +0200 Subject: [PATCH 106/229] avcodec/h264: Check mode before considering mixed mode intra prediction Fixes out of array read Fixes: asan_heap-oob_e476fc_2_asan_heap-oob_1333ec6_61_CAMACI3_Sony_C.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9734a7a1de3043f012ad0f1ef11027d9488067e6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 22fd829f25..99a5577ab2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -215,18 +215,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) if ((h->left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; - if (is_chroma && (h->left_samples_available & 0x8080)) { - // mad cow disease mode, aka MBAFF + constrained_intra_pred - mode = ALZHEIMER_DC_L0T_PRED8x8 + - (!(h->left_samples_available & 0x8000)) + - 2 * (mode == DC_128_PRED8x8); - } if (mode < 0) { av_log(h->avctx, AV_LOG_ERROR, "left block unavailable for requested intra mode at %d %d\n", h->mb_x, h->mb_y); return AVERROR_INVALIDDATA; } + if (is_chroma && (h->left_samples_available & 0x8080)) { + // mad cow disease mode, aka MBAFF + constrained_intra_pred + mode = ALZHEIMER_DC_L0T_PRED8x8 + + (!(h->left_samples_available & 0x8000)) + + 2 * (mode == DC_128_PRED8x8); + } } return mode; From e2e0c5b7f64d526907955b27e5682c8bf4de7700 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 16:17:32 +0200 Subject: [PATCH 107/229] avcodec/hevc: fix chroma transform_add size Fixes accessing misaligned address Fixes: signal_sigsegv_1feb99c_10_signal_sigsegv_2d1d35c_79_cov_691940146_EXT_A_ericsson_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df8394c693d3c1e13b7ebf6af01c5e55321cf952) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index afb2baaf65..3fb8a8a3cf 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -978,7 +978,7 @@ static int hls_transform_unit(HEVCContext *s, int x0, int y0, for (i = 0; i < (size * size); i++) { coeffs[i] = ((lc->tu.res_scale_val * coeffs_y[i]) >> 3); } - s->hevcdsp.transform_add[log2_trafo_size-2](dst, coeffs, stride); + s->hevcdsp.transform_add[log2_trafo_size_c-2](dst, coeffs, stride); } } @@ -1007,7 +1007,7 @@ static int hls_transform_unit(HEVCContext *s, int x0, int y0, for (i = 0; i < (size * size); i++) { coeffs[i] = ((lc->tu.res_scale_val * coeffs_y[i]) >> 3); } - s->hevcdsp.transform_add[log2_trafo_size-2](dst, coeffs, stride); + s->hevcdsp.transform_add[log2_trafo_size_c-2](dst, coeffs, stride); } } } else if (blk_idx == 3) { From 5f7e48a113918b59b50b88a80ee0c0dfc39b6fab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 22:15:07 +0200 Subject: [PATCH 108/229] avcodec/on2avc: Check number of channels Fixes out of array access Fixes: asan_heap-oob_4da4f3_7_asan_heap-oob_4da4f3_173_Xmen_avc_500.vp6 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 550f3e9df3410b3dd975e590042c0d83e20a8da3) Signed-off-by: Michael Niedermayer --- libavcodec/on2avc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index ab6048b63e..e5e7cc3879 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -908,6 +908,11 @@ static av_cold int on2avc_decode_init(AVCodecContext *avctx) On2AVCContext *c = avctx->priv_data; int i; + if (avctx->channels > 2U) { + avpriv_request_sample(avctx, "Decoding more than 2 channels"); + return AVERROR_PATCHWELCOME; + } + c->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; avctx->channel_layout = (avctx->channels == 2) ? AV_CH_LAYOUT_STEREO From 1ebd7d2ccfe1b7196894b245416b0aa913681e22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Oct 2014 01:08:20 +0200 Subject: [PATCH 109/229] swresample/swresample: fix sample drop loop end condition Fixes Ticket3985 Signed-off-by: Michael Niedermayer (cherry picked from commit f9fefa499f0af48f47ea73c8ce0b25df0976c315) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 91baca62d2..bba628b784 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -639,6 +639,8 @@ int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_coun in_count = 0; if(ret>0) { s->drop_output -= ret; + if (!s->drop_output && !out_arg) + return 0; continue; } From f2fba0749486d42453288626b7842ad383add398 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Thu, 9 Oct 2014 23:27:38 +0200 Subject: [PATCH 110/229] utvideoenc: properly set slice height/last line Mimic decoder and obey sampling. Does not affect fate tests for utvideo. Fixes ticket #3949. Signed-off-by: Michael Niedermayer (cherry picked from commit cb530dda7d76790b08ee3b7f67e251f3ce48c359) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index cbd34d01fd..355fdb1b8d 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -389,7 +389,7 @@ static int write_huff_codes(uint8_t *src, uint8_t *dst, int dst_size, } static int encode_plane(AVCodecContext *avctx, uint8_t *src, - uint8_t *dst, int stride, + uint8_t *dst, int stride, int plane_no, int width, int height, PutByteContext *pb) { UtvideoContext *c = avctx->priv_data; @@ -399,6 +399,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, HuffEntry he[256]; uint32_t offset = 0, slice_len = 0; + const int cmask = ~(!plane_no && avctx->pix_fmt == AV_PIX_FMT_YUV420P); int i, sstart, send = 0; int symbol; int ret; @@ -408,7 +409,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_NONE: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; av_image_copy_plane(dst + sstart * width, width, src + sstart * stride, stride, width, send - sstart); @@ -417,7 +418,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_LEFT: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; left_predict(src + sstart * stride, dst + sstart * width, stride, width, send - sstart); } @@ -425,7 +426,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_MEDIAN: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; median_predict(c, src + sstart * stride, dst + sstart * width, stride, width, send - sstart); } @@ -489,7 +490,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, send = 0; for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; /* * Write the huffman codes to a buffer, @@ -571,7 +572,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_RGBA: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, c->slice_buffer[i] + 2 * c->slice_stride, - c->slice_buffer[i], c->slice_stride, + c->slice_buffer[i], c->slice_stride, i, width, height, &pb); if (ret) { @@ -583,7 +584,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_YUV422P: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, pic->data[i], c->slice_buffer[0], - pic->linesize[i], width >> !!i, height, &pb); + pic->linesize[i], i, width >> !!i, height, &pb); if (ret) { av_log(avctx, AV_LOG_ERROR, "Error encoding plane %d.\n", i); @@ -594,7 +595,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_YUV420P: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, pic->data[i], c->slice_buffer[0], - pic->linesize[i], width >> !!i, height >> !!i, + pic->linesize[i], i, width >> !!i, height >> !!i, &pb); if (ret) { From d887a12145884553e8ef4f94c28ffe65aec26411 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Oct 2014 20:26:27 +0200 Subject: [PATCH 111/229] postproc/postprocess: fix quant store for fq mode Signed-off-by: Michael Niedermayer (cherry picked from commit 941aaa39e8cd78ba4d16dfcec767290aec9a0136) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- tests/ref/fate/filter-pp3 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index da586ffd31..54163c8d36 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -1004,7 +1004,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * QPStride; + const int count= mbHeight * FFMAX(QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } diff --git a/tests/ref/fate/filter-pp3 b/tests/ref/fate/filter-pp3 index 00d4595f37..c2f2b4cb16 100644 --- a/tests/ref/fate/filter-pp3 +++ b/tests/ref/fate/filter-pp3 @@ -1 +1 @@ -pp3 f38fdc2dfa4c8d889918efe6d7a7ac3a +pp3 ef0f10f1859af2f75717e8c9d64ee38a From 0f4c149730f1b68df8f83a6211906ae26ed0507c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Oct 2014 16:02:42 +0200 Subject: [PATCH 112/229] postproc: fix qp count Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 0b7e5d0d75e7d8762dd04d35f8c0821736164372) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 54163c8d36..37206c5a48 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -979,7 +979,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if(pict_type & PP_PICT_TYPE_QP2){ int i; - const int count= mbHeight * absQPStride; + const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; } @@ -1004,7 +1004,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * FFMAX(QPStride, mbWidth); + const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } From 4fbdac00e94e6a5ca8c9d2b05f93503f6bbf8fc3 Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Mon, 20 Oct 2014 12:12:20 +0200 Subject: [PATCH 113/229] lavd: export all symbols with av_ prefix Signed-off-by: Lukasz Marek (cherry picked from commit e493814d6191c6dd2900296df546b5f5c7e4452d) Signed-off-by: Michael Niedermayer --- libavdevice/libavdevice.v | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/libavdevice.v b/libavdevice/libavdevice.v index 663af85ba8..de7278c193 100644 --- a/libavdevice/libavdevice.v +++ b/libavdevice/libavdevice.v @@ -1,4 +1,4 @@ LIBAVDEVICE_$MAJOR { - global: avdevice_*; + global: avdevice_*; av_*; local: *; }; From c3c8857263d4e607b3ae6323f87f484c76b5e53f Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sun, 12 Oct 2014 21:10:54 +0200 Subject: [PATCH 114/229] avcodec/tiffenc: properly compute packet size The bytes per row is a better indication of it. Helps resolving ticket #3874 by fixing ffmpeg's encoder and transforming the issue in a issue with non-compliant decoders. ffmpeg's one is ok, but unfortunately, many others aren't handling correctly unusual chroma samplings. Signed-off-by: Michael Niedermayer (cherry picked from commit 0e8bfd3c934768f9812dd20d71fa4709de54186d) Signed-off-by: Michael Niedermayer --- libavcodec/tiffenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 5a61f1aefa..138d214c2f 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -305,7 +305,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, strips = (s->height - 1) / s->rps + 1; - packet_size = avctx->height * ((avctx->width * s->bpp + 7) >> 3) * 2 + + bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * + s->subsampling[0] * s->subsampling[1] + 7) >> 3; + packet_size = avctx->height * bytes_per_row * 2 + avctx->height * 4 + FF_MIN_BUFFER_SIZE; if ((ret = ff_alloc_packet2(avctx, pkt, packet_size)) < 0) @@ -333,8 +335,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, goto fail; } - bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * - s->subsampling[0] * s->subsampling[1] + 7) >> 3; if (is_yuv) { av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, bytes_per_row); if (s->yuv_line == NULL) { From 4a03c31728c833f8d4a959f6de4837234560ca3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 20:48:58 +0100 Subject: [PATCH 115/229] avcodec/sgidec: fix linesize for 16bit Fixes: asan_heap-oob_22b30d4_39_038.sgi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3b20ed85489a14cb5028c873d06960dbc5eef88a) Signed-off-by: Michael Niedermayer --- libavcodec/sgidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 6f51ec3531..8338863637 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -145,7 +145,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s) for (z = 0; z < s->depth; z++) { dest_row = out_buf; for (y = 0; y < s->height; y++) { - linesize = s->width * s->depth * s->bytes_per_channel; + linesize = s->width * s->depth; dest_row -= s->linesize; start_offset = bytestream2_get_be32(&g_table); bytestream2_seek(&s->g, start_offset, SEEK_SET); From 5c791b1c9ce0edab69d4aa9b17a967a3b3792a07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 20:48:58 +0100 Subject: [PATCH 116/229] avcodec/sgidec: fix count check Fixes: asan_heap-oob_22b30d4_39_038.sgi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a050cf0c451bdf1c1bd512c4fce6b6f8a5e85102) Signed-off-by: Michael Niedermayer --- libavcodec/sgidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 8338863637..3ddbf77bc8 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -98,7 +98,7 @@ static int expand_rle_row16(SgiState *s, uint16_t *out_buf, break; /* Check for buffer overflow. */ - if (pixelstride * (count - 1) >= len) { + if (out_end - out_buf <= pixelstride * (count - 1)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n"); return AVERROR_INVALIDDATA; } From 1ec6a3c768b28296022dd5eee08863a313ff1acb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 01:23:40 +0100 Subject: [PATCH 117/229] avcodec/diracdec: Use 64bit in calculation of codeblock coordinates Fixes integer overflow Fixes out of array read Fixes: asan_heap-oob_107866c_42_041.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 526886e6069636a918c8c04db17e864e3d8151c1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index a18c867a3a..a7ace3c9f6 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -611,10 +611,10 @@ static av_always_inline void decode_subband_internal(DiracContext *s, SubBand *b top = 0; for (cb_y = 0; cb_y < cb_height; cb_y++) { - bottom = (b->height * (cb_y+1)) / cb_height; + bottom = (b->height * (cb_y+1LL)) / cb_height; left = 0; for (cb_x = 0; cb_x < cb_width; cb_x++) { - right = (b->width * (cb_x+1)) / cb_width; + right = (b->width * (cb_x+1LL)) / cb_width; codeblock(s, b, &gb, &c, left, right, top, bottom, blockcnt_one, is_arith); left = right; } From ad98b2891cea0276323ae1769ba6a6128855c316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 01:23:40 +0100 Subject: [PATCH 118/229] avcodec/diracdec: Tighter checks on CODEBLOCKS_X/Y Fixes very long but finite loop Fixes: asan_heap-oob_107866c_42_041.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5145d22b88b9835db81c4d286b931a78e08ab76a) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index a7ace3c9f6..806ff82c92 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1003,8 +1003,8 @@ static int dirac_unpack_idwt_params(DiracContext *s) /* Codeblock parameters (core syntax only) */ if (get_bits1(gb)) { for (i = 0; i <= s->wavelet_depth; i++) { - CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n") - CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n") + CHECKEDREAD(s->codeblock[i].width , tmp < 1 || tmp > (s->avctx->width >>s->wavelet_depth-i), "codeblock width invalid\n") + CHECKEDREAD(s->codeblock[i].height, tmp < 1 || tmp > (s->avctx->height>>s->wavelet_depth-i), "codeblock height invalid\n") } CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n") From e26fd791efaa52f825903be6e41d44fbaf40aadb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 02:14:41 +0100 Subject: [PATCH 119/229] avcodec/dirac_arith: fix integer overflow Fixes: asan_heap-oob_1078676_9_008.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 39680caceebfc6abf09b17032048752c014e57a8) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_arith.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h index 089c71a698..a1fa96b5bc 100644 --- a/libavcodec/dirac_arith.h +++ b/libavcodec/dirac_arith.h @@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c { int ret = 1; while (!dirac_get_arith_bit(c, follow_ctx)) { + if (ret >= 0x40000000) { + av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n"); + return -1; + } ret <<= 1; ret += dirac_get_arith_bit(c, data_ctx); follow_ctx = ff_dirac_next_ctx[follow_ctx]; From 7b7d12ea0448c8418ab086ec8f202a5fb14f54fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 15:26:42 +0100 Subject: [PATCH 120/229] avcodec/dxa: check dimensions Fixes out of array access Fixes: asan_heap-oob_11222fb_21_020.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90) Signed-off-by: Michael Niedermayer --- libavcodec/dxa.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 0f64b5e619..c8e3f71399 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -329,6 +329,11 @@ static av_cold int decode_init(AVCodecContext *avctx) { DxaDecContext * const c = avctx->priv_data; + if (avctx->width%4 || avctx->height%4) { + avpriv_request_sample(avctx, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + c->prev = av_frame_alloc(); if (!c->prev) return AVERROR(ENOMEM); From e3275571c7e27f62eec6ce5b4945c612b1b649b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 00:57:07 +0100 Subject: [PATCH 121/229] avcodec/dnxhddec: treat pix_fmt like width/height Fixes out of array accesses Fixes: asan_heap-oob_22c9a39_16_015.mxf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3c0e0bf6f53df0977f3878d4f5cec99dff8de9e) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 787c6c5ec4..06800746d1 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -38,6 +38,7 @@ typedef struct DNXHDContext { BlockDSPContext bdsp; int64_t cid; ///< compression id unsigned int width, height; + enum AVPixelFormat pix_fmt; unsigned int mb_width, mb_height; uint32_t mb_scan_index[68]; /* max for 1080p */ int cur_field; ///< current interlaced field @@ -141,7 +142,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->is_444 = 0; if (buf[0x4] == 0x2) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV444P10; + ctx->pix_fmt = AV_PIX_FMT_YUV444P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -151,7 +152,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, } ctx->is_444 = 1; } else if (buf[0x21] & 0x40) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; + ctx->pix_fmt = AV_PIX_FMT_YUV422P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -160,7 +161,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->decode_dct_block = dnxhd_decode_dct_block_10; } } else { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P; + ctx->pix_fmt = AV_PIX_FMT_YUV422P; ctx->avctx->bits_per_raw_sample = 8; if (ctx->bit_depth != 8) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -446,7 +447,13 @@ decode_coding_unit: avctx->width, avctx->height, ctx->width, ctx->height); first_field = 1; } + if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) { + av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n", + av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt)); + first_field = 1; + } + avctx->pix_fmt = ctx->pix_fmt; ret = ff_set_dimensions(avctx, ctx->width, ctx->height); if (ret < 0) return ret; From 0db579445f5201fe2a341ae6485ac51668254fe7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 14:15:29 +0100 Subject: [PATCH 122/229] avcodec/utils: Align dimensions by at least their chroma sub-sampling factors. Fixes: out of array accesses Fixes: asan_heap-oob_112c6b3_13_012.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df74811cd53e45fcbbd3b77a1c42416816687c5c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cb51e48433..8919e15e9e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -297,6 +297,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; + AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + + if (desc) { + w_align = 1 << desc->log2_chroma_w; + h_align = 1 << desc->log2_chroma_h; + } switch (s->pix_fmt) { case AV_PIX_FMT_YUV420P: @@ -424,8 +430,6 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } break; default: - w_align = 1; - h_align = 1; break; } From bfee1e90725aa2b832a0fd7bbd0393c9c23e7f0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 01:19:17 +0100 Subject: [PATCH 123/229] avcodec/g2meet: check tile dimensions to avoid integer overflow Fixes out of array access Fixes: asan_heap-oob_12a55d3_30_029.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 32e666c354e4a3160d8cf1d303cb51990b095c87) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 1004e1921e..d0cb88cb56 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -736,8 +736,10 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, } c->tile_width = bytestream2_get_be32(&bc); c->tile_height = bytestream2_get_be32(&bc); - if (!c->tile_width || !c->tile_height || - ((c->tile_width | c->tile_height) & 0xF)) { + if (c->tile_width <= 0 || c->tile_height <= 0 || + ((c->tile_width | c->tile_height) & 0xF) || + c->tile_width * 4LL * c->tile_height >= INT_MAX + ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", c->tile_width, c->tile_height); From 25d2a4dde7240e05f5098c6d50ae3d534463dd79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 16:53:09 +0100 Subject: [PATCH 124/229] avcodec/cook: check that the subpacket sizes fit in block_align Fixes out of array read Fixes: asan_heap-oob_fb5c50_19_018.rmvb Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 10e32618acce9c3fc64c061eb7907e8a8d2749ae) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 5860288e04..4f83c9dc25 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1215,8 +1215,8 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > MAX_SUBPACKETS) { - avpriv_request_sample(avctx, "subpackets > %d", MAX_SUBPACKETS); + if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); return AVERROR_PATCHWELCOME; } } From 9395a3a96bf82038d0cad65b7fb4b9d873836ae7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 18:16:25 +0100 Subject: [PATCH 125/229] avcodec/svq1dec: zero terminate embedded message before printing Fixes out of array access Fixes: asan_stack-oob_49b1e5_10_009.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 1e7ab494a8..8ac7885c14 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -495,7 +495,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp, return result; } -static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) +static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257]) { uint8_t seed; int i; @@ -507,6 +507,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) out[i] = get_bits(bitbuf, 8) ^ seed; seed = string_table[out[i] ^ seed]; } + out[i] = 0; } static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) @@ -549,12 +550,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) } if ((s->frame_code ^ 0x10) >= 0x50) { - uint8_t msg[256]; + uint8_t msg[257]; svq1_parse_string(bitbuf, msg); av_log(avctx, AV_LOG_INFO, - "embedded message:\n%s\n", (char *)msg); + "embedded message:\n%s\n", ((char *)msg) + 1); } skip_bits(bitbuf, 2); From b44506c393b176dc396502ad262ac18bec52a110 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Nov 2014 14:30:10 +0100 Subject: [PATCH 126/229] update for 2.3.5 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 3f684d2d90..cc6c9a491e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.4 +2.3.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5ded0c660d..c4f02364b5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.3.4 +PROJECT_NUMBER = 2.3.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 4f515913a205475433c622aca14612f4d4a3cda0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Oct 2014 20:23:40 +0200 Subject: [PATCH 127/229] avformat/matroskadec: do not trust the default duration to be the real 1/timebase if its less than 5fps Fixes Ticket3980 Signed-off-by: Michael Niedermayer (cherry picked from commit be695ee389724d713e1b8a61ef899fe1795193ce) --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index fdfba57d92..ea0b5abecf 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1979,7 +1979,8 @@ static int matroska_parse_tracks(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L) + if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L + && st->avg_frame_rate.num > st->avg_frame_rate.den * 5L) st->r_frame_rate = st->avg_frame_rate; #endif } From 10464ca0eba33672eb305da7270c37052245c035 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Oct 2014 21:43:17 +0200 Subject: [PATCH 128/229] avformat/options_table: add FF_COMPLIANCE_UNOFFICIAL Fixes ticket 3959 Signed-off-by: Michael Niedermayer (cherry picked from commit c02ea58c5f0a77f20c8046041edb974bb4376f4c) --- libavformat/options_table.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/options_table.h b/libavformat/options_table.h index e3943fd5f3..c1a66a8fe8 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -93,6 +93,7 @@ static const AVOption avformat_options[] = { {"strict", "how strictly to follow the standards", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"}, {"strict", "strictly conform to all the things in the spec no matter what the consequences", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_STRICT }, INT_MIN, INT_MAX, D|E, "strict"}, {"normal", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_NORMAL }, INT_MIN, INT_MAX, D|E, "strict"}, +{"unofficial", "allow unofficial extensions", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_UNOFFICIAL }, INT_MIN, INT_MAX, D|E, "strict"}, {"experimental", "allow non-standardized experimental variants", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_EXPERIMENTAL }, INT_MIN, INT_MAX, D|E, "strict"}, {NULL}, }; From 63ed7e09dd1e4b6a0721f3d5f74b4819d53e103c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Sep 2014 22:08:21 +0200 Subject: [PATCH 129/229] avformat/mpegts: Improve probe heuristic by considering the overall frequency of 0x47 headers Fixes Ticket3939 Signed-off-by: Michael Niedermayer (cherry picked from commit 296cd9c432775bbf57867fd76e8d2f505a512569) --- libavformat/mpegts.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index b1dd8c699c..520644fbbc 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -504,9 +504,9 @@ static void mpegts_close_filter(MpegTSContext *ts, MpegTSFilter *filter) static int analyze(const uint8_t *buf, int size, int packet_size, int *index) { int stat[TS_MAX_PACKET_SIZE]; + int stat_all = 0; int i; int best_score = 0; - int best_score2 = 0; memset(stat, 0, packet_size * sizeof(*stat)); @@ -514,17 +514,16 @@ static int analyze(const uint8_t *buf, int size, int packet_size, int *index) if (buf[i] == 0x47 && !(buf[i + 1] & 0x80) && buf[i + 3] != 0x47) { int x = i % packet_size; stat[x]++; + stat_all++; if (stat[x] > best_score) { best_score = stat[x]; if (index) *index = x; - } else if (stat[x] > best_score2) { - best_score2 = stat[x]; } } } - return best_score - best_score2; + return best_score - FFMAX(stat_all - 10*best_score, 0)/10; } /* autodetect fec presence. Must have at least 1024 bytes */ From 193b949f715edc81cedd0bf116b7060e20d6a112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 13 Sep 2014 20:25:27 +0200 Subject: [PATCH 130/229] avcodec/mjpegdec: Fix chroma width rounding Fixes vertical line at the right side Fixes Ticket 3929 Signed-off-by: Michael Niedermayer (cherry picked from commit b96d864fd685aa1f661a5f8666224129d68b8eaf) --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6a025272c2..b29b3405ed 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2128,7 +2128,7 @@ the_end: if (!(s->upscale_v & (1<>= hshift; + w = FF_CEIL_RSHIFT(w, hshift); for (i = s->height - 1; i; i--) { uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[p])[i / 2 * s->linesize[p]]; uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[p])[(i + 1) / 2 * s->linesize[p]]; From 19ccc06d8b617ba48c3122decf59b9e3376b415b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 21:44:19 +0200 Subject: [PATCH 131/229] avformat/mp3dec: Improve seeking frame sync code Fixes Ticket3884 Signed-off-by: Michael Niedermayer (cherry picked from commit 1b5ccae0f2045ac86bc9e1257cec1b3fba81315f) --- libavformat/mp3dec.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 8335388409..8936854621 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -398,6 +398,8 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int64_t ret = av_index_search_timestamp(st, timestamp, flags); int i, j; int dir = (flags&AVSEEK_FLAG_BACKWARD) ? -1 : 1; + int64_t best_pos; + int best_score; if (mp3->is_cbr && st->duration > 0 && mp3->header_filesize > s->data_offset) { int64_t filesize = avio_size(s->pb); @@ -421,28 +423,37 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, return -1; } - if (dir < 0) - avio_seek(s->pb, FFMAX(ie->pos - 4096, 0), SEEK_SET); + avio_seek(s->pb, FFMAX(ie->pos - 4096, 0), SEEK_SET); ret = avio_seek(s->pb, ie->pos, SEEK_SET); if (ret < 0) return ret; #define MIN_VALID 3 + best_pos = ie->pos; + best_score = 999; for(i=0; i<4096; i++) { - int64_t pos = ie->pos + i*dir; + int64_t pos = ie->pos + (dir > 0 ? i - 1024 : -i); + int64_t candidate = -1; + int score = 999; for(j=0; jpos - pos)*dir <= 0 && abs(MIN_VALID/2-j) < score) { + candidate = pos; + score = abs(MIN_VALID/2-j); + } pos += ret; } - if(j==MIN_VALID) - break; + if (best_score > score && j == MIN_VALID) { + best_pos = candidate; + best_score = score; + if(score == 0) + break; + } } - if(j!=MIN_VALID) - i=0; - ret = avio_seek(s->pb, ie->pos + i*dir, SEEK_SET); + ret = avio_seek(s->pb, best_pos, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, st, ie->timestamp); From 4e2e997fafc68da52bf3ba112ae1828b774d0870 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 19:18:21 +0200 Subject: [PATCH 132/229] avformat/mpeg: increase score for short mpeg-ps by 1 Fixes Ticket 3855 Signed-off-by: Michael Niedermayer (cherry picked from commit 5109ce2017c15202275b33bce58ec9d88044eeb5) --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 7d0be5ed72..14a75c0201 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -101,7 +101,7 @@ static int mpegps_probe(AVProbeData *p) if (sys > invalid && sys * 9 <= pspack * 10) return (audio > 12 || vid > 3 || pspack > 2) ? AVPROBE_SCORE_EXTENSION + 2 - : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg + : AVPROBE_SCORE_EXTENSION / 2 + 1; // 1 more than .mpg if (pspack > invalid && (priv1 + vid + audio) * 10 >= pspack * 9) return pspack > 2 ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg From 48b586ca4e8c4b28a9de2396140fcacb2bfb9b1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Sep 2014 04:42:48 +0200 Subject: [PATCH 133/229] ffmpeg: Copy extradata if it has been initialized later from the encoder Fixes Ticket3909 Signed-off-by: Michael Niedermayer (cherry picked from commit ab84effdeda931a74d8503891488ed538619a5d3) --- ffmpeg.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index 3015ca85b3..af171d23ce 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -578,6 +578,14 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) AVCodecContext *avctx = ost->st->codec; int ret; + if (!ost->st->codec->extradata_size && ost->enc_ctx->extradata_size) { + ost->st->codec->extradata = av_mallocz(ost->enc_ctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); + if (ost->st->codec->extradata) { + memcpy(ost->st->codec->extradata, ost->enc_ctx->extradata, ost->enc_ctx->extradata_size); + ost->st->codec->extradata_size = ost->enc_ctx->extradata_size; + } + } + if ((avctx->codec_type == AVMEDIA_TYPE_VIDEO && video_sync_method == VSYNC_DROP) || (avctx->codec_type == AVMEDIA_TYPE_AUDIO && audio_sync_method < 0)) pkt->pts = pkt->dts = AV_NOPTS_VALUE; From ab43652c67a47d3c26b7a19510fd910eb42fbe61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 04:22:42 +0100 Subject: [PATCH 134/229] Move get_avc_nalsize() and find_start_code() to h264.h This allows sharing them with the h264 parser Signed-off-by: Michael Niedermayer (cherry picked from commit 4898440f6bd19152373969159fff057b532c6374) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 37 ------------------------------------- libavcodec/h264.h | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 37 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 99a5577ab2..297d4989b1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1330,43 +1330,6 @@ int ff_set_ref_count(H264Context *h) static const uint8_t start_code[] = { 0x00, 0x00, 0x01 }; -static int find_start_code(const uint8_t *buf, int buf_size, - int buf_index, int next_avc) -{ - // start code prefix search - for (; buf_index + 3 < next_avc; buf_index++) - // This should always succeed in the first iteration. - if (buf[buf_index] == 0 && - buf[buf_index + 1] == 0 && - buf[buf_index + 2] == 1) - break; - - buf_index += 3; - - if (buf_index >= buf_size) - return buf_size; - - return buf_index; -} - -static int get_avc_nalsize(H264Context *h, const uint8_t *buf, - int buf_size, int *buf_index) -{ - int i, nalsize = 0; - - if (*buf_index >= buf_size - h->nal_length_size) - return -1; - - for (i = 0; i < h->nal_length_size; i++) - nalsize = (nalsize << 8) | buf[(*buf_index)++]; - if (nalsize <= 0 || nalsize > buf_size - *buf_index) { - av_log(h->avctx, AV_LOG_ERROR, - "AVC: nal size %d\n", nalsize); - return -1; - } - return nalsize; -} - static int get_bit_length(H264Context *h, const uint8_t *buf, const uint8_t *ptr, int dst_length, int i, int next_avc) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 7a6a652d07..90830260ea 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -1092,6 +1092,43 @@ static av_always_inline int get_dct8x8_allowed(H264Context *h) 0x0001000100010001ULL)); } +static inline int find_start_code(const uint8_t *buf, int buf_size, + int buf_index, int next_avc) +{ + // start code prefix search + for (; buf_index + 3 < next_avc; buf_index++) + // This should always succeed in the first iteration. + if (buf[buf_index] == 0 && + buf[buf_index + 1] == 0 && + buf[buf_index + 2] == 1) + break; + + buf_index += 3; + + if (buf_index >= buf_size) + return buf_size; + + return buf_index; +} + +static inline int get_avc_nalsize(H264Context *h, const uint8_t *buf, + int buf_size, int *buf_index) +{ + int i, nalsize = 0; + + if (*buf_index >= buf_size - h->nal_length_size) + return -1; + + for (i = 0; i < h->nal_length_size; i++) + nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; + if (nalsize <= 0 || nalsize > buf_size - *buf_index) { + av_log(h->avctx, AV_LOG_ERROR, + "AVC: nal size %d\n", nalsize); + return -1; + } + return nalsize; +} + int ff_h264_field_end(H264Context *h, int in_setup); int ff_h264_ref_picture(H264Context *h, H264Picture *dst, H264Picture *src); From 48bf926bad57b7b503742c63c46d355e52974059 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 04:24:20 +0100 Subject: [PATCH 135/229] avcodec/h264: simplify find_start_code() this also uses avpriv_find_start_code(), though no speed change is expected as the area searched is generally small Signed-off-by: Michael Niedermayer (cherry picked from commit 3b678da5e386c138316954e867d595f946666051) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 90830260ea..cf84e9347e 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -37,6 +37,7 @@ #include "h264dsp.h" #include "h264pred.h" #include "h264qpel.h" +#include "internal.h" // for avpriv_find_start_code() #include "mpegutils.h" #include "parser.h" #include "qpeldsp.h" @@ -1095,20 +1096,11 @@ static av_always_inline int get_dct8x8_allowed(H264Context *h) static inline int find_start_code(const uint8_t *buf, int buf_size, int buf_index, int next_avc) { - // start code prefix search - for (; buf_index + 3 < next_avc; buf_index++) - // This should always succeed in the first iteration. - if (buf[buf_index] == 0 && - buf[buf_index + 1] == 0 && - buf[buf_index + 2] == 1) - break; + uint32_t state = -1; - buf_index += 3; + buf_index = avpriv_find_start_code(buf + buf_index, buf + next_avc + 1, &state) - buf - 1; - if (buf_index >= buf_size) - return buf_size; - - return buf_index; + return FFMIN(buf_index, buf_size); } static inline int get_avc_nalsize(H264Context *h, const uint8_t *buf, From 4b8cb3fe51eb7a654259dc39fadb4004786b3dc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 04:30:11 +0100 Subject: [PATCH 136/229] avcodec/h264_parser: rewrite the parse_nal_units() loop logic based on h264.c Fixes Ticket4011 Signed-off-by: Michael Niedermayer (cherry picked from commit 69a9a90d2ef795162074be24e3ad2182a8676af2) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index a075bfa987..1e1d7581a6 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -203,10 +203,10 @@ static int scan_mmco_reset(AVCodecParserContext *s) */ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx, - const uint8_t *buf, int buf_size) + const uint8_t * const buf, int buf_size) { H264Context *h = s->priv_data; - const uint8_t *buf_end = buf + buf_size; + int buf_index, next_avc; unsigned int pps_id; unsigned int slice_type; int state = -1, got_reset = 0; @@ -226,26 +226,26 @@ static inline int parse_nal_units(AVCodecParserContext *s, if (!buf_size) return 0; + buf_index = 0; + next_avc = h->is_avc ? 0 : buf_size; for (;;) { int src_length, dst_length, consumed, nalsize = 0; - if (h->is_avc) { - int i; - if (h->nal_length_size >= buf_end - buf) break; - nalsize = 0; - for (i = 0; i < h->nal_length_size; i++) - nalsize = (nalsize << 8) | *buf++; - if (nalsize <= 0 || nalsize > buf_end - buf) { - av_log(h->avctx, AV_LOG_ERROR, "AVC: nal size %d\n", nalsize); + + if (buf_index >= next_avc) { + nalsize = get_avc_nalsize(h, buf, buf_size, &buf_index); + if (nalsize < 0) break; - } - src_length = nalsize; + next_avc = buf_index + nalsize; } else { - buf = avpriv_find_start_code(buf, buf_end, &state); - if (buf >= buf_end) - break; - --buf; - src_length = buf_end - buf; + buf_index = find_start_code(buf, buf_size, buf_index, next_avc); + if (buf_index >= buf_size) + break; + if (buf_index >= next_avc) + continue; } + src_length = next_avc - buf_index; + + state = buf[buf_index]; switch (state & 0x1f) { case NAL_SLICE: case NAL_IDR_SLICE: @@ -262,10 +262,13 @@ static inline int parse_nal_units(AVCodecParserContext *s, } break; } - ptr = ff_h264_decode_nal(h, buf, &dst_length, &consumed, src_length); + ptr = ff_h264_decode_nal(h, buf + buf_index, &dst_length, + &consumed, src_length); if (ptr == NULL || dst_length < 0) break; + buf_index += consumed; + init_get_bits(&h->gb, ptr, 8 * dst_length); switch (h->nal_unit_type) { case NAL_SPS: @@ -440,7 +443,6 @@ static inline int parse_nal_units(AVCodecParserContext *s, return 0; /* no need to evaluate the rest */ } - buf += h->is_avc ? nalsize : consumed; } if (q264) return 0; From a0605792c2d48325cfad56b45d429f85e9f9812f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Nov 2014 00:04:51 +0100 Subject: [PATCH 137/229] avcodec/mpegaudio_parser: fix off by 1 error in bitrate calculation Fixes Ticket3918 Signed-off-by: Michael Niedermayer (cherry picked from commit 817663897e59f45f60016fa9d3d16e325b803967) --- libavcodec/mpegaudio_parser.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 3d9e94688a..79dbf635b4 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -73,20 +73,21 @@ static int mpegaudio_parse(AVCodecParserContext *s1, if (i > 4) s->header_count = -2; } else { + int header_threshold = avctx->codec_id != AV_CODEC_ID_NONE && avctx->codec_id != codec_id; if((state&SAME_HEADER_MASK) != (s->header&SAME_HEADER_MASK) && s->header) s->header_count= -3; s->header= state; s->header_count++; s->frame_size = ret-4; - if (s->header_count > 0 + (avctx->codec_id != AV_CODEC_ID_NONE && avctx->codec_id != codec_id)) { + if (s->header_count > header_threshold) { avctx->sample_rate= sr; avctx->channels = channels; s1->duration = frame_size; avctx->codec_id = codec_id; if (s->no_bitrate || !avctx->bit_rate) { s->no_bitrate = 1; - avctx->bit_rate += (bit_rate - avctx->bit_rate) / s->header_count; + avctx->bit_rate += (bit_rate - avctx->bit_rate) / (s->header_count - header_threshold); } } break; From b152305bb34fe384bdca041df7dce2d3ae35ea42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Nov 2014 12:43:50 +0100 Subject: [PATCH 138/229] Revert "v4l2: setting device parameters early" This reverts commit b1ad9312331759679a9c956233716a67ae681d89. Fixes Ticket #3517 Requested-by: Giorgio Vazzana Merged-by: Michael Niedermayer (cherry picked from commit 6f21fb793238ab6a790b94b86084148d99373ddf) Conflicts: libavdevice/v4l2.c --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 64df0c7950..1e394fa439 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -868,9 +868,6 @@ static int v4l2_read_header(AVFormatContext *s1) avpriv_set_pts_info(st, 64, 1, 1000000); /* 64 bits pts in us */ - if ((res = v4l2_set_parameters(s1)) < 0) - return res; - if (s->pixel_format) { AVCodec *codec = avcodec_find_decoder_by_name(s->pixel_format); @@ -922,6 +919,9 @@ static int v4l2_read_header(AVFormatContext *s1) s->frame_format = desired_format; + if ((res = v4l2_set_parameters(s1)) < 0) + return res; + st->codec->pix_fmt = avpriv_fmt_v4l2ff(desired_format, codec_id); s->frame_size = avpicture_get_size(st->codec->pix_fmt, s->width, s->height); From 80473805149bbafab862d735efd7762ee8e6e8db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Nov 2014 02:49:12 +0100 Subject: [PATCH 139/229] avformat/segment: export inner muxer timebase Fixes "Non-monotonous DTS in output stream 0:0" Fixes Ticket4020 Signed-off-by: Michael Niedermayer (cherry picked from commit ce80f9fee97160049687bbbef4eb31a68166c3ee) --- libavformat/segment.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/segment.c b/libavformat/segment.c index b627cd7e3c..e73f33f908 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -562,6 +562,7 @@ static int seg_write_header(AVFormatContext *s) SegmentContext *seg = s->priv_data; AVFormatContext *oc = NULL; int ret; + int i; seg->segment_count = 0; if (!seg->write_header_trailer) @@ -649,6 +650,13 @@ static int seg_write_header(AVFormatContext *s) } seg->is_first_pkt = 1; + av_assert0(s->nb_streams == oc->nb_streams); + for (i = 0; i < s->nb_streams; i++) { + AVStream *inner_st = oc->streams[i]; + AVStream *outer_st = s->streams[i]; + avpriv_set_pts_info(outer_st, inner_st->pts_wrap_bits, inner_st->time_base.num, inner_st->time_base.den); + } + if (oc->avoid_negative_ts > 0 && s->avoid_negative_ts < 0) s->avoid_negative_ts = 1; From b6ff3acafcc90a21f9927e23752efcde56a1ebad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Nov 2014 03:08:20 +0100 Subject: [PATCH 140/229] avformat/avidec: fix handling dv in avi Fixes Ticket4086 Signed-off-by: Michael Niedermayer (cherry picked from commit f0ae0354d3f04c369257c2a28557524d28c5df15) --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 8c70649b47..6536991011 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1141,7 +1141,7 @@ start_sync: goto start_sync; } - n = avi->dv_demux ? 0 : get_stream_idx(d); + n = get_stream_idx(d); if (!((i - avi->last_pkt_pos) & 1) && get_stream_idx(d + 1) < s->nb_streams) @@ -1153,6 +1153,9 @@ start_sync: goto start_sync; } + if (avi->dv_demux && n != 0) + continue; + // parse ##dc/##wb if (n < s->nb_streams) { AVStream *st; From 0cc15f7c83aaab159830ecc04b74438d0819c4ef Mon Sep 17 00:00:00 2001 From: Michael Stypa Date: Fri, 28 Nov 2014 15:54:50 +0100 Subject: [PATCH 141/229] fix Makefile objects for pulseaudio support Signed-off-by: Michael Niedermayer (cherry picked from commit cb58c771ade66afcc623250e1c7ac8191381d991) --- libavdevice/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/Makefile b/libavdevice/Makefile index 767df19aa7..d6207f9ba7 100644 --- a/libavdevice/Makefile +++ b/libavdevice/Makefile @@ -34,7 +34,7 @@ OBJS-$(CONFIG_OPENGL_OUTDEV) += opengl_enc.o OBJS-$(CONFIG_OSS_INDEV) += oss_audio.o OBJS-$(CONFIG_OSS_OUTDEV) += oss_audio.o OBJS-$(CONFIG_PULSE_INDEV) += pulse_audio_dec.o \ - pulse_audio_common.o + pulse_audio_common.o timefilter.o OBJS-$(CONFIG_PULSE_OUTDEV) += pulse_audio_enc.o \ pulse_audio_common.o OBJS-$(CONFIG_QTKIT_INDEV) += qtkit.o From c2517fb363f56e71697507d56e58ebe117475cfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 20 Dec 2014 00:17:43 +0100 Subject: [PATCH 142/229] avformat/rsd: make tag_buf string larger av_get_codec_tag_string() uses more that 1 char for unprintable characters. (cherry picked from commit edbbb11488e1fce9b9703535936d2e1731e2e318) --- libavformat/rsd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index b6f168633b..c14ade09ea 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -70,7 +70,7 @@ static int rsd_read_header(AVFormatContext *s) codec->codec_tag = avio_rl32(pb); codec->codec_id = ff_codec_get_id(rsd_tags, codec->codec_tag); if (!codec->codec_id) { - char tag_buf[5]; + char tag_buf[32]; av_get_codec_tag_string(tag_buf, sizeof(tag_buf), codec->codec_tag); for (i=0; i < FF_ARRAY_ELEMS(rsd_unsupported_tags); i++) { From 05bc6f8ba653e979e55bfbc33c7f078031081dba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Nov 2014 01:55:40 +0100 Subject: [PATCH 143/229] avcodec/h264_slice: Clear table pointers to avoid stale pointers Might fix Ticket3889 Signed-off-by: Michael Niedermayer (cherry picked from commit 547fce95858ef83f8c25ae347e3ae3b8ba437fd9) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index ded26f8465..489000b69e 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -586,6 +586,17 @@ int ff_h264_update_thread_context(AVCodecContext *dst, h->mb_type_pool = NULL; h->ref_index_pool = NULL; h->motion_val_pool = NULL; + h->intra4x4_pred_mode= NULL; + h->non_zero_count = NULL; + h->slice_table_base = NULL; + h->slice_table = NULL; + h->cbp_table = NULL; + h->chroma_pred_mode_table = NULL; + memset(h->mvd_table, 0, sizeof(h->mvd_table)); + h->direct_table = NULL; + h->list_counts = NULL; + h->mb2b_xy = NULL; + h->mb2br_xy = NULL; for (i = 0; i < 2; i++) { h->rbsp_buffer[i] = NULL; h->rbsp_buffer_size[i] = 0; From d4c70c8b502aa5d0ec1929785986433647f49f6b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 30 Oct 2014 00:27:04 +0100 Subject: [PATCH 144/229] lavc/utils: Make pix_fmt desc pointer const. Fixes an "initialization discards qualifiers from pointer target type" warning. (cherry picked from commit f05855414ed4cce97c06ba2a31f4987af47e6d4e) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8919e15e9e..85d614a028 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -297,7 +297,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; - AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + AVPixFmtDescriptor const *desc = av_pix_fmt_desc_get(s->pix_fmt); if (desc) { w_align = 1 << desc->log2_chroma_w; From 6ed35a66745eded0b2774aa5fe925947d2df8e95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Nov 2014 13:20:24 +0100 Subject: [PATCH 145/229] avcodec/options_table fix min of audio channels and sample rate Found-by: Lukasz Marek Signed-off-by: Michael Niedermayer (cherry picked from commit 206c98f303e833c9e94427c9e3f9867f85265f78) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index cbefa52275..ca700769cd 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h @@ -102,8 +102,8 @@ static const AVOption avcodec_options[] = { {"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, -{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, -{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, +{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, +{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_number", NULL, OFFSET(frame_number), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, From b89b136c001b2bacab01c8778b3b1231f2a07849 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 19:44:20 +0100 Subject: [PATCH 146/229] avcodec/utvideodec: fix assumtation that slice_height >= 1 Fixes out of array read Fixes: asan_heap-oob_2573085_3783_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7656c4c6e66f8a787d384f027ad824cc1677fda1) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index afd56ea1bd..05c943f808 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -224,7 +224,7 @@ static void restore_median(uint8_t *src, int step, int stride, A = bsrc[i]; } bsrc += stride; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride]; @@ -284,7 +284,7 @@ static void restore_median_il(uint8_t *src, int step, int stride, A = bsrc[stride + i]; } bsrc += stride2; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride2]; From 66261cfa77893cdb5b727db2a01e354ab34e933e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 23:07:50 +0100 Subject: [PATCH 147/229] avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization Fixes out of array read Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 2f6c485891..345fad87b7 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -422,6 +422,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; From bb2c09310cbdbb1f48a1eae21f68ba8a63f4e9ba Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Tue, 11 Nov 2014 21:17:58 +0100 Subject: [PATCH 148/229] lavu/opt: fix av_opt_get function Signed-off-by: Lukasz Marek (cherry picked from commit 173d51c982f1ecaa8d28cd0d8611164be0c9d36d) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 4115484498..f1c71006b4 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -711,6 +711,10 @@ int av_opt_get(void *obj, const char *name, int search_flags, uint8_t **out_val) return AVERROR(EINVAL); if (!(*out_val = av_malloc(len*2 + 1))) return AVERROR(ENOMEM); + if (!len) { + *out_val[0] = '\0'; + return 0; + } bin = *(uint8_t**)dst; for (i = 0; i < len; i++) snprintf(*out_val + i*2, 3, "%02X", bin[i]); @@ -726,12 +730,14 @@ int av_opt_get(void *obj, const char *name, int search_flags, uint8_t **out_val) break; case AV_OPT_TYPE_DURATION: i64 = *(int64_t *)dst; - ret = snprintf(buf, sizeof(buf), "%"PRIi64"d:%02d:%02d.%06d", + ret = snprintf(buf, sizeof(buf), "%"PRIi64":%02d:%02d.%06d", i64 / 3600000000, (int)((i64 / 60000000) % 60), (int)((i64 / 1000000) % 60), (int)(i64 % 1000000)); break; case AV_OPT_TYPE_COLOR: - ret = snprintf(buf, sizeof(buf), "0x%02x%02x%02x%02x", ((int *)dst)[0], ((int *)dst)[1], ((int *)dst)[2], ((int *)dst)[3]); + ret = snprintf(buf, sizeof(buf), "0x%02x%02x%02x%02x", + (int)((uint8_t *)dst)[0], (int)((uint8_t *)dst)[1], + (int)((uint8_t *)dst)[2], (int)((uint8_t *)dst)[3]); break; case AV_OPT_TYPE_CHANNEL_LAYOUT: i64 = *(int64_t *)dst; From 693d0d3ac520b5bd516b4c9165e9b04f6623d45e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Nov 2014 04:02:56 +0100 Subject: [PATCH 149/229] avformat/hlsenc: Free context after hls_append_segment Fixes reading uninitialized memory Signed-off-by: Michael Niedermayer (cherry picked from commit 530eb6acf8ee867bf00728bf7efaf505da107e17) Conflicts: libavformat/hlsenc.c (cherry picked from commit 0ac22f043bee2f1c4daf5e1044b014326325d929) Conflicts: libavformat/hlsenc.c --- libavformat/hlsenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 388a23a18b..313fcd3e6a 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -314,9 +314,10 @@ static int hls_write_trailer(struct AVFormatContext *s) av_write_trailer(oc); avio_closep(&oc->pb); - avformat_free_context(oc); av_free(hls->basename); append_entry(hls, hls->duration); + avformat_free_context(oc); + hls->avf = NULL; hls_window(s, 1); free_entries(hls); From 17ff5d3f882672c039ca9c6dbc91b322f1a773bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Nov 2014 11:52:17 +0100 Subject: [PATCH 150/229] doc/APIchanges: Fix some wrong versions Signed-off-by: Michael Niedermayer (cherry picked from commit 4eae568a0712b8b59cb74b3882963f938c26eab4) Conflicts: doc/APIchanges (cherry picked from commit f00c8f879ac311066001b74d3f396cf3dc1f9ad3) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 1a9d103ee0..2497d8854a 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -105,10 +105,10 @@ API changes, most recent first: 2014-05-11 - 14aef38 / 66e6c8a - lavu 52.83.100 / 53.14.0 - pixfmt.h Add AV_PIX_FMT_VDA for new-style VDA acceleration. -2014-05-xx - xxxxxxx - lavu 52.82.0 - fifo.h +2014-05-xx - xxxxxxx - lavu 52.82.100 - fifo.h Add av_fifo_freep() function. -2014-05-02 - ba52fb11 - lavu 52.81.0 - opt.h +2014-05-02 - ba52fb11 - lavu 52.81.100 - opt.h Add av_opt_set_dict2() function. 2014-05-01 - e77b985 / a2941c8 - lavc 55.60.103 / 55.50.3 - avcodec.h From dca70c59317869a8ff699fcb9bd17f9c184e4903 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Nov 2014 00:43:45 +0100 Subject: [PATCH 151/229] swscale/x86/rgb2rgb_template: handle the first 2 lines with C in rgb24toyv12_*() This avoids out of array accesses Should fix Ticket3451 Signed-off-by: Michael Niedermayer (cherry picked from commit 4388e78a0f022c8572996f9ab568a39b5f716f9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 3899d0a842..7796d384bb 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1634,6 +1634,16 @@ static inline void RENAME(rgb24toyv12)(const uint8_t *src, uint8_t *ydst, uint8_ #define BGR2V_IDX "16*4+16*34" int y; const x86_reg chromWidth= width>>1; + + if (height > 2) { + ff_rgb24toyv12_c(src, ydst, udst, vdst, width, 2, lumStride, chromStride, srcStride, rgb2yuv); + src += 2*srcStride; + ydst += 2*lumStride; + udst += chromStride; + vdst += chromStride; + height -= 2; + } + for (y=0; y Date: Tue, 25 Nov 2014 01:14:38 +0100 Subject: [PATCH 152/229] avcodec/mjpegdec: Check for pixfmtid 0x42111100 || 0x24111100 with more than 8 bits These cases are not supported yet Fixes assertion failure Fixes: signal_sigabrt_7ffff6ac7bb9_1_cov_1553101927_00.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0bf416f2628137e5389050fa323c329692dd4ba6) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit bc73ee996b08b331d5a6c41df6acdd53e8deeb5d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index b29b3405ed..37652e95e1 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -513,6 +513,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) else s->avctx->pix_fmt = AV_PIX_FMT_YUV420P16; s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; if (pix_fmt_id == 0x42111100) { + if (s->bits > 8) + goto unk_pixfmt; s->upscale_h = 6; s->chroma_height = s->height / 2; } From 6c63eb59099e7096aaaaaad3c15a1dab62afc87b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 13:53:06 +0100 Subject: [PATCH 153/229] avcodec/mjpegdec: Fix context fields becoming inconsistent Fixes out of array access Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 37652e95e1..e1dff5a6f7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1595,6 +1595,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RB32("LJIF")) { + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); @@ -1604,17 +1606,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknown always 0? */ switch (i=get_bits(&s->gb, 8)) { case 1: - s->rgb = 1; - s->pegasus_rct = 0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb = 1; - s->pegasus_rct = 1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace %d\n", i); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } if (id == AV_RL32("colr") && len > 0) { From 494d3d14dbff87dbdc1b79154deef96b96246d87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 14:45:30 +0100 Subject: [PATCH 154/229] avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata() Fixes out of array read Fixes: asan_heap-oob_4d2250_814_cov_2745172097_JACOsub_capability_tester.jss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5d95db3f5d8e2093e9e19d0c46e86f54ed2a5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 85d614a028..a30b6d9d39 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3601,6 +3601,11 @@ int avpriv_bprint_to_extradata(AVCodecContext *avctx, struct AVBPrint *buf) ret = av_bprint_finalize(buf, &str); if (ret < 0) return ret; + if (!av_bprint_is_complete(buf)) { + av_free(str); + return AVERROR(ENOMEM); + } + avctx->extradata = str; /* Note: the string is NUL terminated (so extradata can be read as a * string), but the ending character is not accounted in the size (in From 419bd6e30311ecbfa09e3e774f51819b8218bc26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 03:29:03 +0100 Subject: [PATCH 155/229] avcodec/flacdec: Call ff_flacdsp_init() unconditionally Fixes out of array access Fixes: signal_sigsegv_324b135_3398_cov_246853371_short.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e5c01ccdf5a9a330d4c51a9b9ea721fd8f1fb70b) Conflicts: libavcodec/flacdec.c --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index b8d45b8e1b..614f5aac37 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -471,10 +471,10 @@ static int decode_frame(FLACContext *s) ret = allocate_buffers(s); if (ret < 0) return ret; - ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); s->got_streaminfo = 1; dump_headers(s->avctx, (FLACStreaminfo *)s); } + ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); // dump_headers(s->avctx, (FLACStreaminfo *)s); From 1bfd23d2c934db2f7fc20c1e4de5404869555991 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 15:45:47 +0100 Subject: [PATCH 156/229] avcodec/pngdec: Check IHDR/IDAT order Fixes out of array access Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 8f3da77a2a..5e62a60318 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -576,6 +576,12 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { From e0822b147f25e56c65b48b7717eaa68f249346eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 18:56:39 +0100 Subject: [PATCH 157/229] avcodec/rawdec: Check the return code of avpicture_get_size() Fixes out of array access Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1d3a3b9f8907625b361420d48fe05716859620ff) Conflicts: libavcodec/rawdec.c --- libavcodec/rawdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index ee1f3970ad..04fd68f259 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -117,6 +117,9 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx) context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); } + if (context->frame_size < 0) + return context->frame_size; + if ((avctx->extradata_size >= 9 && !memcmp(avctx->extradata + avctx->extradata_size - 9, "BottomUp", 9)) || From 0c51b26729996bdf2acbf4fd34b74b4d14d92a33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Nov 2014 02:31:46 +0100 Subject: [PATCH 158/229] avcodec/hevc_ps: Check return code from pps_range_extensions() Fixes out of array read Fixes: asan_heap-oob_177e222_885_cov_1532528832_MERGE_D_TI_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9f9440bd8122cc8798139c9370db0873a24ae14b) Conflicts: libavcodec/hevc_ps.c --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 98d987dcf4..357ff75af4 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1289,7 +1289,8 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (sps->ptl.general_ptl.profile_idc == FF_PROFILE_HEVC_REXT && pps_range_extensions_flag) { av_log(s->avctx, AV_LOG_ERROR, "PPS extension flag is partially implemented.\n"); - pps_range_extensions(s, pps, sps); + if ((ret = pps_range_extensions(s, pps, sps)) < 0) + goto err; } } From fac6ae0814c901c1f1b47f9bccac8cdf6bf4fb77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Nov 2014 19:27:05 +0100 Subject: [PATCH 159/229] avcodec/mjpegdec: Fix integer overflow in shift Fixes: signal_sigabrt_7ffff6ac7bb9_2683_cov_4120310995_m_ijpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 970a8f1c256f08d2f6414d573a54f2fa035c8e7a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e1dff5a6f7..7f6e0549b9 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -244,7 +244,8 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, bits, pix_fmt_id, ret; + int len, nb_components, i, width, height, bits, ret; + unsigned pix_fmt_id; int h_count[MAX_COMPONENTS]; int v_count[MAX_COMPONENTS]; @@ -378,7 +379,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) else if (!s->lossless) s->rgb = 0; /* XXX: not complete test ! */ - pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | + pix_fmt_id = ((unsigned)s->h_count[0] << 28) | (s->v_count[0] << 24) | (s->h_count[1] << 20) | (s->v_count[1] << 16) | (s->h_count[2] << 12) | (s->v_count[2] << 8) | (s->h_count[3] << 4) | s->v_count[3]; From 87d0339d67669b9cca9142603c4b00ee10d833c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Nov 2014 03:46:56 +0100 Subject: [PATCH 160/229] avcodec/hevc_ps: Check num_long_term_ref_pics_sps Fixes out of array access Fixes: signal_sigsegv_35bd0f0_1182_cov_791726764_STRUCT_B_Samsung_4.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ea38e5a6b75706477898eb1e6582d667dbb9946c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 357ff75af4..c81fb461f7 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -865,6 +865,11 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) sps->long_term_ref_pics_present_flag = get_bits1(gb); if (sps->long_term_ref_pics_present_flag) { sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (sps->num_long_term_ref_pics_sps > 31U) { + av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n", + sps->num_long_term_ref_pics_sps); + goto err; + } for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb); From 5630d5cdc2673a6699c8e0173075be324430576b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 24 Nov 2014 11:16:46 +0100 Subject: [PATCH 161/229] opusdec: make sure all substreams have the same number of coded samples Fixes invalid writes with invalid multichannel streams. CC:libav-stable@libav.org (cherry picked from commit 1973079417e8701b52ba810a72cb6c7c6f7f9a56) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index b28edfbcd9..3ce519d1dc 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -499,6 +499,12 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Error parsing the packet header.\n"); return ret; } + if (coded_samples != s->packet.frame_count * s->packet.frame_duration) { + av_log(avctx, AV_LOG_ERROR, + "Mismatching coded sample count in substream %d.\n", i); + return AVERROR_INVALIDDATA; + } + s->silk_samplerate = get_silk_samplerate(s->packet.config); } From a07dfcdd6d72768696e6572f4d614d63a68f4969 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Dec 2014 13:23:24 +0100 Subject: [PATCH 162/229] avcodec/motion_est: use 2x8x8 for interlaced qpel Fixes out of array read Fixes Ticket4121 Signed-off-by: Michael Niedermayer (cherry picked from commit b50e003e1cb6a215df44ffa3354603bf600b4aa3) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 6b3cd61e8a..6e6d3f69e4 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -190,7 +190,13 @@ static av_always_inline int cmp_inline(MpegEncContext *s, const int x, const int int uvdxy; /* no, it might not be used uninitialized */ if(dxy){ if(qpel){ - c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + if (h << size == 16) { + c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + } else if (size == 0 && h == 8) { + c->qpel_put[1][dxy](c->temp , ref[0] + x + y*stride , stride); + c->qpel_put[1][dxy](c->temp + 8, ref[0] + x + y*stride + 8, stride); + } else + av_assert2(0); if(chroma){ int cx= hx/2; int cy= hy/2; From bb70b6673f94f319cd791aadfa9d1f881a657eb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 19:05:56 +0100 Subject: [PATCH 163/229] avformat/aviobuf: Fix infinite loop in ff_get_line() Fixes ticket4152 Signed-off-by: Michael Niedermayer (cherry picked from commit eac5c7b8377f3f0e8262ab44e5ccb2c7ed060cdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 738459e830..8955825d87 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -666,7 +666,7 @@ int ff_get_line(AVIOContext *s, char *buf, int maxlen) if (c && i < maxlen-1) buf[i++] = c; } while (c != '\n' && c != '\r' && c); - if (c == '\r' && avio_r8(s) != '\n') + if (c == '\r' && avio_r8(s) != '\n' && !url_feof(s)) avio_skip(s, -1); buf[i] = 0; From de75b4063d19dd58f73a5b09f8f56ded48f66ed7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:01:18 +0100 Subject: [PATCH 164/229] avformat/rmdec: Check codec_data_size Fixes infinite loop Fixes Ticket4154 Signed-off-by: Michael Niedermayer (cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 36764ee9b2..11878a4931 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -312,6 +312,9 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, int64_t codec_pos; int ret; + if (codec_data_size < 0) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From cedb96db37236b6a02782b7747d2c5bf1211b9be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:21:56 +0100 Subject: [PATCH 165/229] swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output Fixes Ticket4151 Signed-off-by: Michael Niedermayer (cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 7796d384bb..e71c7ebfe3 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,6 +1887,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; + if (width >= 16) #if COMPILE_TEMPLATE_SSE2 __asm__( "xor %%"REG_a", %%"REG_a" \n\t" From 4a495766d1e820264fdf5d62e8105a83853c7805 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Dec 2014 18:58:38 +0100 Subject: [PATCH 166/229] doc/examples/transcoding: check encoder before using it Fixes null pointer exception Found-by: stoupeace Signed-off-by: Michael Niedermayer (cherry picked from commit bde27e1e617dfeb3c026f530f48a77f5ed8aa2ea) Signed-off-by: Michael Niedermayer --- doc/examples/transcoding.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index a8f4210e6e..d7c4a84de9 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -116,6 +116,10 @@ static int open_output_file(const char *filename) || dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) { /* in this example, we choose transcoding to same codec */ encoder = avcodec_find_encoder(dec_ctx->codec_id); + if (!encoder) { + av_log(NULL, AV_LOG_FATAL, "Neccessary encoder not found\n"); + return AVERROR_INVALIDDATA; + } /* In this example, we transcode to same properties (picture size, * sample rate etc.). These properties can be changed for output From a6f808b36ae87cda814f08685f063ca56c8023a4 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 6 Dec 2014 16:53:30 +0100 Subject: [PATCH 167/229] avformat/matroskadec: fix handling of recursive SeekHead elements When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ea0b5abecf..9e5faba418 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1471,13 +1471,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; From 1f59cfe65bc5f7e7787ca02cec37fa6f1d6f78dc Mon Sep 17 00:00:00 2001 From: Rob Sykes Date: Sat, 13 Dec 2014 21:12:56 +0100 Subject: [PATCH 168/229] swresample/soxr_resample: fix error handling Fixes CID1257659 Signed-off-by: Michael Niedermayer (cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb) Signed-off-by: Michael Niedermayer --- libswresample/soxr_resample.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 064451df45..9e87f2fc4b 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c @@ -76,8 +76,12 @@ static int process( AudioData *src, int src_size, int *consumed){ size_t idone, odone; soxr_error_t error = soxr_set_error((soxr_t)c, soxr_set_num_channels((soxr_t)c, src->ch_count)); - error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, - &idone, dst->ch, (size_t)dst_size, &odone); + if (!error) + error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, + &idone, dst->ch, (size_t)dst_size, &odone); + else + idone = 0; + *consumed = (int)idone; return error? -1 : odone; } From 0e9fe8510ec3113514758ec2d4cb1afdf3d3d0dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 169/229] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 8955825d87..baf7d600a6 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -220,6 +220,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && (!s->direct || !s->seek) && offset1 >= 0 && offset1 <= buffer_size) { From 0621421ee2a36bc0abd4901f363c4c3cf05d2e4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 19:46:31 +0100 Subject: [PATCH 170/229] avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference() Fixes Ticket3686 Signed-off-by: Michael Niedermayer (cherry picked from commit a29524bf2e197dd8d582445de0fe17f03b79f79d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index e095d601e1..a4929b37f1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -730,6 +730,8 @@ static int update_wrap_reference(AVFormatContext *s, AVStream *st, int stream_in int default_stream_index = av_find_default_stream_index(s); if (s->streams[default_stream_index]->pts_wrap_reference == AV_NOPTS_VALUE) { for (i = 0; i < s->nb_streams; i++) { + if (av_find_program_from_stream(s, NULL, i)) + continue; s->streams[i]->pts_wrap_reference = pts_wrap_reference; s->streams[i]->pts_wrap_behavior = pts_wrap_behavior; } From c3cd7b8a2904566de19a70215ceaef4cab841d44 Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 15 Dec 2014 04:32:58 +0100 Subject: [PATCH 171/229] lavu/frame: fix malloc error path in av_frame_copy_props() The error path frees all side data, but forgets to reset the side data count. This can blow up later in av_frame_unref() and free_side_data(). Signed-off-by: Michael Niedermayer (cherry picked from commit a400edbb6d00c0211de38e4f1b4f593681db91d8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/frame.c b/libavutil/frame.c index fdfbc46753..e44ce8e580 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -503,6 +503,7 @@ int av_frame_copy_props(AVFrame *dst, const AVFrame *src) free_side_data(&dst->side_data[i]); } av_freep(&dst->side_data); + dst->nb_side_data = 0; return AVERROR(ENOMEM); } memcpy(sd_dst->data, sd_src->data, sd_src->size); From 2b15ceec6247846644a7bd0f283778cff112c824 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Dec 2014 04:32:23 +0100 Subject: [PATCH 172/229] configure: create the tests directory like the doc directory This fixes an issue where the tests directory is not created for out of tree builds before its needed Tested-by: Dave Yeo Signed-off-by: Michael Niedermayer (cherry picked from commit e631872f13b6be0583603d45a11e53319754bc8d) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index ceaaf176f2..d61c6f9867 100755 --- a/configure +++ b/configure @@ -5535,6 +5535,7 @@ enabled getenv || echo "#define getenv(x) NULL" >> $TMPH mkdir -p doc +mkdir -p tests echo "@c auto-generated by configure" > doc/config.texi print_config ARCH_ "$config_files" $ARCH_LIST From 557e3790ef1ff7c7f660e9bae013216f4723fc12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 15:03:32 +0100 Subject: [PATCH 173/229] avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 91ea466551c148bd897706a1b6a168e783761a06) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 899a0368f4..ee73dd7502 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -620,7 +620,7 @@ static int flv_read_close(AVFormatContext *s) static int flv_get_extradata(AVFormatContext *s, AVStream *st, int size) { - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, s->pb, size) < 0) return AVERROR(ENOMEM); return 0; From 942806cbe41e2d25bf1d25fa97b9fe04885afb77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 174/229] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Signed-off-by: Michael Niedermayer --- libavcodec/vmdvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdvideo.c b/libavcodec/vmdvideo.c index 279c56ab4f..42e19ae53c 100644 --- a/libavcodec/vmdvideo.c +++ b/libavcodec/vmdvideo.c @@ -339,6 +339,9 @@ static int vmd_decode(VmdVideoContext *s, AVFrame *frame) ofs += slen; bytestream2_skip(&gb, len); } else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } From 7ef11e82213fb7732e746c02664e061f66664318 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 20:45:31 +0100 Subject: [PATCH 175/229] avcodec/utvideodec: Fix handling of slice_height=0 Fixes out of array accesses Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 05c943f808..abf550b081 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -214,6 +214,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; // first line - left neighbour prediction @@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From 6eca20aaec5c1c3a1878b389d2389026103772a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:14:40 +0100 Subject: [PATCH 176/229] avformat/mov: check atom nesting depth Fixes call stack overflow Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210) Conflicts: libavformat/isom.h --- libavformat/isom.h | 1 + libavformat/mov.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 414b87cc9d..ab285af4ea 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -171,6 +171,7 @@ typedef struct MOVContext { int *bitrates; ///< bitrates read before streams creation int bitrates_count; int moov_retry; + int atom_depth; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index 9b4832fb34..70bc053fa8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3151,6 +3151,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVAtom a; int i; + if (c->atom_depth > 10) { + av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n"); + return AVERROR_INVALIDDATA; + } + c->atom_depth ++; + if (atom.size < 0) atom.size = INT64_MAX; while (total_size + 8 <= atom.size && !url_feof(pb)) { @@ -3180,6 +3186,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) { av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n"); avio_skip(pb, -8); + c->atom_depth --; return 0; } } @@ -3216,13 +3223,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t start_pos = avio_tell(pb); int64_t left; int err = parse(c, pb, a); - if (err < 0) + if (err < 0) { + c->atom_depth --; return err; + } if (c->found_moov && c->found_mdat && ((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) || start_pos + a.size == avio_size(pb))) { if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) c->next_root_atom = start_pos + a.size; + c->atom_depth --; return 0; } left = a.size - avio_tell(pb) + start_pos; @@ -3242,6 +3252,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (total_size < atom.size && atom.size < 0x7ffff) avio_skip(pb, atom.size - total_size); + c->atom_depth --; return 0; } From dbe690b572ddad346be831a029f3d5b9239bfdf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:29:27 +0100 Subject: [PATCH 177/229] avformat/mov: fix integer overflow of size Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 70bc053fa8..5ad4786f68 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1452,7 +1452,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { // ttxt stsd contains display flags, justification, background // color, fonts, and default styles, so fake an atom to read it @@ -1517,10 +1517,10 @@ static int mov_rewrite_dvd_sub_extradata(AVStream *st) static int mov_parse_stsd_data(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { if (st->codec->codec_tag == MKTAG('t','m','c','d')) { - if (ff_get_extradata(st->codec, pb, size) < 0) + if ((int)size != size || ff_get_extradata(st->codec, pb, size) < 0) return AVERROR(ENOMEM); if (size > 16) { MOVStreamContext *tmcd_ctx = st->priv_data; From 0f77303c57457fbc7483ac3a6834233e17b167bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 22:21:21 +0100 Subject: [PATCH 178/229] swscale: increase yuv2rgb table headroom Fixes out of array access Fixes: case2_bad_read_yuv2rgbx32.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 8d2d56acb7..7e48a62d98 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -37,7 +37,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 256 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE From a74a0a5c0c2659ea78cb945ec04cda681be6a761 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 01:31:48 +0100 Subject: [PATCH 179/229] avcodec/h264: make the first field of H264Context an AVClass Fixes use of freed memory Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index cf84e9347e..fd42df8e87 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -338,6 +338,7 @@ typedef struct H264Picture { * H264Context */ typedef struct H264Context { + AVClass *av_class; AVCodecContext *avctx; VideoDSPContext vdsp; H264DSPContext h264dsp; From 30e7dae22c307f4468f85df42737309ced7effb2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 03:14:21 +0100 Subject: [PATCH 180/229] avcodec/indeo3: use signed variables to avoid underflow Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index aa9c30aca9..4659b18cfb 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary @@ -899,7 +899,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; From c8fb53357dbf15ed8cd881c4f810cd1170b1e501 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 15:33:05 +0100 Subject: [PATCH 181/229] avcodec/dcadec: Check that the added xch channel isnt already there Fixes null pointer dereference Fixes: signal_sigsegv_369609d_623_cov_2008234281_ES_6.1_16bit.dts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7d593495e42e92693cc8f3ce9b42cf3edcea377a) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index c671fcd722..06fd74c8bf 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -2359,6 +2359,10 @@ FF_ENABLE_DEPRECATION_WARNINGS #else if (s->xch_present && !s->xch_disable) { #endif + if (avctx->channel_layout & AV_CH_BACK_CENTER) { + avpriv_request_sample(avctx, "XCh with Back center channel"); + return AVERROR_INVALIDDATA; + } avctx->channel_layout |= AV_CH_BACK_CENTER; if (s->lfe) { avctx->channel_layout |= AV_CH_LOW_FREQUENCY; From b052ea0f5b62341861d9faea0d440f133790a89f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 19:42:57 +0100 Subject: [PATCH 182/229] avcodec/hevc: clear filter_slice_edges() on allocation This avoids use of uninitialized memory Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8aa8d12554868c32436750f881954193087219c8) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 3fb8a8a3cf..d88bca8119 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -108,7 +108,7 @@ static int pic_arrays_init(HEVCContext *s, const HEVCSPS *sps) if (!s->tab_ipm || !s->cbf_luma || !s->is_pcm) goto fail; - s->filter_slice_edges = av_malloc(ctb_count); + s->filter_slice_edges = av_mallocz(ctb_count); s->tab_slice_address = av_malloc_array(pic_size_in_ctb, sizeof(*s->tab_slice_address)); s->qp_y_tab = av_malloc_array(pic_size_in_ctb, From 3353a00d58e26806c7e693d0a524987aac722d90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 21:27:37 +0100 Subject: [PATCH 183/229] avcodec/h264: Clear delayed_pic on deallocation Fixes use of freed memory Fixes: case5_av_frame_copy_props.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 297d4989b1..ce9b799ab5 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -392,6 +392,7 @@ void ff_h264_free_tables(H264Context *h, int free_rbsp) if (free_rbsp && h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) ff_h264_unref_picture(h, &h->DPB[i]); + memset(h->delayed_pic, 0, sizeof(h->delayed_pic)); av_freep(&h->DPB); } else if (h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) From afd7fac3f19de0c3fd4ed8aa78026ae4c6189cb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 02:09:23 +0100 Subject: [PATCH 184/229] avcodec/hevc_ps: Check diff_cu_qp_delta_depth Fixes undefined behavior Fixes: asan_static-oob_17aa046_582_cov_1577759978_DBLK_G_VIXS_1.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3281fa892599d71b4dc298a426af8296419cd90e) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index c81fb461f7..40b8b74403 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1169,6 +1169,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->cu_qp_delta_enabled_flag) pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb); + if (pps->diff_cu_qp_delta_depth < 0 || + pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) { + av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n", + pps->diff_cu_qp_delta_depth); + ret = AVERROR_INVALIDDATA; + goto err; + } + pps->cb_qp_offset = get_se_golomb(gb); if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) { av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n", From 730826275fcf4e4c8466f64ade029689f23702be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 03:16:39 +0100 Subject: [PATCH 185/229] avcodec/h264: Check *log2_weight_denom Fixes undefined behavior Fixes: signal_sigsegv_14768d2_2248_cov_3629497219_h264_h264___pi_20070614T182942.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61296d41e2de3b41304339e4631dd44c2e15f805) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ce9b799ab5..34e520d7e4 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -991,6 +991,16 @@ int ff_pred_weight_table(H264Context *h) h->luma_log2_weight_denom = get_ue_golomb(&h->gb); if (h->sps.chroma_format_idc) h->chroma_log2_weight_denom = get_ue_golomb(&h->gb); + + if (h->luma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", h->luma_log2_weight_denom); + h->luma_log2_weight_denom = 0; + } + if (h->chroma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", h->chroma_log2_weight_denom); + h->chroma_log2_weight_denom = 0; + } + luma_def = 1 << h->luma_log2_weight_denom; chroma_def = 1 << h->chroma_log2_weight_denom; From 185e55279c24f0f23627308e4d8320e5fec362b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 18:57:27 +0100 Subject: [PATCH 186/229] avcodec/indeo3: ensure offsets are non negative Signed-off-by: Michael Niedermayer (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 4659b18cfb..97ca180cce 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -982,7 +982,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); From b5dbe93c8bc4b2180f9723a7a68b1db5591f3168 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 187/229] jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer See: 105654e376a736d243aef4a1d121abebce912e6b These should be redundant, but are backported for saftey anyway (cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 47e8edcae6..9c4a8d4ca3 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -43,6 +43,13 @@ static av_cold int decode_init(AVCodecContext *avctx) { JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 8a01fb3729e58aab2fdc17ed6ddfa2c4efb3a54c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 188/229] mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer See: 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e These should be redundant, but are backported for saftey anyway (cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index baedccd7f1..9af35e5108 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 841ce9a83816199ab0ecbda76589f09677e04b08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Dec 2014 18:04:40 +0100 Subject: [PATCH 189/229] Add FFMPEG_VERSION into the binary libs This simplifies identifying from which revision a binary of a lib came from Signed-off-by: Michael Niedermayer (cherry picked from commit 649c158e8c94ac0cff7f03e97d6ea8bbf71b7f02) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ libavdevice/avdevice.c | 3 +++ libavfilter/avfilter.c | 3 +++ libavformat/utils.c | 3 +++ libavutil/utils.c | 3 +++ libpostproc/postprocess.c | 3 +++ libswresample/swresample.c | 3 +++ 7 files changed, 21 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a30b6d9d39..020524f498 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -66,6 +66,9 @@ #include "compat/os2threads.h" #endif +#include "libavutil/ffversion.h" +const char av_codec_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #if HAVE_PTHREADS || HAVE_W32THREADS || HAVE_OS2THREADS static int default_lockmgr_cb(void **arg, enum AVLockOp op) { diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index 6a75bd79d7..c391931ac2 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c @@ -23,6 +23,9 @@ #include "avdevice.h" #include "config.h" +#include "libavutil/ffversion.h" +const char av_device_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #define E AV_OPT_FLAG_ENCODING_PARAM #define D AV_OPT_FLAG_DECODING_PARAM #define A AV_OPT_FLAG_AUDIO_PARAM diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 7e166e04f8..885be470c5 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -37,6 +37,9 @@ #include "formats.h" #include "internal.h" +#include "libavutil/ffversion.h" +const char av_filter_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + static int ff_filter_frame_framed(AVFilterLink *link, AVFrame *frame); void ff_tlog_ref(void *ctx, AVFrame *ref, int end) diff --git a/libavformat/utils.c b/libavformat/utils.c index a4929b37f1..c4f745c024 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -53,6 +53,9 @@ #include "riff.h" #include "url.h" +#include "libavutil/ffversion.h" +const char av_format_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + /** * @file * various utility functions for use within FFmpeg diff --git a/libavutil/utils.c b/libavutil/utils.c index aafd3b909e..da8b5ae2d3 100644 --- a/libavutil/utils.c +++ b/libavutil/utils.c @@ -27,6 +27,9 @@ * various utility functions */ +#include "libavutil/ffversion.h" +const char av_util_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned avutil_version(void) { static int checks_done; diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 37206c5a48..f2757acc78 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -89,6 +89,9 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "postprocess_internal.h" #include "libavutil/avstring.h" +#include "libavutil/ffversion.h" +const char postproc_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned postproc_version(void) { av_assert0(LIBPOSTPROC_VERSION_MICRO >= 100); diff --git a/libswresample/swresample.c b/libswresample/swresample.c index bba628b784..fa09dca01b 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -28,6 +28,9 @@ #define ALIGN 32 +#include "libavutil/ffversion.h" +const char swr_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned swresample_version(void) { av_assert0(LIBSWRESAMPLE_VERSION_MICRO >= 100); From d4c45f92497157f1284e4319dcda25177d9af5d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Dec 2014 04:09:01 +0100 Subject: [PATCH 190/229] Makefile: add dependencies which require ffversion.h Without this ffversion.h could sometimes be built too late Signed-off-by: Michael Niedermayer (cherry picked from commit 4ae87554f3c8bc54db572873f5049427a7e6cb31) Signed-off-by: Michael Niedermayer --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 86b3508425..e83ec39eb5 100644 --- a/Makefile +++ b/Makefile @@ -110,7 +110,7 @@ endef $(foreach P,$(PROGS),$(eval $(call DOPROG,$(P:$(PROGSSUF)$(EXESUF)=)))) -ffprobe.o cmdutils.o : libavutil/ffversion.h +ffprobe.o cmdutils.o libavcodec/utils.o libavformat/utils.o libavdevice/avdevice.o libavfilter/avfilter.o libavutil/utils.o libpostproc/postprocess.o libswresample/swresample.o libswscale/utils.o : libavutil/ffversion.h $(PROGS): %$(PROGSSUF)$(EXESUF): %$(PROGSSUF)_g$(EXESUF) $(CP) $< $@ From 103cf56c62a14297c0721f2c170ccd456fdd2af8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 18:16:15 +0100 Subject: [PATCH 191/229] avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atoms Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations which contains more fixes but is unfinished Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1b5d11240692025f036e945bc37968735679320a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5ad4786f68..3ffaf0b459 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1176,6 +1176,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (entries >= UINT_MAX/sizeof(int64_t)) return AVERROR_INVALIDDATA; + if (sc->chunk_offsets) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STCO atom\n"); + av_free(sc->chunk_offsets); + sc->chunk_count = 0; sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); if (!sc->chunk_offsets) return AVERROR(ENOMEM); @@ -1747,6 +1751,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; if (entries >= UINT_MAX / sizeof(*sc->stsc_data)) return AVERROR_INVALIDDATA; + if (sc->stsc_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSC atom\n"); + av_free(sc->stsc_data); + sc->stsc_count = 0; sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data)); if (!sc->stsc_data) return AVERROR(ENOMEM); From 15601df419c6592b7c51fd53b48793d58beae12c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 10 Nov 2014 18:21:28 +0100 Subject: [PATCH 192/229] avformat/mov: strengthen some table allocations (cherry picked from commit 5ab882d7283f57560c889919c35f2688253b1d9c) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 48 ++++++++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3ffaf0b459..156bbbdf75 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1173,14 +1173,12 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX/sizeof(int64_t)) - return AVERROR_INVALIDDATA; if (sc->chunk_offsets) av_log(c->fc, AV_LOG_WARNING, "Duplicate STCO atom\n"); av_free(sc->chunk_offsets); sc->chunk_count = 0; - sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); + sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); if (!sc->chunk_offsets) return AVERROR(ENOMEM); sc->chunk_count = entries; @@ -1749,13 +1747,11 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(*sc->stsc_data)) - return AVERROR_INVALIDDATA; if (sc->stsc_data) av_log(c->fc, AV_LOG_WARNING, "Duplicate STSC atom\n"); av_free(sc->stsc_data); sc->stsc_count = 0; - sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data)); + sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); if (!sc->stsc_data) return AVERROR(ENOMEM); @@ -1787,9 +1783,11 @@ static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); // version + flags entries = avio_rb32(pb); - if (entries >= UINT_MAX / sizeof(*sc->stps_data)) - return AVERROR_INVALIDDATA; - sc->stps_data = av_malloc(entries * sizeof(*sc->stps_data)); + if (sc->stps_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STPS atom\n"); + av_free(sc->stps_data); + sc->stps_count = 0; + sc->stps_data = av_malloc_array(entries, sizeof(*sc->stps_data)); if (!sc->stps_data) return AVERROR(ENOMEM); @@ -1831,9 +1829,11 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } - if (entries >= UINT_MAX / sizeof(int)) - return AVERROR_INVALIDDATA; - sc->keyframes = av_malloc(entries * sizeof(int)); + if (sc->keyframes) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSS atom\n"); + av_free(sc->keyframes); + sc->keyframe_count = 0; + sc->keyframes = av_malloc_array(entries, sizeof(*sc->keyframes)); if (!sc->keyframes) return AVERROR(ENOMEM); @@ -1892,9 +1892,13 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) / field_size) + if (entries >= (UINT_MAX - 4) / field_size) return AVERROR_INVALIDDATA; - sc->sample_sizes = av_malloc(entries * sizeof(int)); + if (sc->sample_sizes) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSZ atom\n"); + av_free(sc->sample_sizes); + sc->sample_count = 0; + sc->sample_sizes = av_malloc_array(entries, sizeof(*sc->sample_sizes)); if (!sc->sample_sizes) return AVERROR(ENOMEM); @@ -1948,11 +1952,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "track[%i].stts.entries = %i\n", c->fc->nb_streams-1, entries); - if (entries >= UINT_MAX / sizeof(*sc->stts_data)) - return -1; - + if (sc->stts_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STTS atom\n"); av_free(sc->stts_data); - sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data)); + sc->stts_count = 0; + sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data)); if (!sc->stts_data) return AVERROR(ENOMEM); @@ -2091,9 +2095,11 @@ static int mov_read_sbgp(MOVContext *c, AVIOContext *pb, MOVAtom atom) entries = avio_rb32(pb); if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(*sc->rap_group)) - return AVERROR_INVALIDDATA; - sc->rap_group = av_malloc(entries * sizeof(*sc->rap_group)); + if (sc->rap_group) + av_log(c->fc, AV_LOG_WARNING, "Duplicate SBGP atom\n"); + av_free(sc->rap_group); + sc->rap_group_count = 0; + sc->rap_group = av_malloc_array(entries, sizeof(*sc->rap_group)); if (!sc->rap_group) return AVERROR(ENOMEM); From d071c1f0e143b248a5bf8ab85a5ab71615c5a564 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Dec 2014 12:38:20 +0100 Subject: [PATCH 193/229] avformat/segment: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 68fa549230af35179df2a2af2bdb84ee6c825bed) Signed-off-by: Michael Niedermayer --- libavformat/segment.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index e73f33f908..07351d60dc 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -336,7 +336,7 @@ static int segment_end(AVFormatContext *s, int write_trailer, int is_last) if (seg->list_size && seg->segment_count > seg->list_size) { entry = seg->segment_list_entries; seg->segment_list_entries = seg->segment_list_entries->next; - av_free(entry->filename); + av_freep(&entry->filename); av_freep(&entry); } @@ -494,10 +494,10 @@ static int open_null_ctx(AVIOContext **ctx) return 0; } -static void close_null_ctx(AVIOContext *pb) +static void close_null_ctxp(AVIOContext **pb) { - av_free(pb->buffer); - av_free(pb); + av_freep(&(*pb)->buffer); + av_freep(pb); } static int select_reference_stream(AVFormatContext *s) @@ -661,7 +661,7 @@ static int seg_write_header(AVFormatContext *s) s->avoid_negative_ts = 1; if (!seg->write_header_trailer) { - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); if ((ret = avio_open2(&oc->pb, oc->filename, AVIO_FLAG_WRITE, &s->interrupt_callback, NULL)) < 0) goto fail; @@ -787,7 +787,7 @@ static int seg_write_trailer(struct AVFormatContext *s) goto fail; open_null_ctx(&oc->pb); ret = av_write_trailer(oc); - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); } else { ret = segment_end(s, 1, 1); } @@ -802,7 +802,7 @@ fail: cur = seg->segment_list_entries; while (cur) { next = cur->next; - av_free(cur->filename); + av_freep(&cur->filename); av_free(cur); cur = next; } From 3ee4a610c2c07ebb0012d1216e4e88f993c1f5f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Dec 2014 21:41:46 +0100 Subject: [PATCH 194/229] avformat/cdxl: Fix integer overflow of image_size Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index ab8a846cc5..51b9567d20 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); + if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; From c9a25ff5a02a228f5f15bd203e37f505e4b79634 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:07:24 +0100 Subject: [PATCH 195/229] avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream Such data streams (which then contain no other packets except the faulty one) confuse some user applications, like VLC Works around vlcticket 12389 Signed-off-by: Michael Niedermayer (cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff) Conflicts: libavformat/flvdec.c --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index ee73dd7502..d77c06d322 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -555,13 +555,13 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) type = avio_r8(ioc); if (type != AMF_DATA_TYPE_STRING || amf_get_string(ioc, buffer, sizeof(buffer)) < 0) - return -1; + return 2; if (!strcmp(buffer, "onTextData")) return 1; if (strcmp(buffer, "onMetaData")) - return -1; + return 2; // find the streams now so that amf_parse_object doesn't need to do // the lookup every time it is called. @@ -819,7 +819,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) stream_type=FLV_STREAM_TYPE_DATA; if (size > 13 + 1 + 4 && dts == 0) { // Header-type metadata stuff meta_pos = avio_tell(s->pb); - if (flv_read_metabody(s, next) == 0) { + if (flv_read_metabody(s, next) <= 0) { goto skip; } avio_seek(s->pb, meta_pos, SEEK_SET); From 0b033cd3a14bb9dc728b928c2c76e7a56c594077 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:15:16 +0100 Subject: [PATCH 196/229] avformat/flvdec: Increase string array size Fixes parsing httphostheader of Scarlatti\,\ Pieter-Jan\ Belder\ -\ Sonata\ K113\ in\ A\ major\ -\ Alle.flv Signed-off-by: Michael Niedermayer (cherry picked from commit eb767a276bfdb9a0493bdb0b38203638230b7ccb) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index d77c06d322..263a7035d1 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -390,7 +390,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, FLVContext *flv = s->priv_data; AVIOContext *ioc; AMFDataType amf_type; - char str_val[256]; + char str_val[1024]; double num_val; num_val = 0; From 11c0531099da3185d0f03c4230018ac623f226ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jan 2015 01:03:26 +0100 Subject: [PATCH 197/229] avfilter/vf_sab: fix filtering tiny images Fixes out of array reads Signed-off-by: Michael Niedermayer (cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67) Signed-off-by: Michael Niedermayer --- libavfilter/vf_sab.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_sab.c b/libavfilter/vf_sab.c index aa38b533fe..b8af27cdcd 100644 --- a/libavfilter/vf_sab.c +++ b/libavfilter/vf_sab.c @@ -220,6 +220,19 @@ static int config_props(AVFilterLink *inlink) #define NB_PLANES 4 +static inline int mirror(int x, int w) +{ + if (!w) + return 0; + + while ((unsigned)x > (unsigned)w) { + x = -x; + if (x < 0) + x += 2 * w; + } + return x; +} + static void blur(uint8_t *dst, const int dst_linesize, const uint8_t *src, const int src_linesize, const int w, const int h, FilterParam *fp) @@ -253,8 +266,7 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2 + 1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { const int ix = x+dx - radius; @@ -265,13 +277,11 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2+1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { int ix = x+dx - radius; - if (ix < 0) ix = -ix; - else if (ix >= w) ix = w+w-ix-1; + ix = mirror(ix, w-1); UPDATE_FACTOR; } } From f03888b449faf2888a149cae3b340ea13c6f85fa Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 5 Jan 2015 04:45:26 +0100 Subject: [PATCH 198/229] avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 39b0e25a13..7dbaf17198 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) From 22558d6f6e8652d362add0c5c195964c5e65cfd2 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:19:09 -0800 Subject: [PATCH 199/229] mov: Avoid overflow with mov_metadata_raw() The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 156bbbdf75..3711d2932e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -214,6 +214,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); From ffe915b6f596de5fc54eabf631b7b9b1a19aaa63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 04:29:10 +0100 Subject: [PATCH 200/229] avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3711d2932e..d7e5669c8e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -359,7 +359,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); From 27a910a8575879d08edaae9d8956ab6d1821044a Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:34:17 -0800 Subject: [PATCH 201/229] mov: Fix negative size calculation in mov_read_default(). The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verfies there's enough data in the atom for this to be done. Failure to verify causes total_size > atom.size which will result in negative size calculations later on. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d7e5669c8e..4f4dcc9991 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3208,7 +3208,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } total_size += 8; - if (a.size == 1) { /* 64 bit extended size */ + if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */ a.size = avio_rb64(pb) - 8; total_size += 8; } From bbfe0f7b084e7217800e7f5e1cb34968840173f0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 6 Jan 2015 09:42:59 +0000 Subject: [PATCH 202/229] lavfi: check av_strdup() return value Signed-off-by: Paul B Mahol (cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0) Signed-off-by: Michael Niedermayer --- libavfilter/af_amix.c | 2 ++ libavfilter/af_join.c | 2 ++ libavfilter/split.c | 2 ++ libavfilter/src_movie.c | 2 ++ 4 files changed, 8 insertions(+) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index 1eef70d8c4..34f23b0e4c 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -496,6 +496,8 @@ static av_cold int init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; ff_insert_inpad(ctx, i, &pad); diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index 3e9ccc8d74..7d99a4c8d1 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -214,6 +214,8 @@ static av_cold int join_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; pad.needs_fifo = 1; diff --git a/libavfilter/split.c b/libavfilter/split.c index 6abd5ee2e0..7353810677 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c @@ -52,6 +52,8 @@ static av_cold int split_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "output%d", i); pad.type = ctx->filter->inputs[0].type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); ff_insert_outpad(ctx, i, &pad); } diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index bcc8e05495..b7b1ec7256 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c @@ -292,6 +292,8 @@ static av_cold int movie_common_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "out%d", i); pad.type = movie->st[i].st->codec->codec_type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.config_props = movie_config_output_props; pad.request_frame = movie_request_frame; ff_insert_outpad(ctx, i, &pad); From 7959b9a0f3f9dad15db480417ccfde7d37019b4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:48:38 +0100 Subject: [PATCH 203/229] avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9e5faba418..ac7d0ea095 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1078,7 +1078,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) for (j = 0; j < list->nb_elem; j++, ptr += syntax[i].list_elem_size) ebml_free(syntax[i].def.n, ptr); - av_free(list->elem); + av_freep(&list->elem); } else ebml_free(syntax[i].def.n, data_off); default: @@ -2189,7 +2189,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, { if (matroska->num_packets > 0) { memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); - av_free(matroska->packets[0]); + av_freep(&matroska->packets[0]); if (matroska->num_packets > 1) { void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], @@ -2220,7 +2220,7 @@ static void matroska_clear_queue(MatroskaDemuxContext *matroska) int n; for (n = 0; n < matroska->num_packets; n++) { av_free_packet(matroska->packets[n]); - av_free(matroska->packets[n]); + av_freep(&matroska->packets[n]); } av_freep(&matroska->packets); matroska->num_packets = 0; @@ -3068,7 +3068,7 @@ static int matroska_read_close(AVFormatContext *s) for (n = 0; n < matroska->tracks.nb_elem; n++) if (tracks[n].type == MATROSKA_TRACK_TYPE_AUDIO) - av_free(tracks[n].audio.buf); + av_freep(&tracks[n].audio.buf); ebml_free(matroska_cluster, &matroska->current_cluster); ebml_free(matroska_segment, matroska); From 63b5cb1fb0cd3182bdc1a2a4a0b8b1193b4029b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:53:53 +0100 Subject: [PATCH 204/229] avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a stale pointer in memory Signed-off-by: Michael Niedermayer (cherry picked from commit bbfca8e84b0e69abba523d665536c0135fc1c00e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index c4f745c024..c43050f09c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2954,6 +2954,7 @@ int ff_alloc_extradata(AVCodecContext *avctx, int size) int ret; if (size < 0 || size >= INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + avctx->extradata = NULL; avctx->extradata_size = 0; return AVERROR(EINVAL); } From a620c463f05a5e852d125de551d6f25646e53f4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 13:12:22 +0100 Subject: [PATCH 205/229] cmdutils: Use 64bit for file size/offset related variable in cmdutils_read_file() Signed-off-by: Michael Niedermayer (cherry picked from commit 369b4cd4120bf67aa5187b6bc72574970a24ca22) Signed-off-by: Michael Niedermayer --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 67bb66e9b5..081d37b26e 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -1857,7 +1857,7 @@ int read_yesno(void) int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) { - int ret; + int64_t ret; FILE *f = av_fopen_utf8(filename, "rb"); if (!f) { From 8327bef1c920c6e2ad654e239f3b746dca20cd89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 19:37:09 +0100 Subject: [PATCH 206/229] Update for 2.3.6 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index cc6c9a491e..e75da3e63d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.5 +2.3.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index c4f02364b5..2ae11e63f9 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.3.5 +PROJECT_NUMBER = 2.3.6 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From db27f50e0658e91758e8a17fdcf390e6bc93c1d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 19:51:38 +0100 Subject: [PATCH 207/229] avformat/mov: Fix mixed declaration and statement warning Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4f4dcc9991..f57568a146 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -214,10 +214,11 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + char *value; // Check for overflow. if (len >= INT_MAX) return AVERROR(EINVAL); - char *value = av_malloc(len + 1); + value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); avio_read(pb, value, len); From ac4126decd33b5e236a8c86e5ce08d5e10a5d95b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 25 Feb 2015 15:07:18 +0100 Subject: [PATCH 208/229] lavfi/fade: Do not overread input buffer. (cherry picked from commit ab3ff19f08b7a83e320c39ab066f289c242b8030) --- libavfilter/vf_fade.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index 80ce75dcda..a7597cdff0 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c @@ -138,7 +138,9 @@ static int config_props(AVFilterLink *inlink) s->hsub = pixdesc->log2_chroma_w; s->vsub = pixdesc->log2_chroma_h; - s->bpp = av_get_bits_per_pixel(pixdesc) >> 3; + s->bpp = pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR ? + 1 : + av_get_bits_per_pixel(pixdesc) >> 3; s->alpha &= !!(pixdesc->flags & AV_PIX_FMT_FLAG_ALPHA); s->is_packed_rgb = ff_fill_rgba_map(s->rgba_map, inlink->format) >= 0; From 86c85b6f1a8ebbc831b942c29980b48cc74beef3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 May 2015 04:31:30 +0200 Subject: [PATCH 209/229] avfilter/x86/vf_hqdn3d: Fix register types Fixes Ticket4301 Signed-off-by: Michael Niedermayer (cherry picked from commit 52fc3e372f8ed4de5735abed1f7f7569fe37b023) --- libavfilter/x86/vf_hqdn3d.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/x86/vf_hqdn3d.asm b/libavfilter/x86/vf_hqdn3d.asm index 961127e670..e3b1bdca53 100644 --- a/libavfilter/x86/vf_hqdn3d.asm +++ b/libavfilter/x86/vf_hqdn3d.asm @@ -27,8 +27,8 @@ SECTION .text %if lut_bits != 8 sar %1q, 8-lut_bits %endif - movsx %1d, word [%3q+%1q*2] - add %1d, %2d + movsx %1q, word [%3q+%1q*2] + add %1q, %2q %endmacro %macro LOAD 3 ; dstreg, x, bitdepth From 7d97587b1ae79045bf77f24413b630250a822e42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 01:26:55 +0200 Subject: [PATCH 210/229] avformat/mov: Mark avio context of decompressed atoms as seekable Fixes Ticket4329 Signed-off-by: Michael Niedermayer (cherry picked from commit 8ce564ea280b61d21eebf8a2fd741f792ce81638) --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index f57568a146..303c9accf1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2953,6 +2953,7 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom) goto free_and_return; if (ffio_init_context(&ctx, moov_data, moov_len, 0, NULL, NULL, NULL, NULL) != 0) goto free_and_return; + ctx.seekable = AVIO_SEEKABLE_NORMAL; atom.type = MKTAG('m','o','o','v'); atom.size = moov_len; ret = mov_read_default(c, &ctx, atom); From e1afd6ed60755292884f62baa6a4b4df9a0aef2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 05:11:09 +0200 Subject: [PATCH 211/229] avcodec/x86/h264_weight: handle weight1=128 Fix ticket4596 Signed-off-by: Michael Niedermayer (cherry picked from commit e1009665759d4a3938dd2dd07b7e84d8bc9c5290) --- libavcodec/x86/h264_weight.asm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/x86/h264_weight.asm b/libavcodec/x86/h264_weight.asm index b4fb9db309..1e1219ddde 100644 --- a/libavcodec/x86/h264_weight.asm +++ b/libavcodec/x86/h264_weight.asm @@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8 add off_regd, 1 or off_regd, 1 add r4, 1 + cmp r6d, 128 + je .nonnormal cmp r5, 128 jne .normal +.nonnormal sar r5, 1 sar r6, 1 sar off_regd, 1 From 17d9157c8229af384b7e1377a6aa7f414e2a79f0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 6 Jun 2015 15:56:06 +0000 Subject: [PATCH 212/229] avcodec/exr: fix crash caused by merge Various header informations need to be reset when decoding next frame. Regression since: 95582b5c Fixes ticket #4597. Signed-off-by: Paul B Mahol (cherry picked from commit a03b69478b7f1c0c31e53acb0cf392917c0f967a) --- libavcodec/exr.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 62e8521adc..ff2d7b062c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1011,6 +1011,22 @@ static int decode_header(EXRContext *s) int current_channel_offset = 0; int magic_number, version, flags, i; + s->xmin = ~0; + s->xmax = ~0; + s->ymin = ~0; + s->ymax = ~0; + s->xdelta = ~0; + s->ydelta = ~0; + s->channel_offsets[0] = -1; + s->channel_offsets[1] = -1; + s->channel_offsets[2] = -1; + s->channel_offsets[3] = -1; + s->pixel_type = EXR_UNKNOWN; + s->compression = EXR_UNKN; + s->nb_channels = 0; + s->w = 0; + s->h = 0; + if (bytestream2_get_bytes_left(&s->gb) < 10) { av_log(s->avctx, AV_LOG_ERROR, "Header too short to parse.\n"); return AVERROR_INVALIDDATA; @@ -1351,21 +1367,6 @@ static av_cold int decode_init(AVCodecContext *avctx) float one_gamma = 1.0f / s->gamma; s->avctx = avctx; - s->xmin = ~0; - s->xmax = ~0; - s->ymin = ~0; - s->ymax = ~0; - s->xdelta = ~0; - s->ydelta = ~0; - s->channel_offsets[0] = -1; - s->channel_offsets[1] = -1; - s->channel_offsets[2] = -1; - s->channel_offsets[3] = -1; - s->pixel_type = EXR_UNKNOWN; - s->compression = EXR_UNKN; - s->nb_channels = 0; - s->w = 0; - s->h = 0; if ( one_gamma > 0.9999f && one_gamma < 1.0001f ) { for ( i = 0; i < 65536; ++i ) { From bf4fa00162d871052683736a1cd36c7ceb339e99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jul 2015 02:43:02 +0200 Subject: [PATCH 213/229] avformat/swfdec: Do not error out on pixel format changes Instead print an error and continue Fixes Ticket4702 Signed-off-by: Michael Niedermayer (cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69) --- libavformat/swfdec.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 91db06d55c..35c91df794 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -390,10 +390,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) } if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); - res = AVERROR_PATCHWELCOME; - goto bitmap_end; - } - st->codec->pix_fmt = pix_fmt; + }else + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From d88a85c49338f018daf5382fdf16207931dbaabe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 214/229] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 41f40e7709..08d771f7c5 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ patches and related discussions. Project Leader ============== -Michael Niedermayer final design decisions From f57a595024d679427946ba92c0c70e65ae2d4342 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 30 Sep 2015 14:53:35 +0200 Subject: [PATCH 215/229] avcodec/mp3: fix skipping zeros Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3 packets. This code forgot to report to the user that data was skipped at all. Since audio codecs allow partial packet decoding, the user application has to rely on the return value. It will remove the data reported as consumed by the decoder, and feed it to the decoder again. This resulted in the mp3 frame after the zero region to be decoded over and over again, until the zero region was finally skipped by the application. Fix this by including the amount of skipped bytes to the number of consumed bytes returned by the decode call. Fixes trac ticket #4890. (cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d) --- libavcodec/mpegaudiodec_template.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 05237070ea..90543aa6dc 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1642,9 +1642,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, uint32_t header; int ret; + int skipped = 0; while(buf_size && !*buf){ buf++; buf_size--; + skipped++; } if (buf_size < HEADER_SIZE) @@ -1699,7 +1701,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, return ret; } s->frame_size = 0; - return buf_size; + return buf_size + skipped; } static void mp_flush(MPADecodeContext *ctx) From e2f0443af082508c335b6d44c2c7dcef0f6a868f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2015 23:49:30 +0200 Subject: [PATCH 216/229] avcodec/ffv1: seperate slice_count from max_slice_count Fix segfault with too large slice_count Fixes Ticket4879 Signed-off-by: Michael Niedermayer (cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568) Conflicts: libavcodec/ffv1enc.c libavcodec/ffv1.c --- libavcodec/ffv1.c | 14 +++++++------- libavcodec/ffv1.h | 1 + libavcodec/ffv1dec.c | 8 +++++--- libavcodec/ffv1enc.c | 4 +++- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index ab58a6074f..6073bc4461 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -101,7 +101,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) av_cold int ffv1_init_slices_state(FFV1Context *f) { int i, ret; - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = f->slice_context[i]; if ((ret = ffv1_init_slice_state(f, fs)) < 0) return AVERROR(ENOMEM); @@ -113,10 +113,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) { int i; - f->slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->slice_count > 0); + f->max_slice_count = f->num_h_slices * f->num_v_slices; + av_assert0(f->max_slice_count > 0); - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; @@ -201,7 +201,7 @@ av_cold int ffv1_close(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->last_picture); av_frame_free(&s->last_picture.f); - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *fs = s->slice_context[j]; for (i = 0; i < s->plane_count; i++) { PlaneContext *p = &fs->plane[i]; @@ -215,14 +215,14 @@ av_cold int ffv1_close(AVCodecContext *avctx) av_freep(&avctx->stats_out); for (j = 0; j < s->quant_table_count; j++) { av_freep(&s->initial_states[j]); - for (i = 0; i < s->slice_count; i++) { + for (i = 0; i < s->max_slice_count; i++) { FFV1Context *sf = s->slice_context[i]; av_freep(&sf->rc_stat2[j]); } av_freep(&s->rc_stat2[j]); } - for (i = 0; i < s->slice_count; i++) + for (i = 0; i < s->max_slice_count; i++) av_freep(&s->slice_context[i]); return 0; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 5081397f54..cc354c385e 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -117,6 +117,7 @@ typedef struct FFV1Context { struct FFV1Context *slice_context[MAX_SLICES]; int slice_count; + int max_slice_count; int num_v_slices; int num_h_slices; int slice_width; diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index b10e212ce5..f50bb5d6ce 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -758,6 +758,7 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n"); return AVERROR_INVALIDDATA; } + f->slice_count = f->max_slice_count; } else if (f->version < 3) { f->slice_count = get_symbol(c, state, 0); } else { @@ -772,8 +773,8 @@ static int read_header(FFV1Context *f) p -= size + trailer; } } - if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) { - av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count); + if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) { + av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count); return AVERROR_INVALIDDATA; } @@ -996,6 +997,7 @@ static int init_thread_copy(AVCodecContext *avctx) f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; + f->max_slice_count = 0; f->slice_count = 0; for (i = 0; i < f->quant_table_count; i++) { @@ -1066,7 +1068,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) av_assert0(!fdst->sample_buffer); } - av_assert1(fdst->slice_count == fsrc->slice_count); + av_assert1(fdst->max_slice_count == fsrc->max_slice_count); ff_thread_release_buffer(dst, &fdst->picture); diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index b63ed429d9..a289ff3b0d 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -955,6 +955,7 @@ slices_ok: if ((ret = ffv1_init_slice_contexts(s)) < 0) return ret; + s->slice_count = s->max_slice_count; if ((ret = ffv1_init_slices_state(s)) < 0) return ret; @@ -964,7 +965,7 @@ slices_ok: if (!avctx->stats_out) return AVERROR(ENOMEM); for (i = 0; i < s->quant_table_count; i++) - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *sf = s->slice_context[j]; av_assert0(!sf->rc_stat2[i]); sf->rc_stat2[i] = av_mallocz(s->context_count[i] * @@ -1188,6 +1189,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, for (i = 0; i < f->quant_table_count; i++) memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i])); + av_assert0(f->slice_count == f->max_slice_count); for (j = 0; j < f->slice_count; j++) { FFV1Context *fs = f->slice_context[j]; for (i = 0; i < 256; i++) { From 44184226acec52d10949f405d971d76330a21cf6 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 20 Sep 2015 12:39:14 +0200 Subject: [PATCH 217/229] hevc: fix wpp threading deadlock. Fixes ticket 4258. (cherry picked from commit 74e4948235bc8f8946eeca20525258bbf383f75d) --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index d88bca8119..302a88319b 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2378,6 +2378,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int if (more_data < 0) { s->tab_slice_address[ctb_addr_rs] = -1; + avpriv_atomic_int_set(&s1->wpp_err, 1); + ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP); return more_data; } From 9e1b4939160c2a41ea41cc8b817991ef69221bc6 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 12 Sep 2015 21:50:24 +0200 Subject: [PATCH 218/229] hevc: properly handle no_rasl_output_flag when removing pictures from the DPB Fixes ticket #4185. Reviewed-By: Mickael Raulet Signed-off-by: Hendrik Leppkes (cherry picked from commit 0118158efa8e45761f9f65a3bb74f33907bd2aec) --- libavcodec/hevc.c | 5 +++++ libavcodec/hevc.h | 1 + libavcodec/hevc_refs.c | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 302a88319b..0a7ba5472e 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -746,6 +746,8 @@ static int hls_slice_header(HEVCContext *s) s->HEVClc->tu.cu_qp_offset_cb = 0; s->HEVClc->tu.cu_qp_offset_cr = 0; + s->no_rasl_output_flag = IS_IDR(s) || IS_BLA(s) || (s->nal_unit_type == NAL_CRA_NUT && s->last_eos); + return 0; } @@ -3308,6 +3310,7 @@ static int hevc_update_thread_context(AVCodecContext *dst, s->pocTid0 = s0->pocTid0; s->max_ra = s0->max_ra; s->eos = s0->eos; + s->no_rasl_output_flag = s0->no_rasl_output_flag; s->is_nalff = s0->is_nalff; s->nal_length_size = s0->nal_length_size; @@ -3402,6 +3405,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx) s->enable_parallel_tiles = 0; s->picture_struct = 0; + s->eos = 1; if(avctx->active_thread_type & FF_THREAD_SLICE) s->threads_number = avctx->thread_count; @@ -3443,6 +3447,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); s->max_ra = INT_MAX; + s->eos = 1; } #define OFFSET(x) offsetof(HEVCContext, x) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 2a5ce2523c..9a10022dcc 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -850,6 +850,7 @@ typedef struct HEVCContext { int bs_height; int is_decoded; + int no_rasl_output_flag; HEVCPredContext hpc; HEVCDSPContext hevcdsp; diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 136cc6ff0e..53b4bcf2c1 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -163,7 +163,7 @@ int ff_hevc_output_frame(HEVCContext *s, AVFrame *out, int flush) int min_poc = INT_MAX; int i, min_idx, ret; - if (s->sh.no_output_of_prior_pics_flag == 1) { + if (s->sh.no_output_of_prior_pics_flag == 1 && s->no_rasl_output_flag == 1) { for (i = 0; i < FF_ARRAY_ELEMS(s->DPB); i++) { HEVCFrame *frame = &s->DPB[i]; if ((frame->flags & HEVC_FRAME_FLAG_OUTPUT) && frame->poc != s->poc && From 80a467b452e196c03bba6c469d19f827f6b8997b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Sep 2015 04:01:27 +0200 Subject: [PATCH 219/229] avformat/avidec: Workaround broken initial frame Fixes Ticket4851 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2ef00394b8079e93835d47c993868229f07502) --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 6536991011..44ed45e7ed 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1527,7 +1527,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) ast = st->priv_data; if (first_packet && first_packet_pos) { - data_offset = first_packet_pos - pos; + if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos) + data_offset = first_packet_pos - pos; first_packet = 0; } pos += data_offset; From d40ab18c07195252360dd04d3c8fd650d52c7216 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 04:08:42 +0200 Subject: [PATCH 220/229] avformat/oggenc: Check segments_count for headers too Fixes infinite loop and segfault in ogg_buffer_data() Fixes Ticket4806 Signed-off-by: Michael Niedermayer (cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7) --- libavformat/oggenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index f6a6d7d96d..2b1cbe3bf3 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -249,7 +249,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, if (i == total_segments) page->granule = granule; - if (!header) { + { AVStream *st = s->streams[page->stream_index]; int64_t start = av_rescale_q(page->start_granule, st->time_base, @@ -257,10 +257,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, int64_t next = av_rescale_q(page->granule, st->time_base, AV_TIME_BASE_Q); - if (page->segments_count == 255 || - (ogg->pref_size > 0 && page->size >= ogg->pref_size) || - (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + if (page->segments_count == 255) { ogg_buffer_page(s, oggstream); + } else if (!header) { + if ((ogg->pref_size > 0 && page->size >= ogg->pref_size) || + (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + ogg_buffer_page(s, oggstream); + } } } } From 5279f5d0680ab266d970ea83df098d46afc23d06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:49:21 +0200 Subject: [PATCH 221/229] avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check Fixes Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31) --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index a003a1df1d..91605ff863 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -173,7 +173,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, buf += ctx->length_size; unit_type = *buf & 0x1f; - if (buf + nal_size > buf_end || nal_size < 0) + if (nal_size > buf_end - buf || nal_size < 0) goto fail; if (ctx->first_idr && (unit_type == 7 || unit_type == 8)) From f6006295c037e8ac2706874ee7b4b97bdda5c387 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 23 Oct 2015 11:11:53 -0400 Subject: [PATCH 222/229] videodsp: don't overread edges in vfix3 emu_edge. Fixes trac ticket 3226. Also see Andreas' analysis in https://bugs.debian.org/801745, which was very helpful. (cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209) --- libavcodec/x86/videodsp.asm | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm index 1ac02574d6..77189fa6ef 100644 --- a/libavcodec/x86/videodsp.asm +++ b/libavcodec/x86/videodsp.asm @@ -185,8 +185,12 @@ hvar_fn %elif (%2-%%off) == 2 mov valw, [srcq+%2-2] %elifidn %1, body - mov vald, [srcq+%2-3] -%else + mov valb, [srcq+%2-1] + sal vald, 16 + mov valw, [srcq+%2-3] +%elifidn %1, bottom + movd mm %+ %%mmx_idx, [srcq+%2-4] +%else ; top movd mm %+ %%mmx_idx, [srcq+%2-3] %endif %endif ; (%2-%%off) >= 1 @@ -242,12 +246,15 @@ hvar_fn mov [dstq+%2-2], valw %elifidn %1, body mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %else movd vald, mm %+ %%mmx_idx +%ifidn %1, bottom + sar vald, 8 +%endif mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %endif %endif ; (%2-%%off) >= 1 From f450caf0575215c997f22421f7e442657a71a3bc Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Tue, 1 Dec 2015 21:15:53 +0200 Subject: [PATCH 223/229] doc/filters/drawtext: fix centering example Signed-off-by: Andrey Utkin Signed-off-by: Lou Logan (cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8) Signed-off-by: Timothy Gu --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 784a972f29..9064f4aaba 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -3968,7 +3968,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item From eb0a9cd68a25e8537f4134c928f3cde09ac9c785 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 00:36:59 +0100 Subject: [PATCH 224/229] avcodec/ffv1dec: Check for 0 quant tables Fixes assertion failure Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc) --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index f50bb5d6ce..c61afe3bad 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -554,7 +554,7 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) return AVERROR_INVALIDDATA; for (i = 0; i < f->quant_table_count; i++) { From 1fff9947098b406127565bf9dac997607fbeacb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 01:25:50 +0100 Subject: [PATCH 225/229] avcodec/ffv1dec: Print an error if the quant table count is invalid Signed-off-by: Michael Niedermayer (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b) --- libavcodec/ffv1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c61afe3bad..3fc307b311 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -554,8 +554,10 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); From 0fde898f16cfbc93bb9b9c96b7f826473d231a25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:21:58 +0100 Subject: [PATCH 226/229] avcodec/ffv1dec: Clear quant_table_count if its invalid Fixes deallocation of corrupted pointer Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi No releases affected Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb) Fixes ticket #5052. --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 3fc307b311..6aece65e6f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -556,6 +556,7 @@ static int read_extra_header(FFV1Context *f) f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; } From 633bf6246cfad484308af2461212800e52ac37e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:06:04 +0100 Subject: [PATCH 227/229] swscale/x86/rgb2rgb_template: Do not crash on misaligend stride Fixes Ticket5013 Signed-off-by: Michael Niedermayer (cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c) --- libswscale/x86/rgb2rgb_template.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e71c7ebfe3..e86285b6a3 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,8 +1887,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16 #if COMPILE_TEMPLATE_SSE2 + && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1908,6 +1910,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui : "memory", "%"REG_a"" ); #else + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" From f8b25be7f7519a9b6992d5269ed721a6bda2c4b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:50:20 +0100 Subject: [PATCH 228/229] swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* This also as a sideeffect fixes the non aligned case Signed-off-by: Michael Niedermayer (cherry picked from commit a066ff89bcbae6033c2ffda9271cad84f6c1b807) --- libswscale/x86/rgb2rgb_template.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e86285b6a3..7be4ab6455 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,10 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16 + if (width >= 16) { #if COMPILE_TEMPLATE_SSE2 - && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) - ) + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1909,8 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a"" ); -#else - ) + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1936,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; From 49fb1f66f15ff00c45bb20dfa94c3555503a2605 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 2 Mar 2016 11:20:07 +0100 Subject: [PATCH 229/229] doc/utils: fix typo for min() description Signed-off-by: Paul B Mahol (cherry picked from commit bdf474bcff29f5b40fe14f6fa1dbe10e69c73ab7) Signed-off-by: Timothy Gu --- doc/utils.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/utils.texi b/doc/utils.texi index c46ad4523b..72aef7c718 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -858,7 +858,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}.